From c102a2afcab00292505ee9bca6fe2622ba484aac Mon Sep 17 00:00:00 2001
From: May Lee <may.lee@datadoghq.com>
Date: Wed, 17 Dec 2025 13:50:01 -0500
Subject: [PATCH 1/8] add sm tabs

---
 .../sources/amazon_data_firehose.md           | 31 +++++++++---
 .../sources/amazon_s3.md                      | 31 +++++++++---
 .../observability_pipelines/sources/fluent.md | 31 +++++++++---
 .../sources/google_pubsub.md                  | 16 +++++-
 .../sources/http_client.md                    | 50 ++++++++++++++-----
 .../sources/http_server.md                    | 41 +++++++++++----
 .../observability_pipelines/sources/kafka.md  | 42 +++++++++++-----
 .../sources/logstash.md                       | 31 +++++++++---
 .../observability_pipelines/sources/socket.md | 31 +++++++++---
 .../sources/splunk_hec.md                     | 31 +++++++++---
 .../sources/splunk_tcp.md                     | 31 +++++++++---
 .../sources/sumo_logic.md                     | 22 ++++++--
 .../observability_pipelines/sources/syslog.md | 31 +++++++++---
 13 files changed, 325 insertions(+), 94 deletions(-)

diff --git a/content/en/observability_pipelines/sources/amazon_data_firehose.md b/content/en/observability_pipelines/sources/amazon_data_firehose.md
index 6f467075a24..5c20d934888 100644
--- a/content/en/observability_pipelines/sources/amazon_data_firehose.md
+++ b/content/en/observability_pipelines/sources/amazon_data_firehose.md
@@ -13,9 +13,9 @@ Use Observability Pipelines' Amazon Data Firehose source to receive logs from Am
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-- Enter the identifier for your Amazon Data Firehose address.
-    - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
-    - If left blank, the default is used: `SOURCE_AWS_DATA_FIREHOSE_ADDRESS`.
+<div class="alert alert-danger">Only enter the identifiers for the Amazon Data Firehose address, and if applicable, the key pass. Do <b>not</b> enter the actual values.</div>
+
+- Enter the identifier for your Amazon Data Firehose address. If you leave it blank, the [default](#set-secrets) is used.
 
 ### Optional settings
 
@@ -28,17 +28,34 @@ Select an **AWS authentication** option. If you select **Assume role**:
 #### Enable TLS
 
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-- Enter the identifier for your Amazon Data Firehose key pass.
-    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
-    - If left blank, the default is used: `SOURCE_AWS_DATA_FIREHOSE_KEY_PASS`.
+- Enter the identifier for your Amazon Data Firehose key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
-## Set the environment variables
+## Set secrets
+
+The following are the defaults used for secret identifiers and environment variables.
+
+**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+
+{{< tabs >}}
+{{% tab "Secrets Management" %}}
+
+- Amazon Data Firehose address identifier:
+	- The default identifier is `SOURCE_AWS_DATA_FIREHOSE_ADDRESS`.
+- Amazon Data Firehose TLS passphrase identifier (when TLS is enabled):
+	- The default identifier is `SOURCE_AWS_DATA_FIREHOSE_KEY_PASS`.
+
+{{% /tab %}}
+
+{{% tab "Environment variables" %}}
 
 {{% observability_pipelines/configure_existing_pipelines/source_env_vars/amazon_data_firehose %}}
 
+{{% /tab %}}
+{{< /tabs >}}
+
 ## Send logs to the Observability Pipelines Worker over Amazon Data Firehose
 
 {{% observability_pipelines/log_source_configuration/amazon_data_firehose %}}
diff --git a/content/en/observability_pipelines/sources/amazon_s3.md b/content/en/observability_pipelines/sources/amazon_s3.md
index 8f65a864643..6710391ad7d 100644
--- a/content/en/observability_pipelines/sources/amazon_s3.md
+++ b/content/en/observability_pipelines/sources/amazon_s3.md
@@ -13,9 +13,9 @@ Use Observability Pipelines' Amazon S3 source to receive logs from Amazon S3. Se
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-1. Enter the identifier for your Amazon S3 URL.
-    - **Note**: Only enter the identifier for the URL. Do **not** enter the actual URL.
-    - If left blank, the default is used: `SOURCE_AWS_S3_SQS_URL`.
+<div class="alert alert-danger">Only enter the identifiers for the Amazon S3 URL, and if applicable, the key pass. Do <b>not</b> enter the actual values.</div>
+
+1. Enter the identifier for your Amazon S3 URL. If you leave it blank, the [default](#set-secrets) is used.
 1. Enter the AWS region.
 
 ### Optional settings
@@ -29,17 +29,34 @@ Select an **AWS authentication** option. If you select **Assume role**:
 #### Enable TLS
 
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-- Enter the identifier for your Amazon S3 key pass.
-    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
-    - If left blank, the default is used: `SOURCE_AWS_S3_KEY_PASS`.
+- Enter the identifier for your Amazon S3 key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
-## Set the environment variables
+## Set secrets
+
+The following are the defaults used for secret identifiers and environment variables.
+
+**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+
+{{< tabs >}}
+{{% tab "Secrets Management" %}}
+
+- Amazon S3 URL identifier:
+	- The default identifier is `SOURCE_AWS_S3_SQS_URL`.
+- Amazon S3 TLS passphrase identifier (when TLS is enabled):
+	- The default identifier is `SOURCE_AWS_S3_KEY_PASS`.
+
+{{% /tab %}}
+
+{{% tab "Environment Variables" %}}
 
 {{% observability_pipelines/configure_existing_pipelines/source_env_vars/amazon_s3 %}}
 
+{{% /tab %}}
+{{< /tabs >}}
+
 ## AWS Authentication
 
 {{% observability_pipelines/aws_authentication/instructions %}}
diff --git a/content/en/observability_pipelines/sources/fluent.md b/content/en/observability_pipelines/sources/fluent.md
index 8651f67a126..ab8427180f2 100644
--- a/content/en/observability_pipelines/sources/fluent.md
+++ b/content/en/observability_pipelines/sources/fluent.md
@@ -13,24 +13,41 @@ Use Observability Pipelines' Fluentd or Fluent Bit source to receive logs from t
 
 Select and set up this source when you [set up a pipeline][1]. The information below are for the source settings in the pipeline UI.
 
-- 1. Enter the identifier for your Fluent address.
-    - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
-    - If left blank, the default is used: `SOURCE_FLUENT_ADDRESS`.
+<div class="alert alert-danger">Only enter the identifiers for the Fluent address, and if applicable, the key pass. Do <b>not</b> enter the actual values.</div>
+
+1. Enter the identifier for your Fluent address. If you leave it blank, the [default](#set-secrets) is used.
 
 ### Optional settings
 
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-- Enter the identifier for your Fluent key pass.
-    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
-    - If left blank, the default is used: `SOURCE_FLUENT_KEY_PASS`.
+- Enter the identifier for your Fluent key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
 - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
-## Set the environment variables
+## Set secrets
+
+The following are the defaults used for secret identifiers and environment variables.
+
+**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+
+{{< tabs >}}
+{{% tab "Secrets Management" %}}
+
+- Fluent address identifier:
+	- The default identifier is `SOURCE_FLUENT_ADDRESS`.
+- Fluent TLS passphrase identifier (when TLS is enabled):
+	- The default identifier is `SOURCE_FLUENT_KEY_PASS`.
+
+{{% /tab %}}
+
+{{% tab "Environment Variables" %}}
 
 {{% observability_pipelines/configure_existing_pipelines/source_env_vars/fluent %}}
 
+{{% /tab %}}
+{{< /tabs >}}
+
 ## Send logs to the Observability Pipelines Worker over Fluent
 
 {{% observability_pipelines/log_source_configuration/fluent %}}
diff --git a/content/en/observability_pipelines/sources/google_pubsub.md b/content/en/observability_pipelines/sources/google_pubsub.md
index d2c16d84054..2dc2f2ad323 100644
--- a/content/en/observability_pipelines/sources/google_pubsub.md
+++ b/content/en/observability_pipelines/sources/google_pubsub.md
@@ -24,10 +24,24 @@ Select and set up this source when you [set up a pipeline][1]. The information b
     - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
     - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS #8) format.
 
-## Set the environment variables
+## Set secrets
+
+**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+
+{{< tabs >}}
+{{% tab "Secrets Management" %}}
+
+No default secret identifiers are required for this source.
+
+{{% /tab %}}
+
+{{% tab "Environment Variables" %}}
 
 {{% observability_pipelines/configure_existing_pipelines/source_env_vars/google_pubsub %}}
 
+{{% /tab %}}
+{{< /tabs >}}
+
 [1]: /observability_pipelines/configuration/set_up_pipelines/
 [2]: https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity
 [3]: /observability_pipelines/configuration/install_the_worker/advanced_worker_configurations/
diff --git a/content/en/observability_pipelines/sources/http_client.md b/content/en/observability_pipelines/sources/http_client.md
index 6a78660d8e4..6e916ef3e93 100644
--- a/content/en/observability_pipelines/sources/http_client.md
+++ b/content/en/observability_pipelines/sources/http_client.md
@@ -15,26 +15,25 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 
 To configure your HTTP/S Client source:
 
-1. Enter the identifier for your HTTP Client endpoint URL.
-    - **Note**: Only enter the identifier for the endpoint URL. Do **not** enter the actual endpoint URL.
-    - If left blank, the default is used: `SOURCE_HTTP_CLIENT_ENDPOINT_URL`.
+
+<div class="alert alert-danger">Only enter the identifiers for the HTTP Client endpoint URL and if applicable, your authorization strategy secrets. Do <b>not</b> enter the actual values.</div>
+
+1. Enter the identifier for your HTTP Client endpoint URL. If you leave it blank, the [default](#set-secrets) is used.
+
 1. Select your authorization strategy. If you selected:
    - **Basic**:
-      - Enter the identifier for your HTTP Client username.
-         - If left blank, the default is used: `SOURCE_HTTP_CLIENT_USERNAME`.
-      Enter the identifier for your HTTP Client password.
-         - If left blank, the default is used: `SOURCE_HTTP_CLIENT_PASSWORD`.
-   - **Bearer**: Enter the identifier for your bearer token.
-      - If left blank, the default is used: `SOURCE_HTTP_CLIENT_BEARER_TOKEN`.
+      - Enter the identifier for your HTTP Client username. If you leave it blank, the [default](#set-secrets) is used.
+      - Enter the identifier for your HTTP Client password. If you leave it blank, the [default](#set-secrets) is used.
+   - **Bearer**: Enter the identifier for your bearer token. If you leave it blank, the [default](#set-secrets) is used.
 1. Select the decoder you want to use on the HTTP messages. Logs pulled from the HTTP source must be in this format.
 
