Logpush
BetaAI Gateway allows you to securely export logs to an external storage location, where you can decrypt and process them. You can toggle Logpush on and off in the Cloudflare dashboard ↗ settings. This product is available on the Workers Paid plan. For pricing information, refer to Pricing.
This guide explains how to set up Logpush for AI Gateway, generate an RSA key pair for encryption, and decrypt the logs once they are received.
You can store up to 10 million logs per gateway. If your limit is reached, new logs will stop being saved and will not be exported through Logpush. To continue saving and exporting logs, you must delete older logs to free up space for new logs. Logpush has a limit of 4 jobs and a maximum request size of 1 MB per log.
We employ a hybrid encryption model efficiency and security. Initially, an AES key is generated for each log. This AES key is what actually encrypts the bulk of your data, chosen for its speed and security in handling large datasets efficiently.
Now, for securely sharing this AES key, we use RSA encryption. Here’s what happens: the AES key, although lightweight, needs to be transmitted securely to the recipient. We encrypt this key with the recipient’s RSA public key. This step leverages RSA’s strength in secure key distribution, ensuring that only someone with the corresponding RSA private key can decrypt and use the AES key.
Once encrypted, both the AES-encrypted data and the RSA-encrypted AES key are sent together. Upon arrival, the recipient’s system uses the RSA private key to decrypt the AES key. With the AES key now accessible, it’s straightforward to decrypt the main data payload.
This method combines the best of both worlds: the efficiency of AES for data encryption with the secure key exchange capabilities of RSA, ensuring data integrity, confidentiality, and performance are all optimally maintained throughout the data lifecycle.
To configure Logpush for AI Gateway, follow these steps:
You need to generate a key pair to encrypt and decrypt the logs. This script will output your RSA privateKey and publicKey. Keep the private key secure, as it will be used to decrypt the logs. Below is a sample script to generate the keys using Node.js and OpenSSL.
Run the script by executing the below code on your terminal. Replace file name
with the name of your JavaScript file.
-
Generate private key: Use the following command to generate a RSA private key:
-
Generate public key: After generating the private key, you can extract the corresponding public key using:
Once you have generated the key pair, upload the public key to your AI Gateway settings. This key will be used to encrypt your logs. In order to enable Logpush, you will need logs enabled for that gateway.
To set up Logpush, refer to Logpush Get Started.
After configuring Logpush, logs will be sent encrypted using the public key you uploaded. To access the data, you will need to decrypt it using your private key. The logs will be sent to the object storage provider that you have selected.
To decrypt the encrypted log bodies and metadata from AI Gateway, you can use the following Node.js script or OpenSSL:
To decrypt the encrypted log bodies and metadata from AI Gateway, download the logs to a folder, in this case its named my_log.log.gz
.
Then copy this javascript file into the same folder and place your private key in the top variable.
Run the script by executing the below code on your terminal. Replace file name
with the name of your JavaScript file.
The script reads the encrypted log file (my_log.log.gz)
, decrypts the metadata, request body, and response body, and prints the decrypted data.
Ensure you replace the privateKey
variable with your actual private RSA key that you generated in step 1.
- Decrypt the encrypted log file using the private key.
Assuming that the logs were encrypted with the public key (for example public_key.pem
), you can use the private key (private_key.pem
) to decrypt the log file.
For example, if the encrypted logs are in a file named encrypted_logs.bin
, you can decrypt it like this:
-decrypt
tells OpenSSL that we want to decrypt the file.-inkey private_key.pem
specifies the private key that will be used to decrypt the logs.-in encrypted_logs.bin
is the encrypted log file.-out decrypted_logs.txt
decrypted logs will be saved into this file.
- View the decrypted logs Once decrypted, you can view the logs by simply running:
This command will output the decrypted logs to the terminal.