Logging options

Data Loss Prevention allows you to capture, store, and view the data that triggered a specific DLP policy for use as forensic evidence. DLP offers three logging approaches, each suited to different needs:

Approach	What it captures	Encryption	Availability
Payload logging	Redacted match + 75 bytes of surrounding context	Encrypted with your public key	All plans
AI prompt logging	Generative AI prompt topic, user prompt, and model response	Encrypted with your public key	All plans
Logpush forensic copies	Complete HTTP request (headers + body)	Encrypted in transit only (TLS)	Enterprise

Users on all plans can log the payload or generative AI prompt content of matched HTTP requests in their Cloudflare logs. Additionally, Enterprise users can configure a Logpush job to send copies of entire matched HTTP requests to storage destinations.

The data that triggers a DLP policy is stored in the body of the HTTP request — the part that carries content such as file uploads, form submissions, and chat messages. This body is referred to as the payload. Payload logging is especially useful when diagnosing the behavior of DLP policies. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later. The stored data will include a redacted version of the match, plus 75 bytes of additional context on both sides of the match.

Set a DLP payload encryption public key

Before you begin logging DLP payloads, you will need to set a DLP payload encryption public key. DLP uses public-key encryption so that matched sensitive data is readable only by you — Cloudflare does not have access to your private key and cannot decrypt your logs.

Generate a key pair

You will generate two keys: a public key (uploaded to Cloudflare to encrypt log data) and a private key (kept by you to decrypt log data later).

To generate a public/private key pair in the command line, refer to Generate a key pair.

Upload the public key to Cloudflare

1. In the Cloudflare dashboard ↗, go to Zero Trust > Data loss prevention > DLP settings.
2. In the Set a DLP payload and prompt encryption public key field, select Edit.
3. Paste your public key.
4. Select Save.

Note

The matching private key is required to view logs. If you lose your private key, you will need to generate and upload a new public key. The payload of new requests will be encrypted with the new public key. Previously logged data encrypted with the old key will be permanently unreadable.

Configure payload log masking

You can control how sensitive data appears in your DLP payload logs by selecting a masking level. This determines how much of the matched content is visible after decryption.

1. In the Cloudflare dashboard ↗, go to Zero Trust > Data loss prevention > DLP settings.
2. Go to the Payload log masking card.
3. Choose one of the following masking levels:
   • Full Mask (default): Masks the match while preserving character count and visual formatting. For example, a Social Security Number appears as ***-**-****.
   • Partial Mask: Reveals 25% of the matched content while masking the remainder. For example, ***-**-6789.
   • Clear Text: Stores the full, unmasked match for detailed investigation. For example, 123-45-6789.

Note

The masking level is applied at detection time, before the payload is encrypted. Your team will see the selected format when they decrypt the log with your private key.

Warning

The selected masking level applies to all sensitive data matches found within a payload window — not just the match that triggered the policy.

Log the payload of matched rules

DLP can log the payload of matched HTTP requests in your Cloudflare logs. Use payload logging to verify what content triggered a DLP detection — for example, to confirm whether a match was a real finding or a false positive.

Turn on payload logging for a DLP policy

You can enable payload logging for any Allow or Block HTTP policy that uses the DLP Profile selector — the filter condition that matches traffic against your DLP detection profiles.

1. Go to Traffic policies > Firewall policies > HTTP.
2. Edit an existing Allow or Block DLP policy, or create a new policy.
3. In the policy builder, scroll down to Configure policy settings and turn on Log the payload of matched rules.
4. Select Save.

Data Loss Prevention will now store a portion of the payload for HTTP requests that match this policy.

View payload logs

To view DLP payload logs:

1. Go to Insights > Logs > HTTP request logs.
2. Go to the DLP log you are interested in reviewing and expand the row.
3. Select Decrypt payload log.
4. Enter your private key and select Decrypt.

You will see the ID of the matched DLP Profile followed by the decrypted payload.

Note

Cloudflare does not store the key or the decrypted payload.

