If you haven’t used Cloudflare Logs before, visit our logs documentation for more details. Contact your Cloudflare Customer Account Team to enable logs for your account.
This tutorial describes how to use Cloudflare Logpush to send logs to AWS S3 and the AWS S3 source collector to get logs into Sumo Logic. To learn how to use Logpush to send logs to AWS S3, refer to the Logpush documentation. Alternatively, you can use Logpull to get logs to your Sumo Logic instance directly and skip Task 1.
Before sending your Cloudflare log data to Sumo Logic, make sure that you:
Cloudflare logs are HTTP/HTTPS request logs in JSON format and are gathered from our 194+ data centers globally. By default, timestamps are returned as Unix nanosecond integers. We recommend using the RFC 3339 format for sending logs to Sumo Logic.
You can use either Cloudflare Logpush or AWS S3 to send your Cloudflare Logs data to Sumo Logic.
To enable Cloudflare Logpush in Sumo Logic:
Configure a Hosted Collector.
Configure an HTTP Logs and Metrics Source.
Provide the HTTP Source Address (URL) required by the Cloudflare Logpush API or Cloudflare dashboard UI.
Enable Cloudflare Logpush to Sumo Logic via either:
To connect AWS S3 to Sumo Logic:
Begin collecting Cloudflare logs data.
If you have Cloudflare Workers enabled and want to filter them out from the logs, do the following:
Under Processing Rules for Logs create a Filter (processing rule regex on our Cloudflare collector) to exclude any log data where WorkerSubrequest is true, as illustrated below:
To install the Cloudflare App for Sumo Logic:
Click Add to Library and specify the Source category Cloudflare, which was completed in Step 1.
You should now be able to see the Cloudflare dashboards populated with your Cloudflare log data.
There are nine dashboards to help you analyze Cloudflare logs. You can also use filters within the dashboards to help narrow the analysis by date and time, device type, country, user agent, client IP, hostname, and more, to further help with debugging and tracing.
Get insights on the availability of your websites and Applications. Metrics include origin response error ratio, origin response status over time, percentage of 3xx/4xx/5xx errors over time, and more.
Get insights on threat identification and mitigation by our Web Application Firewall, including events like SQL injections, XSS, and more. Use this data to fine tune the firewall to target obvious threats and prevent false positives.
All dashboards have a set of filters that you can apply to the entire dashboard, as shown below.
Click the funnel icon in the top dashboard menu bar to display a scrollable list of filters that are applied across the entire dashboard.
You can use filters to drill down and examine the data at a granular level. Filters include client country, client device type, client IP, client request host, client request URI, client request user agent, edge response status, origin IP, and origin response status.
Each panel has a set of filters that are applied to the results for that panel only, as shown in the following example. Click the funnel icon in the top panel menu bar to display a list of panel-specific filters.
The default time interval is set to 24 hours. Note that for correct filter calculations, you need to exclude Worker subrequests (WorkerSubrequest = false) and purge requests (ClientRequestMethod is not PURGE).
The Sumo Logic Cloudflare App relies on data from the Cloudflare Enterprise Logs fields outlined below. Depending on which fields you have enabled, certain dashboards might not populate fully.
If that is the case, verify and test the Cloudflare App filters below each dashboard (these filters are the same across all dashboards). You can delete any filters that you don’t need, even if such filters include data fields already contained in your logs.
The available fields are: