Cloudflare Logs Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Cloudflare Logs sample messages
Sample 1: The following sample event message shows that an HTTP GET request is sent to the hostname host.domain.test, and the server response is status code 200.
{"ClientIP":"10.0.0.1","ClientRequestHost":"host.domain.test","ClientRequestMethod":"GET","ClientRequestURI":"/cdn-cgi/images/cf-iconcloud.png","EdgeEndTimestamp":"2020-10-13T19:49:36Z","EdgeResponseBytes":1895,"EdgeResponseStatus":200,"EdgeStartTimestamp":"2020-10-13T19:49:36Z","RayID":"5e1b95b9ea390cc5","WAFAction":"unknown","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":"","CacheCacheStatus":"unknown","CacheResponseBytes":0,"CacheResponseStatus":0,"CacheTieredFill":false,"ClientASN":855,"ClientCountry":"xx","ClientDeviceType":"desktop","ClientIPClass":"noRecord","ClientRequestBytes":1049,"ClientRequestPath":"/cdn-cgi/images/cf-iconcloud.png","ClientRequestProtocol":"HTTP/1.1","ClientRequestReferer":"http://host.domain.test/cdn-cgi/styles/main.css","ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36","ClientSSLCipher":"NONE","ClientSSLProtocol":"none","ClientSrcPort":53851,"ClientXRequestedWith":"","EdgeColoCode":"EWR","EdgeColoID":11,"EdgePathingOp":"unknown","EdgePathingSrc":"undef","EdgePathingStatus":"cloudflareInternalEndpoint","EdgeRateLimitAction":"","EdgeRateLimitID":0,"EdgeRequestHost":"","EdgeResponseCompressionRatio":1,"EdgeResponseContentType":"image/png","EdgeServerIP":"","FirewallMatchesActions":[],"FirewallMatchesRuleIDs":[],"FirewallMatchesSources":[],"OriginIP":"","OriginResponseBytes":0,"OriginResponseHTTPExpires":"","OriginResponseHTTPLastModified":"","OriginResponseStatus":0,"OriginResponseTime":0,"OriginSSLProtocol":"unknown","ParentRayID":"00","SecurityLevel":"unk","WorkerCPUTime":0,"WorkerStatus":"unknown","WorkerSubrequest":false,"WorkerSubrequestCount":0,"ZoneID":304427638}
JSA field name | Highlighted values in the event payload |
---|---|
Event ID | ClientRequestMethod + EdgeResponseStatus. For HTTP Request events as shown in the sample, the Event ID is constructed by using the ClientRequestMethod field and the EdgeResponseStatus field. They are concatenated together with an underscore between the fields. |
Source IP | ClientIP |
Source Port | ClientSrcPort |
Device Time | EdgeStartTimestamp |
Sample 2: The following sample event message shows that an HTTP request matches a firewall rule and the connection request is dropped by the firewall.
{"Datetime":"2020-11-12T02:52:18Z","RayName":"5f0cf4c5fc8ce76c","Source":"firewallrules","RuleId":"6e40b9ea4da54b22a112626996d3111f","Action":"drop","EdgeColoName":"EWR","ClientIP":"10.0.0.1","ClientCountryName":"xx","ClientASNDescription":"ASN-DESCRIPTION","UserAgent":"curl/7.29.0","ClientRequestHTTPMethodName":"GET","ClientRequestHTTPHost":"host.domain.test"}
JSA field name | Highlighted values in the event payload |
---|---|
Event ID | Action |
Source IP | ClientIP |
Device Time | Datetime |
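The two mappings above can be checked outside JSA with a small normalizer. This is an added example, not JSA's DSM code and not part of the original page: it strips the carriage returns and line feeds, parses the JSON, and derives the fields listed in the two tables. The function names and output keys are assumptions, and the sample strings are constructed from trimmed copies of the page's payloads.

```python
import json

# Constructed samples: trimmed copies of the page's two payloads, wrapped
# mid-token with CR/LF the way a pasted message can be.
HTTP_SAMPLE = (
    '{"ClientIP":"10.0.0.1","ClientRequestHost":"host.domain.test","Clien\r\n'
    'tRequestMethod":"GET","EdgeResponseStatu\n'
    's":200,"EdgeStartTimestamp":"2020-10-13T19:49:36Z","ClientSrcPort":53851}'
)
FIREWALL_SAMPLE = (
    '{"Datetime":"2020-11-12T02:52:18Z","Source":"firewallrules",\r\n'
    '"Action":"drop","ClientIP":"10.0.0.1"}'
)


def unwrap(raw: str) -> str:
    """Remove the carriage returns and line feeds left by copy and paste."""
    return raw.replace("\r", "").replace("\n", "")


def normalize(raw: str) -> dict:
    """Map one Cloudflare event to the fields in the tables above (hypothetical keys)."""
    event = json.loads(unwrap(raw))
    # HTTP request events: Event ID is method + "_" + edge response status.
    if "ClientRequestMethod" in event and "EdgeResponseStatus" in event:
        return {
            "event_id": f'{event["ClientRequestMethod"]}_{event["EdgeResponseStatus"]}',
            "source_ip": event.get("ClientIP"),
            "source_port": event.get("ClientSrcPort"),
            "device_time": event.get("EdgeStartTimestamp"),
        }
    # Firewall events: Event ID is the Action; the table lists no source port.
    if "Action" in event:
        return {
            "event_id": event["Action"],
            "source_ip": event.get("ClientIP"),
            "source_port": None,
            "device_time": event.get("Datetime"),
        }
    raise ValueError("unrecognised Cloudflare event shape")


if __name__ == "__main__":
    for sample in (HTTP_SAMPLE, FIREWALL_SAMPLE):
        print(normalize(sample))
```

Parsing either sample without `unwrap` fails, because a raw line break inside a JSON string is an invalid control character.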