Skip to content

Cloudflare Docs

Products Learning Status Support Log in

GitHub X YouTube

Select theme

Cloudflare Zero Trust

Overview
Get started
Implementation guides
Identity
- Overview
- One-time PIN login
- Device posture
  - Overview
  - WARP client checks
    
    Overview
    Application check
    Carbon Black
    Client certificate
    Device serial numbers
    Device UUID
    Disk encryption
    Domain joined
    File check
    Firewall
    OS version
    Require Gateway
    Require WARP
    SentinelOne
  - Service providers
    
    Overview
    CrowdStrike
    Kolide
    Microsoft Endpoint Manager
    SentinelOne
    Tanium
    Uptycs
    Workspace ONE
  - Access integrations
    
    Overview
    Mutual TLS
    Tanium
- User management
- Service tokens
- Authorization cookie
- SSO integration
Connections
- Overview
- Cloudflare Tunnel
  - Overview
  - Get started
    
    Overview
    Create a remotely-managed tunnel (dashboard)
    Create a locally-managed tunnel (CLI)
    Useful terms
  - Downloads
    
    Overview
    Update cloudflared
    License
    Copyrights
  - Configure a tunnel
    
    Overview
    Remotely-managed tunnel
    
    Locally-managed tunnel
    
    Overview
    Configuration file
    
    Run as a service
    
    Overview
    Linux
    macOS
    Windows
    
    Useful commands
    Tunnel permissions
    
    Origin configuration
    Tunnel run parameters
  - Deploy a tunnel
    
    Overview
    Tunnel with firewall
    Tunnel availability and failover
    System requirements
    
    Environments
    
    Overview
    Ansible
    AWS
    Azure
    GCP
    Kubernetes
    Terraform
  - Use cases
    
    Overview
    
    SSH
    
    Overview
    SSH with Access for Infrastructure New
    Self-managed SSH keys
    Browser-rendered SSH terminal
    SSH with client-side cloudflared
    
    RDP
    SMB
    gRPC
  - Private networks
    
    Overview
    
    Connect private networks
    
    Overview
    Private DNS
    Virtual networks
    Load balancing
    
    Peer-to-peer connectivity
    
    WARP Connector
    
    Overview Beta
    Site-to-Internet
    Site-to-site
    User-to-site
    VPC deployments
  - Public hostnames
    
    Overview
    DNS records
    Load balancing
  - Monitor tunnels
    
    Overview
    Logs
    Notifications
    Metrics
  - Troubleshoot tunnels
    
    Overview
    Private network connectivity
    Common errors
  - Do more with Tunnel
    
    Overview
    Migrate legacy tunnels
    Quick Tunnels
- Connect devices
  - Overview
  - WARP
    
    Overview
    First-time setup
    
    Download WARP
    
    Overview
    Update WARP
    Migrate 1.1.1.1 app
    
    Deploy WARP
    
    Overview
    
    Managed deployment
    
    Overview
    
    Partners
    
    Overview
    Fleet
    Hexnode
    Intune
    Jamf
    JumpCloud
    Kandji
    
    Parameters
    Connect WARP before Windows login
    Switch between Zero Trust organizations
    
    Manual deployment
    Device enrollment permissions
    WARP with firewall
    WARP with legacy VPN
    
    Configure WARP
    
    Overview
    Device profiles
    
    WARP modes
    
    Overview
    Enable Device Information Only
    
    WARP settings
    
    Overview
    Captive portal detection
    
    Managed networks
    
    Route traffic
    
    Overview
    Local Domain Fallback
    Split Tunnels
    WARP architecture
    
    WARP sessions
    
    Troubleshoot WARP
    
    Overview
    Common issues
    Client errors
    Diagnostic logs
    Known limitations
    
    Remove WARP
  - User-side certificates
    
    Overview
    Install certificate using WARP
    Install certificate manually
    Deploy custom certificate
  - Agentless options
    
    Overview
    
    DNS
    
    Locations
    
    Add locations
    DNS resolver IPs and hostnames
    
    DNS over TLS (DoT)
    DNS over HTTPS (DoH)
    
    HTTP
Applications
- Overview
- Add web applications
- Non-HTTP applications
  - Overview
  - Add an infrastructure application New
  - Browser-rendered terminal
  - Client-side cloudflared
    
    Overview
    Enable automatic cloudflared authentication
    Arbitrary TCP
  - Short-lived certificates (legacy)
- Scan SaaS applications
  - Overview
  - Manage findings
  - Available integrations
    
    Overview
    Amazon Web Services (AWS) S3
    Atlassian Confluence
    Atlassian Jira
    Bitbucket Cloud
    Box
    Dropbox
    GitHub
    
    Google Workspace
    
    Overview
    Google Drive
    Gmail
    Google Admin
    Google Calendar
    
    Microsoft 365
    
    Overview
    Admin Center
    OneDrive
    SharePoint
    Outlook
    
    Salesforce
    ServiceNow
    Slack
  - Scan for sensitive data
  - Troubleshoot integrations
- Login page
- Block page
- Add bookmarks
- App Launcher
Policies
- Overview
- Secure Web Gateway
  - Overview
  - Get started
    
