Configure payload logging via API
Use the Rulesets API to configure payload logging for a managed ruleset via API.
-
Use the Get a zone entry point ruleset operation to obtain the following IDs:
- The ID of the entry point ruleset of the
http_request_firewall_managed
phase. - The ID of the rule deploying the WAF managed ruleset (an
execute
rule) for which you want to configure payload logging.
- The ID of the entry point ruleset of the
-
Use the Update a zone ruleset rule operation to update the rule you identified in the previous step.
Include a
matched_data
object in the rule'saction_parameters
object to configure payload logging. Thematched_data
object has the following structure:Replace
<PUBLIC_KEY_VALUE>
with the public key you want to use for payload logging. You can generate a public key in the command line or in the Cloudflare dashboard.
This example configures payload logging for the Cloudflare Managed Ruleset, which is already deployed for a zone with ID {zone_id}
.
-
Invoke the Get a zone entry point ruleset operation (a
GET
request) to obtain the rules currently configured in the entry point ruleset of thehttp_request_firewall_managed
phase. -
Save the following IDs for the next step:
- The ID of the entry point ruleset:
060013b1eeb14c93b0dcd896537e0d2c
- The ID of the
execute
rule deploying the Cloudflare Managed Ruleset:1bdb49371c1f46958fc8b985efcb79e7
To find the correct rule in the
rules
array, search for anexecute
rule containing the ID of the Cloudflare Managed Ruleset (...376e9aee
) inaction_parameters
>id
. - The ID of the entry point ruleset:
-
Invoke the Update a zone ruleset rule operation (a
PATCH
request) to update the configuration of the rule you identified. The rule will now include the payload logging configuration (matched_data
object).The response will include the complete ruleset after updating the rule.
For more information on deploying managed rulesets via API, refer to Deploy a managed ruleset in the Ruleset Engine documentation.
To disable payload logging for a managed ruleset:
-
Use the Update a zone ruleset rule operation (a
PATCH
request) to update the rule deploying the managed ruleset (anexecute
rule). -
Modify the rule definition so that there is no
matched_data
object inaction_parameters
.
For example, the following PATCH
request updates rule with ID {rule_id}
deploying the Cloudflare Managed Ruleset so that payload logging is disabled:
For details on obtaining the entry point ruleset ID and the ID of the rule to update, refer to Configure and enable payload logging.