Cloudflare Firewall (WAF) Logs

Cloudflare Firewall logs provide detailed information about actions taken by Cloudflare’s WAF on traffic to your services behind Cloudflare.

These logs capture data such as the action the Cloudflare Firewall took on a request, the ID of the rule that was triggered, the client IP, the request URL, the response status code, and the request method (GET, POST, etc.).

Ingest Methods

Set up ingestion of this source using one of the following guides.

If you are using an AWS S3 bucket, send your bucket notifications to the following SNS topic ARN, replacing <REGION> with the appropriate AWS region.

arn:aws:sns:<REGION>:253602268883:runreveal_cf_firewall
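One way to build the bucket notification for the ARN above without dropping notifications the bucket already has (an added example, not RunReveal's or Cloudflare's own code). The `s3:ObjectCreated:*` event type, the `cf-firewall/` prefix, the `runreveal-cf-firewall` entry Id and the sample bucket configuration are assumptions made for illustration.

```python
import copy
import re

RUNREVEAL_ACCOUNT = "253602268883"      # account ID from the ARN on this page
TOPIC_NAME = "runreveal_cf_firewall"    # topic name from the ARN on this page
CONFIG_ID = "runreveal-cf-firewall"     # hypothetical Id for the entry we add


def topic_arn(region: str) -> str:
    """Fill the <REGION> placeholder; S3 needs the topic in the bucket's own region."""
    if not re.fullmatch(r"[a-z]{2}(-[a-z]+)+-\d", region):
        raise ValueError(f"not an AWS region name: {region!r}")
    return f"arn:aws:sns:{region}:{RUNREVEAL_ACCOUNT}:{TOPIC_NAME}"


def merge_notification(existing: dict, region: str, prefix: str = "") -> dict:
    """Return a new notification config with the RunReveal topic entry added.

    PutBucketNotificationConfiguration replaces the whole configuration, so the
    entries already on the bucket are carried over rather than silently removed.
    """
    cfg = copy.deepcopy(existing)
    cfg.pop("ResponseMetadata", None)   # present in boto3 GET responses, rejected on PUT
    arn = topic_arn(region)
    entry = {"Id": CONFIG_ID, "TopicArn": arn, "Events": ["s3:ObjectCreated:*"]}
    if prefix:                          # assumed: notify only for the Logpush destination path
        entry["Filter"] = {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}}
    # Drop any earlier entry for the same topic so repeated runs stay idempotent.
    topics = [t for t in cfg.get("TopicConfigurations", []) if t.get("TopicArn") != arn]
    cfg["TopicConfigurations"] = topics + [entry]
    return cfg


# Constructed sample: a bucket that already notifies an unrelated Lambda function.
SAMPLE_EXISTING = {
    "ResponseMetadata": {"HTTPStatusCode": 200},
    "LambdaFunctionConfigurations": [{
        "Id": "existing-consumer",
        "LambdaFunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:example",
        "Events": ["s3:ObjectCreated:*"],
    }],
}

if __name__ == "__main__":
    import json
    print(json.dumps(merge_notification(SAMPLE_EXISTING, "us-east-1", "cf-firewall/"), indent=2))
    # With boto3 (not imported here): read the current config with
    # s3.get_bucket_notification_configuration(Bucket=...), merge it, then write it with
    # s3.put_bucket_notification_configuration(Bucket=..., NotificationConfiguration=merged).
```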

Setup

Setting up Cloudflare Firewall logs requires the use of Cloudflare Logpush.

Navigate to the Logpush setup page in your Cloudflare account and create a new Logpush job that sends your HTTP logs to your storage bucket.

Once the job is created, Cloudflare will begin pushing logs to your bucket and RunReveal will start ingesting them.