Log fields

The tables below describe the fields available by log category. The list of fields is also accessible directly from the API: https://api.cloudflare.com/client/v4/zones/<zone_id>/logpush/datasets/<dataset>/fields, where the dataset argument indicates the log category (either http_requests, spectrum_events, or firewall_events).

HTTP requests

BotScoreCloudflare Bot Score (available for Bot Management customers; please contact your account team to enable)int
BotScoreSrcUnderlying detection engine or source on where a Bot Score is calculated.
Possible values are Not Computed | Heuristics | Machine Learning | Behavioral Analysis | Verified Bot
CacheCacheStatusunknown | miss | expired | updating | stale | hit | ignored | bypass | revalidatedstring
CacheResponseBytesNumber of bytes returned by the cacheint
HTTP status code returned by the cache to the edge; all requests (including non-cacheable ones) go through the cache; also see CacheStatus field
CacheTieredFillTiered Cache was used to serve this requestbool
ClientASNClient AS numberint
ClientCountryCountry of the client IP addressstring
ClientDeviceTypeClient device typestring
ClientIPIP address of the clientstring
unknown | clean | badHost | searchEngine | whitelist | greylist | monitoringService | securityScanner | noRecord | scan |backupService | mobilePlatform | tor
ClientRequestBytesNumber of bytes in the client requestint
ClientRequestHostHost requested by the clientstring
ClientRequestMethodHTTP method of client requeststring
ClientRequestPathURI path requested by the clientstring
ClientRequestProtocolHTTP protocol of client requeststring
ClientRequestRefererHTTP request referrerstring
ClientRequestURIURI requested by the clientstring
ClientRequestUserAgentUser agent reported by the clientstring
ClientSSLCipherClient SSL cipherstring
ClientSSLProtocolClient SSL (TLS) protocolstring
ClientSrcPortClient source portint
ClientXRequestedWithX-Requested-With HTTP headerstring
EdgeColoCodeIATA airport code of data center that received the requeststring
EdgeColoIDCloudflare edge colo idint
EdgeEndTimestampTimestamp at which the edge finished sending response to the clientint or string
EdgePathingOpIndicates what type of response was issued for this request (unknown = no specific action)string
EdgePathingSrcDetails how the request was classified based on security checks (unknown = no specific classification)string
EdgePathingStatusIndicates what data was used to determine the handling of this request (unknown = no data)string
EdgeRateLimitActionThe action taken by the blocking rule; empty if no action takenstring
EdgeRateLimitIDThe internal rule ID of the rate-limiting rule that triggered a block (ban) or simulate action. 0 if no action takenint
EdgeRequestHostHost header on the request from the edge to the originstring
EdgeResponseBytesNumber of bytes returned by the edge to the clientint
EdgeResponseCompressionRatioEdge response compression ratiofloat
EdgeResponseContentTypeEdge response Content-Type header valuestring
EdgeResponseStatusHTTP status code returned by Cloudflare to the clientint
EdgeServerIPIP of the edge server making a request to the originstring
EdgeStartTimestampTimestamp at which the edge received request from the clientint or string
FirewallMatchesActionsArray of actions the Cloudflare firewall products performed on this request. The individual firewall products associated with this action be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources.
Possible actions are allow | log | simulate | drop | challenge | jschallenge | connectionClose | challengeSolved | challengeFailed | challengeBypassed | jschallengeSolved | jschallengeFailed | jschallengeBypassed | bypass
array of actions (strings)
FirewallMatchesRuleIDsArray of RuleIDs of the firewall product that has matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources.array of RuleIDs (strings)
FirewallMatchesSourcesThe firewall products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions.
Possible sources are asn | country | ip | ipRange | securityLevel | zoneLockdown | waf | firewallRules | uaBlock | rateLimit |bic | hot | l7ddos | sanitycheck | protect
array of product names (strings)
OriginIPIP of the origin serverstring
OriginResponseBytes (deprecated)Number of bytes returned by the origin serverint
OriginResponseHTTPExpiresValue of the origin 'expires' header in RFC1123 formatstring
OriginResponseHTTPLastModifiedValue of the origin 'last-modified' header in RFC1123 formatstring
OriginResponseStatusStatus returned by the origin serverint
OriginResponseTimeNumber of nanoseconds it took the origin to return the response to edgeint
OriginSSLProtocolSSL (TLS) protocol used to connect to the originstring
ParentRayIDRay ID of the parent request if this request was made using a Worker scriptstring
RayIDID of the requeststring
SecurityLevelThe security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation systemstring
WAFActionAction taken by the WAF, if triggeredstring
WAFFlagsAdditional configuration flags: simulate (0x1) | nullstring
WAFMatchedVarThe full name of the most-recently matched variablestring
WAFProfilelow | med | highstring
WAFRuleIDID of the applied WAF rulestring
WAFRuleMessageRule message associated with the triggered rulestring
WorkerCPUTimeAmount of time in microseconds spent executing a worker, if anyint
WorkerStatusStatus returned from worker daemonstring
WorkerSubrequestWhether or not this request was a worker subrequestbool
WorkerSubrequestCountNumber of subrequests issued by a worker when handling this requestint
ZoneIDInternal zone IDint

