Access audit logs
Cloudflare Access generates two types of audit logs:
- Authentication audit logs maintain a record of authentication events.
- Per-request audit logs record requests to protected URI paths and infrastructure targets.
Cloudflare Access logs an authentication event whenever a user or service attempts to log in to an application, whether the attempt succeeds or not.
Identity-based authentication refers to login attempts that matched on user email, IdP group, SAML group, or OIDC claim.
Non-identity authentication refers to login attempts that matched a non-identity policy such as IP address, device posture, country, valid certificate, or service token.
To view logs for identity-based authentication events:
- In Zero Trust ↗, go to Logs > Access.
- Select a row to view details such as the login method, the IP address of the user, and more.
The Access authentication logs API endpoint provides a custom URL to export audit log events for your account.
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/logs/access_requests?limit=25&direction=desc&since=2020-07-01T05:20:00Z&until=2020-10-01T05:20:00Z" \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>"{ "success": true, "errors": [], "messages": [], "result": [ { "user_email": "michelle@example.com", "ip_address": "198.41.129.166", "app_uid": "df7e2w5f-02b7-4d9d-af26-8d1988fca630", "app_domain": "test.example.com/admin", "action": "login", "connection": "saml", "allowed": false, "created_at": "2014-01-01T05:20:00.12345Z", "ray_id": "187d944c61940c77" } ]}Identity-based authentication logs contain the following fields:
| Field | Description |
|---|---|
| App | Name of the Access application. |
| User email | Email address of the authenticating user. |
| User ID | UUID of the authenticating user. |
| IP address | IP address of the authenticating user. |
| App UID | UUID of the Access application. |
| App domain | URL of the Access application. |
| App type | The type specifies if the Access application is self-hosted, SaaS, or infrastructure. |
| Event | Type of authentication event, such as a login attempt. |
| Connection | IdP used to authenticate. |
| Allow | Result of the authentication event. |
| Request time | Timestamp of the authentication event. |
| Ray ID | A unique identifier for every request through Cloudflare. |
| Country | Country associated with the user's IP address. |
Cloudflare Access logs the following information when the user authenticates to an infrastructure application:
| Field | Description |
|---|---|
| Hostname | Hostname of the infrastructure target. |
| Target ID | UUID of the infrastructure target. |
| SSH user | The UNIX user, such as root, that the authenticating user specified when connecting to the infrastructure target. |
| SSH logs | SSH commands that the user ran on the target. Requires configuring an SSH encryption key before the session begins. |
To retrieve logs for non-identity authentication events, use the GraphQL Analytics API. These logs are not available in Zero Trust.
Users who have authenticated through Access have access to authorized URL paths for the duration of their session. Cloudflare provides several ways to audit these requests.
Enterprise customers have access to detailed logs of requests on their Cloudflare dashboard. Enterprise customers also have access to Cloudflare's Logpush service, which can be configured from the Cloudflare dashboard or API. For more information about Cloudflare HTTP and infrastructure logging, refer to Cloudflare Logs.
Once a member of your team authenticates to reach an HTTP resource behind Access, Cloudflare generates a token for that user that contains their SSO identity. The token is structured as a JSON Web Token (JWT). Cloudflare relies on an RSA Signature with SHA-256, or RS256, an asymmetric algorithm, to perform that signature. Cloudflare also makes the public key available, so that you can validate their authenticity, as well.
When a user requests a given URL, Access appends the user identity from that token as a request header, which we then log as the request passes through our network. Your team can collect these logs in your preferred third-party Security information and event management (SIEM) software or storage destination by using Cloudflare Logpush. When enabled with the Access user identity field, the logs will export to your systems as JSON similar to the logs below.
{ "ClientIP": "198.51.100.206", "ClientRequestHost": "jira.widgetcorp.tech", "ClientRequestMethod": "GET", "ClientRequestURI": "/secure/Dashboard/jspa", "ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36", "EdgeEndTimestamp": "2019-11-10T09:51:07Z", "EdgeResponseBytes": 4600, "EdgeResponseStatus": 200, "EdgeStartTimestamp": "2019-11-10T09:51:07Z", "RayID": "5y1250bcjd621y99", "RequestHeaders":{"cf-access-user":"srhea"}},{ "ClientIP": "198.51.100.206", "ClientRequestHost": "jira.widgetcorp.tech", "ClientRequestMethod": "GET", "ClientRequestURI": "/browse/EXP-12", "ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36", "EdgeEndTimestamp": "2019-11-10T09:51:27Z", "EdgeResponseBytes": 4570, "EdgeResponseStatus": 200, "EdgeStartTimestamp": "2019-11-10T09:51:27Z", "RayID": "yzrCqUhRd6DVz72a", "RequestHeaders":{"cf-access-user":"srhea"}}In addition to the HTTP request fields available in Cloudflare Enterprise logging, requests made to applications behind Access include the cf-access-user field, which contains the user identity string. This offers another tool for auditing user behavior. To add the cf-access-user field to your HTTP request logs, you must add it as a custom field. Refer to Custom fields for instructions.
Keep in mind that Access does not log all interactions. For example, per-request audit logs can indicate that a specific user visited domain.com/admin and then domain.com/admin/panel, but the logs can only identify user interactions that result in a new HTTP request.