What is the name of the domain?
.com
What is the error number?
NA
What is the error message?
NA
What is the issue you’re encountering
SIEM ingestion questions - LogPush HTTP Requests do not include rule details, and fw_event use-case information
What steps have you taken to resolve the issue?
Hi everyone,
Not sure where this belongs, so apologies if this isn't the correct space. We are ingesting our Cloudflare HTTP Requests into a SIEM product. The issue we are running into is that the HTTP Request data shows null values for all rule-related fields.
E.g. HTTP requests · Cloudflare Logs docs
SecurityAction
Type: string
Action of the security rule that triggered a terminating action, if any.
SecurityActions
Type: array[string]
Array of actions the Cloudflare security products performed on this request. The individual security products associated with this action can be found in SecuritySources and their respective rule IDs can be found in SecurityRuleIDs. The length of the array is the same as SecurityRuleIDs and SecuritySources.
Possible actions are unknown | allow | block | challenge | jschallenge | log | connectionClose | challengeSolved | challengeBypassed | jschallengeSolved | jschallengeBypassed | bypass | managedChallenge | managedChallengeNonInteractiveSolved | managedChallengeInteractiveSolved | managedChallengeBypassed | rewrite | forceConnectionClose | skip.
SecurityRuleDescription
Type: string
Description of the security rule that triggered a terminating action, if any.
SecurityRuleID
Type: string
Rule ID of the security rule that triggered a terminating action, if any.
SecurityRuleIDs
Type: array[string]
Array of rule IDs of the security product that matched the request. The security product associated with the rule ID can be found in SecuritySources. The length of the array is the same as SecurityActions and SecuritySources.
There are managed rule sets that are blocking a lot of the vuln probing activity we see, but the rule data isn’t being populated within the payload being sent through LogPush. The Logpush settings are configured to include them, but the values are always null.
How can I get the managed rule or custom rule information to populate these HTTP Requests? Alternatively, what could I ingest that I could use to correlate the fw actions vs the HTTP request data.
For every mitigating action, Cloudflare does create a Security Event. I do not see a programmatic way to ingest this data, however. I've also tested ingesting fw_events, but that data is always null.
What are the use-cases for ingesting fw_events, and what service do these logs populate off of?
Thanks in advance!
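As an added example (not code from the original post, and not Cloudflare's own tooling), here is a small Python ingestion check for the HTTP requests dataset fields quoted above. It reads Logpush-style NDJSON, expands the parallel SecurityActions / SecurityRuleIDs / SecuritySources arrays into one record per matched rule (the docs state the three arrays are always the same length, so a length mismatch is treated as an error), flags which entry corresponds to the terminating SecurityRuleID, and counts how many requests arrive with no rule data at all, which is the symptom described in the post. The three log lines are constructed for the example: field names follow the docs, but the IPs, rule IDs and SecuritySources values are made up, and treating both null and "" as "no terminating action" is an assumption.

```python
from __future__ import annotations

import json
from typing import Iterator

# Constructed sample Logpush HTTP request records (NDJSON, one object per line).
# Field names follow the Cloudflare HTTP requests dataset docs; every value is
# made up for this example (rule IDs, IPs, hosts, SecuritySources strings).
SAMPLE_NDJSON = """\
{"ClientIP":"203.0.113.10","ClientRequestHost":"example.com","ClientRequestURI":"/wp-login.php","EdgeResponseStatus":403,"SecurityAction":"block","SecurityRuleID":"00000000000000000000000000000001","SecurityRuleDescription":"Constructed managed rule","SecurityActions":["log","block"],"SecurityRuleIDs":["00000000000000000000000000000002","00000000000000000000000000000001"],"SecuritySources":["firewallManaged","firewallManaged"]}
{"ClientIP":"203.0.113.11","ClientRequestHost":"example.com","ClientRequestURI":"/","EdgeResponseStatus":200,"SecurityAction":null,"SecurityRuleID":null,"SecurityRuleDescription":null,"SecurityActions":null,"SecurityRuleIDs":null,"SecuritySources":null}
{"ClientIP":"203.0.113.12","ClientRequestHost":"example.com","ClientRequestURI":"/.env","EdgeResponseStatus":200,"SecurityAction":"","SecurityRuleID":"","SecurityRuleDescription":"","SecurityActions":["log"],"SecurityRuleIDs":["00000000000000000000000000000003"],"SecuritySources":["firewallCustom"]}
"""


def parse_logpush(ndjson: str) -> Iterator[dict]:
    """Yield one dict per non-empty NDJSON line."""
    for line in ndjson.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def rule_matches(record: dict) -> list[dict]:
    """Expand the parallel arrays into one dict per matched rule.

    Returns [] when the arrays are null or missing, which is the case the
    post describes (rule fields present in the schema but never populated).
    The docs say the three arrays are the same length, so a mismatch is
    treated as a malformed record rather than silently truncated by zip().
    """
    actions = record.get("SecurityActions") or []
    rule_ids = record.get("SecurityRuleIDs") or []
    sources = record.get("SecuritySources") or []
    if not (len(actions) == len(rule_ids) == len(sources)):
        raise ValueError(
            f"parallel array length mismatch: {len(actions)}/{len(rule_ids)}/{len(sources)}"
        )
    # Assumption: null and "" both mean "no terminating action on this request".
    terminating = record.get("SecurityRuleID") or None
    return [
        {"action": a, "rule_id": r, "source": s, "terminating": r == terminating}
        for a, r, s in zip(actions, rule_ids, sources)
    ]


def summarize(ndjson: str) -> dict:
    """Tally requests with no rule data, requests with a terminating action,
    and per-(source, rule_id, action) hit counts, so an analyst can see at a
    glance whether the rule fields are actually being populated."""
    stats: dict = {"total": 0, "no_rule_data": 0, "terminating": 0, "hits": {}}
    for rec in parse_logpush(ndjson):
        stats["total"] += 1
        matches = rule_matches(rec)
        if not matches:
            stats["no_rule_data"] += 1
            continue
        if rec.get("SecurityAction"):
            stats["terminating"] += 1
        for m in matches:
            key = (m["source"], m["rule_id"], m["action"])
            stats["hits"][key] = stats["hits"].get(key, 0) + 1
    return stats


if __name__ == "__main__":
    s = summarize(SAMPLE_NDJSON)
    print(f"{s['no_rule_data']}/{s['total']} requests carried no rule data")
    print(f"{s['terminating']} request(s) had a terminating security action")
    for (source, rule_id, action), n in sorted(s["hits"].items()):
        print(f"{source:16} {rule_id} {action:6} x{n}")
```

If the no_rule_data count is close to total over a realistic sample, the fields are not being populated upstream and no amount of SIEM-side parsing will recover them; the expansion above only pays off once the arrays arrive non-null.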