 ### Optional settings
 
 #### Enable TLS
+
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-   - Enter the identifier for your HTTP Client key pass.
+   - Enter the identifier for your HTTP Client key pass. If you leave it blank, the [default](#set-secrets) is used.
          - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
-         - If left blank, the default is used: `SOURCE_HTTP_CLIENT_KEY_PASS`
    - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
    - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
    - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
@@ -46,9 +45,36 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
    - Since requests run concurrently, if a scrape takes longer than the interval given, a new scrape is started, which can consume extra resources. Set the timeout to a value lower than the scrape interval to prevent this from happening.
 - Enter the timeout for each scrape request.
 
-## Set the environment variables
+## Set secrets
+
+The following are the defaults used for secret identifiers and environment variables.
+
+**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+
+{{< tabs >}}
+{{% tab "Secrets Management" %}}
+
+- HTTP Client endpoint URL identifier:
+	- The default identifier is `SOURCE_HTTP_CLIENT_ENDPOINT_URL`.
+- HTTP Client TLS passphrase identifier (when TLS is enabled):
+	- The default identifier is `SOURCE_HTTP_CLIENT_KEY_PASS`.
+- If you are using basic authentication:
+	- HTTP Client username identifier:
+		- The default identifier is `SOURCE_HTTP_CLIENT_USERNAME`.
+	- HTTP Client password identifier:
+		- The default identifier is `SOURCE_HTTP_CLIENT_PASSWORD`.
+- If you are using bearer authentication:
+	- HTTP Client bearer token identifier:
+		- The default identifier is `SOURCE_HTTP_CLIENT_BEARER_TOKEN`.
+
+{{% /tab %}}
+
+{{% tab "Environment Variables" %}}
 
 {{% observability_pipelines/configure_existing_pipelines/source_env_vars/http_client %}}
 
+{{% /tab %}}
+{{< /tabs >}}
+
 [1]: /observability_pipelines/configuration/set_up_pipelines/
 [2]: /observability_pipelines/configuration/install_the_worker/advanced_worker_configurations/
\ No newline at end of file
diff --git a/content/en/observability_pipelines/sources/http_server.md b/content/en/observability_pipelines/sources/http_server.md
index 0a8691e1eb6..6cdb25ede6b 100644
--- a/content/en/observability_pipelines/sources/http_server.md
+++ b/content/en/observability_pipelines/sources/http_server.md
@@ -17,30 +17,51 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 
 To configure your HTTP/S Server source, enter the following:
 
-1. Enter the identifier for your HTTP Server address.
+<div class="alert alert-danger">Only enter the identifiers for the HTTP Server address, and if applicable, the username and password for basic authorization and the TLS key pass. Do <b>not</b> enter the actual values.</div>
+
+1. Enter the identifier for your HTTP Server address. If you leave it blank, the [default](#set-secrets) is used.
     - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
-    - If left blank, the default is used: `SOURCE_HTTP_SERVER_ADDRESS`.
 1. Select your authorization strategy. If you selected **Basic**:
-    - Enter the identifier for your HTTP Server username.
-        - If left blank, the default is used: `SOURCE_HTTP_SERVER_USERNAME`.
-    Enter the identifier for your HTTP Server password.
-        - If left blank, the default is used: `SOURCE_HTTP_SERVER_PASSWORD`.
+    - Enter the identifier for your HTTP Server username. If you leave it blank, the [default](#set-secrets) is used.
+    - Enter the identifier for your HTTP Server password. If you leave it blank, the [default](#set-secrets) is used.
 1. Select the decoder you want to use on the HTTP messages. Your HTTP client logs must be in this format. **Note**: If you select `bytes` decoding, the raw log is stored in the `message` field.
 
 ### Optional settings
 
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-- Enter the identifier for your HTTP Server key pass.
-    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
-    - If left blank, the default is used: `SOURCE_HTTP_SERVER_KEY_PASS`.
+- Enter the identifier for your HTTP Server key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS #8) format.
 
-## Set the environment variables
+## Set secrets
+
+The following are the defaults used for secret identifiers and environment variables.
+
+**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+
+{{< tabs >}}
+{{% tab "Secrets Management" %}}
+
+- HTTP Server address identifier:
+	- The default identifier is `SOURCE_HTTP_SERVER_ADDRESS`.
+- HTTP Server TLS passphrase identifier (when TLS is enabled):
+	- The default identifier is `SOURCE_HTTP_SERVER_KEY_PASS`.
+- If you are using basic authentication:
+	- HTTP Server username identifier:
+		- The default identifier is `SOURCE_HTTP_SERVER_USERNAME`.
+	- HTTP Server password identifier:
+		- The default identifier is `SOURCE_HTTP_SERVER_PASSWORD`.
+
+{{% /tab %}}
+
+{{% tab "Environment Variables" %}}
 
 {{% observability_pipelines/configure_existing_pipelines/source_env_vars/http_server %}}
 
+{{% /tab %}}
+{{< /tabs >}}
+
 ## Send AWS vended logs with the Datadog Lambda Forwarder to Observability Pipelines
 
 To send AWS vended logs to Observability Pipelines with the HTTP/S Server source:
diff --git a/content/en/observability_pipelines/sources/kafka.md b/content/en/observability_pipelines/sources/kafka.md
index a8474f8bebc..ddba3320d35 100644
--- a/content/en/observability_pipelines/sources/kafka.md
+++ b/content/en/observability_pipelines/sources/kafka.md
@@ -15,14 +15,11 @@ You can also [send Azure Event Hub logs to Observability Pipelines using the Kaf
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-<div class="alert alert-danger">Only enter the identifiers for the Kafka servers, username, and password. Do <b>not</b> enter the actual values.</a></div>
-
-1. Enter the identifier for your Kafka servers.
-    - If left blank, the default is used: `SOURCE_KAFKA_BOOTSTRAP_SERVERS`.
-1. Enter the identifier for your Kafka username.
-    - If left blank, the default is used: `SOURCE_KAFKA_SASL_USERNAME`.
-1. Enter the identifier for your Kafka password.
-    - If left blank, the default is used: `SOURCE_KAFKA_SASL_PASSWORD`.
+<div class="alert alert-danger">Only enter the identifiers for the Kafka servers, username, password, and if applicable, the key pass. Do <b>not</b> enter the actual values.</a></div>
+
+1. Enter the identifier for your Kafka servers. If you leave it blank, the [default](#set-secrets) is used.
+1. Enter the identifier for your Kafka username. If you leave it blank, the [default](#set-secrets) is used.
+1. Enter the identifier for your Kafka password. If you leave it blank, the [default](#set-secrets) is used.
 1. Enter the group ID.
 1. Enter the topic name. If there is more than one, click **Add Field** to add additional topics.
 
@@ -36,9 +33,7 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 #### Enable TLS
 
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][5] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-- Enter the identifier for your Kafka key pass.
-    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
-    - If left blank, the default is used: `SOURCE_KAFKA_KEY_PASS`.
+- Enter the identifier for your Kafka key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
@@ -51,10 +46,33 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 1. Check your values against the [librdkafka documentation][4] to make sure they have the correct type and are within the set range.
 1. Click **Add Option** to add another librdkafka option.
 
-## Set the environment variables
+## Set secrets
+
+The following are the defaults used for secret identifiers and environment variables.
+
+**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+
+{{< tabs >}}
+{{% tab "Secrets Management" %}}
+
+- Kafka bootstrap servers identifier:
+	- The default identifier is `SOURCE_KAFKA_BOOTSTRAP_SERVERS`.
+- Kafka SASL username identifier:
+	- The default identifier is `SOURCE_KAFKA_SASL_USERNAME`.
+- Kafka SASL password identifier:
+	- The default identifier is `SOURCE_KAFKA_SASL_PASSWORD`.
+- Kafka TLS passphrase identifier (when TLS is enabled):
+	- The default identifier is `SOURCE_KAFKA_KEY_PASS`.
+
+{{% /tab %}}
+
+{{% tab "Environment Variables" %}}
 
 {{% observability_pipelines/configure_existing_pipelines/source_env_vars/kafka %}}
 
+{{% /tab %}}
+{{< /tabs >}}
+
 ## librdkafka options
 
 These are the available librdkafka options:
diff --git a/content/en/observability_pipelines/sources/logstash.md b/content/en/observability_pipelines/sources/logstash.md
index 6e5fa7f1472..fb7ec5faac5 100644
--- a/content/en/observability_pipelines/sources/logstash.md
+++ b/content/en/observability_pipelines/sources/logstash.md
@@ -15,24 +15,41 @@ You can also use the Logstash source to [send logs to Observability Pipelines us
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-- Enter the identifier for your Logstash address.
-    - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
-    - If left blank, the default is used: `SOURCE_LOGSTASH_ADDRESS`.
+<div class="alert alert-danger">Only enter the identifiers for the Logstash address, and if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
+
+- Enter the identifier for your Logstash address. If you leave it blank, the [default](#set-secrets) is used.
 
