Cloudflare Access provides two types of audit logs that teams can use to monitor and investigate authentication and usage through the gateway.
Access logs every authentication event. An authentication event is defined as a user or service’s attempt to log in to an application behind Access, whether allowed or denied. Authentication events do not capture what actions the user took after authenticating, while their token was still valid.
All authentication event logs are available in the Access UI in the Cloudflare dashboard and can be exported via the API. Logs are retained for six months.
Captures any changes made to Access policies across the account.
Lists all unique users who have completed at least one allowed login during the current calendar month.
Lists every unique authentication event, regardless of whether the user was allowed or denied. Details include the identity provider or login method used and the IP address of the user attempting a login.
Audit logs are grouped across all applications for an account. They are available at the endpoint below:
Fields available include the following:
|Field|Example or Description|
|---|---|
|app_uid|The unique identifier for the protected application|
|app_domain|The URL of the protected application|
|action|The event that occurred, such as a login|
|allowed|The result of the authentication event|
|created_at|The event timestamp|
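The following is an added example, not Cloudflare's code: it runs a sliding-window detection over exported authentication events and flags a source that accumulates denied logins against one application. The `ip_address` key name, the boolean type of `allowed`, the timestamp format and every sample record are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_event(created_at, ip, allowed):
    # Constructed record. Keys follow the field table; "ip_address" and the
    # boolean type of "allowed" are assumptions.
    return {"app_uid": "app-uid-1", "app_domain": "wiki.example.com",
            "action": "login", "allowed": allowed,
            "created_at": created_at, "ip_address": ip}


SAMPLE_EVENTS = [  # constructed, deliberately out of order
    make_event("2024-01-01T10:03:00Z", "203.0.113.7", False),
    make_event("2024-01-01T10:00:00Z", "203.0.113.7", False),
    make_event("2024-01-01T10:01:00Z", "203.0.113.7", False),
    make_event("2024-01-01T10:01:30Z", "198.51.100.20", True),
    make_event("2024-01-01T10:20:00Z", "198.51.100.20", False),
    make_event("2024-01-01T10:40:00Z", "198.51.100.20", False),
]


def event_time(event):
    # Assumes created_at is ISO 8601 in UTC with a trailing "Z".
    return datetime.strptime(event["created_at"], "%Y-%m-%dT%H:%M:%SZ")


def denied_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Alert once each time one source reaches `threshold` denied logins
    to the same application inside a sliding `window`."""
    recent = defaultdict(deque)  # (app_uid, ip) -> timestamps of recent denials
    alerts = []
    for event in sorted(events, key=event_time):
        if event.get("action") != "login" or event.get("allowed") is not False:
            continue
        key = (event["app_uid"], event.get("ip_address", "unknown"))
        now, seen = event_time(event), recent[key]
        seen.append(now)
        while now - seen[0] > window:  # drop denials that fell out of the window
            seen.popleft()
        if len(seen) == threshold:
            alerts.append({"app_domain": event["app_domain"], "ip_address": key[1],
                           "denied": len(seen), "first": seen[0].isoformat(),
                           "last": now.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in denied_login_bursts(SAMPLE_EVENTS):
        print(alert)
```

Because these logs record only the login attempt itself, an alert here says nothing about what an allowed user did afterwards.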
Per-request audit logs are part of the Cloudflare Logpush beta. Some column names or configuration details may be subject to change.
When a user authenticates successfully through the Access gateway, they can make requests to URL paths of the protected application for the duration of their session. When enterprise logging is enabled, Access captures every request made to a protected URL path during an active session and the identity of the user who made the request. Access integrates with Cloudflare’s Logpush API to share these per-request logs so that administrators can export them to a third-party SIEM.
Access cannot capture the details of certain user actions. For example, per-request audit logs can indicate that a specific user visited domain.com/admin and then domain.com/admin/panel, but cannot log if the user took an action such as clicking a button unless that action resulted in a new HTTP request.
Enterprise customers can enable Cloudflare logging to capture and export detailed logs of HTTP requests made to their domain. When used with Access, Cloudflare also logs the identity of the user who made the request.
In addition to the HTTP request fields available in Cloudflare enterprise logging, requests made to applications behind Access include a field, cf-access-user, a string that contains the identity of the user who made the request.
Cloudflare Logpush will push the enterprise HTTP request logs, including the Access user identity, to a cloud storage provider every five minutes.