Cloudflare Zone-scoped Logs
You can use this document to send Cloudflare Zone-scoped logs to Armor's Security Information & Event Management (SIEM) using Logpush.
Cloudflare Logpush pushes batches of a Cloudflare dataset's logs to an AWS S3 bucket.
Logpush is available to customers on Cloudflare's Enterprise plan.
Logpush generally delivers a batch within 5 minutes of the events, depending on log volume. A batch contains at most 100,000 events, so the more events a zone generates, the more frequently batches are pushed.
To have the zone-scoped http_requests and firewall_events datasets ingested, you add a Logpush job for each dataset to each of your zone(s), using our destination_conf (see Configuration Details below).
Pre-deployment Considerations
In order to enable this log type, you must have:
- An AWS account
- A Cloudflare zone with an Enterprise plan
- Access to manage Cloudflare Zone logging
- Access to create a new Logpush job to the designated AWS S3 bucket

Setup steps:
1. Determine the AWS account that provides the IAM roles.
2. Add a policy that provides access to the S3 bucket named in our destination_conf.
3. Attach the policy to the role that will be setting up Logpush.
4. Identify the Cloudflare zone that you would like to forward logs for.
5. Identify which datasets (http_requests, firewall_events, or both) you would like to push to Armor.
6. Create a Cloudflare API Token with the Logs Write permission.
7. Assume the AWS role that provides access to our S3 bucket.
8. Set the environment variable CLOUDFLARE_API_TOKEN to the value of your Cloudflare API Token and run the script to configure Cloudflare to forward logs for the dataset.
Download the file:
- http_requests example
- firewall_events example
Only set up the datasets that you require.
The number of Logpush jobs you can configure may be limited. Work with your Cloudflare representative if you run into that limit.
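The setup steps above, end to end, as an added example (this is neither Armor's downloadable script nor Cloudflare's code). It assumes CLOUDFLARE_API_TOKEN and the assumed role's AWS credentials are already in the environment, that curl, jq and the aws cli are installed, and that the bucket region is the one Armor gives you (us-east-1 below is a placeholder); the script and job names are made up. It also performs the ownership check Cloudflare requires for S3 destinations, which is what the list/get permission on your prefix is for.

```shell
#!/bin/sh
# Added example, not Armor's or Cloudflare's own script: create one Logpush job
# that pushes a zone-scoped dataset to the Armor-assigned bucket via the
# Cloudflare v4 API. It follows the steps above: build the destination_conf,
# take "all fields" from Cloudflare's field list for the dataset, prove bucket
# ownership (Cloudflare writes a challenge file under the destination path,
# which the assumed AWS role reads back), then create the job.
# Assumptions: CLOUDFLARE_API_TOKEN (Logs Write) and AWS credentials for the
# assumed role are in the environment; curl, jq and the aws cli are installed;
# BUCKET_REGION is the region Armor gives you (us-east-1 is only a placeholder).
set -eu

CF_API="https://api.cloudflare.com/client/v4"
BUCKET_REGION="${BUCKET_REGION:-us-east-1}"

# destination_conf layout Armor requires (bucket/partner/customer/dataset/{DATE})
# with Cloudflare's region and server-side-encryption query parameters appended.
build_destination_conf() { # partner_id customer_id dataset region
  printf 's3://prod-xdr-cloudflare-%s/%s/%s/%s/{DATE}?region=%s&sse=AES256' \
    "$1" "$1" "$2" "$3" "$4"
}

# logpull_options: comma-separated field list (no spaces) plus RFC 3339 timestamps.
build_logpull_options() { # fields
  printf 'fields=%s&timestamps=rfc3339' "$1"
}

# Only the two zone-scoped datasets Armor ingests.
validate_dataset() {
  case "$1" in
    http_requests|firewall_events) return 0 ;;
    *) return 1 ;;
  esac
}

# JSON body for POST /zones/{zone_id}/logpush/jobs.
build_job_body() { # name dataset destination_conf logpull_options ownership_challenge
  printf '{"name":"%s","dataset":"%s","enabled":true,"destination_conf":"%s","logpull_options":"%s","ownership_challenge":"%s"}' \
    "$1" "$2" "$3" "$4" "$5"
}

# Call the API and fail loudly (with Cloudflare's error list) when success is false.
cf_api() { # method path [json_body]
  if [ -n "${3:-}" ]; then
    curl -sS -X "$1" "$CF_API$2" -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
      -H "Content-Type: application/json" --data "$3"
  else
    curl -sS -X "$1" "$CF_API$2" -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
  fi | jq -e 'if .success then . else ("Cloudflare API error: " + (.errors | tostring) | error) end'
}

# "All fields" comes from Cloudflare's own field list for the dataset, so the job
# picks up fields added after this script was written.
all_fields() { # zone_id dataset
  cf_api GET "/zones/$1/logpush/datasets/$2/fields" | jq -r '.result | keys | join(",")'
}

# Job limits: refuse to create a second job for a dataset that already has one.
job_exists() { # zone_id dataset
  cf_api GET "/zones/$1/logpush/jobs" \
    | jq -e --arg ds "$2" '.result[] | select(.dataset == $ds)' >/dev/null
}

main() { # zone_id partner_id customer_id dataset
  validate_dataset "$4" || { echo "unsupported dataset: $4" >&2; exit 2; }
  if job_exists "$1" "$4"; then
    echo "zone $1 already has a Logpush job for $4" >&2; exit 3
  fi
  dest=$(build_destination_conf "$2" "$3" "$4" "$BUCKET_REGION")
  opts=$(build_logpull_options "$(all_fields "$1" "$4")")

  # Ownership challenge. Cloudflare returns the challenge object's path (its docs
  # show it as <bucket>/<path>/ownership-challenge-<id>.txt); reading it back is
  # why the assumed role needs list/get on the prefix.
  challenge=$(cf_api POST "/zones/$1/logpush/ownership" \
    "$(printf '{"destination_conf":"%s"}' "$dest")" | jq -r '.result.filename')
  token=$(aws s3 cp "s3://$challenge" - --region "$BUCKET_REGION")

  # Job name kept to letters, digits and hyphens (hypothetical naming scheme).
  name="armor-$(printf '%s' "$4" | tr '_' '-')"
  cf_api POST "/zones/$1/logpush/jobs" "$(build_job_body "$name" "$4" "$dest" "$opts" "$token")" \
    | jq '.result | {id, dataset, enabled, destination_conf}'
}

# Usage: ./logpush-armor.sh <zone_id> <partner_id> <customer_id> <http_requests|firewall_events>
if [ "$#" -eq 4 ]; then main "$@"; fi
```

Run it once per dataset and zone; the job_exists guard keeps a re-run from consuming another job slot, and the API error check surfaces Cloudflare's message (for example a failed ownership validation) instead of a silent non-zero exit.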
Supporting Vendor Documentation
Configuration Details
Your partner account will be assigned an AWS S3 bucket that is used by Armor. The bucket policy grants access to both Cloudflare and the AWS principal(s) of your choice: Cloudflare is permitted to create objects within a specified prefix of the bucket, and your AWS principal is permitted to list and get objects within that prefix.
When you are approved for access to this log source, we will ask for the AWS principal that you would like to grant access to. This is typically an AWS Organizations account, a dedicated AWS account that provides IAM users, or an AWS account that hosts your own integration services.
S3 Bucket: prod-xdr-cloudflare-${partner_id}
S3 Prefix: ${partner_id}
Cloudflare Logpush Destination_conf
When providing the destination_conf to the Cloudflare Logpush job, Armor requires a specific path to be configured in order to properly associate the ingested data with your customer and your partner account. The destination_conf will consist of the Armor-leveraged S3 bucket, your partner id, your customer's tenant id, the Cloudflare dataset name, and the date.
In addition to the bucket path, the destination_conf carries the bucket region and the object encryption setting, which Cloudflare accepts as query parameters on the S3 URI (its region and sse parameters); the examples below show the path portion only.
Example destination_conf: s3://prod-xdr-cloudflare-65535/65535/65536/http_requests/{DATE}
Example delivered object: s3://prod-xdr-cloudflare-65535/65535/65536/http_requests/20220101/object.txt
- PartnerID = 65535
- PartnerCustomerID = 65536
- Cloudflare dataset = http_requests
- DATE = 20220101 (Cloudflare substitutes the delivery date, in YYYYMMDD form, for {DATE})
- Cloudflare object = object.txt
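A check a partner can run once a job is live, added here as an example rather than taken from the document: list the objects under your prefix and confirm they follow the partner/customer/dataset/date layout above, since objects outside it cannot be associated with a customer. The sample keys are constructed from the document's example ids with made-up object names; the live mode assumes the partner principal's AWS credentials are in the environment and the aws cli is installed.

```shell
#!/bin/sh
# Added example, not part of Armor's documentation: check that what Cloudflare
# delivered under your prefix follows the layout
#   <partner_id>/<customer_id>/<dataset>/<YYYYMMDD>/<object>
# and summarise it per dataset and day. Anything outside that layout cannot be
# associated with a customer and is reported on stderr.
# Assumptions: AWS credentials for the partner principal are in the environment
# and the aws cli is installed; the sample keys below are constructed, using the
# document's example ids (65535 / 65536) and made-up object names.
set -eu

# Print "partner customer dataset date object" for a conforming key; return 1 otherwise.
parse_object_key() { # key
  printf '%s\n' "$1" | awk -F/ '
    NF == 5 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ &&
    ($3 == "http_requests" || $3 == "firewall_events") &&
    length($4) == 8 && $4 ~ /^[0-9]+$/ && $5 != "" {
      print $1, $2, $3, $4, $5; ok = 1
    }
    END { exit ok ? 0 : 1 }'
}

# stdin: keys, one per line. stdout: "dataset date count" per delivered day;
# non-conforming keys go to stderr.
summarise_keys() {
  while IFS= read -r key; do
    [ -n "$key" ] || continue
    if parsed=$(parse_object_key "$key"); then
      set -- $parsed
      printf '%s %s\n' "$3" "$4"
    else
      printf 'unexpected key: %s\n' "$key" >&2
    fi
  done | sort | uniq -c | awk '{ print $2, $3, $1 }'
}

# Keys currently under the partner prefix (full keys, as S3 returns them).
list_prefix_keys() { # bucket prefix
  aws s3api list-objects-v2 --bucket "$1" --prefix "$2/" \
    --query 'Contents[].Key' --output text | tr '\t' '\n' | grep -v '^None$' || true
}

# Constructed sample listing: two http_requests batches and one firewall_events
# batch for 2022-01-01, plus two objects that do not follow the layout.
SAMPLE_KEYS='65535/65536/http_requests/20220101/batch-0001.log.gz
65535/65536/http_requests/20220101/batch-0002.log.gz
65535/65536/firewall_events/20220101/batch-0001.log.gz
65535/65536/dns_logs/20220101/batch-0001.log.gz
65535/notes.txt'

# Usage: ./check-delivery.sh               (summarise the constructed sample)
#        ./check-delivery.sh --live 65535   (summarise the real prefix for partner 65535)
if [ "${1:-}" = "--live" ]; then
  list_prefix_keys "prod-xdr-cloudflare-$2" "$2" | summarise_keys
elif [ "$#" -eq 0 ]; then
  printf '%s\n' "$SAMPLE_KEYS" | summarise_keys
fi
```

On the constructed sample the summary is one firewall_events day and two http_requests batches for 20220101, with the dns_logs key and the stray notes.txt flagged on stderr; if a live run shows nothing for a dataset you configured, check the job's destination_conf path before looking anywhere else.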
Cloudflare Logpush Logpull_options
When configuring the Logpush job we enable all fields available for the dataset and request timestamps in RFC 3339 format.
Example logpull_options (abbreviated to a few fields; the job lists every field for the dataset, comma-separated with no spaces): fields=ClientIP,ClientRequestMethod,ClientSrcPort,EdgeResponseStatus,EdgeStartTimestamp,WAFAction,ZoneID,ZoneName&timestamps=rfc3339
Log Fields
The tables below list, for each dataset, the Cloudflare field and the ECS field Armor maps it to. A Cloudflare field may map to more than one ECS field; a blank ECS column means no ECS mapping is listed for that field.
Dataset http_requests
Cloudflare | ECS |
--- | --- |
ClientIP | client.address |
ClientIP | client.ip |
ClientSrcPort | client.port |
EdgeEndTimestamp | event.end |
CacheResponseBytes | http.response.bytes |
EdgeServerIP | observer.ip |
OriginIP | origin.ip |
OriginIP | server.ip |
ClientIP | source.address |
ClientRequestUserAgent | user_agent.original |
CacheCacheStatus | cloudflare.cache.status |
CacheResponseBytes | cloudflare.cache.response.bytes |
CacheTieredFill | cloudflare.cache.tiered.fill |
ClientASN | |
ClientCountry | source.geo.country_iso_code |
ClientDeviceType | cloudflare.device_type |
ClientIP | source.ip |
ClientIPClass | cloudflare.client.ip_class |
ClientRequestBytes | http.request.bytes |
ClientRequestHost | url.domain |
ClientRequestMethod | http.request.method |
ClientRequestPath | url.path |
ClientRequestProtocol | client.request.protocol |
ClientRequestReferer | http.request.referrer |
ClientRequestURI | url.full |
ClientSrcPort | source.port |
ClientSSLCipher | client.ssl.cipher |
ClientSSLProtocol | client.ssl.protocol |
EdgeColoCode | cloudflare.edge.colo.code |
EdgeColoID | |
EdgeEndTimestamp | cloudflare.edge.end.timestamp |
EdgePathingOp | cloudflare.edge.pathing.op |
EdgePathingSrc | cloudflare.edge.pathing.src |
EdgePathingStatus | cloudflare.edge.pathing.status |
EdgeRateLimitAction | cloudflare.edge.rate.limit.action |
EdgeRateLimitID | |
EdgeRequestHost | |
EdgeResponseBytes | cloudflare.edge.response.bytes |
EdgeResponseCompressionRatio | cloudflare.edge.response.compression_ratio |
EdgeResponseContentType | cloudflare.edge.response.content_type |
EdgeResponseStatus | cloudflare.edge.response.status |
EdgeServerIP | cloudflare.edge.server.ip |
EdgeStartTimestamp | cloudflare.edge.start.timestamp |
FirewallMatchesActions | firewall.matches.actions |
FirewallMatchesRuleIDs | firewall.matches.rule_ids |
FirewallMatchesSources | firewall.matches.sources |
OriginIP | destination.ip |
OriginResponseBytes | cloudflare.origin.response.bytes |
OriginResponseHTTPExpires | cloudflare.origin.response.http.expires |
OriginResponseHTTPLastModified | cloudflare.origin.response.http.last_modified |
OriginResponseStatus | http.response.status_code |
OriginSSLProtocol | cloudflare.origin.ssl.protocol |
ParentRayID | cloudflare.parent.ray_id |
RayID | cloudflare.ray_id |
SecurityLevel | cloudflare.security_level |
WAFAction | event.action |
WAFFlags | cloudflare.waf.flags |
WAFMatchedVar | cloudflare.waf.matched_var |
WAFProfile | cloudflare.waf.profile |
WAFRuleID | |
WAFRuleMessage | cloudflare.waf.rule.message |
WorkerCPUTime | cloudflare.worker.cpu_time |
WorkerStatus | cloudflare.worker.status |
WorkerSubrequest | cloudflare.worker.subrequest |
WorkerSubrequestCount | cloudflare.worker.subrequest_count |
ZoneID | |
ZoneName | |
Dataset firewall_events
Cloudflare | ECS |
--- | --- |
ClientIP | client.address |
ClientIP | client.ip |
ClientIP | source.address |
Action | event.action |
ClientASN | |
ClientASNDescription | |
ClientCountry | |
ClientIP | source.ip |
ClientIPClass | cloudflare.client.ip_class |
ClientRefererHost | |
ClientRefererPath | cloudflare.client.referer.path |
ClientRefererQuery | cloudflare.client.referer.query |
ClientRefererScheme | cloudflare.client.referer.scheme |
ClientRequestHost | |
ClientRequestMethod | cloudflare.client.request.method |
ClientRequestPath | cloudflare.client.request.path |
ClientRequestProtocol | cloudflare.client.request.protocol |
ClientRequestQuery | cloudflare.client.request.query |
ClientRequestScheme | cloudflare.client.request.scheme |
ClientRequestUserAgent | user_agent.original |
Datetime | cloudflare.firewall.Datetime |
EdgeColoCode | cloudflare.edge.colo.code |
EdgeResponseStatus | cloudflare.edge.response.status |
Kind | event.kind |
MatchIndex | cloudflare.firewall.match.index |
Metadata | cloudflare.firewall.metadata |
OriginatorRayID | cloudflare.originator.ray_id |
OriginResponseStatus | http.response.status_code |
RayID | cloudflare.ray_id |
RuleID | |
Source | rule.category |