Yup very handy https://community.centminmod.com/threads/Cloudflare-custom-nginx-logging.14790/#post-66843
for top 20 IATA airport code based CF Datacenter connections to my origin
pzcat -f cf-access.log{,-*} | awk '{print $NF}' | awk -F '-' '{print $2}' | sed -e 's|\"||g' | sort | uniq -c | sort -rn | awk '{print $1, $2, "https://google.com/search?q=iata+code:+"$2}' | head -n20
166880 SEA https://google.com/search?q=iata+code:+SEA
108610 FRA https://google.com/search?q=iata+code:+FRA
72431 DFW https://google.com/search?q=iata+code:+DFW
47621 IAD https://google.com/search?q=iata+code:+IAD
47618 AMS https://google.com/search?q=iata+code:+AMS
38194 SIN https://google.com/search?q=iata+code:+SIN
30617 LHR https://google.com/search?q=iata+code:+LHR
27575 ORD https://google.com/search?q=iata+code:+ORD
24423 SYD https://google.com/search?q=iata+code:+SYD
23454 EWR https://google.com/search?q=iata+code:+EWR
23165 SJC https://google.com/search?q=iata+code:+SJC
18757 NRT https://google.com/search?q=iata+code:+NRT
17968 DME https://google.com/search?q=iata+code:+DME
15119 LAX https://google.com/search?q=iata+code:+LAX
10865 CDG https://google.com/search?q=iata+code:+CDG
9130 HKG https://google.com/search?q=iata+code:+HKG
8139 KBP https://google.com/search?q=iata+code:+KBP
7935 ARN https://google.com/search?q=iata+code:+ARN
7225 MCI https://google.com/search?q=iata+code:+MCI
4088 HEL https://google.com/search?q=iata+code:+HEL
top TLS protocol/ciphers communicated over for CF to origin connections
pzcat -f cfssl-access.log{,-*} | grep -v 'SERVER_IP' | awk '{n = 2; for (--n; n >= 0; n--){ printf "%s\t",$(NF-n)} print ""}' | sort | uniq -c | sort -rn | head -n20 | column -t
753574 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
107 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
81 - -
19 TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
7 TLSv1 ECDHE-ECDSA-AES128-SHA
eventually we shall see TLS 1.3 in that mix for CF to origin communication Cloudflare speak TLS 1.3 0-RTT with Origin Backend? 