 ### Optional settings
 
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][3] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-- Enter the identifier for your Logstash key pass.
-    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
-    - If left blank, the default is used: `SOURCE_LOGSTASH_KEY_PASS`.
+- Enter the identifier for your Logstash key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS #8) format.
 
-## Set the environment variables
+## Set secrets
+
+The following are the defaults used for secret identifiers and environment variables.
+
+**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+
+{{< tabs >}}
+{{% tab "Secrets Management" %}}
+
+- Logstash address identifier:
+	- The default identifier is `SOURCE_LOGSTASH_ADDRESS`.
+- Logstash TLS passphrase identifier (when TLS is enabled):
+	- The default identifier is `SOURCE_LOGSTASH_KEY_PASS`.
+
+{{% /tab %}}
+
+{{% tab "Environment Variables" %}}
 
 {{% observability_pipelines/configure_existing_pipelines/source_env_vars/logstash %}}
 
+{{% /tab %}}
+{{< /tabs >}}
+
 ## Send logs to the Observability Pipelines Worker over Logstash
 
 {{% observability_pipelines/log_source_configuration/logstash %}}
diff --git a/content/en/observability_pipelines/sources/socket.md b/content/en/observability_pipelines/sources/socket.md
index 164f1027d94..25879ae4547 100644
--- a/content/en/observability_pipelines/sources/socket.md
+++ b/content/en/observability_pipelines/sources/socket.md
@@ -13,9 +13,9 @@ Use Observability Pipelines' Socket source to send logs to the Worker over a soc
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-1.  Enter the identifier for your socket address.
-    - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
-    - If left blank, the default is used: `SOURCE_SOCKET_ADDRESS`.
+<div class="alert alert-danger">Only enter the identifiers for the socket address, and if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
+
+1.  Enter the identifier for your socket address. If you leave it blank, the [default](#set-secrets) is used.
 1. In the **Mode** dropdown menu, select the socket type to use.
 1. In the **Framing** dropdown menu, select how to delimit the stream of events.
     <table>
@@ -54,16 +54,33 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 ### Optional settings
 
 If you selected **TCP** mode, toggle the switch to **Enable TLS**. The following certificate and key files are required for TLS.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-- Enter the identifier for your socket key pass.
-    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
-    - If left blank, the default is used: `SOURCE_SOCKET_KEY_PASS`.
+- Enter the identifier for your socket key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS #8) format.
 
-## Set the environment variables
+## Set secrets
+
+The following are the defaults used for secret identifiers and environment variables.
+
+**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+
+{{< tabs >}}
+{{% tab "Secrets Management" %}}
+
+- Socket address identifier:
+	- The default identifier is `SOURCE_SOCKET_ADDRESS`.
+- Socket TLS passphrase identifier (when TLS is enabled):
+	- The default identifier is `SOURCE_SOCKET_KEY_PASS`.
+
+{{% /tab %}}
+
+{{% tab "Environment Variables" %}}
 
 {{% observability_pipelines/configure_existing_pipelines/source_env_vars/socket %}}
 
+{{% /tab %}}
+{{< /tabs >}}
+
 [1]: /observability_pipelines/configuration/set_up_pipelines/
 [2]: /observability_pipelines/configuration/install_the_worker/advanced_worker_configurations/
\ No newline at end of file
diff --git a/content/en/observability_pipelines/sources/splunk_hec.md b/content/en/observability_pipelines/sources/splunk_hec.md
index e3dce84097a..2e9159c8680 100644
--- a/content/en/observability_pipelines/sources/splunk_hec.md
+++ b/content/en/observability_pipelines/sources/splunk_hec.md
@@ -15,24 +15,41 @@ Use Observability Pipelines' Splunk HTTP Event Collector (HEC) source to receive
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-- Enter the identifier for your Splunk HEC address.
-    - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
-    - If left blank, the default is used: `SOURCE_SPLUNK_HEC_ADDRESS`.
+<div class="alert alert-danger">Only enter the identifiers for the Splunk HEC address, and if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
+
+- Enter the identifier for your Splunk HEC address. If you leave it blank, the [default](#set-secrets) is used.
 
 ### Optional settings
 
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][5] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-- Enter the identifier for your Splunk HEC key pass.
-    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
-    - If left blank, the default is used: `SOURCE_SPLUNK_HEC_KEY_PASS`.
+- Enter the identifier for your Splunk HEC key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
-## Set the environment variables
+## Set secrets
+
+The following are the defaults used for secret identifiers and environment variables.
+
+**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+
+{{< tabs >}}
+{{% tab "Secrets Management" %}}
+
+- Splunk HEC address identifier:
+	- The default identifier is `SOURCE_SPLUNK_HEC_ADDRESS`.
+- Splunk HEC TLS passphrase identifier (when TLS is enabled):
+	- The default identifier is `SOURCE_SPLUNK_HEC_KEY_PASS`.
+
+{{% /tab %}}
+
+{{% tab "Environment Variables" %}}
 
 {{% observability_pipelines/configure_existing_pipelines/source_env_vars/splunk_hec %}}
 
+{{% /tab %}}
+{{< /tabs >}}
+
 {{% observability_pipelines/log_source_configuration/splunk_hec %}}
 
 ## Send logs from the Splunk Distribution of the OpenTelemetry Collector to Observability Pipelines
diff --git a/content/en/observability_pipelines/sources/splunk_tcp.md b/content/en/observability_pipelines/sources/splunk_tcp.md
index 87b7485e33b..9a78a3a1aab 100644
--- a/content/en/observability_pipelines/sources/splunk_tcp.md
+++ b/content/en/observability_pipelines/sources/splunk_tcp.md
@@ -13,24 +13,41 @@ Use Observability Pipelines' Splunk Heavy and Universal Forwards (TCP) source to
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-- Enter the identifier for your Splunk TCP address.
-    - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
-    - If left blank, the default is used: `SOURCE_SPLUNK_TCP_ADDRESS`.
+<div class="alert alert-danger">Only enter the identifiers for the Splunk TCP address, and if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
+
+- Enter the identifier for your Splunk TCP address. If you leave it blank, the [default](#set-secrets) is used.
 
 ### Optional settings
 
 Click the toggle to **Enable TLS**. If you enable TLS, the following certificate and key files are required:
-- Enter the identifier for your Splunk TCP key pass.
-    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
-    - If left blank, the default is used: `SOURCE_SPLUNK_TCP_KEY_PASS`.
+- Enter the identifier for your Splunk TCP key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in either DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
-## Set the environment variables
+## Set secrets
+
+The following are the defaults used for secret identifiers and environment variables.
+
+**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+
+{{< tabs >}}
+{{% tab "Secrets Management" %}}
+
+- Splunk TCP address identifier:
+	- The default identifier is `SOURCE_SPLUNK_TCP_ADDRESS`.
+- Splunk TCP TLS passphrase identifier (when TLS is enabled):
+	- The default identifier is `SOURCE_SPLUNK_TCP_KEY_PASS`.
+
+{{% /tab %}}
+
+{{% tab "Environment Variables" %}}
 
 {{% observability_pipelines/configure_existing_pipelines/source_env_vars/splunk_tcp %}}
 
+{{% /tab %}}
+{{< /tabs >}}
+
 {{% observability_pipelines/log_source_configuration/splunk_tcp %}}
 
 [1]: /observability_pipelines/configuration/set_up_pipelines/
diff --git a/content/en/observability_pipelines/sources/sumo_logic.md b/content/en/observability_pipelines/sources/sumo_logic.md
index 2bdaef257f5..8ee459c67e6 100644
--- a/content/en/observability_pipelines/sources/sumo_logic.md
+++ b/content/en/observability_pipelines/sources/sumo_logic.md
@@ -13,18 +13,34 @@ Use Observability Pipelines' Sumo Logic Hosted Collector source to receive logs
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-- Enter the identifier for your Sumo Logic address.
+- Enter the identifier for your Sumo Logic address. If you leave it blank, the [default](#set-secrets) is used.
     - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
-    - If left blank, the default is used: `SOURCE_SUMO_LOGIC_ADDRESS`.
 
 ### Optional settings
 
 In the **Decoding** dropdown menu, select whether your input format is raw **Bytes**, **JSON**, Graylog Extended Log Format (**Gelf**), or **Syslog**. If no decoding is selected, the decoding defaults to JSON.
 
-## Set the environment variables
+## Set secrets
+
+The following are the defaults used for secret identifiers and environment variables.
+
+**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+
+{{< tabs >}}
+{{% tab "Secrets Management" %}}
+
+- Sumo Logic address identifier:
+	- The default identifier is `SOURCE_SUMO_LOGIC_ADDRESS`.
+
+{{% /tab %}}
+
+{{% tab "Environment Variables" %}}
 
 {{% observability_pipelines/configure_existing_pipelines/source_env_vars/sumo_logic %}}
 
+{{% /tab %}}
+{{< /tabs >}}
+
 {{% observability_pipelines/log_source_configuration/sumo_logic %}}
 
 [1]: /observability_pipelines/configuration/set_up_pipelines/
\ No newline at end of file
diff --git a/content/en/observability_pipelines/sources/syslog.md b/content/en/observability_pipelines/sources/syslog.md
index 4c455965910..f59b4319451 100644
--- a/content/en/observability_pipelines/sources/syslog.md
+++ b/content/en/observability_pipelines/sources/syslog.md
@@ -17,25 +17,42 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 
 To configure your Syslog source:
 
-1. Enter the identifier for your syslog address.
-    - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
-    - If left blank, the default is used: `SOURCE_SYSLOG_ADDRESS`.
+<div class="alert alert-danger">Only enter the identifiers for the syslog address, and if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
+
+1. Enter the identifier for your syslog address. If you leave it blank, the [default](#set-secrets) is used.
 1. In the **Socket Type** dropdown menu, select the communication protocol you want to use: **TCP** or **UDP**.
 
