30-50% of a typical $1M Datadog bill is log ingestion and retention — commodity pipe work with no analytical value. Proxylity replaces that layer serverlessly on AWS for a fraction of the cost. Keep Datadog for APM, dashboards, and developer tooling. Pay for the pipes separately.
Datadog is an exceptional observability platform. That is not the argument here. The argument is that raw UDP log ingestion — syslog datagrams, SNMP traps, firewall events — does not require an enterprise APM platform behind it. That's a commodity pipe, and you are paying APM pricing for it. The ingest and retention work belongs on the infrastructure that already stores the rest of your data: AWS.
Each site — headquarters, branch offices, data centers, cloud accounts — runs a gateway that peers with the Proxylity listener over WireGuard. Syslog traffic never traverses the internet unencrypted. Individual devices continue sending UDP to port 514 on their local gateway unchanged. No per-device reconfiguration. One WireGuard key pair per site.
Proxylity batch-delivers each message to two destinations in your AWS account: CloudWatch Logs for live querying and metric-filter alerting, and Kinesis Firehose for durable delivery to S3 Glacier. One CloudFormation stack deploys the entire pipeline — listener, KMS key, Firehose, S3 bucket with Object Lock, CloudWatch log group, and SNS alarm topic.
Both destinations are configured as Proxylity destinations referencing CloudWatch Logs and Firehose ARNs from the CloudFormation stack. All log data stays in your AWS environment — encrypted at rest with a customer-managed KMS key, protected by S3 Object Lock (GOVERNANCE mode), and transmitted only over WireGuard + TLS. No agents, no collectors, no log shippers.
At 3 TB/month of syslog, the Proxylity Enterprise + AWS stack costs approximately $2,778/month all-in. The Datadog equivalent at the same volume is estimated at $25,000/month. That's a difference of ~$22,200/month — roughly $267,000/year — for the same ingest volume, the same archive retention, and the same live-query capability.
Assumption 1: Log ingest and retention represents ~30% of a $1M annual Datadog bill — an estimate consistent with industry analyst commentary on large observability contracts where APM and infrastructure monitoring share the remainder. Your proportion may be higher or lower. At 30%, log management costs $25,000/month.
Assumption 2: At a blended effective rate of ~$8/GB (ingest + indexing + 30-day retention, averaged across on-demand list pricing for 300-byte syslog events), $25K/month corresponds to approximately 3 TB/month of syslog volume. Negotiated enterprise rates are typically lower; your implied volume would be proportionally higher at the same spend.
3 TB/month = roughly 10 billion packets/month = ~3,860 packets/second average. At that rate, well above the 400-pps crossover, Enterprise batch pricing strictly dominates per-packet pricing. The batch calculation:
| Item | Details | Monthly cost |
|---|---|---|
| Plan | Enterprise subscription (no per-Listener charges) | $850 |
| Batch usage | 110M batches/mo · 10M @$2.50/M, next 90M @$2.25/M, next 10M @$2.00/M | ~$248 |
| Proxylity total | | ~$1,098/mo |
| Archive delivery | Kinesis Firehose · 3,000 GB × $0.029/GB | ~$87 |
| Live query ingest | CloudWatch Logs · 3,000 GB × $0.50/GB (7-day retention) | ~$1,500 |
| CW storage | ~700 GB avg stored × $0.03/GB | ~$21 |
| WORM archive | S3 Glacier · 365-day retention (Object Lock GOVERNANCE) | ~$72 |
| AWS total | | ~$1,680/mo |
| Full stack (Proxylity + AWS) | | ~$2,778/mo |
| Datadog equivalent (same volume) | | ~$25,000/mo |
Note on CloudWatch Logs cost: At 3 TB/month, the dominant AWS cost is CloudWatch ingest ($0.50/GB). Proxylity destinations do not filter — all packets go to all configured destinations. If you want to reduce CloudWatch ingest, the practical approach is to add a Lambda as a second Proxylity destination that forwards only high-severity events (emerg, alert, crit) to CloudWatch Logs, while Firehose receives everything. At typical syslog severity distributions, high-severity events are under 1% of volume — reducing CloudWatch ingest from $1,500/month to $10–$15/month and bringing the total stack to approximately $1,100–$1,300/month.
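The severity filter such a Lambda would apply, as an added example that is not Proxylity's code: it reads the `<PRI>` header of each syslog datagram (RFC 3164 / RFC 5424) and keeps only emerg, alert and crit. It assumes the handler has already decoded the batch into raw datagram bytes; the event decoding and the CloudWatch Logs write are left out because the page does not describe them, and the function names and sample datagrams are constructed for illustration.

```python
import re

# RFC 3164 / RFC 5424: a datagram starts with "<PRIVAL>", PRIVAL = facility * 8 + severity
_PRI = re.compile(rb"^<(\d{1,3})>")
HIGH_SEVERITY_MAX = 2  # emerg=0, alert=1, crit=2


def severity_of(datagram: bytes):
    """Return the syslog severity (0-7), or None if the PRI header is missing or invalid."""
    m = _PRI.match(datagram)
    if m is None:
        return None
    prival = int(m.group(1))
    if prival > 191:  # highest valid value: facility 23, severity 7
        return None
    return prival & 0x07


def select_for_cloudwatch(datagrams):
    """Split a batch into (high-severity datagrams, count of unparseable datagrams)."""
    forward, unparseable = [], 0
    for d in datagrams:
        sev = severity_of(d)
        if sev is None:
            unparseable += 1  # still archived via Firehose; count it so it can be alarmed on
        elif sev <= HIGH_SEVERITY_MAX:
            forward.append(d)
    return forward, unparseable


# Constructed sample datagrams (not captured traffic)
SAMPLE_BATCH = [
    b"<34>Oct 11 22:14:15 fw01 kernel: link state change",      # PRI 34  = auth.crit
    b"<134>Oct 11 22:14:16 fw01 filterlog: pass in on em0",      # PRI 134 = local0.info
    b"<0>1 2024-01-01T00:00:00Z core1 kern - - - panic",         # PRI 0   = kern.emerg
    b"<165>1 2024-01-01T00:00:01Z app1 svc 123 ID47 - started",  # PRI 165 = local4.notice
    b"<999>bogus priority",                                      # PRI out of range
    b"no priority header at all",
]

if __name__ == "__main__":
    kept, bad = select_for_cloudwatch(SAMPLE_BATCH)
    print(f"forwarded {len(kept)} of {len(SAMPLE_BATCH)}, unparseable {bad}")
```

Datagrams without a valid PRI are counted rather than forwarded; a rising count is worth a metric of its own, since a source that stops sending well-formed headers would otherwise disappear from live alerting.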
Per-packet pricing (Professional plan) is available and more cost-effective at lower volumes — below roughly 400 packets/second. At the volumes a $1M Datadog customer generates, Enterprise batch pricing reduces Proxylity-side costs from well over $10,000/month (per-packet) to under $900/month. Billed through AWS Marketplace — no separate vendor invoice, no minimums, no contract.
Your APM traces, error tracking, dashboards, SLO monitors, and developer tooling stay exactly where they are. The extraction is precise: move the commodity ingest and retention work to the infrastructure layer where it belongs, and keep Datadog doing what Datadog is excellent at.
| Capability | Keep in Datadog | Move to Proxylity + AWS |
|---|---|---|
| APM / distributed tracing | Yes — unchanged | — |
| Dashboards + alerting | Yes — unchanged | — |
| Error tracking | Yes — unchanged | — |
| Developer tooling | Yes — unchanged | — |
| UDP syslog ingest (:514) | — | Proxylity Listener |
| Raw log delivery + 30-day search | — | CloudWatch Logs |
| Compliance archive | — | Firehose → S3 Glacier |
| Long-term retention (12+ months) | — | S3 lifecycle policies |
The change your syslog sources see: a new UDP endpoint IP. That's it. Reconfiguring rsyslog or syslog-ng to point at a new destination takes minutes.
Syslog data in this architecture passes through Proxylity in transit before landing in your AWS account. Proxylity is not independently SOC 2, HIPAA, or PCI audited at this time. Your security team should evaluate Proxylity as a subprocessor alongside the storage layer when scoping compliance coverage. Proxylity participates in AWS Marketplace Vendor Insights, which provides a documented security profile — covering encryption, access control, and data handling practices — that procurement and security teams can review directly in the AWS Marketplace console or request through AWS. What the architecture does provide — and what is fully auditable — is a set of strong technical controls on both the transport and storage layers.
| Control | Where it applies | Details |
|---|---|---|
| Encryption in transit | Site → Proxylity → AWS | WireGuard (ChaCha20-Poly1305, Curve25519) from each site gateway to the listener; TLS for Proxylity-to-CloudWatch and Proxylity-to-Firehose delivery. No plaintext traversal over the internet at any hop. |
| Encryption at rest | S3, CloudWatch Logs | Customer-managed KMS key (CMK) on all stored objects and log events; automatic key rotation (default 365 days). Keys are owned by your AWS account. |
| Log immutability | S3 | S3 Object Lock in GOVERNANCE mode prevents deletion or overwrite before the retention period expires. Switch to COMPLIANCE mode for environments under continuous audit where no principal should be able to bypass retention. |
| Log retention (365 days) | S3 Glacier | Configurable via LogArchiveExpirationInDays parameter. Lifecycle policy transitions objects to Glacier after 28 days. |
| Data residency | AWS account + region | All stored log data lands in your AWS account in the region you deploy to. Proxylity does not retain or copy log contents. |
| AWS service certifications | Storage layer only | CloudWatch Logs, Kinesis Firehose, and S3 are covered under AWS's SOC 2, PCI DSS Level 1, and HIPAA BAA programs. These certifications apply to the storage layer inside your account — not to Proxylity as an ingest service. |
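In GOVERNANCE mode, retention can still be overridden by any principal that holds the IAM action `s3:BypassGovernanceRetention`, so the log-immutability control in the table is only as strong as the set of policies that grant it. The audit below is an added example, not part of the Proxylity template: it flags policy documents whose Allow statements cover that action, including through wildcards. It does not evaluate Deny statements, `Resource`, `Condition`, SCPs or permission boundaries, so its output is a list of candidates to review; the policy names and documents are constructed.

```python
import fnmatch

# IAM action that lets a principal override GOVERNANCE-mode retention
BYPASS_ACTION = "s3:BypassGovernanceRetention"


def _as_list(value):
    """IAM accepts a single string/object wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def statement_allows_bypass(stmt):
    """True if an Allow statement's Action patterns cover the bypass action."""
    if stmt.get("Effect") != "Allow" or "Action" not in stmt:
        return False  # Deny and NotAction statements are not evaluated here
    # IAM action names are case-insensitive; '*' and '?' are the wildcards
    return any(
        fnmatch.fnmatchcase(BYPASS_ACTION.lower(), pattern.lower())
        for pattern in _as_list(stmt["Action"])
    )


def policies_allowing_bypass(policies):
    """Return the sorted names of policies with a statement granting the bypass."""
    return sorted(
        name
        for name, doc in policies.items()
        if any(statement_allows_bypass(s) for s in _as_list(doc.get("Statement", [])))
    )


# Constructed policy documents with hypothetical names (not from the template)
SAMPLE_POLICIES = {
    "log-reader": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]},
    "s3-admin": {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "archive-ops": {"Statement": [{"Effect": "Allow", "Action": ["s3:PutObject", "s3:Bypass*"], "Resource": "*"}]},
    "full-admin": {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}},
    "deny-bypass": {"Statement": [{"Effect": "Deny", "Action": BYPASS_ACTION, "Resource": "*"}]},
}

if __name__ == "__main__":
    for name in policies_allowing_bypass(SAMPLE_POLICIES):
        print(f"review: {name} may allow bypassing GOVERNANCE retention")
```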
A production-ready CloudFormation template is available in the Proxylity examples repository (syslog-cw-s3.template.json). It provisions the full stack: WireGuard listener, KMS CMK with rotation, Kinesis Firehose with S3 Object Lock bucket, CloudWatch log group, metric filters for high-severity detection, and an SNS alarm topic — all from a single deploy command.
Key parameters (all have sensible defaults):
Deploy:

```bash
# 1. Generate a WireGuard key pair for the first site gateway
#    (umask 077 keeps the private key file readable only by its owner)
(umask 077; wg genkey | tee site1.key | wg pubkey > site1.pub)

# 2. Deploy the full stack (one command)
aws cloudformation deploy \
  --template-file syslog-cw-s3.template.json \
  --stack-name syslog \
  --capabilities CAPABILITY_NAMED_IAM CAPABILITY_IAM CAPABILITY_AUTO_EXPAND \
  --parameter-overrides \
    PeerPublicKey="$(cat site1.pub)" \
    LogGroupRetentionInDays=7 \
    LogArchiveExpirationInDays=365 \
    AlarmEmail=ops@yourcompany.com

# 3. Retrieve the listener endpoint and public key
aws cloudformation describe-stacks --stack-name syslog \
  --query 'Stacks[0].Outputs' > outputs.json
export ENDPOINT="$(jq -r '.[]|select(.OutputKey=="Domain")|.OutputValue' outputs.json)"
export PORT="$(jq -r '.[]|select(.OutputKey=="Port")|.OutputValue' outputs.json)"
export LISTENER_PUBKEY="$(jq -r '.[]|select(.OutputKey=="ListenerPublicKey")|.OutputValue' outputs.json)"
```
Configure WireGuard on the site gateway, then point syslog to the listener's tunnel IP. For rsyslog:
```
*.* @<listener-tunnel-ip>:514
```
For syslog-ng:
```
destination d_proxylity { udp("<listener-tunnel-ip>" port(514)); };
log { source(s_src); destination(d_proxylity); };
```
Additional sites each add one WireGuard peer entry to the SyslogListener resource and redeploy. Individual syslog clients on those networks require no reconfiguration — they continue sending to the local gateway on port 514.
Free tier included. No contract. Billed through AWS Marketplace — no new vendor to onboard. Your procurement process already handles this.