Cloudflare HTTP Logs
Cloudflare HTTP logs provide detailed information about HTTP and HTTPS requests passing through Cloudflare’s reverse proxy and content delivery network (CDN). These logs capture data such as client IPs, request URLs, response status codes, caching status, request method (GET, POST, etc.), and performance metrics like latency. They are useful for monitoring web traffic, troubleshooting website performance, detecting security threats such as DDoS attacks, and optimizing content delivery.
Ingest Methods
Setup the ingestion of this source using one of the following guides.
- AWS S3 Bucket
- AWS S3 Bucket with Custom SQS
- Azure Blob Storage
- Google Cloud Storage
- Cloudflare R2 Bucket
If using an AWS S3 bucket use the following SNS topic ARN to send your bucket notifications.
arn:aws:sns:<REGION>:253602268883:runreveal_cloudflarehttpSetup
Setting up Cloudflare HTTP logs requires the use of Cloudflare Logpush.
Navigate to the Logpush setup page in your Cloudflare account and create a new logpush job that sends your HTTP logs to your storage bucket.
Once created Cloudflare will begin to push logs to your bucket and RunReveal will start to ingest them.
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: cf_http_logs (57 columns)
cf_http_logs (57 columns)| Column | Type |
|---|---|
workspaceID | String |
sourceID | String |
sourceType | LowCardinality(String) |
sourceTTL | UInt32 |
receivedAt | DateTime |
id | String |
eventTime | DateTime |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
dstCity | String |
dstConnectionType | String |
dstISP | String |
dstLatitude | Float64 |
dstLongitude | Float64 |
dstUserType | String |
| Column | Type |
|---|---|
actor | Map(String, String) |
tags | Map(String, String) |
resources | Array(String) |
serviceName | String |
readOnly | Bool |
rawLog | String |
clientIP | String |
clientRequestHost | String |
clientRequestMethod | String |
clientRequestURI | String |
edgeEndTimestamp | DateTime |
edgeResponseBytes | UInt64 |
edgeResponseStatus | UInt64 |
edgeResponseTimestamp | DateTime |
rayID | String |
securityAction | String |
securityRuleID | String |
securityRuleDescription | String |
parentRayID | String |
clientASN | String |
clientCountry | String |
clientDeviceType | String |
clientRegionCode | String |
cacheCacheStatus | String |
clientRequestUserAgent | String |
originResponseDurationMs | String |
originResponseStatus | String |
cookies | Map(String, String) |