 ### Optional settings
 
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][6] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-- Enter the identifier for your syslog key pass.
-    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
-    - If left blank, the default is used: `SOURCE_SYSLOG_KEY_PASS`.
+- Enter the identifier for your syslog key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
 - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
-## Set the environment variables
+## Set secrets
+
+The following are the defaults used for secret identifiers and environment variables.
+
+**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+
+{{< tabs >}}
+{{% tab "Secrets Management" %}}
+
+- Syslog address identifier:
+	- The default identifier is `SOURCE_SYSLOG_ADDRESS`.
+- Syslog TLS passphrase identifier (when TLS is enabled):
+	- The default identifier is `SOURCE_SYSLOG_KEY_PASS`.
+
+{{% /tab %}}
+
+{{% tab "Environment Variables" %}}
 
 {{% observability_pipelines/configure_existing_pipelines/source_env_vars/syslog %}}
 
+{{% /tab %}}
+{{< /tabs >}}
+
 ## Send logs to the Observability Pipelines Worker over syslog
 
 {{% observability_pipelines/log_source_configuration/syslog %}}

From 3fce5aafd38efe5bb61721e3a89116095803b9a5 Mon Sep 17 00:00:00 2001
From: May Lee <may.lee@datadoghq.com>
Date: Fri, 19 Dec 2025 13:13:24 -0500
Subject: [PATCH 2/8] use set secrets intro shortcode

---
 .../observability_pipelines/sources/amazon_data_firehose.md   | 4 +---
 content/en/observability_pipelines/sources/amazon_s3.md       | 4 +---
 content/en/observability_pipelines/sources/fluent.md          | 4 +---
 content/en/observability_pipelines/sources/google_pubsub.md   | 2 +-
 content/en/observability_pipelines/sources/http_client.md     | 4 +---
 content/en/observability_pipelines/sources/http_server.md     | 4 +---
 content/en/observability_pipelines/sources/kafka.md           | 4 +---
 content/en/observability_pipelines/sources/logstash.md        | 4 +---
 content/en/observability_pipelines/sources/socket.md          | 4 +---
 content/en/observability_pipelines/sources/splunk_hec.md      | 4 +---
 content/en/observability_pipelines/sources/splunk_tcp.md      | 4 +---
 content/en/observability_pipelines/sources/sumo_logic.md      | 4 +---
 content/en/observability_pipelines/sources/syslog.md          | 4 +---
 13 files changed, 13 insertions(+), 37 deletions(-)

diff --git a/content/en/observability_pipelines/sources/amazon_data_firehose.md b/content/en/observability_pipelines/sources/amazon_data_firehose.md
index 19332588f21..cb1892f381d 100644
--- a/content/en/observability_pipelines/sources/amazon_data_firehose.md
+++ b/content/en/observability_pipelines/sources/amazon_data_firehose.md
@@ -40,9 +40,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 
 ## Set secrets
 
-The following are the defaults used for secret identifiers and environment variables.
-
-**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+{{% observability_pipelines/set_secrets_intro %}}
 
 {{< tabs >}}
 {{% tab "Secrets Management" %}}
diff --git a/content/en/observability_pipelines/sources/amazon_s3.md b/content/en/observability_pipelines/sources/amazon_s3.md
index 6710391ad7d..a07ec4fec47 100644
--- a/content/en/observability_pipelines/sources/amazon_s3.md
+++ b/content/en/observability_pipelines/sources/amazon_s3.md
@@ -36,9 +36,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 
 ## Set secrets
 
-The following are the defaults used for secret identifiers and environment variables.
-
-**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+{{% observability_pipelines/set_secrets_intro %}}
 
 {{< tabs >}}
 {{% tab "Secrets Management" %}}
diff --git a/content/en/observability_pipelines/sources/fluent.md b/content/en/observability_pipelines/sources/fluent.md
index d74a210241e..f052f081308 100644
--- a/content/en/observability_pipelines/sources/fluent.md
+++ b/content/en/observability_pipelines/sources/fluent.md
@@ -32,9 +32,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 
 ## Set secrets
 
-The following are the defaults used for secret identifiers and environment variables.
-
-**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+{{% observability_pipelines/set_secrets_intro %}}
 
 {{< tabs >}}
 {{% tab "Secrets Management" %}}
diff --git a/content/en/observability_pipelines/sources/google_pubsub.md b/content/en/observability_pipelines/sources/google_pubsub.md
index c5d8eaa0fb8..06048ad999b 100644
--- a/content/en/observability_pipelines/sources/google_pubsub.md
+++ b/content/en/observability_pipelines/sources/google_pubsub.md
@@ -31,7 +31,7 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 
 ## Set secrets
 
-**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+{{% observability_pipelines/set_secrets_intro %}}
 
 {{< tabs >}}
 {{% tab "Secrets Management" %}}
diff --git a/content/en/observability_pipelines/sources/http_client.md b/content/en/observability_pipelines/sources/http_client.md
index a55f5c363ba..ea1733680af 100644
--- a/content/en/observability_pipelines/sources/http_client.md
+++ b/content/en/observability_pipelines/sources/http_client.md
@@ -52,9 +52,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 
 ## Set secrets
 
-The following are the defaults used for secret identifiers and environment variables.
-
-**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+{{% observability_pipelines/set_secrets_intro %}}
 
 {{< tabs >}}
 {{% tab "Secrets Management" %}}
diff --git a/content/en/observability_pipelines/sources/http_server.md b/content/en/observability_pipelines/sources/http_server.md
index 20ea02bef14..8ca04f7e7c3 100644
--- a/content/en/observability_pipelines/sources/http_server.md
+++ b/content/en/observability_pipelines/sources/http_server.md
@@ -41,9 +41,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 
 ## Set secrets
 
-The following are the defaults used for secret identifiers and environment variables.
-
-**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+{{% observability_pipelines/set_secrets_intro %}}
 
 {{< tabs >}}
 {{% tab "Secrets Management" %}}
diff --git a/content/en/observability_pipelines/sources/kafka.md b/content/en/observability_pipelines/sources/kafka.md
index f9b95e4db99..c3e41983663 100644
--- a/content/en/observability_pipelines/sources/kafka.md
+++ b/content/en/observability_pipelines/sources/kafka.md
@@ -53,9 +53,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 
 ## Set secrets
 
-The following are the defaults used for secret identifiers and environment variables.
-
-**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+{{% observability_pipelines/set_secrets_intro %}}
 
 {{< tabs >}}
 {{% tab "Secrets Management" %}}
diff --git a/content/en/observability_pipelines/sources/logstash.md b/content/en/observability_pipelines/sources/logstash.md
index fc70dbfe06a..4fc258c2301 100644
--- a/content/en/observability_pipelines/sources/logstash.md
+++ b/content/en/observability_pipelines/sources/logstash.md
@@ -34,9 +34,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 
 ## Set secrets
 
-The following are the defaults used for secret identifiers and environment variables.
-
-**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+{{% observability_pipelines/set_secrets_intro %}}
 
 {{< tabs >}}
 {{% tab "Secrets Management" %}}
diff --git a/content/en/observability_pipelines/sources/socket.md b/content/en/observability_pipelines/sources/socket.md
index 1bc11a57ceb..3708bcf9a9d 100644
--- a/content/en/observability_pipelines/sources/socket.md
+++ b/content/en/observability_pipelines/sources/socket.md
@@ -66,9 +66,7 @@ If you selected **TCP** mode, toggle the switch to **Enable TLS**. The following
 
 ## Set secrets
 
-The following are the defaults used for secret identifiers and environment variables.
-
-**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+{{% observability_pipelines/set_secrets_intro %}}
 
 {{< tabs >}}
 {{% tab "Secrets Management" %}}
diff --git a/content/en/observability_pipelines/sources/splunk_hec.md b/content/en/observability_pipelines/sources/splunk_hec.md
index d91597ff908..465bf7381a2 100644
--- a/content/en/observability_pipelines/sources/splunk_hec.md
+++ b/content/en/observability_pipelines/sources/splunk_hec.md
@@ -34,9 +34,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 
 ## Set secrets
 
-The following are the defaults used for secret identifiers and environment variables.
-
-**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+{{% observability_pipelines/set_secrets_intro %}}
 
 {{< tabs >}}
 {{% tab "Secrets Management" %}}
diff --git a/content/en/observability_pipelines/sources/splunk_tcp.md b/content/en/observability_pipelines/sources/splunk_tcp.md
index 63db7a3afbf..479d0756fde 100644
--- a/content/en/observability_pipelines/sources/splunk_tcp.md
+++ b/content/en/observability_pipelines/sources/splunk_tcp.md
@@ -32,9 +32,7 @@ Click the toggle to **Enable TLS**. If you enable TLS, the following certificate
 
 ## Set secrets
 
-The following are the defaults used for secret identifiers and environment variables.
-
-**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+{{% observability_pipelines/set_secrets_intro %}}
 
 {{< tabs >}}
 {{% tab "Secrets Management" %}}
diff --git a/content/en/observability_pipelines/sources/sumo_logic.md b/content/en/observability_pipelines/sources/sumo_logic.md
index b83e7288726..487fd1083b5 100644
--- a/content/en/observability_pipelines/sources/sumo_logic.md
+++ b/content/en/observability_pipelines/sources/sumo_logic.md
@@ -27,9 +27,7 @@ In the **Decoding** dropdown menu, select whether your input format is raw **Byt
 
 ## Set secrets
 
-The following are the defaults used for secret identifiers and environment variables.
-
-**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+{{% observability_pipelines/set_secrets_intro %}}
 
