Logpush integration
With Cloudflare's Logpush service, you can configure the automatic export of Zero Trust logs to third-party storage destinations or to third-party security information and event management (SIEM) solutions. Once exported, your team can analyze and audit the data as needed.
To configure Logpush for Zero Trust logs:
- In Cloudflare One ↗, go to Insights > Logs.
- Select Manage Logpush.
- In Logpush, select Create a Logpush job.
- Choose a Logpush destination.
- Follow the service-specific instructions to configure and validate your destination.
- Choose the Zero Trust datasets to export.
- Enter a Job name, any filters you would like to add, and the data fields you want to include in the logs.
- (Optional) In Advanced settings, choose the timestamp format you prefer and whether you want to enable log sampling.
- Select Submit.
The setup of your Logpush integration is now complete. Logpush will send updated logs every five minutes to your selected destination. You can configure multiple destinations and add additional fields to your logs by returning to the Logpush page.
For more information on supported destinations, refer to Enable destinations.
Refer to Logpush datasets for a list of all available fields.
| Dataset | Description |
|---|---|
| Access Requests | HTTP requests to sites protected by Cloudflare Access |
| Audit Logs | Authentication events through Cloudflare Access |
| Browser Isolation User Actions | Data transfer actions performed by a user in the remote browser |
| CASB Findings | Security issues detected by Cloudflare CASB |
| Device Posture Results | Device posture status from the WARP client |
| DEX Application Tests | Device application synthetic test results from the WARP client |
| DEX Device State Events | Device event data like connectivity, CPU usage, and Disk I/O from the WARP client |
| Gateway DNS | DNS queries inspected by Cloudflare Gateway |
| Gateway HTTP | HTTP requests inspected by Cloudflare Gateway |
| Gateway Network | Network packets inspected by Cloudflare Gateway |
| SSH Logs | SSH command logs for Access for Infrastructure targets |
| WARP Config Changes | Event logs that are generated whenever a WARP device changes profiles |
| WARP Toggle Events | Event logs that are generated whenever a WARP device toggles WARP on or off |
| Zero Trust Network Session Logs | Network session logs for traffic proxied by Cloudflare Gateway |
If you are using Regional Services with Cloudflare One, you can configure which subset of Cloudflare data centers decrypt and route your traffic. This allows you to accommodate regional restrictions like GDPR or meet compliance requirements that include geographic restrictions on data flows or processing.
To verify that your regional map is being applied correctly, check the IngressColoName field in your Zero Trust Network Session logs. This field shows the name of the Cloudflare data center where traffic ingressed. Since regionalization is applied upstream from Gateway, the ingress data center will be located within your configured regional map, confirming that traffic is being processed in the correct region.
Logpush logs the following fields for each DNS query:
- Query name
- Query type
- Query class
- Response TTL
- Response data
DNS query resource records are available in Base64-encoded binary format ↗ and JSON. For example:
{ "ResourceRecords": [ { "type": "5", "data": "d3d3LmV4YW1wbGUuY29tAAABAAUAAABleGFtcGxlLmNvbQ==" }, { "type": "1", "data": "ZXhhbXBsZS5jb20AAAEAAQAAAQIDBAUGBwgJ" } ], "ResourceRecordsJSON": "[{\"name\":\"www.example.com\",\"type\":\"CNAME\",\"class\":\"IN\",\"ttl\":300,\"rdata\":\"example.com.\"},{\"name\":\"example.com\",\"type\":\"A\",\"class\":\"IN\",\"ttl\":300,\"rdata\":\"203.0.113.0\"}]"}Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
