Since I switched to the new WAF 2 weeks ago, I noticed that all WAF-related information (incl. all requests blocked, challenged or logged by the WAF) is no longer displayed in Cloudflare logs - particularly WAFRuleMessage log fields.
We have everything sent to Elasticsearch and visualize the data in Kibana. Since April 1, no more WAF-related information is included in these 3 log fields - the only information I have is WAFAction = unknown. WAFRuleMessage are only having blank values.
Instead, WAF-triggered requests are now classified as FirewallMatchesSources log field, and we have a not really user-friendly firewall rule ID included in
If we want to know the underlying WAF rules that blocked the requests, then we need to either perform a rule name lookup in the Cloudflare Dashboard using the rule ID, or perform an API request to retrieve all the WAF rules under a ruleset, then find out the name of the WAF rule. This definitely makes the analysis and investigation more difficult (unless you can memorize all the corresponding rule names for each rule ID, yeah).
Hopefully this can be fixed in the future - bring back WAFRuleMessage log fields so they can display the rule ID and rule message like the previous WAF.
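The rule ID to rule name lookup described in the post can be done once and applied to every log record before indexing. The following is an added example, not part of the original post: it builds an ID-to-description index from a ruleset API response and attaches the names to a log record. The ruleset response and log record are constructed samples, the `FirewallMatchesRuleIDs` and `FirewallMatchesActions` fields are assumed to be index-aligned with `FirewallMatchesSources`, and `waf_matches` is a hypothetical output field name.

```python
import json

# Constructed sample shaped like a Rulesets API response for one ruleset
# (GET /zones/{zone_id}/rulesets/{ruleset_id}). All IDs and texts are made up.
RULESET_RESPONSE = json.loads("""
{"success": true, "result": {"id": "ruleset-placeholder", "rules": [
  {"id": "rule-placeholder-aaa", "action": "block",
   "description": "Constructed rule: SQL injection probe"},
  {"id": "rule-placeholder-bbb", "action": "managed_challenge",
   "description": "Constructed rule: known scanner user agent"}]}}
""")

# Constructed log record. Assumption: matched rule IDs arrive in
# FirewallMatchesRuleIDs, index-aligned with FirewallMatchesSources/Actions.
SAMPLE_LOG = {
    "WAFAction": "unknown",
    "WAFRuleMessage": "",
    "FirewallMatchesSources": ["firewallManaged", "firewallManaged"],
    "FirewallMatchesActions": ["block", "block"],
    "FirewallMatchesRuleIDs": ["rule-placeholder-aaa", "rule-placeholder-zzz"],
}

def build_rule_index(response):
    """Map rule ID -> description for every rule in one ruleset response."""
    if not response.get("success"):
        raise ValueError("ruleset lookup failed: %r" % response.get("errors"))
    rules = response["result"].get("rules") or []
    return {r["id"]: r.get("description", "") for r in rules}

def enrich(record, index):
    """Return a copy of the log record with readable rule names attached."""
    ids = record.get("FirewallMatchesRuleIDs") or []
    sources = record.get("FirewallMatchesSources") or []
    actions = record.get("FirewallMatchesActions") or []
    matches = []
    for i, rule_id in enumerate(ids):
        matches.append({
            "rule_id": rule_id,
            "source": sources[i] if i < len(sources) else None,
            "action": actions[i] if i < len(actions) else None,
            # None marks an ID missing from the index (other ruleset or stale cache).
            "rule_message": index.get(rule_id),
        })
    enriched = dict(record)
    enriched["waf_matches"] = matches  # hypothetical field name for Kibana
    return enriched

if __name__ == "__main__":
    print(json.dumps(enrich(SAMPLE_LOG, build_rule_index(RULESET_RESPONSE)), indent=2))
```

A `rule_message` of `None` in the output is worth alerting on in the pipeline, since it means the cached index no longer covers every rule that is firing.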