Apply policies to AWS service logs (CloudWatch, S3, EventBridge) before they reach Datadog using the Tero Edge Lambda Extension.
Looking to filter telemetry from your Lambda functions? See the Lambda Extension instead.

How it works

The Tero Edge Lambda Extension integrates with the Datadog Forwarder to provide policy-based log filtering. The extension runs as an external Lambda extension alongside the forwarder, intercepting logs and applying your policies before forwarding to Datadog.

Use cases:
  • Filter CloudWatch logs from EC2, RDS, ECS, and other AWS services
  • Apply policies to S3 access logs, ALB logs, or CloudTrail events
  • Drop noisy AWS service logs before they’re indexed in Datadog

Prerequisites

  • AWS account with logs you want to forward to Datadog
  • Datadog account with an API key
  • Tero account with an API key
The Tero Edge Extension layer is currently available in us-east-1 only. Need support in another region? Contact us.

Setup

Deploy the Datadog Forwarder with Tero Edge Extension using CloudFormation.

Deploy via AWS CloudFormation

Required parameters

| Parameter | Description |
| --- | --- |
| DdApiKey | Your Datadog API key |
| DdSite | Your Datadog site (e.g., us5.datadoghq.com, datadoghq.com, datadoghq.eu) |
| TeroPolicyApiKey | Your Tero API key for policy sync |

Tero Edge parameters

The extension is enabled by default. Configure these parameters as needed:
| Parameter | Default | Description |
| --- | --- | --- |
| TeroEdgeLayerVersion | 4 | Version of the Tero Edge layer. Set to empty string to disable. |
| TeroEdgeLayerArn | (auto) | Override the full layer ARN. Leave empty to use default. |
| TeroPolicyUrl | https://sync.usetero.com/v1/policy/sync | HTTP policy provider URL |
| TeroPolicyApiKey | | API key for authenticating with the policy provider |
| TeroPolicyStatic | | JSON string for static policies (alternative to HTTP provider) |
| TeroListenPort | 3000 | Port for the extension proxy server |
| TeroLogLevel | info | Log level (debug, info, warn, err) |
The extension automatically configures the Datadog Forwarder to route logs through localhost:3000. The upstream URL is derived from your DdSite parameter.

Triggers

After deploying the forwarder, configure triggers to send AWS logs to it.
Use the Datadog AWS integration to automatically set up log collection.
1. Get the forwarder ARN

In the AWS console, go to Lambda > Functions and select your Datadog Forwarder. Copy the Function ARN from the function overview.

2. Configure the AWS integration

In Datadog, go to Integrations > Amazon Web Services. Select your AWS account and navigate to the Log Collection tab. Paste the forwarder ARN and save.

3. Enable log sources

In the same AWS integration page, enable the AWS services you want to collect logs from. Datadog automatically configures the triggers.

Static policies

For simple use cases, you can embed policies directly in the Lambda configuration instead of using the HTTP policy provider. Set TeroPolicyStatic (or the TERO_POLICY_STATIC environment variable) to a JSON string:
{
  "policies": [
    {
      "id": "drop-health-checks",
      "name": "Drop health check logs",
      "log": {
        "match": [
          {
            "log_field": "body",
            "regex": "GET /health"
          }
        ],
        "keep": "none"
      }
    }
  ]
}
Static policies don’t update without redeploying. Use the HTTP policy provider for dynamic policy management.
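
A dry run of the static policy above against sample log records, as an added example (not Tero's code), to see what a policy would drop before it is deployed. It assumes every matcher in a policy must match, that regex is an unanchored search, and that "keep": "none" drops the record; Python's re module stands in for the extension's regex engine, and the log lines and function names are constructed for illustration.

```python
import json
import re

# Policy copied from the static-policy example on this page.
POLICY_JSON = """
{"policies": [{"id": "drop-health-checks", "name": "Drop health check logs",
  "log": {"match": [{"log_field": "body", "regex": "GET /health"}],
          "keep": "none"}}]}
"""

# Constructed sample records; only the "body" field is modelled.
SAMPLE_LOGS = [
    {"body": '10.0.0.5 "GET /health HTTP/1.1" 200'},
    {"body": '10.0.0.9 "GET /health-records/export?all=1 HTTP/1.1" 200'},
    {"body": '10.0.0.7 "POST /login HTTP/1.1" 401'},
]


def load_policies(raw):
    """Parse the JSON string and compile each matcher; bad input raises."""
    policies = []
    for p in json.loads(raw)["policies"]:
        matchers = [(m["log_field"], re.compile(m["regex"]))
                    for m in p["log"]["match"]]
        policies.append({"id": p["id"], "matchers": matchers,
                         "keep": p["log"]["keep"]})
    return policies


def dropped_by(record, policies):
    """Return the id of the first policy that drops the record, else None.

    Assumed semantics: all matchers must match (unanchored search) and
    keep == "none" drops the record. A policy with no matchers drops nothing.
    """
    for p in policies:
        hit = p["matchers"] and all(rx.search(str(record.get(field, "")))
                                    for field, rx in p["matchers"])
        if hit and p["keep"] == "none":
            return p["id"]
    return None


def dry_run(raw, records):
    """Pair each record body with the policy id dropping it (None = forwarded)."""
    policies = load_policies(raw)
    return [(r["body"], dropped_by(r, policies)) for r in records]


if __name__ == "__main__":
    for body, policy_id in dry_run(POLICY_JSON, SAMPLE_LOGS):
        print(f"{'DROP ' + policy_id if policy_id else 'KEEP':<24} {body}")
```

Under these assumptions the unanchored pattern also drops the /health-records request, which is not a health check. Tightening the regex to "GET /health HTTP/" leaves that record forwarded.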

Environment variables reference

| Variable | Description |
| --- | --- |
| TERO_UPSTREAM_URL | Datadog intake URL for forwarding logs |
| TERO_LISTEN_PORT | Port for the extension proxy (default: 3000) |
| TERO_LOG_LEVEL | Log verbosity: debug, info, warn, err |
| TERO_POLICY_URL | HTTP policy provider URL |
| TERO_POLICY_API_KEY | API key for the policy provider |
| TERO_POLICY_STATIC | JSON string with static policies |
| TERO_SERVICE_VERSION | Version identifier for tracking |

Troubleshooting

Extension not starting
Check CloudWatch logs for the extension:
EXTENSION Name: tero-edge State: Started Events: []
If you see LaunchError, verify the layer ARN matches your architecture (ARM64 vs x86_64).
Policies not applying
  • Verify TERO_POLICY_URL is set and accessible
  • Check TERO_POLICY_API_KEY is correct
  • Enable TERO_LOG_LEVEL=debug to see policy loading logs
Connection errors to Datadog
  • Verify TERO_UPSTREAM_URL matches your Datadog site
  • Check the Lambda has network access to Datadog endpoints
  • Review extension logs for TLS or connection errors
Forwarder not routing through extension
Ensure these environment variables are set:
  • DD_URL=localhost
  • DD_PORT=3000
  • DD_NO_SSL=true

Disabling Tero Edge

To disable the extension and route logs directly to Datadog:
  • CloudFormation: Set TeroEdgeLayerVersion to an empty string.
  • Manual: Remove the Tero Edge layer and unset the DD_URL, DD_PORT, DD_NO_SSL, and TERO_* environment variables.