 {{< tabs >}}
 {{% tab "Secrets Management" %}}
diff --git a/content/en/observability_pipelines/sources/syslog.md b/content/en/observability_pipelines/sources/syslog.md
index 4136acfb078..663ad56a77c 100644
--- a/content/en/observability_pipelines/sources/syslog.md
+++ b/content/en/observability_pipelines/sources/syslog.md
@@ -37,9 +37,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 
 ## Set secrets
 
-The following are the defaults used for secret identifiers and environment variables.
-
-**Note**: If you entered identifiers for yours secrets and then choose to use environment variables, the environment variable is the identifier entered prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for the a password identifier, the environment variable for the password is `DD_OP_PASSWORD_1`.
+{{% observability_pipelines/set_secrets_intro %}}
 
 {{< tabs >}}
 {{% tab "Secrets Management" %}}

From 1253049214c1664065e8eeffefb4a568909c2628 Mon Sep 17 00:00:00 2001
From: May Lee <may.lee@datadoghq.com>
Date: Fri, 19 Dec 2025 13:14:46 -0500
Subject: [PATCH 3/8] update key pass

---
 .../en/observability_pipelines/sources/amazon_data_firehose.md  | 2 +-
 content/en/observability_pipelines/sources/amazon_s3.md         | 2 +-
 content/en/observability_pipelines/sources/fluent.md            | 2 +-
 content/en/observability_pipelines/sources/kafka.md             | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/content/en/observability_pipelines/sources/amazon_data_firehose.md b/content/en/observability_pipelines/sources/amazon_data_firehose.md
index cb1892f381d..3592bc3a6d0 100644
--- a/content/en/observability_pipelines/sources/amazon_data_firehose.md
+++ b/content/en/observability_pipelines/sources/amazon_data_firehose.md
@@ -18,7 +18,7 @@ Use Observability Pipelines' Amazon Data Firehose source to receive logs from Am
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-<div class="alert alert-danger">Only enter the identifiers for the Amazon Data Firehose address, and if applicable, the key pass. Do <b>not</b> enter the actual values.</div>
+<div class="alert alert-danger">Only enter the identifiers for the Amazon Data Firehose address, and if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
 
 - Enter the identifier for your Amazon Data Firehose address. If you leave it blank, the [default](#set-secrets) is used.
 
diff --git a/content/en/observability_pipelines/sources/amazon_s3.md b/content/en/observability_pipelines/sources/amazon_s3.md
index a07ec4fec47..b356b745693 100644
--- a/content/en/observability_pipelines/sources/amazon_s3.md
+++ b/content/en/observability_pipelines/sources/amazon_s3.md
@@ -13,7 +13,7 @@ Use Observability Pipelines' Amazon S3 source to receive logs from Amazon S3. Se
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-<div class="alert alert-danger">Only enter the identifiers for the Amazon S3 URL, and if applicable, the key pass. Do <b>not</b> enter the actual values.</div>
+<div class="alert alert-danger">Only enter the identifiers for the Amazon S3 URL, and if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
 
 1. Enter the identifier for your Amazon S3 URL. If you leave it blank, the [default](#set-secrets) is used.
 1. Enter the AWS region.
diff --git a/content/en/observability_pipelines/sources/fluent.md b/content/en/observability_pipelines/sources/fluent.md
index f052f081308..1ad54958cc2 100644
--- a/content/en/observability_pipelines/sources/fluent.md
+++ b/content/en/observability_pipelines/sources/fluent.md
@@ -18,7 +18,7 @@ Use Observability Pipelines' Fluentd or Fluent Bit source to receive logs from t
 
 Select and set up this source when you [set up a pipeline][1]. The information below are for the source settings in the pipeline UI.
 
-<div class="alert alert-danger">Only enter the identifiers for the Fluent address, and if applicable, the key pass. Do <b>not</b> enter the actual values.</div>
+<div class="alert alert-danger">Only enter the identifiers for the Fluent address, and if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
 
 1. Enter the identifier for your Fluent address. If you leave it blank, the [default](#set-secrets) is used.
 
diff --git a/content/en/observability_pipelines/sources/kafka.md b/content/en/observability_pipelines/sources/kafka.md
index c3e41983663..ece10643919 100644
--- a/content/en/observability_pipelines/sources/kafka.md
+++ b/content/en/observability_pipelines/sources/kafka.md
@@ -20,7 +20,7 @@ You can also [send Azure Event Hub logs to Observability Pipelines using the Kaf
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-<div class="alert alert-danger">Only enter the identifiers for the Kafka servers, username, password, and if applicable, the key pass. Do <b>not</b> enter the actual values.</a></div>
+<div class="alert alert-danger">Only enter the identifiers for the Kafka servers, username, password, and if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</a></div>
 
 1. Enter the identifier for your Kafka servers. If you leave it blank, the [default](#set-secrets) is used.
 1. Enter the identifier for your Kafka username. If you leave it blank, the [default](#set-secrets) is used.

From 80f70977cbbf1e1afc1b3202bf77d2fa2aa7574e Mon Sep 17 00:00:00 2001
From: May Lee <may.lee@datadoghq.com>
Date: Fri, 19 Dec 2025 13:26:23 -0500
Subject: [PATCH 4/8] fix commas

---
 .../en/observability_pipelines/sources/amazon_data_firehose.md  | 2 +-
 content/en/observability_pipelines/sources/amazon_s3.md         | 2 +-
 content/en/observability_pipelines/sources/fluent.md            | 2 +-
 content/en/observability_pipelines/sources/http_client.md       | 2 +-
 content/en/observability_pipelines/sources/http_server.md       | 2 +-
 content/en/observability_pipelines/sources/logstash.md          | 2 +-
 content/en/observability_pipelines/sources/socket.md            | 2 +-
 content/en/observability_pipelines/sources/splunk_hec.md        | 2 +-
 content/en/observability_pipelines/sources/splunk_tcp.md        | 2 +-
 content/en/observability_pipelines/sources/syslog.md            | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/content/en/observability_pipelines/sources/amazon_data_firehose.md b/content/en/observability_pipelines/sources/amazon_data_firehose.md
index 3592bc3a6d0..d3a56911373 100644
--- a/content/en/observability_pipelines/sources/amazon_data_firehose.md
+++ b/content/en/observability_pipelines/sources/amazon_data_firehose.md
@@ -18,7 +18,7 @@ Use Observability Pipelines' Amazon Data Firehose source to receive logs from Am
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-<div class="alert alert-danger">Only enter the identifiers for the Amazon Data Firehose address, and if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
+<div class="alert alert-danger">Only enter the identifiers for the Amazon Data Firehose address and, if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
 
 - Enter the identifier for your Amazon Data Firehose address. If you leave it blank, the [default](#set-secrets) is used.
 
diff --git a/content/en/observability_pipelines/sources/amazon_s3.md b/content/en/observability_pipelines/sources/amazon_s3.md
index b356b745693..b4e5af78e09 100644
--- a/content/en/observability_pipelines/sources/amazon_s3.md
+++ b/content/en/observability_pipelines/sources/amazon_s3.md
@@ -13,7 +13,7 @@ Use Observability Pipelines' Amazon S3 source to receive logs from Amazon S3. Se
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-<div class="alert alert-danger">Only enter the identifiers for the Amazon S3 URL, and if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
+<div class="alert alert-danger">Only enter the identifiers for the Amazon S3 URL and, if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
 
 1. Enter the identifier for your Amazon S3 URL. If you leave it blank, the [default](#set-secrets) is used.
 1. Enter the AWS region.
diff --git a/content/en/observability_pipelines/sources/fluent.md b/content/en/observability_pipelines/sources/fluent.md
index 1ad54958cc2..102205664b6 100644
--- a/content/en/observability_pipelines/sources/fluent.md
+++ b/content/en/observability_pipelines/sources/fluent.md
@@ -18,7 +18,7 @@ Use Observability Pipelines' Fluentd or Fluent Bit source to receive logs from t
 
 Select and set up this source when you [set up a pipeline][1]. The information below are for the source settings in the pipeline UI.
 
-<div class="alert alert-danger">Only enter the identifiers for the Fluent address, and if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
+<div class="alert alert-danger">Only enter the identifiers for the Fluent address and, if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
 
 1. Enter the identifier for your Fluent address. If you leave it blank, the [default](#set-secrets) is used.
 
diff --git a/content/en/observability_pipelines/sources/http_client.md b/content/en/observability_pipelines/sources/http_client.md
index ea1733680af..12142f95f73 100644
--- a/content/en/observability_pipelines/sources/http_client.md
+++ b/content/en/observability_pipelines/sources/http_client.md
@@ -21,7 +21,7 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 To configure your HTTP/S Client source:
 
 
-<div class="alert alert-danger">Only enter the identifiers for the HTTP Client endpoint URL and if applicable, your authorization strategy secrets. Do <b>not</b> enter the actual values.</div>
+<div class="alert alert-danger">Only enter the identifiers for the HTTP Client endpoint URL and, if applicable, your authorization strategy secrets. Do <b>not</b> enter the actual values.</div>
 
 1. Enter the identifier for your HTTP Client endpoint URL. If you leave it blank, the [default](#set-secrets) is used.
 
diff --git a/content/en/observability_pipelines/sources/http_server.md b/content/en/observability_pipelines/sources/http_server.md
index 8ca04f7e7c3..1a8da798a1c 100644
--- a/content/en/observability_pipelines/sources/http_server.md
+++ b/content/en/observability_pipelines/sources/http_server.md
@@ -22,7 +22,7 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 
 To configure your HTTP/S Server source, enter the following:
 
-<div class="alert alert-danger">Only enter the identifiers for the HTTP Server address, and if applicable, the username and password for basic authorization and the TLS key pass. Do <b>not</b> enter the actual values.</div>
+<div class="alert alert-danger">Only enter the identifiers for the HTTP Server address and, if applicable, the username and password for basic authorization and the TLS key pass. Do <b>not</b> enter the actual values.</div>
 
