date 2024-12-02
Tunnel diagnostic logs
Cloudflare Tunnel generates a set of diagnostic logs that can be used to troubleshoot issues with cloudflared. A diagnostic report collects data from a single instance of cloudflared running on the local machine.
The steps for getting diagnostic logs depend on your cloudflared deployment environment.
cloudflared version 2024.12.2 or later installed on the host
These instructions apply to remotely-managed and locally-managed tunnels running directly on the host machine.
- (Linux only) To include network diagnostics in the logs, allow the cloudflared user to create RAW and PACKET sockets without root permissions:
  If you do not set cap_net_raw, then traceroute data will be unavailable.
- Get diagnostic logs:
  If multiple instances of cloudflared are running on the same host, specify the metrics server IP and port for the instance you want to diagnose. For example:
  This command will output the status of each diagnostic task and place a cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip file in your working directory.
cloudflared reads diagnostic data from the tunnel metrics server. To get diagnostic logs, the metrics server must be exposed from the Docker container and reachable from the host machine.
- Determine the metrics server port for the cloudflared instance running in Docker.
- Ensure the container is deployed with port forwarding enabled. The diagnostic feature will request information from the Docker instance using local port 20241, therefore you should forward port 20241 to the container port obtained in Step 1:
- Verify that you can reach the metrics server address from the Docker host environment:
  This command should return a JSON:
- Run the diagnostic using the Docker container ID:
  Alternatively, you can specify the container's name instead of its ID:
  Running the diagnostic command with the container ID allows cloudflared to collect information from the Docker environment such as logs and container details.
  This command will output the status of each diagnostic task and place a cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip file in your working directory.
The diagnostic feature will request data from the tunnel metrics server using ports 20241 to 20245. You will need to use port forwarding to allow the local cloudflared instance to connect to the metrics server on one of these ports.
- Determine the tunnel's metrics server port.
- Enable port forwarding:
  - <pod>: Name of the pod where the tunnel is running
  - <diagnostic_port> is any local port in the range 20241 to 20245.
  - <metrics_port> is the Kubernetes pod port for the cloudflared instance you want to diagnose (obtained in Step 1).
  For example, if you set the metrics server address to 0.0.0.0:12345:
  Connections made to local port 20244 are forwarded to port 12345 of the pod that is running the tunnel.
- Run the diagnostic:
  If the pod has multiple applications/services running and cloudflared is not the first in the pod, you must specify either the container ID or name:
  This command will output the status of each diagnostic task and place a cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip file in your working directory.
The cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip archive contains the files listed below. The data in a file either applies to the cloudflared instance being diagnosed (diagnosee) or the instance that triggered the diagnosis (diagnoser). For example, if your tunnel is running in a Docker container, the diagnosee is the Docker instance and the diagnoser is the host instance.
| File name | Description | Instance |
| --- | --- | --- |
| cli-configuration.json | Tunnel run parameters used when starting the tunnel | diagnosee |
| cloudflared_logs.txt | Tunnel log file [1] | diagnosee |
| configuration.json | Tunnel configuration parameters | diagnosee |
| goroutine.pprof | goroutine profile made available by pprof | diagnosee |
| heap.pprof | heap profile made available by pprof | diagnosee |
| metrics.txt | Snapshot of Tunnel metrics at the time of diagnosis | diagnosee |
| network.txt | JSON traceroutes to Cloudflare's global network using IPv4 and IPv6 | diagnoser |
| raw-network.txt | Raw traceroutes to Cloudflare's global network using IPv4 and IPv6 | diagnoser |
| systeminformation.json | Operating system information and resource usage | diagnosee |
| task-result.json | Result of each diagnostic task | diagnoser |
| tunnelstate.json | Tunnel connections at the time of diagnosis | diagnosee |
[1] If the log file is blank, you may need to set --loglevel to debug when you start the tunnel. The --loglevel parameter is only required if you ran the tunnel from the CLI using a cloudflared tunnel run command. It is not necessary if the tunnel runs as a Linux/macOS service or runs in Docker/Kubernetes.
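
An added example, not part of Cloudflare's documentation or tooling: a Python check that compares a diagnostic archive against the file table above and reports missing or empty files together with the causes this page names. It assumes the files sit at the root of the zip; the function names and the sample archive (built in memory) are constructed for illustration.

```python
import io
import zipfile

# File names grouped by owning instance, as listed in the table above.
DIAGNOSER = ["network.txt", "raw-network.txt", "task-result.json"]
DIAGNOSEE = ["cli-configuration.json", "cloudflared_logs.txt", "configuration.json",
             "goroutine.pprof", "heap.pprof", "metrics.txt",
             "systeminformation.json", "tunnelstate.json"]
EXPECTED = {**{n: "diagnoser" for n in DIAGNOSER},
            **{n: "diagnosee" for n in DIAGNOSEE}}

# Causes this page gives for specific gaps in the archive.
NO_TRACE = "traceroute data is unavailable when cap_net_raw is not set (Linux)"
HINTS = {
    "network.txt": NO_TRACE,
    "raw-network.txt": NO_TRACE,
    "cloudflared_logs.txt": "blank log: a CLI-run tunnel may need --loglevel debug",
}

def audit_diag_archive(archive):
    """Return (findings, unexpected_names) for a cloudflared-diag zip."""
    with zipfile.ZipFile(archive) as zf:
        # Assumption: files sit at the archive root, so basenames are compared.
        sizes = {i.filename.rsplit("/", 1)[-1]: i.file_size
                 for i in zf.infolist() if not i.is_dir()}
    findings = []  # (file, instance, state, hint) for each missing or empty file
    for name, instance in EXPECTED.items():
        if name not in sizes:
            findings.append((name, instance, "missing", HINTS.get(name, "")))
        elif sizes[name] == 0:
            findings.append((name, instance, "empty", HINTS.get(name, "")))
    return findings, sorted(set(sizes) - set(EXPECTED))

def build_sample():
    """Constructed sample: no traceroute files, a blank log, one stray file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in EXPECTED:
            if name not in ("network.txt", "raw-network.txt"):
                zf.writestr(name, b"" if name == "cloudflared_logs.txt" else b"{}")
        zf.writestr("notes.txt", b"constructed extra file")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for row in audit_diag_archive(build_sample())[0]:
        print(" | ".join(row))
```

`audit_diag_archive` also accepts a path to a real cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip file; the second return value lists any file names that are not in the table.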