Logpush integration
With Cloudflare’s Logpush service, you can configure the automatic export of Zero Trust logs to third-party storage destinations or to security information and event management (SIEM) tools. Once exported, your team can analyze and audit the data as needed.
To enable Logpush for Zero Trust logs:
- In Zero Trust, go to Logs > Logpush.
- Select Add Logpush job.
- Enter a Job name.
- From the drop-down menu, choose the dataset to export.
- Next, select the data fields you want to include in the log.
- In Advanced settings, choose the timestamp format you prefer, and whether you want to enable logs sampling.
- Select Next.
- Select the service you want to export your logs to.
- Follow the service-specific instructions in Zero Trust to validate your destination.
The setup of your Logpush integration is now complete. Logpush will send updated logs every five minutes to your selected destination.
You can configure multiple destinations and add additional fields to your logs by returning to the Logpush page.
Refer to the Logpush documentation for a list of available fields.
| Dataset | Description |
|---|---|
| Gateway DNS | DNS queries inspected by Cloudflare Gateway |
| Gateway HTTP | HTTP requests inspected by Cloudflare Gateway |
| Gateway Network | Network packets inspected by Cloudflare Gateway |
| Audit Logs | Authentication events through Cloudflare Access |
| Access Requests | HTTP requests to sites protected by Cloudflare Access |
| CASB Findings | Security issues detected by Cloudflare CASB |
| Device Posture | Device posture status from the WARP client |
| Session Logs | Network session logs for traffic proxied by Cloudflare Gateway |
Cloudflare Gateway logs DNS response data in the resource record wire format defined in section 4.1.3 of RFC 1035, delivered as a Base64-encoded binary blob in the `RData.data` field. Decoding that blob yields the following resource record fields for each query:
- Query name
- Query type
- Query class
- Response TTL
- Response data
To parse resource record logs from Logpush, run the following Python script with your desired samples:
```python
import base64

import dnslib

# The samples from your Logpush output
samples = [
    {"type": "1", "data": "BnJlZGRpdANjb20AAAEAAQAAALwABJdlwYw="},
    {"type": "5", "data": "BnNlY3VyZQV3bHhycwNjb20AAAUAAQAADggAIgZzZWN1cmUEYmFzZQV3bHhycwNjb20GYWthZG5zA25ldAA="},
    {"type": "28", "data": "Bmdvb2dsZQNjb20AABwAAQAAAGkAECYH+LBAIxAJAAAAAAAAAGU="},
]

# Parse the Logpush RData.data field into Resource Records
# See section "4.1.3. Resource record format" of https://www.ietf.org/rfc/rfc1035.txt
# Includes Query Name, Query Type, Query Class, Response TTL, Response Data
for sample in samples:
    decoded = base64.b64decode(sample["data"])
    buffer = dnslib.DNSBuffer(decoded)
    r = dnslib.RR.parse(buffer)

    print("== Print the full Resource Record ==")
    print(r)

    print("== Print individual components of the Resource Record ==")
    query_name = r.rname
    query_type = r.rtype
    query_class = r.rclass
    response_ttl = r.ttl
    response_data = r.rdata
    print(
        f"query name: {query_name} | query type: {query_type} | "
        f"query class: {query_class} | ttl: {response_ttl} | rdata: {response_data}\n"
    )
```
The script will print a list of your samples. For example:
```text
== Print the full Resource Record ==
reddit.com. 188 IN A 151.101.193.140
== Print individual components of the Resource Record ==
query name: reddit.com. | query type: 1 | query class: 1 | ttl: 188 | rdata: 151.101.193.140

== Print the full Resource Record ==
secure.wlxrs.com. 3592 IN CNAME secure.base.wlxrs.com.akadns.net.
== Print individual components of the Resource Record ==
query name: secure.wlxrs.com. | query type: 5 | query class: 1 | ttl: 3592 | rdata: secure.base.wlxrs.com.akadns.net.

== Print the full Resource Record ==
google.com. 105 IN AAAA 2607:f8b0:4023:1009::65
== Print individual components of the Resource Record ==
query name: google.com. | query type: 28 | query class: 1 | ttl: 105 | rdata: 2607:f8b0:4023:1009::65
```
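The dnslib script hides what the decoded bytes actually look like, and it will happily parse a record that is shorter than its own RDLENGTH claims. The parser below is an added example written for this page, not Cloudflare's code and not part of the dnslib script above. It uses only the Python standard library to walk the RFC 1035 section 4.1.3 layout directly (length-prefixed name labels, then TYPE, CLASS, TTL and RDLENGTH as big-endian integers, then RDATA), renders A, AAAA and name-valued RDATA, cross-checks the parsed TYPE against the `type` field Logpush puts beside `data`, and rejects records whose RDLENGTH does not match the bytes actually present or that contain a compression pointer, which cannot be resolved in a standalone record. The three `data` values are the ones from the page; the truncated and pointer-bearing inputs used by `is_well_formed` are constructed for the example.

```python
import base64
import ipaddress
import struct

# Samples copied from the page's Logpush output (RData.data, Base64 RFC 1035 RR).
SAMPLES = [
    {"type": "1", "data": "BnJlZGRpdANjb20AAAEAAQAAALwABJdlwYw="},
    {"type": "5", "data": "BnNlY3VyZQV3bHhycwNjb20AAAUAAQAADggAIgZzZWN1cmUEYmFzZQV3bHhycwNjb20GYWthZG5zA25ldAA="},
    {"type": "28", "data": "Bmdvb2dsZQNjb20AABwAAQAAAGkAECYH+LBAIxAJAAAAAAAAAGU="},
]

# RR types whose RDATA is itself a domain name; everything not listed below is rendered as hex.
NAME_TYPES = {2: "NS", 5: "CNAME", 12: "PTR"}
TYPE_NAMES = {1: "A", 28: "AAAA", **NAME_TYPES}


def read_name(buf: bytes, pos: int) -> tuple:
    """Decode an RFC 1035 section 3.1 domain name starting at buf[pos].

    Returns (dotted name with trailing '.', position after the zero-length root label).
    A label whose top two bits are set is a compression pointer (or an extended label);
    a standalone RR has no enclosing message to point into, so such input is rejected
    instead of being followed into memory that does not exist here.
    """
    labels = []
    while True:
        if pos >= len(buf):
            raise ValueError("truncated name")
        length = buf[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer or extended label in standalone RR")
        if pos + length > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", pos


def parse_rr(data_b64: str) -> dict:
    """Parse one Logpush RData.data value (Base64 of an RFC 1035 4.1.3 resource record)."""
    buf = base64.b64decode(data_b64)
    name, pos = read_name(buf, 0)
    if len(buf) - pos < 10:
        raise ValueError("truncated RR header")
    # TYPE (2), CLASS (2), TTL (4), RDLENGTH (2), all network byte order.
    rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", buf[pos:pos + 10])
    pos += 10
    # RDLENGTH must cover exactly the remaining bytes: fewer means a truncated export,
    # more means trailing garbage; neither is a record to act on.
    if pos + rdlength != len(buf):
        raise ValueError(f"RDLENGTH {rdlength} does not match {len(buf) - pos} trailing bytes")
    rdata = buf[pos:pos + rdlength]
    if rtype == 1 and rdlength == 4:
        rendered = str(ipaddress.IPv4Address(rdata))
    elif rtype == 28 and rdlength == 16:
        rendered = str(ipaddress.IPv6Address(rdata))
    elif rtype in NAME_TYPES:
        rendered, end = read_name(rdata, 0)
        if end != rdlength:
            raise ValueError("trailing bytes after name in RDATA")
    else:
        rendered = rdata.hex()
    return {
        "name": name,
        "type": rtype,
        "type_name": TYPE_NAMES.get(rtype, f"TYPE{rtype}"),
        "class": rclass,
        "ttl": ttl,
        "rdata": rendered,
    }


def parse_samples(samples: list) -> list:
    """Parse each Logpush sample and require the wire TYPE to agree with the 'type' field."""
    records = []
    for sample in samples:
        rr = parse_rr(sample["data"])
        if rr["type"] != int(sample["type"]):
            raise ValueError(f"Logpush type {sample['type']} disagrees with wire type {rr['type']}")
        records.append(rr)
    return records


def is_well_formed(data_b64: str) -> bool:
    """True only if the blob parses as a complete, self-contained resource record."""
    try:
        parse_rr(data_b64)
        return True
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueError subclasses
        return False


if __name__ == "__main__":
    for rr in parse_samples(SAMPLES):
        print(f"{rr['name']} {rr['ttl']} IN {rr['type_name']} {rr['rdata']}")
```

Run the file as-is and it prints one presentation-format line per sample, matching the dnslib output above. Feed `is_well_formed` a value from a real export before trusting it in a detection rule: a record cut off by a partial write fails the RDLENGTH check rather than silently yielding a shorter address.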