 1. Enter the identifier for your HTTP Server address. If you leave it blank, the [default](#set-secrets) is used.
     - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
diff --git a/content/en/observability_pipelines/sources/logstash.md b/content/en/observability_pipelines/sources/logstash.md
index 4fc258c2301..38cb88567ba 100644
--- a/content/en/observability_pipelines/sources/logstash.md
+++ b/content/en/observability_pipelines/sources/logstash.md
@@ -20,7 +20,7 @@ You can also use the Logstash source to [send logs to Observability Pipelines us
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-<div class="alert alert-danger">Only enter the identifiers for the Logstash address, and if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
+<div class="alert alert-danger">Only enter the identifiers for the Logstash address and, if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
 
 - Enter the identifier for your Logstash address. If you leave it blank, the [default](#set-secrets) is used.
 
diff --git a/content/en/observability_pipelines/sources/socket.md b/content/en/observability_pipelines/sources/socket.md
index 3708bcf9a9d..4af05d2076e 100644
--- a/content/en/observability_pipelines/sources/socket.md
+++ b/content/en/observability_pipelines/sources/socket.md
@@ -18,7 +18,7 @@ Use Observability Pipelines' Socket source to send logs to the Worker over a soc
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-<div class="alert alert-danger">Only enter the identifiers for the socket address, and if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
+<div class="alert alert-danger">Only enter the identifiers for the socket address and, if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
 
 1.  Enter the identifier for your socket address. If you leave it blank, the [default](#set-secrets) is used.
 1. In the **Mode** dropdown menu, select the socket type to use.
diff --git a/content/en/observability_pipelines/sources/splunk_hec.md b/content/en/observability_pipelines/sources/splunk_hec.md
index 465bf7381a2..04dc32f837d 100644
--- a/content/en/observability_pipelines/sources/splunk_hec.md
+++ b/content/en/observability_pipelines/sources/splunk_hec.md
@@ -20,7 +20,7 @@ Use Observability Pipelines' Splunk HTTP Event Collector (HEC) source to receive
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-<div class="alert alert-danger">Only enter the identifiers for the Splunk HEC address, and if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
+<div class="alert alert-danger">Only enter the identifiers for the Splunk HEC address and, if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
 
 - Enter the identifier for your Splunk HEC address. If you leave it blank, the [default](#set-secrets) is used.
 
diff --git a/content/en/observability_pipelines/sources/splunk_tcp.md b/content/en/observability_pipelines/sources/splunk_tcp.md
index 479d0756fde..72dde2be1ef 100644
--- a/content/en/observability_pipelines/sources/splunk_tcp.md
+++ b/content/en/observability_pipelines/sources/splunk_tcp.md
@@ -18,7 +18,7 @@ Use Observability Pipelines' Splunk Heavy and Universal Forwards (TCP) source to
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-<div class="alert alert-danger">Only enter the identifiers for the Splunk TCP address, and if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
+<div class="alert alert-danger">Only enter the identifiers for the Splunk TCP address and, if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
 
 - Enter the identifier for your Splunk TCP address. If you leave it blank, the [default](#set-secrets) is used.
 
diff --git a/content/en/observability_pipelines/sources/syslog.md b/content/en/observability_pipelines/sources/syslog.md
index 663ad56a77c..a88bee0c554 100644
--- a/content/en/observability_pipelines/sources/syslog.md
+++ b/content/en/observability_pipelines/sources/syslog.md
@@ -22,7 +22,7 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 
 To configure your Syslog source:
 
-<div class="alert alert-danger">Only enter the identifiers for the syslog address, and if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
+<div class="alert alert-danger">Only enter the identifiers for the syslog address and, if applicable, the TLS key pass. Do <b>not</b> enter the actual values.</div>
 
 1. Enter the identifier for your syslog address. If you leave it blank, the [default](#set-secrets) is used.
 1. In the **Socket Type** dropdown menu, select the communication protocol you want to use: **TCP** or **UDP**.

From 7cc26a64c2ed17d61547d202bf9cb04d07f37b4a Mon Sep 17 00:00:00 2001
From: May Lee <may.lee@datadoghq.com>
Date: Fri, 19 Dec 2025 13:58:04 -0500
Subject: [PATCH 5/8] add descriptions

---
 .../observability_pipelines/sources/amazon_data_firehose.md  | 1 +
 content/en/observability_pipelines/sources/amazon_s3.md      | 1 +
 content/en/observability_pipelines/sources/fluent.md         | 1 +
 content/en/observability_pipelines/sources/http_client.md    | 1 +
 content/en/observability_pipelines/sources/http_server.md    | 1 +
 content/en/observability_pipelines/sources/kafka.md          | 2 ++
 content/en/observability_pipelines/sources/logstash.md       | 1 +
 content/en/observability_pipelines/sources/socket.md         | 1 +
 content/en/observability_pipelines/sources/splunk_hec.md     | 1 +
 content/en/observability_pipelines/sources/splunk_tcp.md     | 1 +
 content/en/observability_pipelines/sources/sumo_logic.md     | 1 +
 content/en/observability_pipelines/sources/syslog.md         | 5 +++--
 12 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/content/en/observability_pipelines/sources/amazon_data_firehose.md b/content/en/observability_pipelines/sources/amazon_data_firehose.md
index d3a56911373..b6691658a37 100644
--- a/content/en/observability_pipelines/sources/amazon_data_firehose.md
+++ b/content/en/observability_pipelines/sources/amazon_data_firehose.md
@@ -46,6 +46,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 {{% tab "Secrets Management" %}}
 
 - Amazon Data Firehose address identifier:
+	- References the socket address on which the Observability Pipelines Worker listens to receive logs.
 	- The default identifier is `SOURCE_AWS_DATA_FIREHOSE_ADDRESS`.
 - Amazon Data Firehose TLS passphrase identifier (when TLS is enabled):
 	- The default identifier is `SOURCE_AWS_DATA_FIREHOSE_KEY_PASS`.
diff --git a/content/en/observability_pipelines/sources/amazon_s3.md b/content/en/observability_pipelines/sources/amazon_s3.md
index b4e5af78e09..bcb96ed56b9 100644
--- a/content/en/observability_pipelines/sources/amazon_s3.md
+++ b/content/en/observability_pipelines/sources/amazon_s3.md
@@ -42,6 +42,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 {{% tab "Secrets Management" %}}
 
 - Amazon S3 URL identifier:
+	- References the URL of the SQS queue to which the S3 bucket sends the notification events.
 	- The default identifier is `SOURCE_AWS_S3_SQS_URL`.
 - Amazon S3 TLS passphrase identifier (when TLS is enabled):
 	- The default identifier is `SOURCE_AWS_S3_KEY_PASS`.
diff --git a/content/en/observability_pipelines/sources/fluent.md b/content/en/observability_pipelines/sources/fluent.md
index 102205664b6..3ba4948c2f9 100644
--- a/content/en/observability_pipelines/sources/fluent.md
+++ b/content/en/observability_pipelines/sources/fluent.md
@@ -38,6 +38,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 {{% tab "Secrets Management" %}}
 
 - Fluent address identifier:
+	- References the address on which the Observability Pipelines Worker listens for incoming log messages.
 	- The default identifier is `SOURCE_FLUENT_ADDRESS`.
 - Fluent TLS passphrase identifier (when TLS is enabled):
 	- The default identifier is `SOURCE_FLUENT_KEY_PASS`.
diff --git a/content/en/observability_pipelines/sources/http_client.md b/content/en/observability_pipelines/sources/http_client.md
index 12142f95f73..d86951e3d6c 100644
--- a/content/en/observability_pipelines/sources/http_client.md
+++ b/content/en/observability_pipelines/sources/http_client.md
@@ -58,6 +58,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 {{% tab "Secrets Management" %}}
 
 - HTTP Client endpoint URL identifier:
+	- References the endpoint from which the Observability Pipelines Worker collects log events.
 	- The default identifier is `SOURCE_HTTP_CLIENT_ENDPOINT_URL`.
 - HTTP Client TLS passphrase identifier (when TLS is enabled):
 	- The default identifier is `SOURCE_HTTP_CLIENT_KEY_PASS`.
diff --git a/content/en/observability_pipelines/sources/http_server.md b/content/en/observability_pipelines/sources/http_server.md
index 1a8da798a1c..2c9c5cd4fc8 100644
--- a/content/en/observability_pipelines/sources/http_server.md
+++ b/content/en/observability_pipelines/sources/http_server.md
@@ -47,6 +47,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 {{% tab "Secrets Management" %}}
 
 - HTTP Server address identifier:
+	- References the socket address, such as `0.0.0.0:9997`, on which Observability Pipelines Worker listens for HTTP client logs.
 	- The default identifier is `SOURCE_HTTP_SERVER_ADDRESS`.
 - HTTP Server TLS passphrase identifier (when TLS is enabled):
 	- The default identifier is `SOURCE_HTTP_SERVER_KEY_PASS`.
diff --git a/content/en/observability_pipelines/sources/kafka.md b/content/en/observability_pipelines/sources/kafka.md
index ece10643919..731f6d8f036 100644
--- a/content/en/observability_pipelines/sources/kafka.md
+++ b/content/en/observability_pipelines/sources/kafka.md
@@ -59,6 +59,8 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 {{% tab "Secrets Management" %}}
 
