§ SIEM
Datadog Integration
Stream every agent trace — including policy violations and governance context — into Datadog Log Management. Build monitors on agent behavior with the log queries your team already writes.
How it works
Execlave ships completed traces to the Datadog Logs intake API asynchronously: events are batched and delivered by a dedicated export worker after the trace is committed, so delivery never adds latency to the enforcement path. Failed batches are retried. The API key is envelope-encrypted at rest — it is never stored as plaintext configuration.
Logs arrive with source:execlave and the service and tags you configure, one structured log per trace.
Setup
Two steps: create an API key in Datadog, then point Execlave at your site.
1 · Create an API key in Datadog
In Datadog: Organization Settings → API Keys → New Key. Note your Datadog site from the URL you log in at — datadoghq.com (US1), datadoghq.eu (EU), us3.datadoghq.com / us5.datadoghq.com, etc. The intake endpoint is derived from it.
2 · Configure the integration in Execlave
Go to Settings → Integrations and add a Datadog Logs destination:
| Field | Value |
|---|---|
| site | Your Datadog site, e.g. datadoghq.com or datadoghq.eu. |
| apiKey | The API key from step 1 (secret, encrypted at rest). |
| service | Optional — service tag on every log (default: execlave). |
| ddtags | Optional — comma-separated tags, e.g. env:production,team:platform. |
Click Test connection — Execlave calls the Datadog key-validation endpoint before enabling exports.
Log format & attribute reference
Each trace is one structured log. Top-level keys become log attributes you can facet and monitor on.
```json
{
  "ddsource": "execlave",
  "service": "agents-prod",
  "ddtags": "env:production,team:platform",
  "hostname": "execlave",
  "message": "send_email policy_blocked",
  "timestamp": 1765449600000,
  "trace_id": "9f4e2c1a-7b3d-4e8f-a1c2-3d4e5f6a7b8c",
  "organization_id": "org_2x...",
  "agent_id": "support-bot",
  "status": "policy_blocked",
  "model": "gpt-4o",
  "total_tokens": 412,
  "cost_usd": 0.0021,
  "duration_ms": 184,
  "environment": "production",
  "span_type": "tool",
  "span_name": "send_email",
  "agent_name": "Support Bot",
  "autonomy_level": "act_with_approval",
  "agent_status": "active",
  "idp_bound": true
}
```

| Attribute | Description |
|---|---|
| trace_id / parent_trace_id | Trace identifiers — join key back to the Execlave dashboard. |
| agent_id / agent_name | Business agent id and registry display name. |
| status | success · error · timeout · policy_blocked · limit_exceeded · flagged_for_review |
| model, prompt_tokens, completion_tokens, total_tokens, cost_usd | Model usage and spend. |
| duration_ms, environment, span_type, span_name | Execution context. |
| error_type / error_message | Populated on error spans. |
| session_id / user_id | End-user attribution, when reported. |
| autonomy_level, agent_status, idp_bound | Governance context: declared autonomy tier, registry status, and whether the agent is bound to an external identity provider. |
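The export path described under "How it works" and the record format shown above, as an added Python example. This is illustrative code written for this page, not Execlave's own export worker. It assumes Datadog's documented v2 Logs intake endpoint (`https://http-intake.logs.<site>/api/v2/logs`, key in the `DD-API-KEY` header) and the documented key-validation endpoint (`https://api.<site>/api/v1/validate`); the `post` and `sleep` parameters are hypothetical injection points so the retry logic can be exercised without a network.

```python
import json
import time
import urllib.request

DDSOURCE = "execlave"


def intake_url(site: str) -> str:
    """Datadog v2 Logs intake endpoint derived from the site (datadoghq.com, datadoghq.eu, us5.datadoghq.com ...)."""
    return f"https://http-intake.logs.{site}/api/v2/logs"


def validate_url(site: str) -> str:
    """Datadog API-key validation endpoint, what a 'Test connection' step would call."""
    return f"https://api.{site}/api/v1/validate"


def build_log(trace: dict, service: str = "execlave", ddtags: str = "") -> dict:
    """Flatten one committed trace into a single structured log record.

    Reserved Datadog fields (ddsource, service, ddtags, hostname, message,
    timestamp) are set first; every other top-level trace key is passed through
    unchanged so it becomes a facetable attribute (trace_id, status, cost_usd ...).
    """
    record = {
        "ddsource": DDSOURCE,
        "service": service,
        "ddtags": ddtags,
        "hostname": "execlave",
        "message": f"{trace['span_name']} {trace['status']}",
        "timestamp": trace["timestamp"],  # epoch milliseconds
    }
    record.update({k: v for k, v in trace.items() if k not in record})
    return record


def http_post(url: str, api_key: str, body: bytes) -> int:
    """Real transport: POST a JSON array of log records; the key travels only in the header."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json", "DD-API-KEY": api_key},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def export_batch(records, api_key, site, post=http_post, max_attempts=3, sleep=time.sleep) -> int:
    """Deliver one batch off the enforcement path; returns the attempt number that succeeded.

    Transient failures (transport error, 429, 5xx) are retried with exponential
    backoff. A 4xx such as 403 (bad key) or 400 (bad payload) is permanent and
    raises immediately, so a misconfigured destination surfaces instead of looping.
    """
    body = json.dumps(list(records)).encode()
    url = intake_url(site)
    for attempt in range(1, max_attempts + 1):
        try:
            status = post(url, api_key, body)
        except OSError:
            status = None  # connection refused / timeout: treat as transient
        if status is not None and 200 <= status < 300:
            return attempt
        if status is not None and 400 <= status < 500 and status != 429:
            raise RuntimeError(f"permanent intake failure: HTTP {status}")
        if attempt < max_attempts:
            sleep(min(2 ** attempt, 30))
    raise RuntimeError(f"batch delivery failed after {max_attempts} attempts")
```

The split between transient and permanent failures is the part worth copying: retrying a 403 forever would silently drop every trace while looking like a healthy backlog, whereas failing fast on it makes a revoked or mistyped key visible at the integration, which is exactly what the Test connection step is meant to catch up front.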
Monitor starting points
Log queries to seed your monitors — adapt thresholds to your fleet.
Policy violation burst
```
# Log monitor: policy violation burst per agent
source:execlave status:(policy_blocked OR flagged_for_review OR limit_exceeded)
# group by @agent_id, alert when count > 10 in 15m
```
Cost runaway
```
# Log monitor: cost runaway
source:execlave
# measure: sum of @cost_usd by @agent_id over 1h, alert above your budget line
```
Autonomous-tier agents hitting blocks
```
# Log monitor: blocked tool calls from autonomous-tier agents
source:execlave status:policy_blocked span_type:tool @autonomy_level:autonomous
# an autonomous agent hitting blocks is a tiering signal — review or downgrade
```
When a monitor fires, follow the incident response workflow — pivot by trace_id back into Execlave for the span timeline, policy decision, and audit evidence.
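The three seed monitors above, evaluated locally in Python over a handful of constructed log records so the thresholds and windows each query implies are explicit. This is an added example, not Execlave code and not Datadog's monitor engine; it assumes records shaped like the attribute reference (epoch-millisecond `timestamp`, `agent_id`, `status`, `cost_usd`, `span_type`, `autonomy_level`) and the sample data is invented.

```python
from collections import defaultdict

VIOLATION_STATUSES = {"policy_blocked", "flagged_for_review", "limit_exceeded"}
MIN_15 = 15 * 60 * 1000  # timestamps are epoch milliseconds
HOUR = 60 * 60 * 1000


def policy_violation_burst(logs, now_ms, threshold=10):
    """Monitor 1: agents with more than `threshold` violation logs in the last 15 minutes."""
    counts = defaultdict(int)
    for rec in logs:
        if rec.get("ddsource") != "execlave":
            continue
        if rec["status"] in VIOLATION_STATUSES and now_ms - rec["timestamp"] <= MIN_15:
            counts[rec["agent_id"]] += 1
    return {agent: n for agent, n in counts.items() if n > threshold}


def cost_runaway(logs, now_ms, budget_usd):
    """Monitor 2: sum of cost_usd per agent over the last hour, returning agents above budget."""
    spend = defaultdict(float)
    for rec in logs:
        if rec.get("ddsource") == "execlave" and now_ms - rec["timestamp"] <= HOUR:
            spend[rec["agent_id"]] += rec.get("cost_usd", 0.0)
    return {agent: round(total, 6) for agent, total in spend.items() if total > budget_usd}


def autonomous_tier_blocks(logs):
    """Monitor 3: trace ids of blocked tool calls made by autonomous-tier agents (no time window)."""
    return [
        rec["trace_id"] for rec in logs
        if rec.get("ddsource") == "execlave"
        and rec["status"] == "policy_blocked"
        and rec.get("span_type") == "tool"
        and rec.get("autonomy_level") == "autonomous"
    ]


def make_log(i, agent, status, ts, **extra):
    """Constructed sample record with the fields the monitors read; values are made up."""
    rec = {
        "ddsource": "execlave", "trace_id": f"trace-{i}", "agent_id": agent,
        "status": status, "timestamp": ts, "cost_usd": 0.001,
        "span_type": "tool", "autonomy_level": "act_with_approval",
    }
    rec.update(extra)
    return rec


NOW = 1765449600000  # constructed "current time" in epoch milliseconds
SAMPLE_LOGS = (
    # support-bot: 12 blocks in the last two minutes -> burst
    [make_log(i, "support-bot", "policy_blocked", NOW - i * 10_000) for i in range(12)]
    # billing-bot: five successful but expensive spans in the last five minutes -> runaway
    + [make_log(100 + i, "billing-bot", "success", NOW - i * 60_000, cost_usd=0.5) for i in range(5)]
    # ops-bot: autonomous tier, one recent block and one two hours old
    + [make_log(200, "ops-bot", "policy_blocked", NOW - 5_000, autonomy_level="autonomous")]
    + [make_log(201, "ops-bot", "policy_blocked", NOW - 2 * HOUR, autonomy_level="autonomous")]
)

if __name__ == "__main__":
    print("burst:", policy_violation_burst(SAMPLE_LOGS, NOW))
    print("runaway:", cost_runaway(SAMPLE_LOGS, NOW, budget_usd=1.0))
    print("autonomous blocks:", autonomous_tier_blocks(SAMPLE_LOGS))
```

Note that only the first two monitors are windowed; the third fires on any matching log, which is the intended behaviour for a tiering signal: a single blocked tool call from an agent declared autonomous is worth a review regardless of rate.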