Document toolboxDocument toolbox

cdn.cloudflare

Owned by Former user (Deleted)
Last updated: Oct 23, 2024 by Borja Moro Moreno
2 min read
[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

Tags beginning with cdn.cloudflare identify events generated by Cloudfare.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as cdn.cloudfare. The third level identifies the type of events sent, and the fourth level indicates the event subtype. 

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

Product / Service

Tags

Data tables

Cloudflare

cdn.cloudflare.audit.events

cdn.cloudflare.audit.events

cdn.cloudflare.firewall.samples

cdn.cloudflare.firewall.samples

cdn.cloudflare.waf.events

cdn.cloudflare.waf.events

For more information, read more about Devo tags.

Table structure

These are the fields displayed in these tables:

cdn.cloudflare.audit.events

Field

Type

Field transformation

Source field name

Extra fields

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

 

hostname

str

 

 

 

ENTITY_ID

str

 

 

 

id

str

 

 

 

action__info

str

 

 

 

action__type

str

 

 

 

action__result

bool

 

 

 

actor__id

str

 

 

 

actor__email

str

 

 

 

actor__type

str

 

 

 

actor__ip

ip4

 

 

 

actor__ip_ipv6

ip6

 

 

 

newValue

str

 

 

 

new_value_comment

str

 

 

 

new_value_content

str

 

 

 

new_value_id

str

 

 

 

new_value_name

str

 

 

 

new_value_proxied

bool

 

 

 

new_value_tags

str

 

 

 

new_value_ttl

int4

 

 

 

new_value_type

str

 

 

 

new_value_zone_id

str

 

 

 

new_value_zone_name

str

 

 

 

oldValue

str

 

 

 

owner__id

str

 

 

 

resource__id

str

 

 

 

resource__type

str

 

 

 

interface

str

 

 

 

metadata__zone_name

str

 

 

 

metadata__zone_tag

str

 

 

 

metadata__type

str

 

 

 

metadata__name

str

 

 

 

metadata__value

str

 

 

 

when

timestamp

parsedate(when_tmp, when_fmt, "UTC")

when_tmp

when_fmt

 

hostchain

str

 

 

✓

tag

str

 

 

✓

rawMessage

str

 

 

✓

cdn.cloudflare.firewall.samples

Field

Type

Field transformation

Source field name

Extra fields

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

 

hostname

str

 

 

 

zone_tag

str

 

 

 

action

str

 

 

 

clientASN

str

 

 

 

clientASNDescription

str

 

 

 

clientCountryName

str

 

 

 

clientIP

str

 

 

 

clientIP4

ip4

ip4(clientIP)

clientIP

 

clientIP_v6

ip6

ifthenelse(isnull(clientIP4) and not isnull(clientIP), ip6(clientIP), null)

clientIP

clientIP4

 

clientIPClass

str

 

 

 

clientRefererHost

str

 

 

 

clientRefererPath

str

 

 

 

clientRefererQuery

str

 

 

 

clientRefererScheme

str

 

 

 

clientRequestHTTPHost

str

 

 

 

clientRequestHTTPMethodName

str

 

 

 

clientRequestHTTPProtocol

str

 

 

 

clientRequestPath

str

 

 

 

clientRequestQuery

str

 

 

 

clientRequestScheme

str

 

 

 

datetime

timestamp

 

 

 

edgeColoName

str

 

 

 

edgeResponseStatus

int4

 

 

 

kind

str

 

 

 

matchIndex

int4

 

 

 

originResponseStatus

int4

 

 

 

originatorRayName

str

 

 

 

rayName

str

 

 

 

ruleId

str

 

 

 

source

str

 

 

 

userAgent

str

 

 

 

hostchain

str

 

 

✓

tag

str

 

 

✓

rawMessage

str

 

 

✓

cdn.cloudflare.waf.events

Field

Type

Field transformation

Source field name

Extra fields

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

 

hostname

str

 

 

 

zone_tag

str

 

 

 

ClientASN

int4

 

 

 

ClientCountry

str

 

 

 

ClientDeviceType

str

 

 

 

ClientIP

ip4

 

 

 

ClientIPClass

str

 

 

 

ClientRequestBytes

int4

 

 

 

ClientRequestHost

str

 

 

 

ClientRequestMethod

str

 

 

 

ClientRequestPath

str

 

 

 

ClientRequestProtocol

str

 

 

 

ClientRequestReferer

str

 

 

 

ClientRequestURI

str

 

 

 

ClientRequestUserAgent

str

 

 

 

ClientSSLCipher

str

 

 

 

ClientSSLProtocol

str

 

 

 

ClientSrcPort

int4

 

 

 

ClientXRequestedWith

str

 

 

 

Description

str

 

 

 

EdgeColoCode

str

 

 

 

EdgeColoID

int4

 

 

 

EdgeEndTimestamp

int8

 

 

 

EdgePathingOp

str

 

 

 

EdgePathingSrc

str

 

 

 

EdgePathingStatus

str

 

 

 

EdgeRateLimitAction

str

 

 

 

EdgeRateLimitID

int4

 

 

 

EdgeRequestHost

str

 

 

 

EdgeResponseBytes

int4

 

 

 

EdgeResponseCompressionRatio

float8

 

 

 

EdgeResponseContentType

str

 

 

 

EdgeResponseStatus

int4

 

 

 

EdgeServerIP

str

 

 

 

FirewallMatchesActions_str

str

FirewallMatchesActions

 

FirewallMatchesRuleIDs_str

str

FirewallMatchesRuleIDs

 

FirewallMatchesSources_str

str

FirewallMatchesSources

 

OriginIP

str

 

 

 

OriginResponseBytes

int4

 

 

 

OriginResponseHTTPExpires

str

 

 

 

OriginResponseHTTPLastModified

str

 

 

 

OriginResponseStatus

int4

 

 

 

OriginResponseTime

int4

 

 

 

OriginSSLProtocol

str

 

 

 

ParentRayID

str

 

 

 

RayID

str

 

 

 

Ref

str

 

 

 

SecurityLevel

str

 

 

 

WAFAction

str

 

 

 

WAFFlags

str

 

 

 

WAFMatchedVar

str

 

 

 

WAFProfile

str

 

 

 

WAFRuleID

str

 

 

 

WAFRuleMessage

str

 

 

 

ZoneID

int8

 

 

 

at_devo_collector_version

int4

 

 

 

at_devo_source_id

str

 

 

 

at_devo_project_id

str

 

 

 

at_devo_retrieving_timestamp

timestamp

 

 

 

hostchain

str

 

 

✓

tag

str

 

 

✓

rawMessage

str

 

 

✓