Audit Logs

Cloudflare Access provides two types of audit logs that teams can use to monitor and investigate authentication through the gateway and usage of protected applications.

Authentication Audit Logs

Access logs every authentication event. An authentication event is defined as an attempt by a user or service to log in to an application behind Access, whether allowed or denied. Authentication events do not capture the actions the user took after authenticating, while their token was valid.

All authentication event logs are available in the Access UI in the Cloudflare dashboard and can be exported via the API. Logs are retained for six months.

Policy changes

Captures any changes made to Access policies across the account.

Current monthly users

Lists all unique users who have completed at least one allowed login during the current calendar month.

All access requests

Lists every unique authentication event, regardless of whether the user was allowed or denied. Details include the identity provider or login method used and the IP address of the user attempting a login.

API Export

Audit logs are grouped across all applications for an account. They are available at the endpoint below:

https://api.cloudflare.com/client/v4/zones/<zone_id>/access/logs/access-requests?direction=desc&limit=15&page=1

Fields available include the following:

Field         Example or Description
user_email    [email protected]
ip_address    1.1.1.1
app_uid       The unique identifier for the protected application
app_domain    The URL of the protected application
action        The event that occurred, such as a login
allowed       The result of the authentication event
created_at    The event timestamp
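The following is an added example, not code from Cloudflare: a triage pass over exported access-request records that flags source IPs with a burst of denied authentication events and lists any allowed logins from those IPs. The sample records are constructed; the "result" response envelope, the timestamp format, and the threshold and window values are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: (user_email, ip_address, allowed, created_at).
ROWS = [
    ("alice@example.com", "203.0.113.7", False, "2024-01-01T10:00:00Z"),
    ("bob@example.com", "203.0.113.7", False, "2024-01-01T10:02:00Z"),
    ("carol@example.com", "203.0.113.7", False, "2024-01-01T10:04:00Z"),
    ("carol@example.com", "203.0.113.7", True, "2024-01-01T10:05:00Z"),
    ("erin@example.com", "198.51.100.9", False, "2024-01-01T08:00:00Z"),
    ("erin@example.com", "198.51.100.9", False, "2024-01-01T09:00:00Z"),
    ("erin@example.com", "198.51.100.9", False, "2024-01-01T10:00:00Z"),
]
FIELDS = ("user_email", "ip_address", "allowed", "created_at")
# Assumption: records arrive in a "result" array with ISO 8601 UTC timestamps.
SAMPLE_RESPONSE = json.dumps({"success": True, "result": [
    dict(zip(FIELDS, r), app_domain="wiki.example.com", action="login") for r in ROWS]})

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def denied_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Map each IP with >= threshold denials inside one window to the users it tried."""
    by_ip = defaultdict(list)
    for ev in events:
        if not ev["allowed"]:
            by_ip[ev["ip_address"]].append((parse_ts(ev["created_at"]), ev["user_email"]))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until the span fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.setdefault(ip, set()).update(u for _, u in hits[start:end + 1])
    return {ip: sorted(users) for ip, users in flagged.items()}

def allowed_from_flagged(events, flagged):
    """Allowed logins from a flagged IP: review these first."""
    return [(e["ip_address"], e["user_email"]) for e in events
            if e["allowed"] and e["ip_address"] in flagged]

def analyze(raw):
    events = json.loads(raw)["result"]
    flagged = denied_bursts(events)
    return flagged, allowed_from_flagged(events, flagged)
```

Calling `analyze()` on the body returned by the access-requests endpoint gives the flagged IPs and the allowed logins to review; the three denials spread over two hours in the sample are deliberately not flagged.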

Per-Request Audit Logs (Beta)

Per-request audit logs are part of the Cloudflare Logpush beta. Some column names or configuration details may be subject to change.

When a user authenticates successfully through the Access gateway, they can make requests to URL paths of the protected application for the duration of their session. When enterprise logging is enabled, Access captures every request made to a protected URL path during an active session and the identity of the user who made the request. Access integrates with Cloudflare’s Logpush API to share these per-request logs so that administrators can export them to a third-party SIEM.

Access cannot capture the details of certain user actions. For example, per-request audit logs can indicate that a specific user visited domain.com/admin and then domain.com/admin/panel, but cannot log if the user took an action such as clicking a button unless that action resulted in a new HTTP request.

Cloudflare Logging

Enterprise customers can enable Cloudflare logging to capture and export detailed logs of HTTP requests made to their domain. When used with Access, Cloudflare also logs the identity of the user who made the request.

Per-Request Logging

In addition to the HTTP request fields available in Cloudflare enterprise logging, requests made to applications behind Access include a field, cf-access-user, a string containing the identity of the user who made the request.

Cloudflare Logpush

Cloudflare Logpush will push the enterprise HTTP request logs, including the Access user identity, to a cloud storage provider every five minutes.

To push the per-request Access logs, follow the Logpush API instructions and include RequestHeaders in addition to other available fields captured in the Logpush configuration.