From 385ef0661fe906ff5282dc6b5acf3e6d3ad5ea12 Mon Sep 17 00:00:00 2001 From: Kristin Martin Date: Wed, 1 Jul 2026 20:33:17 +0000 Subject: [PATCH 1/4] Secure log shipper docs: no public services or IPs The log shipper guide told users to keep a [[services]] section on port 8686, which exposed Vector's unauthenticated GraphQL API publicly (reported at community.fly.io/t/14836). Vector pulls logs from the internal stream and needs no inbound access, so remove the service section and deploy with --no-public-ips. Also note how to release IPs on already-exposed deployments. Supersedes #930. --- monitoring/exporting-logs.html.md | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/monitoring/exporting-logs.html.md b/monitoring/exporting-logs.html.md index 6c0b9b56d8..c1b9f4902b 100644 --- a/monitoring/exporting-logs.html.md +++ b/monitoring/exporting-logs.html.md @@ -46,20 +46,16 @@ fly secrets set LOGTAIL_TOKEN= You can configure as many providers as you'd like by adding more secrets. The secrets needed are determined by [which provider(s)](https://github.com/superfly/fly-log-shipper#provider-configuration+external) you want to use. -Before launching your application, you should edit the generated `fly.toml` file and delete the entire `[[services]]` section. Replace it with this: +The Log Shipper pulls logs from Fly.io's internal log stream and doesn't need to accept inbound connections, so it shouldn't have any public services or IP addresses. Before deploying, edit the generated `fly.toml` file and delete the entire `[[http_service]]` (or `[[services]]`) section. -```toml -[[services]] - http_checks = [] - internal_port = 8686 -``` - -Then you can deploy it: +Then deploy without allocating a public IP address: ```cmd -fly deploy +fly deploy --no-public-ips ``` +If you already deployed a Log Shipper with a public IP address, list its addresses with `fly ips list` and remove them with `fly ips release
`. + ## Shipping specific logs By default, the log shipper gets logs from every app running within your organization (organization is set by the `ORG` secret/environment variable). From a9ac0f4fd5d0ca6db93855071508261092b56609 Mon Sep 17 00:00:00 2001 From: Kristin Martin Date: Thu, 2 Jul 2026 17:34:51 +0000 Subject: [PATCH 2/4] Match http_service section name to what fly launch generates --- monitoring/exporting-logs.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/monitoring/exporting-logs.html.md b/monitoring/exporting-logs.html.md index c1b9f4902b..bf712f0c63 100644 --- a/monitoring/exporting-logs.html.md +++ b/monitoring/exporting-logs.html.md @@ -46,7 +46,7 @@ fly secrets set LOGTAIL_TOKEN= You can configure as many providers as you'd like by adding more secrets. The secrets needed are determined by [which provider(s)](https://github.com/superfly/fly-log-shipper#provider-configuration+external) you want to use. -The Log Shipper pulls logs from Fly.io's internal log stream and doesn't need to accept inbound connections, so it shouldn't have any public services or IP addresses. Before deploying, edit the generated `fly.toml` file and delete the entire `[[http_service]]` (or `[[services]]`) section. +The Log Shipper pulls logs from Fly.io's internal log stream and doesn't need to accept inbound connections, so it shouldn't have any public services or IP addresses. Before deploying, edit the generated `fly.toml` file and delete the entire `[http_service]` (or `[[services]]`) section. Then deploy without allocating a public IP address: From 1b1c22d25ca950b324482b805558168309a759f2 Mon Sep 17 00:00:00 2001 From: Kristin Martin Date: Thu, 2 Jul 2026 17:41:07 +0000 Subject: [PATCH 3/4] Add Datadog to Vale vocabulary --- styles/config/vocabularies/fly-terms/accept.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/styles/config/vocabularies/fly-terms/accept.txt b/styles/config/vocabularies/fly-terms/accept.txt index 81bb456740..e25026ebe8 100644 --- a/styles/config/vocabularies/fly-terms/accept.txt +++ b/styles/config/vocabularies/fly-terms/accept.txt @@ -28,6 +28,7 @@ containerd [Cc]ron(jobs?|job)?\b [Cc]rontabs?\b datacenters?\b +Datadog datasource datatypes?\b declaratively From aab638c6e673bd154281097904ce672072d945ce Mon Sep 17 00:00:00 2001 From: Kristin Martin Date: Mon, 6 Jul 2026 20:52:02 +0000 Subject: [PATCH 4/4] Add health check section for the Log Shipper --- monitoring/exporting-logs.html.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/monitoring/exporting-logs.html.md b/monitoring/exporting-logs.html.md index bf712f0c63..0bec6fa397 100644 --- a/monitoring/exporting-logs.html.md +++ b/monitoring/exporting-logs.html.md @@ -56,6 +56,24 @@ fly deploy --no-public-ips If you already deployed a Log Shipper with a public IP address, list its addresses with `fly ips list` and remove them with `fly ips release
`. +## Add a health check + +The Log Shipper can occasionally stop shipping logs without exiting, so it's a good idea to add a health check. Vector serves a `/health` endpoint on port 8686. Since the app has no services, use a top-level [`[checks]` section](/docs/reference/configuration/#the-checks-section) in `fly.toml`, which doesn't require a public service or IP address: + +```toml +[checks] + [checks.vector] + port = 8686 + type = "http" + method = "get" + path = "/health" + grace_period = "10s" + interval = "30s" + timeout = "5s" +``` + +Check the health status with `fly checks list`. + ## Shipping specific logs By default, the log shipper gets logs from every app running within your organization (organization is set by the `ORG` secret/environment variable).