CloudFlare LogPush
This document describes configuring and receiving LogPush logs to Guance. Currently supported data types are:
- HTTP Requests
- DNS Logs
When configuring the HTTP Destination, three request parameters must be provided: - source: Data source tag (supports http_requests or dns_logs) - service: Service tag (recommended: domain name, e.g., service=domain.com) - token: Authentication token.
HTTP Requests¶
HTTP request logs. Configure the target URL with source=http_requests.
Creating a Job¶
- Log in to Cloudflare Dashboard → Select target domain → Navigate to
Analytics & Logs→ ClickAdd Logpush Job. - Select dataset:
HTTP Requests. - Configure destination:
HTTP Destination. - Enter URL:
https://<endpoint>/v1/write/cf-logpush?source=http_requests&domain=<domain.com>&token=tkn_abcxxx - Job name: Any valid format.
- Fields to send: Users can customize their choices, and any field that is not empty will be parsed into a field.
- Advanced options: Set timestamp format to unitnano.
Note:
- The URL must include source, domain, and token for data filtering.
- Timestamps must use unitnano.
Supported Fields(part of fields):
| Cloudflare Field | Target Field | Description |
|---|---|---|
| ClientIP | ClientIP | client ip |
| EdgeResponseStatus | EdgeResponseStatus | HTTP status code returned by Cloudflare to the client. |
| - | duration | request duration,nano |
| - | country | country name |
| RayID | RayID | Identifier of the request |
| ClientCity | ClientCity | Approximate city of the client. |
| ClientCountry | ClientCountry | 2-letter ISO-3166 country code of the client IP address. |
| ClientRegionCode | ClientRegionCode | The ISO-3166-2 region code of the client IP address. |
| ClientRequestHost | ClientRequestHost | Host requested by the client. |
| ClientRequestMethod | ClientRequestMethod | HTTP method of client request. |
| ClientRequestURI | ClientRequestURI | URI requested by the client. |
| ClientDeviceType | ClientDeviceType | Client device type |
| ClientRequestBytes | ClientRequestBytes | Number of bytes in the client request. |
| ClientRequestPath | ClientRequestPath | URI path requested by the client. |
| ClientRequestProtocol | ClientRequestProtocol | HTTP protocol of client request. |
| ClientRequestScheme | ClientRequestScheme | The URL scheme requested by the visitor. |
| ClientRequestUserAgent | ClientRequestUserAgent | User agent reported by the client. |
| EdgeTimeToFirstByteMs | EdgeTimeToFirstByteMs | Total view of Time To First Byte as measured at Cloudflare's edge. |
| EdgeResponseBodyBytes | EdgeResponseBodyBytes | Size of the HTTP response body returned to clients. |
| EdgeResponseBytes | EdgeResponseBytes | Number of bytes returned by the edge to the client. |
| - | message | log json |
DNS Logs¶
Similar steps to HTTP, but configure source=dns_logs in the target URL.
Creating a Job¶
- Log in to Cloudflare Dashboard → Select target domain → Navigate to
Analytics & Logs→ ClickAdd Logpush Job. - Select dataset: DNS Logs.
- Configure destination: HTTP Destination.
- Enter URL:
https://<endpoint>/v1/write/cf-logpush?source=dns_logs&domain=<domain.com>&token=tkn_abcxxx - Job name: Any valid format.
- Fields to send: See supported fields below.
- Advanced options: Set timestamp format to nanosecond unit.
Note:
- The URL must include source, domain, and token.
- Timestamps must use nanosecond units.
Supported Fields:
| Cloudflare Field | Target Field | Description |
|---|---|---|
| ColoCode | ColoCode | IATA airport code of the data center that received the request. |
| EDNSSubnet | EDNSSubnet | IPv4 or IPv6 address information corresponding to the EDNS Client Subnet (ECS) forwarded by recursive resolvers. Not all resolvers send this information. |
| EDNSSubnetLength | EDNSSubnetLength | Size of the EDNS Client Subnet (ECS) in bits. For example, if the last octet of an IPv4 address is omitted (192.0.2.x.), the subnet length will be 24. |
| QueryName | QueryName | Name of the query that was sent. |
| QueryType | QueryType | Integer value of query type. For more information refer to Query type |
| - | query_type | String value of query type:A,AAAA,NS,CNAME,SOA,PTR,MX,TXT,DNSKEY,HTTPS.other is "unknown" |
| ResponseCached | ResponseCached | Whether the response was cached or not. |
| ResponseCode | ResponseCode | Integer value of response code. For more information refer to Response code ↗. |
| SourceIP | SourceIP | IP address of the client (IPv4 or IPv6). |
| Timestamp | time_ns | Timestamp at which the query occurred. |
Additional Notes¶
- Sampling recommended: Enable sampling to manage data volume.
- Field customization: Use pipelines to add/modify/remove fields.
- API configuration: Jobs can be created/modified: LogPush API