Support for log processingRules directly within the DatadogAgent CRD

[SotaSato-stst]

Problem

Currently, when using the Datadog Operator, there is no direct way to define global log processingRules (such as exclude_at_match) within the DatadogAgent Custom Resource Definition (CRD).

To filter or exclude certain logs across the entire cluster (e.g., health checks, debug logs), we have to rely on Pod annotations for every application. This approach is not scalable and makes it difficult to enforce a consistent, global logging policy.

Feature Request

I would like to request the addition of a processingRules field within the DatadogAgent CRD, ideally under the spec.features.logCollection section.

This would allow users to define global log processing rules that are applied by the agent on every node.

Example of desired configuration:

# kind: DatadogAgent
# apiVersion: [datadoghq.com/v2alpha1](https://datadoghq.com/v2alpha1)
...
spec:
  features:
    logCollection:
      enabled: true
      containerCollectAll: true
      # This is the proposed new field
      processingRules:
        - type: "exclude_at_match"
          name: "exclude_health_checks_globally"
          pattern: "GET /healthz"
        - type: "mask_sequences"
          name: "mask_credit_cards"
          pattern: 'visa'
          replace_placeholder: '[CREDIT_CARD_REMOVED]'

[levan-m]

@SotaSato-stst, have you considered using DD_LOGS_CONFIG_PROCESSING_RULES described in this doc?
Regardless, structured schema does have some advantages compared to json in env var and we will take this in as a feature request but this may not get prioritized in near future since there is an alternative available.

[SotaSato-stst]

Thank you for the suggestion!
I tried using DD_LOGS_CONFIG_PROCESSING_RULES as you recommended, and it worked for my needs. I appreciate you pointing me to that solution.
I understand that the structured schema feature request may not be prioritized at this time, and the alternative you provided is a great workaround.

[dd-octo-sts]

This issue has been automatically marked as stale because it has not had activity in the past 15 days.

It will be closed in 30 days if no further activity occurs. If this issue is still relevant, adding a comment will keep it open. Also, you can always reopen the issue if you missed the window.

Thank you for your contributions!