Cloudflare collector
Overview
Cloudflare is a Content Delivery Network and DDoS mitigation cloud service company. It primarily acts as a reverse proxy between a website's visitor and the Cloudflare customer's hosting provider.
Data sources
Data source | Description | Devo Table | API endpoint | Description |
---|---|---|---|---|
Cloudflare | Audit Logs | cdn.cloudflare.audit.events |
| Get audit logs for an account or an organization, filter by who made the change, which zone was the change was made on, and the timeframe of the change. |
| GraphQL Analytics | cdn.cloudflare.firewall.samples |
{
"query": "query {
viewer {
zones (filter: {zoneTag: $zone_tag}) {
<DATASET>(
filter: {
datetime_geq: $start_date,
datetime_lt: $end_date
},
limit: $limit,
orderBy: [datetime_ASC]
) {
datetime
<FIELDS>
}
}
}
}",
"variables": {
"zoneTag": "<ZONE_TAG>",
"filter": {
"zone_tag": "<ZONE_TAG>",
"start_date": "<START_DATE>",
"end_date": "<END_DATE>",
"limit": <LIMIT>
}
}
}
where:
- action
- clientAsn
- clientASNDescription
- clientCountryName
- clientIP
- clientIPClass
- clientRefererHost
- clientRefererPath
- clientRefererQuery
- clientRefererScheme
- clientRequestHTTPHost
- clientRequestHTTPMethodName
- clientRequestHTTPProtocol
- clientRequestPath
- clientRequestQuery
- clientRequestScheme
- edgeColoName
- edgeResponseStatus
- kind
- matchIndex
- originResponseStatus
- originatorRayName
- rayName
- ruleId
- source
- userAgent
| Query for a dataset in a specific zone and timeframe. The only dataset allowed right now by the collector is Firewall Activity Log: The collector uses The collector also performs a request to check allowed limits for each dataset on service setup: Limits · Cloudflare Analytics docs In a small number of cases, the analytics provided on the Cloudflare GraphQL Analytics API are based on a sample — a subset of the dataset. In these cases, Cloudflare Analytics returns an estimate derived from the sampled value. For example, suppose that during an attack the sampling rate is 10% and 5,000 events are sampled. Cloudflare will estimate 50,000 total events (5,000 × 10) and report this value in Analytics. See Sampling · Cloudflare Analytics docs for more details. |
For more information on how the events are parsed, visit our page.
Vendor setup
To configure the Cloudflare Collector Services you need to configure one of the allowed authentication methods:
API tokens
API keys
Authentication Method | Details | Configuration properties | Link |
---|---|---|---|
API Tokens | Cloudflare recommends API Tokens as the preferred way to interact with Cloudflare APIs. You can configure the scope of tokens to limit access to account and zone resources, and you can define the Cloudflare APIs to which the token authorizes access. | The following credentials properties are needed: credentials:
api_token: <API_TOKEN>
| |
API Keys | Unique to each Cloudflare user and used only for authentication. API keys do not authorize access to accounts or zones. Use the Global API Key for authentication. Only use the Origin CA Key when you create origin certificates through the API. | The following credentials properties are needed: |
Accepted authentication methods
Depending on how did you obtain your credentials, you will have to either fill or delete the following properties on the JSON credentials
configuration block.
Authentication Method | api_token | api_key | user_email |
---|---|---|---|
API Tokens | REQUIRED |
|
|
API Keys |
| REQUIRED | REQUIRED |
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).