The Cloudflare web application firewall (WAF) protects your internet property against malicious attacks that aim to exploit vulnerabilities such as SQL injection attacks, cross-site scripting, and cross-site forgery requests.

For an overview of Cloudflare logs, and the related S3 and Logpush configuration procedures, click here.

Setup

To send firewall event logs to Logz.io Cloud SIEM, you’ll first configure a Logpush job to send your Cloudflare data to a dedicated S3 bucket, then configure Logz.io to collect and ingest that data from the S3 bucket.

Prerequisites

Before you begin, ensure that you have:

  • Admin access to Cloudflare.
  • Enterprise account with Cloudflare.
  • Admin access to your AWS environment.
  • Configured an S3 bucket for your Cloudflare logs. To create an S3 bucket, see the instructions from Amazon.
  • Logs of your HTTP requests uploaded to Amazon S3.
  • Enabled the Cloudflare Logppush service for the assets you want to monitor in Cloudflare, via Analytics > Logs > Connect a service.
Configure Logpush to send logs to the S3 bucket

To configure Logpush to stream logs of Cloudflare’s datasets to your cloud service in batches, follow the Cloudflare procedure to enable the Logpush service to access Amazon S3.

For an overview of the Logpush service, click here

Configure Logz.io to collect logs from the S3 bucket.

Use our procedure to configure Logz.io to fetch logs from your S3 bucket.

Check Logz.io for your logs

Give your Cloudflare data some time to get from your system to ours, and then open Open Search Dashboards.

If you still don’t see your data, see log shipping troubleshooting.