 - Kafka bootstrap servers identifier:
+	- References the bootstrap server that the client uses to connect to the Kafka cluster and discover all the other hosts in the cluster.
+	- In your secrets manager, the host and port must be entered in the format of `host:port`, such as `10.14.22.123:9092`. If there is more than one server, use commas to separate them.
 	- The default identifier is `SOURCE_KAFKA_BOOTSTRAP_SERVERS`.
 - Kafka SASL username identifier:
 	- The default identifier is `SOURCE_KAFKA_SASL_USERNAME`.
diff --git a/content/en/observability_pipelines/sources/logstash.md b/content/en/observability_pipelines/sources/logstash.md
index 38cb88567ba..a498ab30c32 100644
--- a/content/en/observability_pipelines/sources/logstash.md
+++ b/content/en/observability_pipelines/sources/logstash.md
@@ -40,6 +40,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 {{% tab "Secrets Management" %}}
 
 - Logstash address identifier:
+	- References the address on which the Observability Pipelines Worker listens for incoming log messages.
 	- The default identifier is `SOURCE_LOGSTASH_ADDRESS`.
 - Logstash TLS passphrase identifier (when TLS is enabled):
 	- The default identifier is `SOURCE_LOGSTASH_KEY_PASS`.
diff --git a/content/en/observability_pipelines/sources/socket.md b/content/en/observability_pipelines/sources/socket.md
index 4af05d2076e..73e9e307946 100644
--- a/content/en/observability_pipelines/sources/socket.md
+++ b/content/en/observability_pipelines/sources/socket.md
@@ -72,6 +72,7 @@ If you selected **TCP** mode, toggle the switch to **Enable TLS**. The following
 {{% tab "Secrets Management" %}}
 
 - Socket address identifier:
+	- References the address and port where the Observability Pipelines Worker listens for incoming logs.
 	- The default identifier is `SOURCE_SOCKET_ADDRESS`.
 - Socket TLS passphrase identifier (when TLS is enabled):
 	- The default identifier is `SOURCE_SOCKET_KEY_PASS`.
diff --git a/content/en/observability_pipelines/sources/splunk_hec.md b/content/en/observability_pipelines/sources/splunk_hec.md
index 04dc32f837d..c18b88b73ea 100644
--- a/content/en/observability_pipelines/sources/splunk_hec.md
+++ b/content/en/observability_pipelines/sources/splunk_hec.md
@@ -40,6 +40,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 {{% tab "Secrets Management" %}}
 
 - Splunk HEC address identifier:
+	- References the bind address, such as `0.0.0.0:8088`, on which your Observability Pipelines Worker listens to receive logs originally intended for the Splunk indexer.
 	- The default identifier is `SOURCE_SPLUNK_HEC_ADDRESS`.
 - Splunk HEC TLS passphrase identifier (when TLS is enabled):
 	- The default identifier is `SOURCE_SPLUNK_HEC_KEY_PASS`.
diff --git a/content/en/observability_pipelines/sources/splunk_tcp.md b/content/en/observability_pipelines/sources/splunk_tcp.md
index 72dde2be1ef..096d2ef450b 100644
--- a/content/en/observability_pipelines/sources/splunk_tcp.md
+++ b/content/en/observability_pipelines/sources/splunk_tcp.md
@@ -38,6 +38,7 @@ Click the toggle to **Enable TLS**. If you enable TLS, the following certificate
 {{% tab "Secrets Management" %}}
 
 - Splunk TCP address identifier:
+	- References the socket address, such as `0.0.0.0:9997` on which the Observability Pipelines Worker listens to receive logs from the Splunk Forwarder.
 	- The default identifier is `SOURCE_SPLUNK_TCP_ADDRESS`.
 - Splunk TCP TLS passphrase identifier (when TLS is enabled):
 	- The default identifier is `SOURCE_SPLUNK_TCP_KEY_PASS`.
diff --git a/content/en/observability_pipelines/sources/sumo_logic.md b/content/en/observability_pipelines/sources/sumo_logic.md
index 487fd1083b5..32715e7c165 100644
--- a/content/en/observability_pipelines/sources/sumo_logic.md
+++ b/content/en/observability_pipelines/sources/sumo_logic.md
@@ -33,6 +33,7 @@ In the **Decoding** dropdown menu, select whether your input format is raw **Byt
 {{% tab "Secrets Management" %}}
 
 - Sumo Logic address identifier:
+	- The bind address, such as `0.0.0.0:80.`, that your Observability Pipelines Worker listens on to receive logs originally intended for the Sumo Logic HTTP Source.
 	- The default identifier is `SOURCE_SUMO_LOGIC_ADDRESS`.
 
 {{% /tab %}}
diff --git a/content/en/observability_pipelines/sources/syslog.md b/content/en/observability_pipelines/sources/syslog.md
index a88bee0c554..6c401af45ef 100644
--- a/content/en/observability_pipelines/sources/syslog.md
+++ b/content/en/observability_pipelines/sources/syslog.md
@@ -42,9 +42,10 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 {{< tabs >}}
 {{% tab "Secrets Management" %}}
 
-- Syslog address identifier:
+- rsyslog or syslog-ng address identifier:
+	- The Observability Pipelines Worker listens on this bind address, such `0.0.0.0:9997`, to receive logs from the Syslog forwarder.
 	- The default identifier is `SOURCE_SYSLOG_ADDRESS`.
-- Syslog TLS passphrase identifier (when TLS is enabled):
+- rsyslog or syslog-ng  TLS passphrase identifier (when TLS is enabled):
 	- The default identifier is `SOURCE_SYSLOG_KEY_PASS`.
 
 {{% /tab %}}

From c26ccc652ed9718c07e661a3a68397591f0d60f3 Mon Sep 17 00:00:00 2001
From: May Lee <may.lee@datadoghq.com>
Date: Fri, 19 Dec 2025 14:02:52 -0500
Subject: [PATCH 6/8] update

---
 content/en/observability_pipelines/sources/http_server.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/observability_pipelines/sources/http_server.md b/content/en/observability_pipelines/sources/http_server.md
index 2c9c5cd4fc8..3e3566d2e6c 100644
--- a/content/en/observability_pipelines/sources/http_server.md
+++ b/content/en/observability_pipelines/sources/http_server.md
@@ -47,7 +47,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 {{% tab "Secrets Management" %}}
 
 - HTTP Server address identifier:
-	- References the socket address, such as `0.0.0.0:9997`, on which Observability Pipelines Worker listens for HTTP client logs.
+	- References the socket address, such as `0.0.0.0:9997`, on which the Observability Pipelines Worker listens for HTTP client logs.
 	- The default identifier is `SOURCE_HTTP_SERVER_ADDRESS`.
 - HTTP Server TLS passphrase identifier (when TLS is enabled):
 	- The default identifier is `SOURCE_HTTP_SERVER_KEY_PASS`.

From c155828696b1b91409e4fb96e86d05687da7edbd Mon Sep 17 00:00:00 2001
From: May Lee <may.lee@datadoghq.com>
Date: Fri, 19 Dec 2025 16:52:37 -0500
Subject: [PATCH 7/8] fix case

---
 .../observability_pipelines/sources/amazon_data_firehose.md   | 2 +-
 content/en/observability_pipelines/sources/amazon_s3.md       | 2 +-
 content/en/observability_pipelines/sources/datadog_agent.md   | 4 ++--
 content/en/observability_pipelines/sources/fluent.md          | 4 ++--
 content/en/observability_pipelines/sources/google_pubsub.md   | 2 +-
 content/en/observability_pipelines/sources/http_client.md     | 4 ++--
 content/en/observability_pipelines/sources/http_server.md     | 2 +-
 content/en/observability_pipelines/sources/kafka.md           | 2 +-
 content/en/observability_pipelines/sources/logstash.md        | 2 +-
 content/en/observability_pipelines/sources/opentelemetry.md   | 2 +-
 content/en/observability_pipelines/sources/socket.md          | 2 +-
 content/en/observability_pipelines/sources/splunk_hec.md      | 2 +-
 content/en/observability_pipelines/sources/splunk_tcp.md      | 2 +-
 content/en/observability_pipelines/sources/syslog.md          | 4 ++--
 14 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/content/en/observability_pipelines/sources/amazon_data_firehose.md b/content/en/observability_pipelines/sources/amazon_data_firehose.md
index b6691658a37..7cfe2028f13 100644
--- a/content/en/observability_pipelines/sources/amazon_data_firehose.md
+++ b/content/en/observability_pipelines/sources/amazon_data_firehose.md
@@ -35,7 +35,7 @@ Select an **AWS authentication** option. If you select **Assume role**:
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
 - Enter the identifier for your Amazon Data Firehose key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
-- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
+- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
 ## Set secrets
diff --git a/content/en/observability_pipelines/sources/amazon_s3.md b/content/en/observability_pipelines/sources/amazon_s3.md
index bcb96ed56b9..47249cd8cb7 100644
--- a/content/en/observability_pipelines/sources/amazon_s3.md
+++ b/content/en/observability_pipelines/sources/amazon_s3.md
@@ -31,7 +31,7 @@ Select an **AWS authentication** option. If you select **Assume role**:
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
 - Enter the identifier for your Amazon S3 key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
-- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
+- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
 ## Set secrets
diff --git a/content/en/observability_pipelines/sources/datadog_agent.md b/content/en/observability_pipelines/sources/datadog_agent.md
index 249e7286fcd..ab68ed6f8f6 100644
--- a/content/en/observability_pipelines/sources/datadog_agent.md
+++ b/content/en/observability_pipelines/sources/datadog_agent.md
@@ -25,8 +25,8 @@ Use Observability Pipelines' Datadog Agent source to receive logs or metrics ({{
 ## Set up the source in the pipeline UI
 
 Optionally, toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required.
-   - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
-   - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
+   - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509) format.
+   - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) root file in DER or PEM (X.509) format.
    - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
 **Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][5] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
diff --git a/content/en/observability_pipelines/sources/fluent.md b/content/en/observability_pipelines/sources/fluent.md
index 3ba4948c2f9..d397bfb4db6 100644
--- a/content/en/observability_pipelines/sources/fluent.md
+++ b/content/en/observability_pipelines/sources/fluent.md
@@ -26,8 +26,8 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
 - Enter the identifier for your Fluent key pass. If you leave it blank, the [default](#set-secrets) is used.
-- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
-- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
+- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509) format.
+- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) root file in DER or PEM (X.509) format.
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
 ## Set secrets
diff --git a/content/en/observability_pipelines/sources/google_pubsub.md b/content/en/observability_pipelines/sources/google_pubsub.md
index 06048ad999b..6f635c422e1 100644
--- a/content/en/observability_pipelines/sources/google_pubsub.md
+++ b/content/en/observability_pipelines/sources/google_pubsub.md
@@ -26,7 +26,7 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 1. Select the decoder you want to use (Bytes, GELF, JSON, syslog).
 1. Optionally, toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][3] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
     - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
-    - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
+    - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) root file in DER or PEM (X.509).
     - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS #8) format.
 
