Document toolboxDocument toolbox

bms.cloudflare

Owned by Juan Tomás Alonso Nieto (Deactivated)
May 08, 2023
2 min read
[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

The tags beginning with bms.cloudflare identify events generated by Cloudflare Bot Management.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as bms.cloudflare. The third level identifies the type of events sent, and the fourth level indicates the event subtype. 

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

Product / Service

Tags

Data tables

Cloudflare Bot Management

bms.cloudflare.audit.events

bms.cloudflare.audit.events

Table structure

This is the set displayed in this table.

Field

Type

Field transformation

Source field name

Extra fields

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

 

hostname

str

 

 

 

Application

str

 

 

 

BotScore

int4

 

 

 

BotScoreSrc

str

 

 

 

BotTags

str

 

 

 

CacheCacheStatus

str

 

 

 

CacheResponseBytes

int4

 

 

 

CacheResponseStatus

int4

 

 

 

CacheTieredFill

bool

 

 

 

ClientASN

int4

 

 

 

ClientBytes

int4

 

 

 

ClientCountry

str

 

 

 

ClientDeviceType

str

 

 

 

ClientIP

str

 

 

 

ClientIPClass

str

 

 

 

ClientMatchedIpFirewall

str

 

 

 

ClientMTLSAuthCertFingerprint

str

 

 

 

ClientMTLSAuthStatus

str

 

 

 

ClientPort

int4

 

 

 

ClientProto

str

 

 

 

ClientRequestBytes

int4

 

 

 

ClientRequestHost

str

 

 

 

ClientRequestMethod

str

 

 

 

ClientRequestPath

str

 

 

 

ClientRequestProtocol

str

 

 

 

ClientRequestReferer

str

 

 

 

ClientRequestScheme

str

 

 

 

ClientRequestSource

str

 

 

 

ClientRequestURI

str

 

 

 

ClientRequestUserAgent

str

 

 

 

ClientSSLCipher

str

 

 

 

ClientSSLProtocol

str

 

 

 

ClientSrcPort

int4

 

 

 

ClientTcpRtt

int4

 

 

 

ClientTCPRTTMs

int4

 

 

 

ClientTlsCipher

str

 

 

 

ClientTlsClientHelloServerName

str

 

 

 

ClientTlsProtocol

str

 

 

 

ClientTlsStatus

str

 

 

 

ClientXRequestedWith

str

 

 

 

ColoCode

str

 

 

 

ConnectTimestamp

timestamp

 

 

 

DisconnectTimestamp

timestamp

 

 

 

EdgeCFConnectingO2O

bool

 

 

 

EdgeColoCode

str

 

 

 

EdgeColoID

int4

 

 

 

EdgeEndTimestamp

timestamp

 

 

 

EdgePathingOp

str

 

 

 

EdgePathingSrc

str

 

 

 

EdgePathingStatus

str

 

 

 

EdgeRateLimitAction

str

 

 

 

EdgeRateLimitID

int4

 

 

 

EdgeRequestHost

str

 

 

 

EdgeResponseBodyBytes

int4

 

 

 

EdgeResponseBytes

int4

 

 

 

EdgeResponseCompressionRatio

float8

 

 

 

EdgeResponseContentType

str

 

 

 

EdgeResponseStatus

int4

 

 

 

EdgeServerIP

str

 

 

 

EdgeStartTimestamp

timestamp

 

 

 

EdgeTimeToFirstByteMs

int4

 

 

 

Event

str

 

 

 

FirewallMatchesActions

str

 

 

 

FirewallMatchesRuleIDs

str

 

 

 

FirewallMatchesSources

str

 

 

 

IpFirewall

bool

 

 

 

JA3Hash

str

 

 

 

OriginDNSResponseTimeMs

int4

 

 

 

OriginIP

str

 

 

 

OriginBytes

int4

 

 

 

OriginPort

int4

 

 

 

OriginProto

str

 

 

 

OriginRequestHeaderSendDurationMs

int4

 

 

 

OriginResponseBytes

int8

 

 

 

OriginResponseDurationMs

str

 

 

 

OriginResponseHTTPExpires

str

 

 

 

OriginResponseHTTPLastModified

str

 

 

 

OriginResponseHeaderReceiveDurationMs

int4

 

 

 

OriginResponseStatus

int4

 

 

 

OriginResponseTime

str

 

 

 

OriginSSLProtocol

str

 

 

 

OriginTcpRtt

int4

 

 

 

OriginTCPHandshakeDurationMs

int4

 

 

 

OriginTLSHandshakeDurationMs

int4

 

 

 

OriginTlsCipher

str

 

 

 

OriginTlsFingerprint

str

 

 

 

OriginTlsMode

str

 

 

 

OriginTlsProtocol

str

 

 

 

OriginTlsStatus

str

 

 

 

ParentRayID

str

 

 

 

ProxyProtocol

str

 

 

 

RayID

str

 

 

 

SecurityLevel

str

 

 

 

SmartRouteColoID

int4

 

 

 

Status

int4

 

 

 

Timestamp

timestamp

 

 

 

UpperTierColoID

int4

 

 

 

WAFAction

str

 

 

 

WAFFlags

str

 

 

 

WAFMatchedVar

str

 

 

 

WAFProfile

str

 

 

 

WAFRuleID

str

 

 

 

WAFRuleMessage

str

 

 

 

WorkerCPUTime

int4

 

 

 

WorkerStatus

str

 

 

 

WorkerSubrequest

bool

 

 

 

WorkerSubrequestCount

int4

 

 

 

ZoneID

int8

 

 

 

ZoneName

str

 

 

 

CacheReserveUsed

bool

 

 

 

hostchain

str

 

 

✓

tag

str

 

 

✓

rawMessage

str

 

 

✓

Â