Collect Cloudflare WAF logs
This document describes how you can collect Cloudflare WAF logs by setting up a Google Security Operations feed.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data
to structured UDM format. The information in this document applies to the parser with the CLOUDFLARE_WAF
ingestion label.
Configure Cloudflare WAF using the API
Before you configure the feed, collect the following values; Google Security Operations uses them to authenticate to the Cloudflare API:
Auth email - the Cloudflare account email address.
Auth key - the Cloudflare API token created in the steps below. Treat it as a secret.
Zone ID - the Cloudflare zone ID.
To obtain the Zone ID and create the API token, perform the following steps:
- Sign in to the Cloudflare dashboard.
- Click the website that needs to be monitored. The Zone ID is shown in the API section of the zone's Overview page; copy it for the feed configuration.
- Click Get your API key to get Auth Key.
- Select API Token.
- Click Create Token.
- Provide the following values in the Create Token page:
- In the Token name field, provide the token name.
- In the Permissions section, do the following:
- Select Zone, Logs, and Read in the first, second, and third lists, respectively.
- Click Add more. Select Zone, Analytics, and Read in the first, second, and third lists, respectively.
- Click Add more. Select Zone, Firewall Services, and Read in the first, second, and third lists, respectively.
- In the Zone Resources section, select Include and All zones in the first and second lists, respectively. To limit the token to the zone being monitored, select Specific zone instead and choose that zone; the token then grants read access to nothing else.
- Click Continue to Summary.
- Click Create Token.
- Copy the displayed token; Cloudflare shows it only once. It is the Auth key value required to configure the Google Security Operations feed.
Configure Cloudflare WAF using the Cloudflare dashboard
- Sign in to the Cloudflare dashboard.
- Click the website that needs to be monitored.
- Go to Analytics & Logs > Logpush.
- Select Create a Logpush job.
- In Select a destination, choose Google Cloud Storage.
- Enter or select the following destination details:
- Bucket - Google Cloud bucket name
- Path - bucket location within the storage container
- Organize logs into daily subfolders (recommended)
- For Grant Cloudflare access to upload files to your bucket, grant Cloudflare's Logpush service account (logpush@cloudflare-data.iam.gserviceaccount.com) the Storage Object Admin role on this bucket. Grant the role on the bucket rather than on the project, so that Cloudflare can write objects only to the Logpush destination.
- When you are done entering the destination details, select Continue.
- To prove ownership, Cloudflare sends a challenge file to the destination you entered. Open that file in the bucket (the Open button in the object's Overview tab), copy the token it contains, paste it into the Ownership Token field in the Cloudflare dashboard to verify your access to the bucket, and select Continue.
- Select the dataset to push to the storage service. For the CLOUDFLARE_WAF parser, select Firewall events; its fields are the ones listed in the field mapping reference below.
- Configure your Logpush job:
- Enter the Job name.
- In If logs match, optionally add a filter so that only matching events are pushed. Not all datasets have this option.
- In Send the following fields, push all fields or choose a subset. If you choose a subset, keep at least the fields listed in the field mapping reference below, because those are the fields the parser reads.
- Select Submit once you are done configuring your Logpush job.
Configure a feed in Google Security Operations to ingest Cloudflare WAF logs
- From the Google Security Operations menu, select Settings, and then click Feeds.
- Click Add New.
- Select Google Cloud Storage for Source Type.
- Select Cloudflare WAF as the Log Type to create a feed for Cloudflare WAF.
- Click Get Service Account. Google Security Operations displays the unique service account it uses to read objects from your bucket.
- Grant that service account read access to the Cloud Storage objects, and delete permission only if you intend to enable the source deletion option below. For more information, see Grant access to the Google Security Operations service account.
- Click Next.
- Configure the following input parameters:
- Storage bucket URI - the Cloud Storage URL of the Logpush destination, in the form gs://<bucket>/<path>.
- URI is a - whether the URI points to a single file, a directory, or a directory that includes subdirectories. If you enabled daily subfolders in the Logpush job, select the option that includes subdirectories.
- Source deletion option - whether objects are deleted from the bucket after they are ingested. Deletion requires the service account to have delete permission on the objects; leaving the objects in place keeps a raw copy for later forensic review.
- Click Next and then click Submit.
For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type.
If you encounter issues when you create feeds, contact Google Security Operations support.
Field mapping reference
This parser extracts fields from Cloudflare Web Application Firewall (WAF) JSON logs, transforming them into the Unified Data Model (UDM). It handles various log fields, including network information, HTTP details, security results, and metadata, mapping them to corresponding UDM fields for consistent representation and analysis within Google Security Operations.
UDM mapping table
Log Field | UDM Mapping | Logic |
---|---|---|
Action | security_result.action_details | The raw log "Action" field value is mapped to security_result.action_details . |
Action | security_result.action | The security_result.action field is derived based on the value of the "Action" field. "allow" maps to ALLOW. "challengeSolved", "jschallengeSolved", "managedchallengenoninteractivesolved", and "managedchallengeinteractivesolved" map to ALLOW_WITH_MODIFICATION. "drop", "block", and "connectionclose" map to BLOCK. "challengefailed" and "jschallengefailed" map to FAIL. Any other non-empty value or "unknown" maps to UNKNOWN_ACTION. |
ClientASN | network.asn | The raw log "ClientASN" field value is converted to a string and mapped to network.asn . |
ClientASNDescription | additional.fields.key | Set to "ClientASNDescription". |
ClientASNDescription | additional.fields.value.string_value | The raw log "ClientASNDescription" field value is mapped to additional.fields.value.string_value . |
ClientCountry | principal.location.country_or_region | The raw log "ClientCountry" field value is mapped to principal.location.country_or_region . |
ClientIP | principal.ip | The raw log "ClientIP" field value is mapped to principal.ip . |
ClientRefererHost | intermediary.hostname | The raw log "ClientRefererHost" field value is mapped to intermediary.hostname . |
ClientRefererPath | network.http.referral_url | The raw log "ClientRefererPath" field value is mapped to network.http.referral_url . |
ClientRequestMethod | network.http.method | The raw log "ClientRequestMethod" field value is mapped to network.http.method . |
ClientRequestHost | target.hostname | The raw log "ClientRequestHost" field value is mapped to target.hostname . |
ClientRequestPath | target.file.full_path | The raw log "ClientRequestPath" field value is mapped to target.file.full_path if it's not empty or "/". |
ClientRequestProtocol | network.application_protocol | The protocol part of the "ClientRequestProtocol" field value (e.g., "HTTP" from "HTTP/1.1") is extracted, converted to uppercase, and mapped to network.application_protocol . |
ClientRequestUserAgent | network.http.user_agent | The raw log "ClientRequestUserAgent" field value is mapped to network.http.user_agent . |
Datetime | metadata.event_timestamp | The raw log "Datetime" field value is parsed as an RFC 3339 timestamp and mapped to metadata.event_timestamp . |
EdgeColoCode | additional.fields.key | Set to "EdgeColoCode". |
EdgeColoCode | additional.fields.value.string_value | The raw log "EdgeColoCode" field value is mapped to additional.fields.value.string_value . |
EdgeResponseStatus | network.http.response_code | The raw log "EdgeResponseStatus" field value is converted to an integer and mapped to network.http.response_code . |
Kind | metadata.product_event_type | The raw log "Kind" field value is mapped to metadata.product_event_type . |
Metadata.filter | target.resource.attribute.labels.key | Set to "Metadata filter". |
Metadata.filter | target.resource.attribute.labels.value | The raw log "Metadata.filter" field value is mapped to target.resource.attribute.labels.value . |
Metadata.type | target.resource.attribute.labels.key | Set to "Metadata type". |
Metadata.type | target.resource.attribute.labels.value | The raw log "Metadata.type" field value is mapped to target.resource.attribute.labels.value . |
RayID | metadata.product_log_id | The raw log "RayID" field value is mapped to metadata.product_log_id . |
RuleID | security_result.rule_id | The raw log "RuleID" field value is mapped to security_result.rule_id . |
Source | security_result.rule_name | The raw log "Source" field value is mapped to security_result.rule_name . |
N/A | metadata.vendor_name | Hardcoded to "Cloudflare". |
N/A | metadata.product_name | Hardcoded to "Cloudflare log Aggregator". |
N/A | metadata.log_type | Hardcoded to "CLOUDFLARE_WAF". |
N/A | metadata.event_type | Determined by the parser logic based on the presence of "ClientIP", "ClientRequestHost", and the value of "app_protocol". Possible values are NETWORK_HTTP, NETWORK_CONNECTION, STATUS_UPDATE, and GENERIC_EVENT. |
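The mapping table above describes the parser's logic in prose. The following Python script is an added example, not the CLOUDFLARE_WAF parser or any Google or Cloudflare code. It re-implements the table's rules (the Action mapping, the protocol and path handling, the RFC 3339 timestamp, the hardcoded metadata and the additional.fields and label entries) over two constructed firewall_events lines, so that the mapping can be checked offline, for instance when deciding which fields to keep in the Logpush job. The sample records, the case-insensitive Action lookup, and the precedence used to choose metadata.event_type are assumptions: the table states the inputs and the possible values for event_type but not the order in which they are tested.

```python
import json
from datetime import datetime, timezone

# Constructed firewall_events records (one JSON object per line, as Logpush writes them);
# the IPs, ASNs, Ray IDs and rule IDs are placeholders, not captured values.
SAMPLE_LOGS = [json.dumps(r) for r in (
    {"Action": "block", "ClientASN": 64496, "ClientASNDescription": "EXAMPLE-AS",
     "ClientCountry": "nl", "ClientIP": "198.51.100.23", "ClientRefererHost": "",
     "ClientRefererPath": "", "ClientRequestHost": "shop.example.com",
     "ClientRequestMethod": "POST", "ClientRequestPath": "/wp-login.php",
     "ClientRequestProtocol": "HTTP/1.1", "ClientRequestUserAgent": "curl/8.4.0",
     "Datetime": "2023-08-30T12:34:56Z", "EdgeColoCode": "AMS", "EdgeResponseStatus": 403,
     "Kind": "firewall", "Metadata": {"filter": "id:abc", "type": "managed"},
     "RayID": "80f0e1d2c3b4a596", "RuleID": "100001", "Source": "firewallmanaged"},
    {"Action": "managedChallengeInteractiveSolved", "ClientASN": 64497, "ClientCountry": "us",
     "ClientIP": "203.0.113.9", "ClientRequestHost": "shop.example.com",
     "ClientRequestMethod": "GET", "ClientRequestPath": "/", "ClientRequestProtocol": "HTTP/2",
     "Datetime": "2023-08-30T12:35:10Z", "EdgeResponseStatus": 200, "Kind": "firewall",
     "RayID": "80f0e1d2c3b4a5a0", "RuleID": "abc123", "Source": "waf"},
)]

# Action -> security_result.action per the table; lower-casing the lookup is an assumption.
ACTION_MAP = {
    "allow": "ALLOW",
    **dict.fromkeys(("challengesolved", "jschallengesolved", "managedchallengenoninteractivesolved",
                     "managedchallengeinteractivesolved"), "ALLOW_WITH_MODIFICATION"),
    **dict.fromkeys(("drop", "block", "connectionclose"), "BLOCK"),
    **dict.fromkeys(("challengefailed", "jschallengefailed"), "FAIL"),
}

def map_action(action):
    """Empty Action leaves security_result.action unset; anything unlisted is UNKNOWN_ACTION."""
    value = (action or "").strip().lower()
    return ACTION_MAP.get(value, "UNKNOWN_ACTION") if value else None

def app_protocol(client_request_protocol):
    """'HTTP/1.1' -> 'HTTP': the part before the slash, upper-cased; None when absent."""
    return client_request_protocol.split("/", 1)[0].upper() if client_request_protocol else None

def parse_rfc3339(value):
    """Cloudflare's RFC 3339 Datetime -> aware UTC datetime (a 'Z' suffix is rewritten
    because datetime.fromisoformat() accepts it only from Python 3.11 on)."""
    value = value[:-1] + "+00:00" if value.endswith("Z") else value
    return datetime.fromisoformat(value).astimezone(timezone.utc)

def event_type(client_ip, request_host, protocol):
    """Assumed precedence for metadata.event_type; the table names only the inputs."""
    if not client_ip:
        return "GENERIC_EVENT"
    if not request_host:
        return "STATUS_UPDATE"
    return "NETWORK_HTTP" if protocol == "HTTP" else "NETWORK_CONNECTION"

def put(obj, dotted, value):
    """Set a nested key; None and "" are skipped so the event carries no empty fields."""
    if value is None or value == "":
        return
    *parents, leaf = dotted.split(".")
    for part in parents:
        obj = obj.setdefault(part, {})
    obj[leaf] = value

def normalize(line):
    """Map one Logpush firewall_events JSON line to a UDM-shaped dict."""
    raw = json.loads(line)
    proto = app_protocol(raw.get("ClientRequestProtocol"))
    udm = {"metadata": {"vendor_name": "Cloudflare", "product_name": "Cloudflare log Aggregator",
                        "log_type": "CLOUDFLARE_WAF"}}
    put(udm, "metadata.event_type", event_type(raw.get("ClientIP"), raw.get("ClientRequestHost"), proto))
    put(udm, "metadata.event_timestamp", parse_rfc3339(raw["Datetime"]) if raw.get("Datetime") else None)
    put(udm, "metadata.product_event_type", raw.get("Kind"))
    put(udm, "metadata.product_log_id", raw.get("RayID"))
    put(udm, "principal.ip", raw.get("ClientIP"))
    put(udm, "principal.location.country_or_region", raw.get("ClientCountry"))
    put(udm, "target.hostname", raw.get("ClientRequestHost"))
    req_path = raw.get("ClientRequestPath")
    put(udm, "target.file.full_path", req_path if req_path != "/" else None)  # table drops "/"
    put(udm, "intermediary.hostname", raw.get("ClientRefererHost"))
    put(udm, "network.http.referral_url", raw.get("ClientRefererPath"))
    put(udm, "network.http.method", raw.get("ClientRequestMethod"))
    put(udm, "network.http.user_agent", raw.get("ClientRequestUserAgent"))
    put(udm, "network.application_protocol", proto)
    asn, status = raw.get("ClientASN"), raw.get("EdgeResponseStatus")
    put(udm, "network.asn", None if asn is None else str(asn))  # UDM carries asn as a string
    put(udm, "network.http.response_code", None if status is None else int(status))
    put(udm, "security_result.action_details", raw.get("Action"))
    put(udm, "security_result.action", map_action(raw.get("Action")))
    put(udm, "security_result.rule_id", raw.get("RuleID"))
    put(udm, "security_result.rule_name", raw.get("Source"))
    for key in ("ClientASNDescription", "EdgeColoCode"):  # additional.fields key/value pairs
        if raw.get(key):
            udm.setdefault("additional", {}).setdefault("fields", []).append(
                {"key": key, "value": {"string_value": raw[key]}})
    meta = raw.get("Metadata") or {}
    labels = [{"key": f"Metadata {k}", "value": meta[k]} for k in ("filter", "type") if meta.get(k)]
    put(udm, "target.resource.attribute.labels", labels or None)
    return udm

if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        print(json.dumps(normalize(sample), indent=2, default=str))
```

Running the script prints the two normalized events. The put() helper drops None and empty strings, which is why the first sample yields no intermediary.hostname: its ClientRefererHost is empty. If a field you expect is missing from the normalized output, compare the Logpush job's field selection against the table before suspecting the parser.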
Changes
2023-08-30
- Initialized field "ClientRequestPath".
2023-02-02
- Validated the security_result value before it is merged into the event.
2022-09-16
- Mapped the field 'Action' to 'security_result.action_details'.
- Mapped 'security_result.action' to 'ALLOW_WITH_MODIFICATION' when action contains "challengeSolved", "jschallengeSolved", "managedchallengenoninteractivesolved", "managedchallengeinteractivesolved".
- Mapped 'security_result.action' to 'BLOCK' when action contains "drop", "block", "connectionclose".
- Mapped 'security_result.action' to 'FAIL' when action contains "challengefailed", "jschallengefailed".
2022-07-25
- Newly created parser.