Introduction

Tags beginning with cdn.cloudflare identify events generated by Cloudflare.

...

The full tag must have 4 levels. The first two are fixed as cdn.cloudflare. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

...

| Technology | Brand | Type | Subtype |
|---|---|---|---|
| cdn | cloudflare | audit, ... | events |

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Cloudflare | cdn.cloudflare.audit.events.<ENTITY_ID> | cdn.cloudflare.audit.events |
| | cdn.cloudflare.firewall.samples | cdn.cloudflare.firewall.samples |
| | cdn.cloudflare.waf.events | cdn.cloudflare.waf.events |

For more information, read more about Devo tags.

Table structure

These are the fields displayed in these tables:

cdn.cloudflare.audit.events

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| ENTITY_ID | str | - |
| id | str | - |
| action__info | str | - |
| action__type | str | - |
| action__result | bool | - |
| actor__id | str | - |
| actor__email | str | - |
| actor__type | str | - |
| actor__ip | ip4 | - |
| newValue | str | - |
| oldValue | str | - |
| owner__id | str | - |
| resource__id | str | - |
| resource__type | str | - |
| interface | str | - |
| metadata__zone_name | str | - |
| metadata__zone_tag | str | - |
| metadata__type | str | - |
| metadata__name | str | - |
| metadata__value | str | - |
| when | timestamp | - |
| hostchain | str | |
| tag | str | |
| rawMessage | str | |

cdn.cloudflare.firewall.samples

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| zone_tag | str | | | |
| action | str | | | |
| clientASN | str | | | |
| clientASNDescription | str | | | |
| clientCountryName | str | | | |
| clientIP | str | | | |
| clientIP4 | ip4 | `ip4(clientIP)` | clientIP | |
| clientIP_v6 | ip6 | `ifthenelse(isnull(clientIP4) and not isnull(clientIP), ip6(clientIP), null)` | clientIP, clientIP4 | |
| clientIPClass | str | | | |
| clientRefererHost | str | | | |
| clientRefererPath | str | | | |
| clientRefererQuery | str | | | |
| clientRefererScheme | str | | | |
| clientRequestHTTPHost | str | | | |
| clientRequestHTTPMethodName | str | | | |
| clientRequestHTTPProtocol | str | | | |
| clientRequestPath | str | | | |
| clientRequestQuery | str | | | |
| clientRequestScheme | str | | | |
| datetime | timestamp | | | |
| edgeColoName | str | | | |
| edgeResponseStatus | int4 | | | |
| kind | str | | | |
| matchIndex | int4 | | | |
| originResponseStatus | int4 | | | |
| originatorRayName | str | | | |
| rayName | str | | | |
| ruleId | str | | | |
| source | str | | | |
| userAgent | str | | | |
| hostchain | str | | | |
| tag | str | | | |
| rawMessage | str | | | |

cdn.cloudflare.waf.events

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| zone_tag | str | | | |
| ClientASN | int4 | | | |
| ClientCountry | str | | | |
| ClientDeviceType | str | | | |
| ClientIP | ip4 | | | |
| ClientIPClass | str | | | |
| ClientRequestBytes | int4 | | | |
| ClientRequestHost | str | | | |
| ClientRequestMethod | str | | | |
| ClientRequestPath | str | | | |
| ClientRequestProtocol | str | | | |
| ClientRequestReferer | str | | | |
| ClientRequestURI | str | | | |
| ClientRequestUserAgent | str | | | |
| ClientSSLCipher | str | | | |
| ClientSSLProtocol | str | | | |
| ClientSrcPort | int4 | | | |
| ClientXRequestedWith | str | | | |
| EdgeColoCode | str | | | |
| EdgeColoID | int4 | | | |
| EdgeEndTimestamp | int8 | | | |
| EdgePathingOp | str | | | |
| EdgePathingSrc | str | | | |
| EdgePathingStatus | str | | | |
| EdgeRateLimitAction | str | | | |
| EdgeRateLimitID | int4 | | | |
| EdgeRequestHost | str | | | |
| EdgeResponseBytes | int4 | | | |
| EdgeResponseCompressionRatio | float8 | | | |
| EdgeResponseContentType | str | | | |
| EdgeResponseStatus | int4 | | | |
| EdgeServerIP | str | | | |
| FirewallMatchesActions_str | str | `join(FirewallMatchesActions, ',')` | FirewallMatchesActions | |
| FirewallMatchesRuleIDs_str | str | `join(FirewallMatchesRuleIDs, ',')` | FirewallMatchesRuleIDs | |
| FirewallMatchesSources_str | str | `join(FirewallMatchesSources, ',')` | FirewallMatchesSources | |
| OriginIP | str | | | |
| OriginResponseBytes | int4 | | | |
| OriginResponseHTTPExpires | str | | | |
| OriginResponseHTTPLastModified | str | | | |
| OriginResponseStatus | int4 | | | |
| OriginResponseTime | int4 | | | |
| OriginSSLProtocol | str | | | |
| ParentRayID | str | | | |
| RayID | str | | | |
| SecurityLevel | str | | | |
| WAFAction | str | | | |
| WAFFlags | str | | | |
| WAFMatchedVar | str | | | |
| WAFProfile | str | | | |
| WAFRuleID | str | | | |
| WAFRuleMessage | str | | | |
| ZoneID | int8 | | | |
| at_devo_collector_version | int4 | | | |
| at_devo_source_id | str | | | |
| at_devo_project_id | str | | | |
| at_devo_retrieving_timestamp | timestamp | | | |
| hostchain | str | | | |
| tag | str | | | |
| rawMessage | str | | | |