    DNS filtering
    Network filtering
    HTTP filtering
  - DNS policies
    
    Overview
    Common policies
    Test DNS filtering
    Timed DNS policies
  - Network policies
    
    Overview
    Common policies
    Protocol detection
    SSH proxy and command logs
  - HTTP policies
    
    Overview
    Common policies
    TLS decryption
    HTTP/3
    Tenant control
    AV scanning
    File sandboxing
    WebSocket traffic
  - Egress policies
    
    Overview
    Dedicated egress IPs
  - Resolver policies Beta
  - Global policies
  - Applications and app types
  - Domain categories
  - Identity-based policies
  - Block page
  - Order of enforcement
  - Lists
  - Proxy
- Access
- Browser Isolation
  - Overview
  - Set up Browser Isolation
    
    Get started
    Clientless Web Isolation
    Non-identity on-ramps
  - Isolation policies
  - Extensions
  - Accessibility
  - Browser Isolation with firewall
  - Known limitations
- Data Loss Prevention
  - Overview
  - Scan HTTP traffic
    
    Create DLP policies
    Common policies
    Logging options
  - Scan SaaS apps ↗
  - DLP profiles
    
    Configure DLP profiles
    Predefined profiles
    Integration profiles
    Profile settings
  - DLP datasets
Insights
- Analytics
  - Shadow IT Discovery
  - Gateway analytics
- Email monitoring
- Digital Experience Monitoring
- Logs
  - Overview
  - User logs
  - Access audit logs
  - Gateway activity logs
    
    Overview
    Manage PII
  - Tunnel audit logs
  - Posture logs
  - Logpush integration
- Risk score
Email Security
- Overview
- Setup
  - Overview
  - Post-delivery deployment
    
    API deployment
    
    Overview
    Set up with Microsoft 365
    
    BCC/Journaling
    
    BCC setup
    
    Microsoft Exchange BCC setup
    
    Journaling setup
    
    Office 365 journaling setup
    Manually add domains
    Manage domains
- Directories
  - Overview
  - Manage Microsoft directories
    
    Overview
    Manage groups in your directory
    Manage users in your directory
  - Manage Email Security directories
- Detection settings
- Auto-move events
- PhishGuard
- Outbound Data Loss Prevention (DLP) Beta
- Reference
API and Terraform
- Overview
- Access API examples
- Gateway API examples
- Scoped API tokens
- Terraform
Reference architecture ↗
Tutorials
Account limits
Roles and permissions
Glossary
Changelog
FAQ

Products Learning Status Support Log in

GitHub X YouTube

Select theme

On this page

Overview
Prerequisites
Enable Logpush jobs
Audit logs

On this page

Overview
Prerequisites
Enable Logpush jobs
Audit logs

Was this helpful?

What did you like?

Accurate

Easy to understand

Solved my problem

Helped me decide to use the product

Other

What went wrong?

Hard to understand

Incorrect information

Missing the information

Other

Thank you for helping improve Cloudflare's documentation!

Products
Cloudflare Zero Trust
Insights
Email monitoring
Email Security logs

Email Security logs

Email Security allows you to configure Logpush to send detection data to an endpoint of your choice.

Prerequisites

Before you can enable Logpush for Email Security, you will have to:

Create an R2 bucket.
Once you have created your R2 bucket, create an API token. Under Permissions, ensure you select Admin Read & Write.
Once you have created your R2 API Token, the dashboard will display an Access Key ID and a Secret Access Key. Save these two, as you will need them to set up Logpush later.

Enable Logpush jobs

To enable Logpush for Email Security:

Log in to the Cloudflare dashboard ↗.
Select Analytics & Logs > Logpush.
Select Create a Logpush job, then select S3-Compatible.
Enter the destination details:
- Bucket (required): Enter the bucket name.
- Endpoint URL: Enter your endpoint URL. To find your endpoint URL:
  - On the Cloudflare dashboard, go to R2 Object Storage > Overview > Select your bucket.
  - Go to Settings, and copy and paste the S3 API URL.
- Bucket region: Enter the region of your bucket. To find the bucket region:
  - On the dashboard, go to R2 Object Storage > Overview > Select your bucket.
  - Go to Settings, and find your region in Location.
- Access Key ID: Enter the Access Key ID you created as a prerequisite.
- Secret Access Key: Enter the Secret Access Key you created as a prerequisite.
Select Continue.

Your destination has now been configured.

To view the job you created:

Log in to the Cloudflare dashboard ↗.
Go to R2 Object Storage, select your bucket.
Select Objects.

Audit logs

Once you have configured your destination, you can audit logs:

Log in to the Cloudflare dashboard ↗.
Select Analytics & Logs > Logpush.
Select Audit logs.
Under Configure logpush job:

Job name: Enter the job name.
If logs match: Select Filtered logs:
- Field: Choose ResourceType.
- Operator: Choose starts with.
- Value: Enter email_security.

Select Submit.

Your job has now been created successfully.

Was this helpful?

What did you like?

Accurate

Easy to understand

Solved my problem

Helped me decide to use the product

Other

What went wrong?

Hard to understand

Incorrect information

Missing the information

Other

Thank you for helping improve Cloudflare's documentation!

Cloudflare Dashboard Discord Community Learning Center Support Portal

Cookie Settings