Appearance
Collect and view logs
The Logs workspace combines agent and platform events with external ingestion in one organisation-wide stream.
Open the stream
Open Logs for the organisation. Use the onboarding panel if no records have arrived. The available ingestion instructions and source controls are generated for the current organisation, so follow those instead of copying credentials or endpoints from another environment.
For external syslog ingestion, use an organisation API key with the narrow log-ingest scope offered by the API key editor. Include valid device context when the ingestion contract requires it. Disable and rotate the key if it appears in log output.
Verify collection
- Generate a distinctive, non-secret test event.
- Search a short recent window.
- Confirm device, class, application, origin, level, source type, and timestamp fields that your workflow depends on.
- Confirm a second operator with the intended role can find the same event.
If data is absent, check source controls, API key scope, device identity, payload format, organisation usage, and the source system's delivery status. Local agent logs help diagnose the agent itself, but local output is not proof that central ingestion succeeded.
Live and archived data
The recent stream is optimised for live viewing. Older retained records are queried from archive storage. Archive delivery and query latency can differ from live tail, and a query can cross both paths.
Normal log search covers the retention period shown for your organisation in the UI and service-limit response.
Usage is measured for log ingestion. Review Usage before enabling a noisy source. Filter at the producer where practical and avoid credentials, access tokens, health data, or unnecessary personal data.
Move from an alert to logs
Use the alert's device or monitor context and first-observed time. Add a resource token, then inspect a narrow window before broadening the query. Preserve relevant context in the incident timeline rather than copying an unbounded log dump.
Permissions
Control who can view logs through team membership. Support teams typically need log read access; restrict write/configuration to engineering.
Reliable log collection
- Verify central collection with a distinctive test event
- Use a narrowly scoped API key for ingestion
- Start with the affected resource before broadening a search
- Check retention and delivery when a query returns no result