---
title: 'Log streaming: HTTPS'
summary: null
url: >-
  https://www.fastly.com/documentation/guides/integrations/logging-endpoints/protocol-based-and-self-hosted/log-streaming-https
---

Fastly's [Real-Time Log Streaming](https://www.fastly.com/documentation/guides/integrations/streaming-logs/about-fastlys-realtime-log-streaming-features) feature can send log files to an HTTPS endpoint.

> **NOTE:** Fastly does not provide direct support for third-party services. Read [Fastly's Terms of Service](https://www.fastly.com/terms) for more information.

## Prerequisites

> **WARNING:** When sending logs to an HTTPS endpoint, Fastly requires proof that you control the domain name specified in the URL field by using a domain control verification challenge that conforms to [RFC 8615](https://datatracker.ietf.org/doc/html/rfc8615). If your existing HTTPS endpoint can't accommodate this specific validation, we recommend that you set up a reverse proxy gateway. This gateway will fulfill the RFC 8615 challenge-response handshake requirements while leaving your primary HTTPS endpoint interface unchanged.

The HTTPS logging endpoint uses a domain control verification challenge to prove you control the domain attached to your service. Specifically, it uses a GET request to a well-known path. For example, if your URL field is `foo.example.com/some/log/path`, then the following challenge path must send a 200 response:

```text
foo.example.com/.well-known/fastly/logging/challenge
```

The response body must include the hex representation of the SHA-256 hash of your Fastly service ID, and that value must appear on its own line. For example:

```term nolinenums
$ sha256sum 

ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c
```

If multiple service IDs are used, add one hex-encoded SHA-256 line per service ID to the challenge body. In addition, an asterisk (`*`) on its own line allows any service to post to the HTTPS endpoint. For example:

```term nolinenums
ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c
06ae6402e02a9dad74edc71aa69c77c5747e553b0840bfc56feb7e65b23f0f61
*
```
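
One way to generate and audit the challenge body, as an added example (not Fastly's code). It assumes the digest covers the service ID bytes alone with no trailing newline; the service IDs are constructed placeholders and the function names are hypothetical.

```python
import hashlib
import re

CHALLENGE_PATH = "/.well-known/fastly/logging/challenge"
HEX64 = re.compile(r"^[0-9a-f]{64}$")

def service_digest(service_id: str) -> str:
    # Assumption: the digest covers the service ID bytes only (no trailing newline).
    return hashlib.sha256(service_id.encode("ascii")).hexdigest()

def build_challenge_body(service_ids) -> str:
    """One lowercase hex digest per line; never emits the '*' wildcard."""
    return "".join(service_digest(s) + "\n" for s in sorted(set(service_ids)))

def audit_challenge_body(body: str, expected_ids) -> list:
    """Compare a served challenge body with the services meant to log here."""
    expected = {service_digest(s): s for s in expected_ids}
    findings, seen = [], set()
    for n, raw in enumerate(body.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line == "*":
            findings.append(f"line {n}: wildcard lets any service post here")
        elif not HEX64.match(line):
            findings.append(f"line {n}: not a lowercase 64-character hex digest")
        elif line not in expected:
            findings.append(f"line {n}: digest of an unexpected service")
        else:
            seen.add(line)
    for digest, sid in expected.items():
        if digest not in seen:
            findings.append(f"missing digest for {sid}")
    return findings

# Constructed placeholder IDs, not real Fastly service IDs.
SAMPLE_IDS = ["EXAMPLE_SERVICE_ID_A", "EXAMPLE_SERVICE_ID_B"]
SAMPLE_BODY = build_challenge_body(SAMPLE_IDS)

if __name__ == "__main__":
    print(f"Serve at {CHALLENGE_PATH}:")
    print(SAMPLE_BODY, end="")
    print(audit_challenge_body(SAMPLE_BODY + "*\n", SAMPLE_IDS[:1]))
```

Running the audit against the body your endpoint actually serves catches a leftover `*` line or a digest for a service that should no longer be logging there.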

## Adding HTTPS as a logging endpoint

Follow these instructions to add HTTPS as a logging endpoint:

### CDN Services

1. Review the information in our guide to [setting up remote log streaming](/guides/integrations/streaming-logs/setting-up-remote-log-streaming).
2. In the HTTPS area, click **Create endpoint**.
3. Fill out the **Create an HTTPS endpoint** fields as follows:
   - In the **Name** field, enter a human-readable name for the endpoint.
   - In the **Placement** area, select where the logging call should be placed in the generated VCL. Valid values are **Format Version Default** and **None**. Read our guide on [changing log placement](/guides/integrations/streaming-logs/changing-log-placement) for more information.
   - In the **Log format** field, optionally enter an Apache-style string or VCL variables to use for log formatting. Consult the [example format section](#example-format) for details.
   - In the **URL** field, enter the URL to which log data will be sent (e.g., `https://logs.example.com/`).
   - _(Optional)_ In the **Maximum logs** field, enter the maximum number of logs to send as a batch.
   - _(Optional)_ In the **Maximum bytes** field, enter the maximum size of a log batch.
   - _(Optional)_ From the **Processing region** menu, select a geographic region where logs are processed before being sent to the logging endpoint. Our guide on [regional log aggregation](/guides/integrations/streaming-logs/setting-up-regional-log-aggregation) provides more information.
4. Click **Advanced options** and fill out the fields as follows:
   - _(Optional)_ In the **Content type** field, enter the content type to use when sending logs (e.g., `application/json`).
   - _(Optional)_ In the **Custom header name** field, enter a custom header to use when sending logs (e.g., `Authorization`).
   - _(Optional)_ In the **Custom header value** field, enter a custom header value to use when sending logs (e.g., `Bearer <token>`).
   - _(Optional)_ In the **Method** area, select the appropriate HTTP method to use.
   - In the **JSON log entry format** area, select the appropriate log entry format to use. The JSON log entry format enforces valid JSON formatting. Selecting **Array of JSON** wraps JSON log batches in an array. Selecting **Newline delimited** places each JSON log entry onto a new line in a batch.
   - In the **Select a log line format** area, select the log line format for your log messages. Our guide on [changing log line formats](/guides/integrations/streaming-logs/changing-log-line-formats) provides more information.
   - _(Optional)_ In the **Compression** field, select the compression format you want applied to the log files. Our guide on [changing log compression options](/guides/integrations/streaming-logs/changing-log-compression-options) provides more information.
5. Fill out the **Using your own certificate authority (CA)** section of the **Advanced options** area as follows:
   - _(Optional)_ In the **TLS Hostname** field, enter the hostname used to verify the logging endpoint server's certificate. This can be either the Common Name (CN) or Subject Alternative Name (SAN). This field only appears when you select Yes from the Use TLS menu.
   - _(Optional)_ In the **TLS CA certificate** field, copy and paste the certification authority (CA) certificate used to verify the logging endpoint server's certificate is valid. The certificate you upload must be in PEM format. Consider uploading the certificate if it's not signed by a well-known certification authority. This value is not required if your TLS certificate is signed by a well-known authority. This field only appears when you select Yes from the Use TLS menu.
   - _(Optional)_ In the **TLS client certificate** field, copy and paste the TLS client certificate used to authenticate Fastly to the logging endpoint server. The TLS client certificate you upload must be in PEM format and must be accompanied by a client key. A TLS client certificate allows your logging endpoint server to authenticate that Fastly is performing the connection. This field only appears when you select Yes from the Use TLS menu.
   - _(Optional)_ In the **TLS client key** field, copy and paste the TLS client key used to authenticate to the logging endpoint server. The TLS client key you upload must be in PEM format and must be accompanied by a TLS client certificate. A TLS client key allows your logging endpoint server to authenticate that Fastly is performing the connection. This field only appears when you select Yes from the Use TLS menu.
6. Click **Create** to create the new logging endpoint.
7. From the **Activate** menu, select **Activate on Production** to deploy your configuration changes.

### Example format

The following is an example format string for sending data to an HTTPS logging endpoint. Our discussion of [format strings](https://www.fastly.com/documentation/guides/integrations/streaming-logs/custom-log-formats) provides more information.

```plaintext
{
  "timestamp": "%{strftime(\{"%Y-%m-%dT%H:%M:%S%z"\}, time.start)}V",
  "client_ip": "%{req.http.Fastly-Client-IP}V",
  "geo_country": "%{client.geo.country_name}V",
  "geo_city": "%{client.geo.city}V",
  "host": "%{if(req.http.Fastly-Orig-Host, req.http.Fastly-Orig-Host, req.http.Host)}V",
  "url": "%{json.escape(req.url)}V",
  "request_method": "%{json.escape(req.method)}V",
  "request_protocol": "%{json.escape(req.proto)}V",
  "request_referer": "%{json.escape(req.http.referer)}V",
  "request_user_agent": "%{json.escape(req.http.User-Agent)}V",
  "response_state": "%{json.escape(fastly_info.state)}V",
  "response_status": %{resp.status}V,
  "response_reason": %{if(resp.response, "%22"+json.escape(resp.response)+"%22", "null")}V,
  "response_body_size": %{resp.body_bytes_written}V,
  "fastly_server": "%{json.escape(server.identity)}V",
  "fastly_is_edge": %{if(fastly.ff.visits_this_service == 0, "true", "false")}V
}
```
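
The following added example (not Fastly's code) shows how a receiving server might check the custom header, decode a batch in either JSON log entry format from the steps above, and type-check entries produced by this format string. The token, size cap and function names are assumptions, and compressed batches are not handled.

```python
import hmac
import json

# Constructed secret; it stands in for the "Custom header value" on the endpoint.
EXPECTED_AUTH = "Bearer constructed-example-token"
MAX_BODY_BYTES = 1_000_000  # hypothetical cap; align it with "Maximum bytes"
# Unquoted placeholders in the format string above fix these JSON types.
FIELD_TYPES = {
    "response_status": (int,),
    "response_body_size": (int,),
    "response_reason": (str, type(None)),
    "fastly_is_edge": (bool,),
}

def authorized(header_value) -> bool:
    """Constant-time check of the custom header sent with each batch."""
    if not isinstance(header_value, str):
        return False
    return hmac.compare_digest(header_value.encode(), EXPECTED_AUTH.encode())

def check_entry(entry) -> dict:
    if not isinstance(entry, dict):
        raise ValueError("log entry is not a JSON object")
    for field, types in FIELD_TYPES.items():
        # type() rather than isinstance(): True must not pass as an int.
        if field in entry and type(entry[field]) not in types:
            raise ValueError(f"{field} has unexpected type")
    return entry

def parse_batch(body: bytes) -> list:
    """Decode one uncompressed batch in either JSON log entry format."""
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("batch exceeds size cap")
    text = body.decode("utf-8").strip()
    if text.startswith("["):  # "Array of JSON"
        entries = json.loads(text)
    else:  # "Newline delimited"; split on \n only, U+2028 is legal in JSON
        entries = [json.loads(ln) for ln in text.split("\n") if ln.strip()]
    return [check_entry(e) for e in entries]

# Constructed sample batch using field names from the format string above.
SAMPLE_NDJSON = (
    b'{"client_ip":"192.0.2.10","url":"/a?x=1","response_status":200,'
    b'"response_reason":"OK","fastly_is_edge":true}\n'
    b'{"client_ip":"192.0.2.11","url":"/b","response_status":404,'
    b'"response_reason":null,"fastly_is_edge":false}\n'
)
SAMPLE_ARRAY = b"[" + SAMPLE_NDJSON.strip().replace(b"\n", b",") + b"]"
```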

### Compute Services

1. Review the information in our guide to [setting up remote log streaming for Compute](/guides/integrations/streaming-logs/setting-up-remote-log-streaming-for-compute). Additionally, our developer documentation provides more [information about logging](/guides/integrations/non-fastly-services/developer-guide-logging/) with Compute code written in our [supported languages](/reference/compute/sdks/).
2. In the HTTPS area, click **Create endpoint**.
3. Fill out the **Create an HTTPS endpoint** fields as follows:
   - In the **Name** field, enter the endpoint name you specified in your Compute code. For example, in our [Rust code example](/guides/compute/developer-guides/rust/#logging), the name is `my_endpoint_name`.
   - In the **URL** field, enter the URL to which log data will be sent (e.g., `https://logs.example.com/`).
   - _(Optional)_ In the **Maximum logs** field, enter the maximum number of logs to send as a batch.
   - _(Optional)_ In the **Maximum bytes** field, enter the maximum size of a log batch.
4. Click **Advanced options** and fill out the fields as follows:
   - _(Optional)_ In the **Content type** field, enter the content type to use when sending logs (e.g., `application/json`).
   - _(Optional)_ In the **Custom header name** field, enter a custom header to use when sending logs (e.g., `Authorization`).
   - _(Optional)_ In the **Custom header value** field, enter a custom header value to use when sending logs (e.g., `Bearer <token>`).
   - _(Optional)_ In the **Method** area, select the appropriate HTTP method to use.
   - In the **JSON log entry format** area, select the appropriate log entry format to use. The JSON log entry format enforces valid JSON formatting. Selecting **Array of JSON** wraps JSON log batches in an array. Selecting **Newline delimited** places each JSON log entry onto a new line in a batch.
   - In the **Select a log line format** area, select the log line format for your log messages. Our guide on [changing log line formats](/guides/integrations/streaming-logs/changing-log-line-formats) provides more information.
   - _(Optional)_ In the **Compression** field, select the compression format you want applied to the log files. Our guide on [changing log compression options](/guides/integrations/streaming-logs/changing-log-compression-options) provides more information.
5. Fill out the **Using your own certificate authority (CA)** section of the **Advanced options** area as follows:
   - _(Optional)_ In the **TLS Hostname** field, enter the hostname used to verify the logging endpoint server's certificate. This can be either the Common Name (CN) or Subject Alternative Name (SAN). This field only appears when you select Yes from the Use TLS menu.
   - _(Optional)_ In the **TLS CA certificate** field, copy and paste the certification authority (CA) certificate used to verify the logging endpoint server's certificate is valid. The certificate you upload must be in PEM format. Consider uploading the certificate if it's not signed by a well-known certification authority. This value is not required if your TLS certificate is signed by a well-known authority. This field only appears when you select Yes from the Use TLS menu.
   - _(Optional)_ In the **TLS client certificate** field, copy and paste the TLS client certificate used to authenticate Fastly to the logging endpoint server. The TLS client certificate you upload must be in PEM format and must be accompanied by a client key. A TLS client certificate allows your logging endpoint server to authenticate that Fastly is performing the connection. This field only appears when you select Yes from the Use TLS menu.
   - _(Optional)_ In the **TLS client key** field, copy and paste the TLS client key used to authenticate to the logging endpoint server. The TLS client key you upload must be in PEM format and must be accompanied by a TLS client certificate. A TLS client key allows your logging endpoint server to authenticate that Fastly is performing the connection. This field only appears when you select Yes from the Use TLS menu.
6. Click **Create** to create the new logging endpoint.
7. From the **Activate** menu, select **Activate on Production** to deploy your configuration changes.

## Firewall considerations

Your HTTPS endpoint may have limited security features. For this reason, it's best to create a firewall for your HTTPS endpoint server and only accept TCP traffic on your configured port from our address blocks. Our list of IP address blocks is dynamic, so we recommend [programmatically obtaining the list](https://www.fastly.com/documentation/reference/api/utils/public-ip-list/) whenever possible.
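
An added example (not part of Fastly's tooling) of turning the published list into an allowlist check and a rule update plan. It assumes the list is a JSON object with `addresses` and `ipv6_addresses` arrays of CIDR strings; the sample is constructed from documentation-reserved ranges and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the assumed response shape of the public IP list
# (documentation-reserved ranges, not Fastly's real address blocks).
SAMPLE_IP_LIST = json.dumps({
    "addresses": ["192.0.2.0/24", "198.51.100.0/25"],
    "ipv6_addresses": ["2001:db8:100::/40"],
})

def load_networks(raw_json: str) -> list:
    """Parse the list, failing closed on an empty list or a malformed CIDR."""
    doc = json.loads(raw_json)
    cidrs = doc.get("addresses", []) + doc.get("ipv6_addresses", [])
    if not cidrs:
        raise ValueError("empty address list; refusing to build an allowlist")
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def is_allowed(peer_ip: str, networks) -> bool:
    """True if the connecting peer falls inside one of the listed blocks."""
    addr = ipaddress.ip_address(peer_ip)
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == n.version and addr in n for n in networks)

def plan_update(current, fresh):
    """Return (to_add, to_remove) so firewall rules follow the dynamic list."""
    cur, new = set(current), set(fresh)
    return sorted(new - cur, key=str), sorted(cur - new, key=str)
```

Refusing an empty or malformed list keeps a failed fetch from silently replacing the firewall rules with nothing.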

## Related content

- [API reference: HTTPS log streaming](https://www.fastly.com/documentation/reference/api/logging/https/)
- [CLI reference: HTTPS log streaming](https://www.fastly.com/documentation/reference/cli/logging/https/)
