Skip to content
WAF
Visit WAF on GitHub
Set theme to dark (⇧+D)

Configure payload logging for a Managed Ruleset via API

You can use the Rulesets API to configure payload logging for a Managed Ruleset.

Configure and enable payload logging

To configure:

  1. Use the Update rule in ruleset API method to update the rule that executes the Managed Ruleset.

  2. In the configuration of the rule that executes the Managed Ruleset, include a matched_data object in action_parameters to configure payload logging.

    The matched_data object has the following structure:

    "action_parameters": {
    // ...
    "matched_data": {
    "public_key": "<PUBLIC_KEY_VALUE>"
    }
    }

    Replace <PUBLIC_KEY_VALUE> with the public key you want to use for payload logging.

You can generate a public key in the command line or in the Cloudflare dashboard.

Example

The following example updates rule {rule-id-1} that executes the Cloudflare Managed Ruleset for zone {zone-id}, configuring payload logging with the provided public key.

Request
curl -X PATCH \
-H "X-Auth-Email: user@cloudflare.com" \
-H "X-Auth-Key: REDACTED" \
"https://api.cloudflare.com/client/v4/zone/{zone-id}/rulesets/{ruleset-id}/rules/{rule-id-1}" \
-d '{
"action": "execute",
"action_parameters": {
"id": "{cloudflare-managed-ruleset-id}",
"matched_data": {
"public_key": "{your-public-key}"
}
},
"expression": "true",
"description": "Executes the Cloudflare Managed Ruleset"
}'

The response includes the complete ruleset after updating the rule.

Response
{
"result": {
"id": "{zone-level-phase-ruleset-id}",
"name": "Zone-level Ruleset 1",
"description": "",
"kind": "zone",
"version": "3",
"rules": [
{
"id": "{rule-id-1}",
"version": "1",
"action": "execute",
"action_parameters": {
"id": "{cloudflare-managed-ruleset-id}",
"version": "latest",
"matched_data": {
"public_key": "{your-public-key}"
}
},
"expression": "true",
"description": "Executes the Cloudflare Managed Ruleset",
"last_updated": "2021-06-28T18:08:14.003361Z",
"ref": "{ruleset-ref-1}",
"enabled": true
},
// ...
],
"last_updated": "2021-06-28T18:08:14.003361Z",
"phase": "http_request_firewall_managed"
},
"success": true,
"errors": [],
"messages": []
}

For more information on deploying Managed Rulesets via API, see Deploy a Managed Ruleset in the Ruleset Engine documentation.


Disable payload logging

To disable payload logging for a Managed Ruleset:

  1. Use the Update rule in ruleset API method to update the rule that executes the Managed Ruleset.

  2. Modify the rule definition so that there is no matched_data object in action_parameters.

The following example rule executes a Managed Ruleset with payload logging disabled:

{
"action": "execute",
"action_parameters": {
"id": "{managed-ruleset-id}"
},
"expression": "true",
"description": ""
}