Cloudflare Gateway HTTP
Cloudflare Gateway HTTP logs capture details of HTTP and HTTPS requests made through Cloudflare’s secure web gateway. These logs include information such as the URLs accessed, the IP addresses of the requestors, HTTP methods used, and the response codes. They are valuable for monitoring web traffic, enforcing security and content filtering policies, detecting malicious or suspicious activity, and ensuring compliance with organizational web usage policies.
Ingest Methods
Set up the ingestion of this source using one of the following guides.
- AWS S3 Bucket
- AWS S3 Bucket with Custom SQS
- Azure Blob Storage
- Google Cloud Storage
- Cloudflare R2 Bucket
If using an AWS S3 bucket, use the following SNS topic ARN to send your bucket notifications.
arn:aws:sns:<REGION>:253602268883:runreveal_cf_gateway_http
SNS topic & Custom SQS. Use the ARN above in your event notification tied to your S3 bucket—the topic name must match (runreveal_…; hyphens in the source id become underscores). For Custom SQS, set the queue URL and region in RunReveal; see AWS S3 Bucket with Custom SQS.
Note: BYOC, On-Prem, and BYODB customers must use their AWS account ID in the ARN instead of 253602268883.
Setup
Setting up Cloudflare Gateway HTTP logs requires the use of Cloudflare Logpush.
Navigate to the Logpush setup page in your Cloudflare account and create a new Logpush job that sends Gateway HTTP logs to your storage bucket.
Once the job is created, Cloudflare will begin to push logs to your bucket and RunReveal will start to ingest them.
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: cf_gateway_http_logs (67 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | LowCardinality(String) |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| readOnly | Bool |

| Column | Type |
|---|---|
| rawLog | String |
| AccountID | String |
| Action | String |
| BlockedFileHash | String |
| BlockedFileName | String |
| BlockedFileReason | String |
| BlockedFileSize | Int64 |
| Datetime | String |
| DestinationIP | String |
| DestinationPort | Int64 |
| DeviceID | String |
| DeviceName | String |
| DownloadedFileNames | Array(String) |
| Email | String |
| FileInfo | String |
| HTTPHost | String |
| HTTPMethod | String |
| HTTPStatusCode | Int64 |
| HTTPVersion | String |
| IsIsolated | UInt8 |
| PolicyID | String |
| PolicyName | String |
| Referer | String |
| RequestID | String |
| SessionID | String |
| SourceInternalIP | String |
| SourceIP | String |
| SourcePort | Int64 |
| UntrustedCertificateAction | String |
| UploadedFileNames | Array(String) |
| URL | String |
| UserAgent | String |
| UserID | String |
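
A starting point for detection work on this table, as an added example that is not part of RunReveal's own documentation: the query summarizes blocked file transfers per user, device and policy over the last 24 hours. It assumes a ClickHouse SQL dialect (suggested by the column types above), that the BlockedFile* columns are empty strings when nothing was blocked, and an arbitrary threshold of three events.

```sql
-- Added example: repeated blocked file transfers per user/device/policy.
-- Assumptions (not stated on the page): ClickHouse dialect, empty-string
-- defaults for BlockedFileHash / BlockedFileName, threshold of 3 events.
SELECT
    Email,
    DeviceName,
    PolicyName,
    count()                                AS blocked_events,
    uniqExact(HTTPHost)                    AS distinct_hosts,
    uniqExact(BlockedFileHash)             AS distinct_file_hashes,
    groupUniqArray(10)(BlockedFileName)    AS sample_file_names,
    groupUniqArray(10)(BlockedFileReason)  AS block_reasons,
    groupUniqArray(10)(HTTPHost)           AS sample_hosts,
    sum(BlockedFileSize)                   AS total_blocked_bytes,
    min(eventTime)                         AS first_seen,
    max(eventTime)                         AS last_seen
FROM cf_gateway_http_logs
WHERE eventTime >= now() - INTERVAL 1 DAY
  -- Keep only requests where Gateway recorded a blocked file.
  AND (BlockedFileHash != '' OR BlockedFileName != '')
GROUP BY
    Email,
    DeviceName,
    PolicyName
-- Surface repeat activity rather than one-off blocks; tune per environment.
HAVING blocked_events >= 3
ORDER BY blocked_events DESC
LIMIT 100;
```

Pivot from a result row to the underlying requests by filtering on the same Email and DeviceName and selecting RequestID, URL, UserAgent and rawLog.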