cloudflare

This application has been developed and is supported by Cloudflare. In case of technical questions, please review the technical documentation for Cloudflare logs or email analytics@cloudflare.com.

The Cloudflare App provides a set of dashboards that make analyzing Cloudflare logs easy, helping you to understand events and trends from your websites and applications on the Cloudflare network. Logs are gathered from all 160+ Cloudflare data centers in near real-time and can be combined with other data sources, such as your origin data, to provide unique insights and help you improve the performance and security of your websites and applications.

Log types

The Cloudflare App uses HTTP request logs in JSON format gathered from all of the 160+ Cloudflare data centers. By default, timestamps are returned as Unix nanosecond integers. We recommend using the RFC 3339 format for sending logs to Sumo Logic. For a description of the fields available in the logs see link here.

Sample log messages

{
"ClientIP": "89.163.242.206",
"ClientRequestHost": "www.theburritobot.com",
"ClientRequestMethod": "GET",
"ClientRequestURI": "/static/img/testimonial-hipster.png",
"EdgeEndTimestamp": 2018-12-15T02:20:57Z,
"EdgeResponseBytes": 69045,
"EdgeResponseStatus": 200,
"EdgeStartTimestamp": 2018-12-15T02:20:57Z,
"RayID": "3a6050bcbe121a87"
}

Sample queries

The following log query is from the ‘Total Number of Requests’ panel in the ‘Cloudflare - Snapshot’ dashboard.

ClientCountry*
| json "EdgePathingSrc", "EdgePathingOp","EdgePathingStatus", "ClientCountry",
"ClientIP", "ClientDeviceType", "ClientRequestHost", "ClientRequestUserAgent",
"ClientRequestURI", "OriginResponseStatus", "EdgeResponseStatus", "OriginIP",
"ClientIPClass" as edge_pathing_src, edge_pathing_op, edge_pathing_status, client_country,
client_ip, client_device_type, client_request_host, client_request_user_agent,
client_request_uri, origin_response_status, edge_response_status, origin_ip, client_ip_class
| count

Collecting logs for Cloudflare

This section shows you how to set up a Hosted Collector and specify a Sumo Logic Source.

To send Cloudflare logs to Sumo Logic directly, you can follow the steps outlined below, or follow the guide in the Cloudflare documentation (Enable Logpush to Sumo Logic).

Cloudflare Logpush supports pushing logs directly to Sumo Logic via the Cloudflare dashboard or via API. Cloudflare can send logs to a Hosted Collector with HTTP Logs and Metrics as the source. Once you have set up a collector, you simply provide the HTTP Source Address (a unique URL) to which logs can be posted.

Ensure Log Share permissions are enabled in Cloudflare before attempting to read or configure a Logpush job. For more information, refer to the Roles section in Cloudflare documentation.

Configure a Hosted Collector

1. Follow the instructions to Configure a Hosted Collector and Source in Sumo Logic to start collecting logs.
2. Follow the instructions to Configure an HTTP Logs and Metrics Source.
3. Optional: To forward logs to Cloud SIEM, click +Add Field with the key _parser and value /Parsers/System/Cloudflare/Cloudflare Logpush
4. Click Advanced, if the settings are not already shown.
5. For Timestamp Format, select Specify a format and enter the following:
   • Format: yyyy-MM-dd'T'HH:mm:ss'Z'
   • Timestamp Locator: \"EdgeStartTimestamp\"\s*:\s*\"(.*)\"
6. Click Test. A Test Timestamp Parsing dialog appears.
7. Enter a sample log message in the Test Timestamp Parsing dialog, such as the following, and then click Test: "EdgeStartTimestamp":"2022-12-19T23:38:10Z". A dialog confirming that your timestamp format matched should appear.
8. Click Done and then click Save to save the timestamp parsing to the source.

Configure Logpush to Sumo Logic via the Cloudflare Dashboard

To enable the Cloudflare Logpush service:

1. Log in to the Cloudflare dashboard.
2. Select the Enterprise account or domain you want to use with Logpush.
3. Go to Analytics & Logs > Logs.
4. Click Add Logpush job. A modal window opens where you will need to complete several steps.
5. Select the dataset you want to push to a storage service.
6. Select the data fields to include in your logs. Add or remove fields later by modifying your settings in Logs > Logpush.
7. Select Sumo Logic.
8. Enter or select the HTTP Source Address. Note that the same collector can be used for multiple Logpush jobs, but each job must have a dedicated source.
9. Click Validate access.
10. Enter the Ownership token (included in a file or log Cloudflare sends to your provider) and click Prove ownership. To find the ownership token, click the Open button in the Overview tab of the ownership challenge file.
11. Click Save and Start Pushing to finish enabling Logpush.

Once connected, Cloudflare lists Sumo Logic as a connected service under Logs > Logpush. Edit or remove connected services from here.