 ## Set secrets
diff --git a/content/en/observability_pipelines/sources/http_client.md b/content/en/observability_pipelines/sources/http_client.md
index d86951e3d6c..4050400e1bd 100644
--- a/content/en/observability_pipelines/sources/http_client.md
+++ b/content/en/observability_pipelines/sources/http_client.md
@@ -39,8 +39,8 @@ To configure your HTTP/S Client source:
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
    - Enter the identifier for your HTTP Client key pass. If you leave it blank, the [default](#set-secrets) is used.
          - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
-   - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
-   - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
+   - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509) format.
+   - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) root file in DER or PEM (X.509) format.
    - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
 #### Scrape settings
diff --git a/content/en/observability_pipelines/sources/http_server.md b/content/en/observability_pipelines/sources/http_server.md
index 3e3566d2e6c..b874fce4ca1 100644
--- a/content/en/observability_pipelines/sources/http_server.md
+++ b/content/en/observability_pipelines/sources/http_server.md
@@ -36,7 +36,7 @@ To configure your HTTP/S Server source, enter the following:
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
 - Enter the identifier for your HTTP Server key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
-- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
+- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS #8) format.
 
 ## Set secrets
diff --git a/content/en/observability_pipelines/sources/kafka.md b/content/en/observability_pipelines/sources/kafka.md
index 731f6d8f036..c26c3226655 100644
--- a/content/en/observability_pipelines/sources/kafka.md
+++ b/content/en/observability_pipelines/sources/kafka.md
@@ -40,7 +40,7 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][5] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
 - Enter the identifier for your Kafka key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
-- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
+- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
 #### Add additional librdkafka options
diff --git a/content/en/observability_pipelines/sources/logstash.md b/content/en/observability_pipelines/sources/logstash.md
index a498ab30c32..ad166e97e41 100644
--- a/content/en/observability_pipelines/sources/logstash.md
+++ b/content/en/observability_pipelines/sources/logstash.md
@@ -29,7 +29,7 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][3] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
 - Enter the identifier for your Logstash key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
-- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
+- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS #8) format.
 
 ## Set secrets
diff --git a/content/en/observability_pipelines/sources/opentelemetry.md b/content/en/observability_pipelines/sources/opentelemetry.md
index 83feae0ee3b..318f71dc5b6 100644
--- a/content/en/observability_pipelines/sources/opentelemetry.md
+++ b/content/en/observability_pipelines/sources/opentelemetry.md
@@ -36,7 +36,7 @@ If your forwarders are globally configured to enable SSL, you need the appropria
 
 Optionally, toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][3] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
-- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
+- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS #8) format.
 
 {{< img src="observability_pipelines/sources/otel_settings.png" alt="The OpenTelemetry source settings" style="width:35%;" >}}
diff --git a/content/en/observability_pipelines/sources/socket.md b/content/en/observability_pipelines/sources/socket.md
index 73e9e307946..65bff5ca3bc 100644
--- a/content/en/observability_pipelines/sources/socket.md
+++ b/content/en/observability_pipelines/sources/socket.md
@@ -61,7 +61,7 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 If you selected **TCP** mode, toggle the switch to **Enable TLS**. The following certificate and key files are required for TLS.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
 - Enter the identifier for your socket key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
-- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
+- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS #8) format.
 
 ## Set secrets
diff --git a/content/en/observability_pipelines/sources/splunk_hec.md b/content/en/observability_pipelines/sources/splunk_hec.md
index c18b88b73ea..60769c7b067 100644
--- a/content/en/observability_pipelines/sources/splunk_hec.md
+++ b/content/en/observability_pipelines/sources/splunk_hec.md
@@ -29,7 +29,7 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][5] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
 - Enter the identifier for your Splunk HEC key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
-- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
+- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
 ## Set secrets
diff --git a/content/en/observability_pipelines/sources/splunk_tcp.md b/content/en/observability_pipelines/sources/splunk_tcp.md
index 096d2ef450b..36b3c216250 100644
--- a/content/en/observability_pipelines/sources/splunk_tcp.md
+++ b/content/en/observability_pipelines/sources/splunk_tcp.md
@@ -27,7 +27,7 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 Click the toggle to **Enable TLS**. If you enable TLS, the following certificate and key files are required:
 - Enter the identifier for your Splunk TCP key pass. If you leave it blank, the [default](#set-secrets) is used.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
-- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in either DER or PEM (X.509).
+- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) root file in either DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
 ## Set secrets
diff --git a/content/en/observability_pipelines/sources/syslog.md b/content/en/observability_pipelines/sources/syslog.md
index 6c401af45ef..ef1777e0c06 100644
--- a/content/en/observability_pipelines/sources/syslog.md
+++ b/content/en/observability_pipelines/sources/syslog.md
@@ -31,8 +31,8 @@ To configure your Syslog source:
 
 Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][6] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
 - Enter the identifier for your syslog key pass. If you leave it blank, the [default](#set-secrets) is used.
-- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
-- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
+- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509) format.
+- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) root file in DER or PEM (X.509) format.
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
 ## Set secrets

From 913340489d99a035384afa6734c8cd4704e27f65 Mon Sep 17 00:00:00 2001
From: May Lee <may.lee@datadoghq.com>
Date: Mon, 22 Dec 2025 14:54:17 -0500
Subject: [PATCH 8/8] small edits

---
 content/en/observability_pipelines/sources/google_pubsub.md | 2 +-
 content/en/observability_pipelines/sources/http_client.md   | 1 -
 content/en/observability_pipelines/sources/sumo_logic.md    | 2 +-
 content/en/observability_pipelines/sources/syslog.md        | 2 +-
 4 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/content/en/observability_pipelines/sources/google_pubsub.md b/content/en/observability_pipelines/sources/google_pubsub.md
index 6f635c422e1..72076e3ba18 100644
--- a/content/en/observability_pipelines/sources/google_pubsub.md
+++ b/content/en/observability_pipelines/sources/google_pubsub.md
@@ -36,7 +36,7 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 {{< tabs >}}
 {{% tab "Secrets Management" %}}
 
-No default secret identifiers are required for this source.
+There are no default secret identifiers for this source.
 
 {{% /tab %}}
 
diff --git a/content/en/observability_pipelines/sources/http_client.md b/content/en/observability_pipelines/sources/http_client.md
index 4050400e1bd..a1d54f79a4b 100644
--- a/content/en/observability_pipelines/sources/http_client.md
+++ b/content/en/observability_pipelines/sources/http_client.md
@@ -24,7 +24,6 @@ To configure your HTTP/S Client source:
 <div class="alert alert-danger">Only enter the identifiers for the HTTP Client endpoint URL and, if applicable, your authorization strategy secrets. Do <b>not</b> enter the actual values.</div>
 
 1. Enter the identifier for your HTTP Client endpoint URL. If you leave it blank, the [default](#set-secrets) is used.
-
 1. Select your authorization strategy. If you selected:
    - **Basic**:
       - Enter the identifier for your HTTP Client username. If you leave it blank, the [default](#set-secrets) is used.
diff --git a/content/en/observability_pipelines/sources/sumo_logic.md b/content/en/observability_pipelines/sources/sumo_logic.md
index 32715e7c165..4330c221b80 100644
--- a/content/en/observability_pipelines/sources/sumo_logic.md
+++ b/content/en/observability_pipelines/sources/sumo_logic.md
@@ -33,7 +33,7 @@ In the **Decoding** dropdown menu, select whether your input format is raw **Byt
 {{% tab "Secrets Management" %}}
 
 - Sumo Logic address identifier:
-	- The bind address, such as `0.0.0.0:80.`, that your Observability Pipelines Worker listens on to receive logs originally intended for the Sumo Logic HTTP Source.
+	- References the bind address, such as `0.0.0.0:80.`, that your Observability Pipelines Worker listens on to receive logs originally intended for the Sumo Logic HTTP Source.
 	- The default identifier is `SOURCE_SUMO_LOGIC_ADDRESS`.
 
 {{% /tab %}}
diff --git a/content/en/observability_pipelines/sources/syslog.md b/content/en/observability_pipelines/sources/syslog.md
index ef1777e0c06..0c011e65e19 100644
--- a/content/en/observability_pipelines/sources/syslog.md
+++ b/content/en/observability_pipelines/sources/syslog.md
@@ -43,7 +43,7 @@ Toggle the switch to **Enable TLS**. If you enable TLS, the following certificat
 {{% tab "Secrets Management" %}}
 
 - rsyslog or syslog-ng address identifier:
-	- The Observability Pipelines Worker listens on this bind address, such `0.0.0.0:9997`, to receive logs from the Syslog forwarder.
+	- References the bind address, such `0.0.0.0:9997`, on which the Observability Pipelines Worker listens to receive logs from the Syslog forwarder.
 	- The default identifier is `SOURCE_SYSLOG_ADDRESS`.
 - rsyslog or syslog-ng  TLS passphrase identifier (when TLS is enabled):
 	- The default identifier is `SOURCE_SYSLOG_KEY_PASS`.