Store decrypted matched payloads in logs
You can include the encrypted matched payload in your Logpush jobs by adding the General > Metadata field from the Firewall Events dataset to your job.
The payload, in its encrypted form, is available in the encrypted_matched_data property of the Metadata field.
However, you may want to decrypt the matched payload before storing the logs in your SIEM system of choice. Cloudflare provides a sample Worker project on GitHub that does the following:
- Behaves as S3-compatible storage to receive logs from Logpush. These logs will contain encrypted matched payload data.
- Decrypts matched payload data using your private key.
- Sends the logs to the final log storage system with decrypted payload data.
You will need to make some changes to the sample project to push the logs containing decrypted payload data to your log storage system.
Refer to the Worker project's README for more information on configuring and deploying this Worker project.
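
The middle step of the flow described above (take a received batch, decrypt the matched payload, pass the rest through) can be sketched as follows. This is an added example, not code from Cloudflare's sample Worker project. It assumes the batch is already decompressed newline-delimited JSON; `decryptBatch`, `standInDecrypt`, `decrypted_matched_data` and `matched_data_decrypt_error` are hypothetical names, and the stand-in decryptor is not the real decryption scheme.

```javascript
// Rewrites one Logpush batch (newline-delimited JSON). decryptFn is a hypothetical
// synchronous callback standing in for the sample Worker's real decryption.
function decryptBatch(ndjson, decryptFn) {
  const out = [];
  const stats = { total: 0, decrypted: 0, failed: 0, skipped: 0 };
  for (const line of ndjson.split("\n")) {
    if (line.trim() === "") continue;
    stats.total++;
    let event;
    try {
      event = JSON.parse(line);
    } catch {
      stats.skipped++; // forward unparseable lines unchanged, never drop log data
      out.push(line);
      continue;
    }
    const meta = event && typeof event === "object" ? event.Metadata : undefined;
    const blob = meta && typeof meta === "object" ? meta.encrypted_matched_data : undefined;
    if (typeof blob !== "string" || blob === "") {
      stats.skipped++; // event carries no matched payload
      out.push(line);
      continue;
    }
    try {
      // decrypted_matched_data is a field name chosen for this example.
      meta.decrypted_matched_data = decryptFn(blob);
      delete meta.encrypted_matched_data;
      stats.decrypted++;
    } catch {
      // Keep the ciphertext so the event can be retried; flag it for triage.
      meta.matched_data_decrypt_error = true;
      stats.failed++;
    }
    out.push(JSON.stringify(event));
  }
  return { body: out.map((l) => l + "\n").join(""), stats };
}

// Constructed sample batch; blob values are placeholders, not real ciphertext.
const SAMPLE_BATCH = [
  '{"RayID":"constructed-1","Action":"block","Metadata":{"encrypted_matched_data":"cGxhY2Vob2xkZXI="}}',
  '{"RayID":"constructed-2","Action":"log","Metadata":{}}',
  '{"RayID":"constructed-3","Action":"block","Metadata":{"encrypted_matched_data":"!bad!"}}',
].join("\n");
// Stand-in for real decryption (base64 decode only) so the example runs offline.
function standInDecrypt(blob) {
  if (!/^[A-Za-z0-9+/]+=*$/.test(blob)) throw new Error("malformed blob");
  return Buffer.from(blob, "base64").toString("utf8");
}
```

The `failed` count in `stats` is worth alerting on: a sustained rise usually means the private key used by the Worker no longer matches the public key configured for payload logging.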