Page Comparison

Cloudflare

Audit Logs

cdn.cloudflare.audit.events

GET https://api.cloudflare.com/client/v4/{entity_type}/{entity_id}/audit_logs?since={start_date}&before={end_date}Z&page={page_num}&per_page={page_limit}&direction={direction}, where:

• {entity_type} is one of the two entity types allowed: organizations or accounts.

• {entity_id} is the account or organization identifier

• {start_date} to limit the returned results to logs newer than the specified date with RFC3339 format (YYYY-MM-DDTHH:mm:ssZ).

• {end_date} to limit the returned results to logs older than the specified date with RFC3339 format (YYYY-MM-DDTHH:mm:ssZ).

• {page_num} which page of results to return.

• {page_limit} how many results to return per page.

• {direction} is the direction of the chronological sorting (allowed values are asc or desc -default).

Get audit logs for an account or an organization, filter by who made the change, which zone was the change was made on, and the timeframe of the change.

GraphQL Analytics

cdn.cloudflare.firewall.samples

POST https://api.cloudflare.com/client/v4/graphql, where the body of the request use the following template:

{
  "query": "query { 
              viewer {
                zones (filter: {zoneTag: $zone_tag}) {
                  <DATASET>(
                    filter: {
                      datetime_geq: $start_date,
                      datetime_lt: $end_date
                    },
                    limit: $limit,
                    orderBy: [datetime_ASC]
                  ) {
                    datetime
                    <FIELDS>
                  }
                }
              }
            }",
  "variables": {
    "zoneTag": "<ZONE_TAG>",
    "filter": {
      "zone_tag": "<ZONE_TAG>",
      "start_date": "<START_DATE>",
      "end_date": "<END_DATE>",
      "limit": <LIMIT>
    }
  }
}

where:

• <DATASET> is the dataset (product) name you want to query against a zone. Right now, the only dataset allowed by the collector is for Firewall Activity Log: firewallEventsAdaptive. Check the following URL for API available datasets: Datasets (tables) · Cloudflare Analytics docs

• <FIELDS> list of fields you want to fetch. List of fields used for firewallEventsAdaptive dataset:

- action
- clientAsn
- clientASNDescription
- clientCountryName
- clientIP
- clientIPClass
- clientRefererHost
- clientRefererPath
- clientRefererQuery
- clientRefererScheme 
- clientRequestHTTPHost
- clientRequestHTTPMethodName
- clientRequestHTTPProtocol
- clientRequestPath
- clientRequestQuery
- clientRequestScheme 
- edgeColoName
- edgeResponseStatus
- kind
- matchIndex
- originResponseStatus
- originatorRayName
- rayName
- ruleId
- source
- userAgent

• <ZONE_TAG> is the zone tag (or zone key/ID).

• <START_DATE> is the initial date for the query (inclusive).

• <END_DATE> is the final date for the query (exclusive).

• <LIMIT> to limit the results.

Query for a dataset in a specific zone and timeframe. The only dataset allowed right now by the collector is Firewall Activity Log: firewallEventsAdaptive.

The collector uses limit, orderBy and datetime filters for pagination. For a timeframe request, is limit is not reached no more request are needed. But if limit is reached, collector removes all events with the last datetime value from the result and performs a new timeframe request using this last datetime as start_dateand the same end_date. As start_date is inclusive, all the request removed from the previous request should be returned again. In case all the events returned by the request have the same datetime and also the maximum limit per request is reached, the collector will add all the events and use as start_date the last datetime plus one second. Take into account that this behavior can cause losing events for the requested timeframe.

The collector also performs a request to check allowed limits for each dataset on service setup: Limits · Cloudflare Analytics docs