Accessing Application Logs as an Add-on Partner

Last updated 06 May 2019

Add-on Partners can access an app’s log data once a customer installs your add-on on their app. If you’re building an add-on that requires this access, you can create a log drain on behalf of the app and receive the log data.

Log drains allow your add-on to read application logs. If you’d like to write to them, see this documentation.

To set it up, you first need to request it through the manifest.

Add-on manifest

The manifest will need to tell Heroku that your add-on requires permission to set up the log drain. This is done by adding syslog_drain to the list if permissions in the requires property:

{
  "id": "myaddon",
  "api": {
    "requires": ["syslog_drain"]
    //...
  }
}

Despite the name (syslog_drain), drains are not limited to the syslog:// protocol, in fact HTTPS drains are preferred. See the user docs on log drains for more details.

Provisioning call

When the add-on is provisioned, Heroku’s systems will generate a unique log drain token for that attachment. Add-on Partners should use this token to identify logs sent to the drain.

Relying on the Heroku provided drain token instead of a unique field in a url like a port or api key ensures that drain urls can not be copy/pasted and used in a manual context. That restriction in turn allows you to use the platform api to update a drain in the future, and know that all valid instances of the url have been updated.

The provisioning call will contain the log drain token. The content of our POST to the /heroku/resources endpoint is described here. When the syslog_drain feature is enabled, the log_drain_token field will be added to the provision payload:

{
  // ...
  "log_drain_token": "d.01234567-89ab-cdef-0123-456789abcdef"
}

and the response would be:

{
  "id": 456,
  "config": { ... },
  "log_drain_url": "https://example.com/",
  "message": "your message here"
}

Heroku will then start directing app logs to the provided drain url. We recommend using HTTPS urls for the log_drain_url. See the user docs on log drains for more details.

IP Whitelist API

The final piece of configuration is to whitelist Heroku’s Logplex IPs for incoming traffic. Simply send unauthenticated HTTP GET requests to https://api.heroku.com/vendor/logplex/whitelist. The call returns a JSON array of IP addresses to whitelist, similar to:

[
  "184.73.5.216",
  "50.16.41.187",
  "50.19.0.98",
  "50.19.146.67",
  "184.72.174.202",
  "50.16.56.45",
  "50.16.160.94",
  "50.17.56.172",
  //...
]

Since this list will change periodically we recommend updating it once every hour.

When an app provisions an add-on successfully, the user will be able to see the drain created on behalf of the add-on in the log drain list.

$ heroku drains
https://two.example.org
-----------------------------
[Dummy Addon]

Feedback

Log in to submit feedback.