Spectrum events

ApplicationThe unique public ID of the application on which the event occurredstring
ClientAsnClient AS numberint
ClientBytesThe number of bytes read from the client by the Spectrum serviceint
ClientCountryCountry of the client IP addressstring
ClientIPClient IP addressstring
ClientPortClient portint
Transport protocol used by client; tcp | udp | unix
ClientTcpRttThe TCP round-trip time in nanoseconds between the client and Spectrumint
ClientTlsCipherThe cipher negotiated between the client and Spectrumstring
ClientTlsClientHelloServerNameThe server name in the Client Hello message from client to Spectrumstring
The TLS version negotiated between the client and Spectrum; unknown | none | SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3
Indicates state of TLS session from the client to Spectrum; UNKNOWN | OK | INTERNAL_ERROR | INVALID_CONFIG | INVALID_SNI | HANDSHAKE_FAILED | KEYLESS_RPC
ColoCodeIATA airport code of data center that received the requeststring
ConnectTimestampTimestamp at which both legs of the connection (client/edge, edge/origin or nexthop) were establishedint or string
DisconnectTimestampTimestamp at which the connection was closedint or string
connect | disconnect | clientFiltered | tlsError | resolveOrigin | originError
IpFirewallWhether IP Firewall was enabled at time of connectionbool
OriginBytesThe number of bytes read from the origin by Spectrumint
OriginIPOrigin IP addressstring
OriginPortOrigin portint
Transport protocol used by origin; tcp | udp | unix
OriginTcpRttThe TCP round-trip time in nanoseconds between Spectrum and the originint
OriginTlsCipherThe cipher negotiated between Spectrum and the originstring
OriginTlsFingerprintSHA256 hash of origin certificatestring
If and how the upstream connection is encrypted; unknown | off | flexible | full | strict
The TLS version negotiated between Spectrum and the origin; unknown | none | SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3
The state of the TLS session from Spectrum to the origin; UNKNOWN | OK | INTERNAL_ERROR | INVALID_CONFIG | INVALID_SNI | HANDSHAKE_FAILED | KEYLESS_RPC
Which form of proxy protocol is applied to the given connection; off | v1 | v2 | simple
StatusA code indicating reason for connection closureint
TimestampTimestamp at which the event took placestring

Firewall events

ActionThe code of the first-class action the Cloudflare Firewall took on this requeststring
ClientASNThe ASN number of the visitorint
ClientASNDescriptionThe ASN of the visitor as stringstring
ClientCountryCountry from which request originatedstring
ClientIPThe visitor's IP address (IPv4 or IPv6)string
ClientIPClassThe classification of the visitor's IP address, possible values are: unknown | clean | badHost | searchEngine | whitelist | greylist | monitoringService |securityScanner | noRecord | scan | backupService | mobilePlatform | torstring
ClientRefererHostThe referer hoststring
ClientRefererPathThe referer path requested by visitorstring
ClientRefererQueryThe referer query-string was requested by the visitorstring
ClientRefererSchemeThe referer url scheme requested by the visitorstring
ClientRequestHostThe HTTP hostname requested by the visitorstring
ClientRequestMethodThe HTTP method used by the visitorstring
ClientRequestPathThe path requested by visitorstring
ClientRequestProtocolThe version of HTTP protocol requested by the visitorstring
ClientRequestQueryThe query-string was requested by the visitorstring
ClientRequestSchemeThe url scheme requested by the visitorstring
ClientRequestUserAgentVisitor's user-agent stringstring
DatetimeThe date and time the event occurred at the edgeint or string
EdgeColoCodeThe airport code of the Cloudflare datacenter that served this requeststring
EdgeResponseStatusHTTP response status code returned to browserint
KindThe kind of event, currently only possible values are: firewallstring
MatchIndexRules match index in the chainint
MetadataAdditional product-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by Cloudflare security product and can change over timeobject
OriginResponseStatusHTTP origin response status code returned to browserint
OriginatorRayIDThe RayID of the request that issued the challenge/jschallengestring
RayIDThe RayID of the requeststring
RuleIDThe Cloudflare security product-specific RuleID triggered by this requeststring
SourceThe Cloudflare security product triggered by this requeststring