How to see which individual IP successfully passed captcha challenge

Is there a way I can see which individual IPs passed the captcha challenge, all I can see is the % but not which IPs passed

You can filter in the “firewall events” tab with “action” equals “challenge” to see which IPs triggered the captcha, however whether or not they passed the captcha isn’t included.

is there some indirect way to work out which specfic IP’s have successfully passed the challenge ? thx

You’d have to match them up with the access log on your server.

Thats a great suggestion but unfortunately I don’t have access to the server access logs because its third part hosted (Yola) , I have asked them (Yola) for access but in the absence of this is there an indirect technique using Cloudflare ? thx

Maybe @chasers knows how this would look through the https://logflare.app

Definitely need access to your Cloudflare logs. Cloudflare Enterprise plan gives access to your logs via API or logpush. I use logpush to AWS S3 bucket and then can parse and inspect my CF logs via a custom log parser I wrote which can filter on ip or all ips, firewall match action and Enterprise plan’s Bot Management bot score and by url path and date using logpush fields outlined at https://developers.cloudflare.com/logs/log-fields

For example to return all IP addresses which had a FirewallMatchesActions = challengesolved for August 15, 2020 for domain.com at url path /find-new/posts (forum search) with a Bot Management bot score of <=42 would return something like

./cflog-parser.sh parse domain.com/find-new/posts allips 20200815 42 challengesolved 
h=domain.com
ip=allips
datedir=20200815
botscore=42
firewall=challengesolved
path=/find-new/posts
/usr/bin/pzcat /home/cfcmm-logs/20200815/*.log.gz | jq -r --arg host $h --arg bs $botscore --arg c $fwmatch --arg reqpath $path 'select(.BotScore <=($bs | tonumber) and .ClientRequestHost == $host and .FirewallMatchesActions[] == $c and .ClientRequestPath == $reqpath) | "\(.EdgeStartTimestamp) \(.ClientIP) \(.RayID) \(.ParentRayID) \(.ClientRequestURI) \(.ClientRequestMethod) \(.ClientRequestReferer) \(.EdgeResponseStatus) \(.OriginResponseStatus) \(.EdgeRequestHost) \(.EdgeColoCode) \(.ClientCountry) \(.ClientIPClass) [\(.WorkerStatus)-\(.WorkerSubrequest)-\(.WorkerSubrequestCount)] \(.EdgePathingOp)-\(.EdgePathingSrc)-\(.EdgePathingStatus)-\(.EdgeRateLimitAction) \(.FirewallMatchesActions):\(.FirewallMatchesRuleIDs):\(.FirewallMatchesSources) \(.WAFAction)-\(.WAFRuleID) \(.BotScore) x \(.BotScoreSrc) \(.ClientRequestUserAgent)"' | egrep -i -v 'cdn-cgi|index.rss|xidel|UptimeRobot|HetrixTools|CloudFlare-Prefetch'

2020-08-15T02:25:16Z xxx.xxx.xxx.xxx.xxx 5c2f76ccefdd0e56 00 /find-new/posts GET  303 0 domain.com DFW us noRecord [exception-false-2] tempOk-filterBasedFirewall-captchaSucc- ["challengeSolved"]:["RULEID"]:["firewallRules"] unknown- 3 x Machine Learning Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
2020-08-15T04:24:12Z xxx.xxx.xxx.xxx.xxx 5c302505fa25ec8a 00 /find-new/posts GET  303 0 domain.com DFW us noRecord [exception-false-2] tempOk-filterBasedFirewall-captchaSucc- ["challengeSolved"]:["RULEID"]:["firewallRules"] unknown- 3 x Machine Learning Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
2020-08-15T21:12:25Z yyy.yyy.yyy.yyy 5c35e9e93bb21476 00 /find-new/posts GET https://domain.com/threads/xxxxxx/ 303 0 domain.com SEA us noRecord [exception-false-2] tempOk-filterBasedFirewall-captchaSucc- ["challengeSolved"]:["RULEID"]:["firewallRules"] unknown- 3 x Machine Learning Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36

all returned results had a Bot Management score of 3 via Machine Learning as I setup a Bot Management firewall rule to challenge when Bot Score was <=6

3 x Machine Learning
1 Like

This is very useful but I was hoping to stay on the free plan for the moment. Was hoping there was some parameter that would be an indication that a captcha had been passed.

If I switched to the JS captcha would that help

This topic was automatically closed after 30 days. New replies are no longer allowed.