Just wanted to confirm: in firewall logs from Cloudflare we have an event field “action”. If we get a value “log” in it, what does that actually mean? We can see traffic from an unknown (malicious) IP; only a few of the events have action as block, and the rest of the events have action as log.
I went through the Cloudflare documentation but could not understand whether the traffic was allowed or blocked.
In Cloudflare’s firewall logs, an “action” value of “log” means that the request was allowed through but noted in the logs for review. It was not blocked.
You have a Custom Rule or setting set to “Log” rather than block. If you expand the event, it should tell you which service/rule was the one set to do that. Most likely, it’s a custom rule you created with an action of Log.
Thank you so much for looking into it. I got your point, so log does not mean allow, right? We can see further what service/rule was set. Is it possible that a few events from the same source IP had action as block and a few had action as log?
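One way to check exported firewall events for the situation discussed in this thread, added here as an example and not part of any post above: it groups events by source IP, counts each action, and lists the service/rule behind every "log" event. Only the "action" field is named in the thread; the field names `clientIP`, `ruleId` and `source`, and all sample events, are assumptions constructed for illustration.

```python
import json
from collections import Counter, defaultdict

# Constructed sample events, one JSON object per line (not real traffic).
# Only "action" is named on the page; clientIP, ruleId and source are
# assumed field names for the exported events.
SAMPLE_EVENTS = """
{"clientIP": "203.0.113.7", "action": "log", "ruleId": "rule-log-1", "source": "firewallCustom"}
{"clientIP": "203.0.113.7", "action": "block", "ruleId": "rule-block-9", "source": "firewallCustom"}
{"clientIP": "203.0.113.7", "action": "log", "ruleId": "rule-log-1", "source": "firewallCustom"}
{"clientIP": "198.51.100.20", "action": "log", "ruleId": "rule-log-1", "source": "firewallCustom"}
{"clientIP": "192.0.2.55", "action": "block", "ruleId": "rule-block-9", "source": "firewallCustom"}
"""


def summarize(raw):
    """Group events by client IP; report action counts and which rules only logged."""
    actions = defaultdict(Counter)
    log_rules = defaultdict(set)
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ip = ev.get("clientIP", "unknown")
        action = ev.get("action", "unknown").lower()
        actions[ip][action] += 1
        if action == "log":
            # Record the service/rule whose action is Log, so it can be reviewed.
            log_rules[ip].add((ev.get("source", "?"), ev.get("ruleId", "?")))
    report = {}
    for ip, counts in actions.items():
        if counts["log"] and counts["block"]:
            verdict = "mixed"       # some requests blocked, others only logged
        elif counts["log"]:
            verdict = "log-only"    # nothing from this IP was blocked
        elif counts["block"]:
            verdict = "block-only"
        else:
            verdict = "other"
        report[ip] = {"counts": dict(counts), "verdict": verdict,
                      "log_rules": sorted(log_rules[ip])}
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_EVENTS).items():
        print(ip, info["verdict"], info["counts"], info["log_rules"])
```

An IP reported as "mixed" or "log-only" points at the rules in `log_rules` as the ones to review if that traffic should be blocked.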