cloud.cloudflare

Introduction

The tags beginning with cloud.cloudflare identify events generated by Cloudflare.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as cloud.cloudflare. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

| Technology | Brand | Type | Subtype |
|---|---|---|---|
| cloud | cloudflare | logpush | <eventType>, http |

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Tag | Data table |
|---|---|
| cloud.cloudflare.logpush.<eventType> | cloud.cloudflare.logpush |
| cloud.cloudflare.logpush.http | cloud.cloudflare.logpush.http |

Log samples

The following are sample logs sent to each of the cloud.cloudflare data tables. Under each sample log, you can see how the information is parsed in your data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

cloud.cloudflare.logpush

{"ParentRayID": "02", "RayID": "61232396d270d", "SecurityLevel": "off", "SmartRouteColoID": 0, "UpperTierColoID": 0, "ZoneID": 123455, "ZoneName": "desktop-45.terry.net", "BotScoreSrc": "Machine Learning", "BotScore": 98, "WorkerCPUTime": 0, "WorkerStatus": "unknown", "WorkerSubrequest": false, "WorkerSubrequestCount": 0, "WAFAction": "unknown", "WAFFlags": "0", "WAFMatchedVar": "", "WAFProfile": "unknown", "WAFRuleID": "", "WAFRuleMessage": "", "OriginResponseBytes": 0, "OriginResponseDurationMs": 0, "OriginResponseHTTPExpires": "", "OriginResponseHTTPLastModified": "", "OriginResponseHeaderReceiveDurationMs": 0, "OriginResponseStatus": 0, "OriginResponseTime": 0, "OriginDNSResponseTimeMs": 0, "OriginIP": "", "OriginRequestHeaderSendDurationMs": 0, "OriginSSLProtocol": "unknown", "OriginTCPHandshakeDurationMs": 0, "OriginTLSHandshakeDurationMs": 0, "CacheCacheStatus": "hit", "CacheTieredFill": false, "CacheResponseBytes": 3043, "CacheResponseStatus": 200, "ClientASN": 133481, "ClientCountry": "th", "ClientDeviceType": "desktop", "ClientIP": "1.2.3.4", "ClientIPClass": "noRecord", "ClientMTLSAuthCertFingerprint": "", "ClientMTLSAuthStatus": "unknown", "ClientSSLCipher": "AEAD-AES128-GCM-SHA256", "ClientSSLProtocol": "TLSv1.3", "ClientSrcPort": 12345, "ClientTCPRTTMs": 33, "ClientXRequestedWith": "", "ClientRequestBytes": 2168, "ClientRequestHost": "db-62.domain.org", "ClientRequestMethod": "GET", "ClientRequestPath": "/static/images/icons/_l.png", "ClientRequestProtocol": "HTTP/2", "ClientRequestReferer": "", "ClientRequestScheme": "https", "ClientRequestSource": "eyeball", "ClientRequestURI": "/static/images/icons/_l.png", "ClientRequestUserAgent": "danielsan", "EdgeCFConnectingO2O": false, "EdgeColoCode": "BKK", "EdgeColoID": 127, "EdgeEndTimestamp": "2020-08-29T14:07:57Z", "EdgePathingOp": "wl", "EdgePathingSrc": "macro", "EdgePathingStatus": "nr", "EdgeRateLimitAction": "", "EdgeRateLimitID": 0, "EdgeRequestHost": "db-62.domain.org", "EdgeResponseBodyBytes": 
1299, "EdgeResponseBytes": 2177, "EdgeResponseCompressionRatio": 1, "EdgeResponseContentType": "image/png", "EdgeResponseStatus": 200, "EdgeServerIP": "", "EdgeStartTimestamp": "2020-08-29T14:07:57Z", "EdgeTimeToFirstByteMs": 9, "FirewallMatchesActions": ["allow"], "FirewallMatchesRuleIDs": ["7basdfasdf8aa7603a18"], "FirewallMatchesSources": ["firewallRules"]}

And this is how the log would be parsed:

| Field | Value | Type | Extra field |
|---|---|---|---|
| eventdate | | timestamp | |
| hostname | | str | |
| ParentRayID | 02 | str | |
| RayID | 61232396d270d | str | |
| SecurityLevel | off | str | |
| SmartRouteColoID | 0 | int8 | |
| UpperTierColoID | 0 | int8 | |
| ZoneID | 123455 | int8 | |
| ZoneName | desktop-45.terry.net | str | |
| BotScoreSrc | Machine Learning | str | |
| BotScore | 98 | int8 | |
| WorkerCPUTime | 0 | int8 | |
| WorkerStatus | unknown | str | |
| WorkerSubrequest | false | bool | |
| WorkerSubrequestCount | 0 | int8 | |
| WAFAction | unknown | str | |
| WAFFlags | 0 | str | |
| WAFMatchedVar | null | str | |
| WAFProfile | unknown | str | |
| WAFRuleID | null | str | |
| WAFRuleMessage | null | str | |
| OriginResponseBytes | 0 | int8 | |
| OriginResponseDurationMs | 0 | int8 | |
| OriginResponseHTTPExpires | null | str | |
| OriginResponseHTTPLastModified | null | str | |
| OriginResponseHeaderReceiveDurationMs | 0 | int8 | |
| OriginResponseStatus | 0 | int8 | |
| OriginResponseTime | 0 | int8 | |
| OriginDNSResponseTimeMs | 0 | int8 | |
| OriginIP | null | str | |
| OriginRequestHeaderSendDurationMs | 0 | int8 | |
| OriginSSLProtocol | unknown | str | |
| OriginTCPHandshakeDurationMs | 0 | int8 | |
| OriginTLSHandshakeDurationMs | 0 | int8 | |
| CacheCacheStatus | hit | str | |
| CacheTieredFill | false | bool | |
| CacheResponseBytes | 3043 | int8 | |
| CacheResponseStatus | 200 | int8 | |
| ClientASN | 133481 | int8 | |
| ClientCountry | th | str | |
| ClientDeviceType | desktop | str | |
| ClientIP | 1.2.3.4 | str | |
| ClientIPClass | noRecord | str | |
| ClientMTLSAuthCertFingerprint | null | str | |
| ClientMTLSAuthStatus | unknown | str | |
| ClientSSLCipher | AEAD-AES128-GCM-SHA256 | str | |
| ClientSSLProtocol | TLSv1.3 | str | |
| ClientSrcPort | 12345 | int8 | |
| ClientTCPRTTMs | 33 | int8 | |
| ClientXRequestedWith | null | str | |
| ClientRequestBytes | 2168 | int8 | |
| ClientRequestHost | db-62.domain.org | str | |
| ClientRequestMethod | GET | str | |
| ClientRequestPath | /static/images/icons/_l.png | str | |
| ClientRequestProtocol | HTTP/2 | str | |
| ClientRequestReferer | null | str | |
| ClientRequestScheme | https | str | |
| ClientRequestSource | eyeball | str | |
| ClientRequestURI | /static/images/icons/_l.png | str | |
| ClientRequestUserAgent | danielsan | str | |
| EdgeCFConnectingO2O | false | bool | |
| EdgeColoCode | BKK | str | |
| EdgeColoID | 127 | int8 | |
| EdgeEndTimestamp | 2020-08-29T14:07:57Z | timestamp | |
| EdgePathingOp | wl | str | |
| EdgePathingSrc | macro | str | |
| EdgePathingStatus | nr | str | |
| EdgeRateLimitAction | null | str | |
| EdgeRateLimitID | 0 | int8 | |
| EdgeRequestHost | db-62.domain.org | str | |
| EdgeResponseBodyBytes | 1299 | int8 | |
| EdgeResponseBytes | 2177 | int8 | |
| EdgeResponseCompressionRatio | 1 | str | |
| EdgeResponseContentType | image/png | str | |
| EdgeResponseStatus | 200 | int8 | |
| EdgeServerIP | null | str | |
| EdgeStartTimestamp | 2020-08-29T14:07:57Z | timestamp | |
| EdgeTimeToFirstByteMs | 9 | int8 | |
| FirewallMatchesActions | ["allow"] | str | |
| FirewallMatchesRuleIDs | ["7basdfasdf8aa7603a18"] | str | |
| FirewallMatchesSources | ["firewallRules"] | str | |
| hostchain | | str | ✓ |
| tag | | str | ✓ |
| rawMessage | | str | ✓ |
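
The tag-to-table rules and the parsed values above matter when writing detections: empty strings in the log appear as null, and the list fields are typed str. The following is an added illustration, not code from this documentation or from the platform's parser; the function names are hypothetical and the normalisation rules are an assumption inferred from the parsed table.

```python
import json

# Trimmed copy of the sample log on this page (only a few of its fields kept).
SAMPLE = ('{"RayID": "61232396d270d", "BotScore": 98, "WorkerSubrequest": false, '
          '"WAFRuleID": "", "OriginIP": "", "ClientIP": "1.2.3.4", '
          '"FirewallMatchesActions": ["allow"], '
          '"FirewallMatchesSources": ["firewallRules"]}')

def data_table_for(tag):
    """Map a full tag to its data table, following the tag tables on this page."""
    levels = tag.split(".")
    if len(levels) != 4 or not all(levels):
        raise ValueError(f"tag must have 4 non-empty levels: {tag!r}")
    if levels[:3] != ["cloud", "cloudflare", "logpush"]:
        raise ValueError(f"not a cloud.cloudflare.logpush tag: {tag!r}")
    # Only the http subtype has its own table; other event types share one.
    if levels[3] == "http":
        return "cloud.cloudflare.logpush.http"
    return "cloud.cloudflare.logpush"

def parsed_row(raw):
    """Assumed normalisation, inferred from the parsed table: "" -> null,
    JSON arrays -> their text form (the list columns are typed str)."""
    row = {}
    for field, value in json.loads(raw).items():
        if value == "":
            row[field] = None
        elif isinstance(value, list):
            row[field] = json.dumps(value)
        else:
            row[field] = value
    return row

def firewall_actions(row):
    """Decode the str-typed list column so actions compare exactly."""
    text = row.get("FirewallMatchesActions")
    return json.loads(text) if text else []

if __name__ == "__main__":
    row = parsed_row(SAMPLE)
    print(data_table_for("cloud.cloudflare.logpush.http"))
    print(row["WAFRuleID"], row["FirewallMatchesActions"], firewall_actions(row))
```

A filter for requests with no WAF rule match therefore has to test WAFRuleID for null rather than for an empty string, and a filter on firewall actions has to treat the column as text or decode it first.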