Sending Logs to Datadog via CloudWatch Logs Subscription Filter with Firehose as Destination

2026-04-30 datadog aws

One way to send AWS service logs to Datadog is through Firehose. Creating a stack from the official template provisions a Firehose pointed at a specified endpoint, IAM roles, and an S3 Bucket for storing failed delivery logs.

$ export DD_API_KEY=*****

$ export DD_INTAKE_LOG_ENDPOINT=https://aws-kinesis-http-intake.logs.datadoghq.com/v1/input

$ aws cloudformation create-stack \
  --stack-name datadog-kinesis-logs \
  --template-body "$(curl -sL --compressed https://docs.datadoghq.com/resources/json/kinesis-logs-cloudformation-template.json)" \
  --capabilities CAPABILITY_IAM \
  --region ap-northeast-1 \
  --parameters \
    ParameterKey=DatadogAPIKey,ParameterValue=$DD_API_KEY \
    ParameterKey=DatadogHttpEndpointUrl,ParameterValue=$DD_INTAKE_LOG_ENDPOINT

Creating a CloudWatch Logs Subscription Filter with this Firehose as the destination starts sending logs.

$ export DELIVERY_STREAM_ARN=$(aws cloudformation describe-stacks \
  --stack-name datadog-kinesis-logs \
  --query "Stacks[0].Outputs[?OutputKey=='DatadogDeliveryStreamARN'].OutputValue" \
  --output text)

$ export ROLE_ARN=$(aws cloudformation describe-stacks \
  --stack-name datadog-kinesis-logs \
  --query "Stacks[0].Outputs[?OutputKey=='CloudWatchLogsRoleARN'].OutputValue" \
  --output text)

$ aws logs put-subscription-filter \
    --filter-name datadog-kinesis-logs \
    --log-group-name "/aws/lambda/helloworld" \
    --filter-pattern "\"REPORT RequestId:\"" \
    --destination-arn $DELIVERY_STREAM_ARN \
    --role-arn $ROLE_ARN

If logs are not arriving, check the S3 Bucket for error logs.

{"attemptsMade":7,"arrivalTimestamp":1777558106000,"errorCode":"HttpEndpointDestinationException","errorMessage":"403: {\"requestId\":\"*****\",\"timestamp\":\"1777558226309\",\"errorMessage\":\"API key is invalid\"}","attemptEndingTimestamp":1777558226313,"rawData":"H4sIAAAAAAAA****","subsequenceNumber":0,"dataId":"*****"}

When you send Lambda metrics to Datadog via AWS integration or Forwarder, Serverless billing applies, but simply sending logs this way does not count.