Cloudflare WAF and Logs Integration
Overview
Cloudflare provides WAF, DDoS protection, and CDN services with comprehensive logging. KYRA MDR collects Cloudflare logs via Logpush for web security monitoring and threat analysis. Supports Cloudflare Enterprise plan.
Prerequisites
- A KYRA MDR Collector installed and running
- Cloudflare Enterprise plan (Logpush requires Enterprise)
- Cloudflare API token with Logs:Edit permission
- Storage destination (S3, GCS, or HTTP endpoint)
Configuration
Configure Cloudflare Logpush:
```bash
curl -X POST https://api.cloudflare.com/client/v4/zones/<zone-id>/logpush/jobs \
  -H "Authorization: Bearer <api-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "destination_conf": "https://<collector-url>/webhook/cloudflare",
    "dataset": "http_requests",
    "enabled": true,
    "logpull_options": "fields=ClientIP,EdgeResponseStatus,FirewallMatchesActions&timestamps=rfc3339"
  }'
```

Repeat for the firewall_events dataset.
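The following added example, which is not KYRA MDR or Cloudflare code, shows how a receiver could decode one Logpush batch carrying the three fields requested in the job above, reject records with missing fields, and count WAF-mitigated requests per client IP. It assumes batches arrive as gzip-compressed newline-delimited JSON; the function names, the action set and the threshold are illustrative assumptions, and the sample batch is constructed.

```python
import gzip
import json
from collections import Counter

# Fields requested in the Logpush job's logpull_options on this page.
REQUIRED_FIELDS = ("ClientIP", "EdgeResponseStatus", "FirewallMatchesActions")
# Assumption: action values treated as "the WAF intervened"; tune to your rules.
MITIGATING_ACTIONS = {"block", "challenge", "managed_challenge", "jschallenge"}


def parse_batch(body: bytes):
    """Decode one Logpush batch; return (records, rejected_line_count)."""
    if body[:2] == b"\x1f\x8b":  # gzip magic bytes
        body = gzip.decompress(body)
    records, rejected = [], 0
    for line in filter(bytes.strip, body.splitlines()):
        try:
            rec = json.loads(line)
        except ValueError:  # truncated or non-JSON line
            rejected += 1
            continue
        if not isinstance(rec, dict) or any(f not in rec for f in REQUIRED_FIELDS):
            rejected += 1  # field absent: check logpull_options on the job
            continue
        records.append(rec)
    return records, rejected


def mitigated_by_ip(records, threshold=2):
    """Return {ClientIP: count} for IPs with >= threshold mitigated requests."""
    hits = Counter()
    for rec in records:
        actions = rec.get("FirewallMatchesActions") or []
        if MITIGATING_ACTIONS.intersection(actions):
            hits[rec["ClientIP"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed sample batch (documentation IP ranges), not real traffic.
SAMPLE_BATCH = gzip.compress(b"\n".join([
    b'{"ClientIP":"203.0.113.7","EdgeResponseStatus":403,"FirewallMatchesActions":["block"]}',
    b'{"ClientIP":"203.0.113.7","EdgeResponseStatus":403,"FirewallMatchesActions":["log","block"]}',
    b'{"ClientIP":"198.51.100.9","EdgeResponseStatus":200,"FirewallMatchesActions":[]}',
    b'{"ClientIP":"198.51.100.9","EdgeResponseStatus":200}',
    b'{"ClientIP":"192.0.2.5","EdgeResp',
]))

if __name__ == "__main__":
    recs, bad = parse_batch(SAMPLE_BATCH)
    print(mitigated_by_ip(recs), "rejected lines:", bad)
```

A rising rejected count is a useful health signal for the pipeline: it points at a field missing from the job definition or at truncated deliveries.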
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| HTTP Requests | Web request metadata | Traffic analysis, anomaly detection |
| Firewall Events | WAF rule match events | Web attack detection |
| Bot Management | Bot score and classification | Automated threat detection |
| DDoS Events | DDoS attack mitigation events | Volumetric attack detection |
| Access Logs | Zero Trust access events | Access control monitoring |
| DNS Logs | DNS query logs | DNS security analysis |
Troubleshooting
Logpush not available: Cloudflare Logpush requires an Enterprise plan.
Missing fields: Specify the required fields in the logpull_options parameter.
Delivery failures: Cloudflare Logpush retries failed deliveries automatically.
Contact kyra@seekerslab.com for support.