Tunnel diagnostic logs
Cloudflare Tunnel generates a set of diagnostic logs that can be used to troubleshoot issues with cloudflared. A diagnostic report collects data from a single instance of cloudflared running on the local machine.
The steps for getting diagnostic logs depend on your cloudflared deployment environment.
cloudflaredversion 2024.12.2 or later installed on the host
These instructions apply to remotely-managed and locally-managed tunnels running directly on the host machine.
-
(Linux only) To include network diagnostics in the logs, allow the
cloudflareduser to create RAW and PACKET sockets without root permissions:Terminal window sudo setcap cap_net_raw+ep /usr/bin/traceroute && sudo setcap cap_net_raw+ep /usr/bin/tracerouteIf you do not set
cap_net_raw, then traceroute data will be unavailable. -
Get diagnostic logs:
Terminal window cloudflared tunnel diagIf multiple instances of
cloudflaredare running on the same host, specify the metrics server IP and port for the instance you want to diagnose. For example:Terminal window cloudflared tunnel diag --metrics 127.0.0.1:20241
This command will output the status of each diagnostic task and place a cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip file in your working directory.
cloudflared reads diagnostic data from the tunnel metrics server. To get diagnostic logs, the metrics server must be exposed from the Docker container and reachable from the host machine.
-
Determine the metrics server port for the
cloudflaredinstance running in Docker. -
Ensure the container is deployed with port forwarding enabled. The diagnostic feature will request information from the Docker instance using local port
20241, therefore you should forward port20241to the container port obtained in Step 1:Terminal window docker run -d -p 20241:<metrics_port> docker.io/cloudflare/cloudflared tunnel ... -
Verify that you can reach the metrics server address from the Docker host environment:
curl localhost:20241/diag/tunnelThis command should return a JSON:
{"tunnelID": "ef96b330-a7f5-4bce-a00e-827ce5be077f","connectorID": "d236670a-9f74-422f-adf1-030f5c5f0523","connections": [{ "isConnected": true, "protocol": 1, "edgeAddress": "198.41.192.167"},{"isConnected": true, "protocol": 1, "edgeAddress": "198.41.200.113", "index": 1},{"isConnected": true, "protocol": 1, "edgeAddress": "198.41.192.47", "index": 2},{"isConnected": true, "protocol": 1, "edgeAddress": "198.41.200.73", "index": 3}],"icmp_sources": ["192.168.1.243", "fe80::c59:bd4a:e815:ed6"]} -
Run the diagnostic using the Docker container ID:
Terminal window cloudflared tunnel diag --diag-container-id=<containerID>Alternatively, you can specify the container's name instead of its ID:
Terminal window cloudflared tunnel diag --diag-container-id=<containerName>Running the diagnostic command with the container ID allows
cloudflaredto collect information from the Docker environment such as logs and container details.
This command will output the status of each diagnostic task and place a cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip file in your working directory.
The diagnostic feature will request data from the tunnel metrics server using ports 20241 to 20245. You will need to use port forwarding to allow the local cloudflared instance to connect to the metrics server on one of these ports.
-
Determine the tunnel's metrics server port.
-
Enable port forwarding:
Terminal window kubectl port-forward <pod> <diagnostic_port>:<metrics_port><pod>: Name of the pod where the tunnel is running<diagnostic_port>is any local port in the range20241to20245.<metrics_port>is the Kubernetes pod port for thecloudflaredinstance you want to diagnose (obtained in Step 1).
For example, if you set the metrics server address to
0.0.0.0:12345:Terminal window kubectl port-forward cloudflared-6d4897585b-r8kfz 20244:12345Connections made to local port
20244are forwarded to port12345of the pod that is running the tunnel. -
Run the diagnostic:
Terminal window cloudflared tunnel diag --diag-pod-id=<podID>If the pod has multiple applications/services running and
cloudflaredis not the first in the pod, you must specify either the container ID or name:Terminal window cloudflared tunnel diag --diag-pod-id=<podID> --diag-container-id=<containerName>
This command will output the status of each diagnostic task and place a cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip file in your working directory.
The cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip archive contains the files listed below. The data in a file either applies to the cloudflared instance being diagnosed (diagnosee) or the instance that triggered the diagnosis (diagnoser). For example, if your tunnel is running in a Docker container, the diagnosee is the Docker instance and the diagnoser is the host instance.
| File name | Description | Instance |
|---|---|---|
cli-configuration.json | Tunnel run parameters used when starting the tunnel | diagnosee |
cloudflared_logs.txt | Tunnel log file1 | diagnosee |
configuration.json | Tunnel configuration parameters | diagnosee |
goroutine.pprof | goroutine profile made available by pprof | diagnosee |
heap.pprof | heap profile made available by pprof | diagnosee |
metrics.txt | Snapshot of Tunnel metrics at the time of diagnosis | diagnosee |
network.txt | JSON traceroutes to Cloudflare's global network using IPv4 and IPv6 | diagnoser |
raw-network.txt | Raw traceroutes to Cloudflare's global network using IPv4 and IPv6 | diagnoser |
systeminformation.json | Operating system information and resource usage | diagnosee |
task-result.json | Result of each diagnostic task | diagnoser |
tunnelstate.json | Tunnel connections at the time of diagnosis | diagnosee |
-
If the log file is blank, you may need to set
--logleveltodebugwhen you start the tunnel. The--loglevelparameter is only required if you ran the tunnel from the CLI using acloudflared tunnel runcommand. It is not necessary if the tunnel runs as a Linux/macOS service or runs in Docker/Kubernetes. ↩