Display information about WAF-triggered requests from the new WAF engine inside Cloudflare Logs

Since I switched to the new WAF 2 weeks ago, I noticed that all WAF-related information (incl. all requests blocked, challenged or logged by the WAF) is no longer displayed in Cloudflare logs - particularly WAFAction, WAFRuleID and WAFRuleMessage log fields.

We have everything sent to Elasticsearch and visualize the data in Kibana. Since April 1, no more WAF-related information has been included in these 3 log fields - the only information I have is WAFAction = unknown. WAFRuleID and WAFRuleMessage only have blank values.

Instead, WAF-triggered requests are now classified as firewallManaged under the FirewallMatchesSources log field, and we have a not really user-friendly firewall rule ID included in FirewallMatchesRuleIDs:

If we want to know the underlying WAF rules that blocked the requests, then we need to either perform a rule name lookup in the Cloudflare Dashboard using the rule ID, or perform an API request to retrieve all the WAF rules under a ruleset, then find out the name of the WAF rule. This definitely makes the analysis and investigation more difficult (unless you can memorize the corresponding rule name for each rule ID, yeah).

Hopefully this can be fixed in the future - bring back WAFRuleID and WAFRuleMessage log fields so they can display the rule ID and rule message like the previous WAF.

1 Like

Maybe the logpush job needs deleting and re-creating like they did for the new logpush fields they added before?

Heheh, I’m not using Logpush in this case. I use a script to pull the logs and process them.

Oh, using log pull. So previously, with new fields that required deleting the logpush job and recreating it, did the log pull show those fields prior?

I tried to include the new fields in the logpull requests a few days ago; unfortunately logpull does not support the new fields yet.

Surprised the log pull fields are there even after all this time.

WAFAction, WAFRuleID and WAFRuleMessage are only populated for the legacy WAF.

As you mentioned, you can use FirewallMatchesActions and FirewallMatchesRuleIDs as a replacement for the first 2 fields in the new Managed Rulesets.

For WAFRuleMessage, there is no equivalent field right now but we are considering adding one.

3 Likes
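The workaround described in the opening post (look up each FirewallMatchesRuleIDs value against the rules of a managed ruleset) and the field mapping given in the reply above (FirewallMatchesActions and FirewallMatchesRuleIDs replacing WAFAction and WAFRuleID) can be automated in the log-processing script. The example below is added here and is not code from the thread or from Cloudflare: it builds a rule-ID-to-description lookup from a ruleset response, then enriches Logpull records with a synthesized rule message so Kibana can display it. The ruleset response and the log lines are constructed samples; the rule IDs in them are placeholders, not real Cloudflare rule IDs. It assumes the three FirewallMatches* fields are parallel arrays (entry N in each describes the same match), that the rulesets API returns `result.rules[].id` and `result.rules[].description`, and that `fetch_ruleset` (which is not called by the sample run) receives a valid zone ID, ruleset ID and API token.

```python
import json
import urllib.request
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample of a ruleset response, trimmed to the fields used here.
# Assumption: the real GET /zones/{zone_id}/rulesets/{ruleset_id} response has
# this shape (result.rules[].id / .description); the IDs are placeholders.
RULESET_RESPONSE = {
    "result": {
        "id": "RULESET_ID_PLACEHOLDER",
        "name": "Example managed ruleset (constructed)",
        "rules": [
            {"id": "rule-aaa111", "description": "SQLi - example placeholder rule", "action": "block"},
            {"id": "rule-bbb222", "description": "XSS - example placeholder rule", "action": "managed_challenge"},
        ],
    }
}

# Constructed Logpull-style records using the fields named in the thread.
# Record 2 mixes a managed match with a custom-rule match whose ID is not in
# the ruleset above; record 3 is a request that matched nothing.
SAMPLE_LOG_LINES = [
    '{"RayID":"0000000000000001","ClientIP":"198.51.100.10",'
    '"FirewallMatchesSources":["firewallManaged"],'
    '"FirewallMatchesActions":["block"],"FirewallMatchesRuleIDs":["rule-aaa111"]}',
    '{"RayID":"0000000000000002","ClientIP":"203.0.113.7",'
    '"FirewallMatchesSources":["firewallManaged","firewallCustom"],'
    '"FirewallMatchesActions":["log","block"],'
    '"FirewallMatchesRuleIDs":["rule-bbb222","custom-ccc333"]}',
    '{"RayID":"0000000000000003","ClientIP":"192.0.2.5",'
    '"FirewallMatchesSources":[],"FirewallMatchesActions":[],"FirewallMatchesRuleIDs":[]}',
]


def fetch_ruleset(zone_id: str, ruleset_id: str, api_token: str) -> dict:
    """Fetch one ruleset from the Cloudflare API (not called in the sample run)."""
    url = f"https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def build_rule_lookup(ruleset_response: dict) -> Dict[str, str]:
    """Map rule ID -> human-readable description for every rule in the ruleset."""
    return {r["id"]: r.get("description", "") for r in ruleset_response["result"]["rules"]}


def enrich_record(record: dict, lookup: Dict[str, str]) -> dict:
    """Add a WAFMatches list (source, action, rule_id, rule_message) to one record.

    Relies on FirewallMatchesSources / Actions / RuleIDs being parallel arrays.
    Rule IDs outside the ruleset (e.g. custom firewall rules) are kept but
    marked so they are not mistaken for managed WAF rules.
    """
    sources = record.get("FirewallMatchesSources", [])
    actions = record.get("FirewallMatchesActions", [])
    rule_ids = record.get("FirewallMatchesRuleIDs", [])
    matches: List[dict] = []
    for src, act, rid in zip(sources, actions, rule_ids):
        matches.append({
            "source": src,
            "action": act,
            "rule_id": rid,
            "rule_message": lookup.get(rid, "unknown rule id"),
        })
    enriched = dict(record)
    enriched["WAFMatches"] = matches
    return enriched


def enrich_lines(lines: Iterable[str], lookup: Dict[str, str]) -> List[dict]:
    """Parse JSON log lines and enrich each one."""
    return [enrich_record(json.loads(line), lookup) for line in lines]


def count_by_rule_message(records: Iterable[dict]) -> Counter:
    """Aggregate managed-WAF matches by rule message, the view a dashboard needs."""
    counts: Counter = Counter()
    for rec in records:
        for m in rec.get("WAFMatches", []):
            if m["source"] == "firewallManaged":
                counts[m["rule_message"]] += 1
    return counts


if __name__ == "__main__":
    lookup = build_rule_lookup(RULESET_RESPONSE)
    records = enrich_lines(SAMPLE_LOG_LINES, lookup)
    for rec in records:
        print(json.dumps(rec))
    print(dict(count_by_rule_message(records)))
```

In a real pipeline the lookup would be built once per ruleset (the zone may have several managed rulesets deployed, so merge the dictionaries from each) and refreshed periodically, since rule descriptions can change when Cloudflare updates the managed ruleset.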

Thanks for your reply @mdemoura

Hopefully there will be one, I don’t want to perform a WAF rule lookup for each rule ID that is displayed in the logs :laughing:

1 Like