Installing the Cloudflare app

To install the app, do the following:

1. From the Sumo Logic navigation, select App Catalog.
2. In the Search Apps field, search for and then select your app.
   Optionally, you can scroll down to preview the dashboards included with the app.
3. To install the app, click Install App.
4. Click Next in the Setup Data section.
5. In the Configure section of the respective app, complete the following fields.
   1. Key. Select either of these options for the data source.
      • Choose Source Category, and select a source category from the list for Default Value.
      • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
6. Click Next. You will be redirected to the Preview & Done section.

Your app will be installed in the Installed Apps folder and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query and received since the panel was created. Results will not immediately be available, updating with full graphs and charts over time.

Viewing Cloudflare dashboards

======= This section has instructions for installing the Cloudflare App for Sumo Logic.

Now that you've set up log and metric collection, you can install the Cloudflare App, and use its pre-configured searches and dashboards.

All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.

• You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times. Learn more.
• You can use template variables to drill down and examine the data on a granular level. For more information, see Filter with template variables.
• Most Next-Gen apps allow you to provide the scope at the installation time and are comprised of a key (_sourceCategory by default) and a default value for this key. Based on your input, the app dashboards will be parameterized with a dashboard variable, allowing you to change the dataset queried by all panels. This eliminates the need to create multiple copies of the same dashboard with different queries.

Snapshot

The Cloudflare - Snapshot dashboard provides an at-a-glance overview of the most important metrics from your websites and applications on the Cloudflare network. You can use dashboard filters to further slice and dice the information for granular analysis of events and trends.

Use this dashboard to:

• Monitor the most important web traffic metrics of your websites and applications on the Cloudflare network.
• View what countries and IPs your traffic is coming from and analyze the breakdown between mobile and desktop traffic, protocol, methods, and content types.

Reliability

The Cloudflare - Reliability dashboard provides insights on the availability of your websites and applications. Metrics include origin response error ratio, origin response status over time, percentage of 3xx/4xx/5xx errors over time, and more.

Use this dashboard to:

• Investigate errors on your websites and applications by viewing edge and origin response status codes.
• Further analyze errors based on status codes by countries, client IPs, hostnames, and other metrics.

Security (Overview)

The Cloudflare - Security (Overview) dashboard provides insights on threats to your websites and applications, including number of threats stopped, threats over time, top threat countries, and more.

Use this dashboard to:

• Monitor the most important security and threat metrics for your websites and applications.
• Fine tune and configure your IP firewall.

Security (WAF)

The Cloudflare - Security (WAF) dashboard provides insights on threat identification and mitigation by our Web Application Firewall (WAF), including events like SQL injections, XSS, and more.

Use this dashboard to:

• Understand attacks and WAF rules triggered to reveal vulnerabilities and false positives.
• Fine tune the WAF to target obvious threats and prevent false positives.

Security (Rate Limiting)

The Cloudflare - Security (Rate Limiting) dashboard provides insights on rate limiting protection against denial-of-service attacks, brute-force login attempts, and other types of abusive behavior targeted at your websites and applications.

Use this dashboard to:

• Investigate attacks by looking at rate limiting over time, top rate limit actions, top rate limit countries, top banned URIs, and top banned client IPs.
• Define thresholds or block client IP addresses to protect your website or application from malicious traffic.

Security (Bot Management)

The Cloudflare - Security (Bot Management) dashboard reliably detects and mitigates bad bots to prevent credential stuffing, spam registration, content scraping, click fraud, inventory hoarding, and other malicious activities.

To get bot requests identified correctly, use only one Filter Based Firewall rule with action "Challenge (Captcha)". For more information, see the Cloudflare documentation.

Use this dashboard to:

• Investigate bot activity on your website to prevent content scraping, checkout fraud, spam registration and other malicious activities.
• Use insight to tune Cloudflare to prevent bots from excessive usage and abuse across websites, applications, and API endpoints.

Performance (Requests, Bandwidth, Cache)

The Cloudflare - Performance (Requests, Bandwidth, Cache) dashboard identifies and addresses performance issues and caching misconfigurations. Metrics include total vs. cached bandwidth, saved bandwidth, total requests, cache ratio, top uncached requests, and more.

Use this dashboard to:

• Monitor caching behavior and identify misconfigurations.
• Improve configuration and caching ratio.

Performance (Hostname, Content Type, Request Methods, Connection Type)

The Cloudflare - Performance (Hostname, Content Type, Request Methods, Connection Type) dashboard provides insights into your most popular hostnames, most requested content types, breakdown of request methods, and connection type.

Use this dashboard to:

• Review the most requested content types, popular hostnames, and top triggered methods and TLS protocols.
• Compare these metrics over time and in requests per second.

Performance (Static vs. Dynamic Content)

The Cloudflare - Performance (Static vs. Dynamic Content) dashboard provides insights into the performance of your static and dynamic content, including slowest URLs.

Use this dashboard to:

• Compare your static and dynamic content performance.
• Investigate the cause of slow requested URLs in order to improve performance.