Report false and true positives to AI context analysis

When you have AI context analysis turned on for a DLP profile, you can improve detection accuracy over time by reporting false and true positives. A false positive is a match that DLP flagged incorrectly (the content was not actually sensitive). A true positive confirms that DLP correctly identified sensitive data. These reports train the AI model to adjust its confidence threshold.

To report a DLP match payload as a false or true positive:

1. Find and decrypt the payload log you want to report.
2. In Log details, choose a detected context match.
3. In Context, select the redacted match data.
4. In Match details, choose whether you want to report the match as a false positive or a true positive.

Based on your report, DLP's machine learning will adjust its confidence in future matches for the associated profile.

Data privacy

• All Cloudflare logs are encrypted at rest (encrypted while stored on disk). Encrypting the payload content adds a second layer of encryption for the matched values that triggered a DLP rule.
• Cloudflare cannot decrypt encrypted payloads, since this operation requires your private key. Cloudflare staff will never ask for the private key.
• By default, DLP uses Full Mask to redact alphanumeric characters in the matched pattern, replacing them with * while preserving the format. For example, 123-45-6789 becomes ***-**-****. You can configure the masking level to show partial or full matches if your incident response workflow requires more context.
  • You can define sensitive data with Exact Data Match (EDM). EDM match logs will redact your defined strings.

Log generative AI prompt content

DLP can detect and log the prompt topic sent to an AI tool.

Turn on AI prompt content logging for a DLP policy

You can enable AI prompt content logging for any Allow or Block HTTP policy that uses the Application selector with a supported Application Granular Controls application. This means your policy must target a specific AI application (such as ChatGPT) that Gateway can inspect at a granular level.

1. Go to Traffic policies > Firewall policies > HTTP.
2. Edit an existing Allow or Block DLP policy, or create a new policy.
3. In the policy builder, scroll down to Configure policy settings and turn on Capture generative AI prompt content in logs.
4. Select Save.

Data Loss Prevention will now store the user prompt and AI model response for requests that match this policy.

View prompt logs

To view generative AI prompt log details:

1. Go to Insights > Logs > HTTP request logs.
2. Go to the DLP log you are interested in reviewing and expand the row.
3. Select Decrypt payload log.
4. Enter your private key and select Decrypt.
5. In Summary > GenAI prompt captured, select View prompt.

Gateway logs will provide a summary of the conversation, including the topic and AI model used, and the user prompt and AI model's raw response if available. A text prompt must be present for DLP to capture the prompt.

Send DLP forensic copies to Logpush destination

Availability

Only available on Enterprise plans.

Unlike payload logging (which stores encrypted excerpts of matched content), forensic copies send the complete, unaltered HTTP request — including all headers and the full body — to an external storage destination.

Gateway allows you to send copies of entire HTTP requests matched in HTTP Allow and Block policies to storage destinations configured in Logpush (Cloudflare's log delivery service), including third-party destinations. Forensic copies include unaltered payloads and headers which may include sensitive data. Logpush logs are encrypted in transit only, such as when sent as TLS traffic. Once the data reaches your storage destination, it is stored according to that destination's encryption policies — not encrypted by Cloudflare.

To set up the DLP Forensic Copy Logpush job:

1. In Cloudflare One ↗, go to Insights >Logs, and select Manage Logpush.
2. In Logpush, select Create a Logpush job.
3. Choose a Logpush destination.
4. In Configure logpush job, choose the DLP forensic copies dataset. Select Create Logpush job.
5. Return to Cloudflare One and go to Traffic policies > Firewall policies > HTTP.
6. Edit an existing Allow or Block policy, or create a new policy. Your policy does not need to include a DLP profile — any Gateway HTTP policy can send forensic copies.
7. In the policy builder, scroll down to Configure policy settings and turn on Send DLP forensic copies to storage.
8. Select a storage destination. Gateway will list any configured Logpush jobs or integrations that can receive HTTP requests.
9. Select Save policy.

DLP will now send a copy of HTTP requests that match this policy to your Logpush destination.

Logpush supports up to four DLP Forensic Copy Logpush jobs per account. By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs. To send specific policy matches to specific jobs, configure Log filters. If the request contains an archive file, DLP will only send up to 100 MB of uncompressed content to your configured storage.