Traffic log not showing in security/events

We are getting too many requests to GET .env files, and our server is also denying the requests with a 404 error, but the same is not showing in Cloudflare security/events.

Are your DNS records set to “DNS only”? If so, requests are not passing through Cloudflare and are going direct to your origin.

If they are “proxied”, then if your origin responds with a 404 the request was allowed through by Cloudflare so there won’t be an entry in the security event log. You can add WAF rules to block/challenge/allow requests according to your preferences.

What is the domain name?

Hi Sjr,

Domain is business.payswap.in.

DNS is proxied and we are getting logs on the origin server only. We want to get the same logs on Cloudflare so we can take action on them and block access to the URL.

Unless you have an enterprise account, Cloudflare will only log security events that are blocked/challenged by Cloudflare - there is no general connection log unless you use a worker to create your own log feed.

If you see requests reaching your origin that you want Cloudflare to block from reaching your origin, just add rules to the WAF here to block or challenge them to your needs…
https://dash.cloudflare.com/?to=/:account/:zone/security/waf/custom-rules

What type of rule configuration do I use to block the below type of request?

54.153.57.179 - - [21/Dec/2023:06:22:55 +0530] "GET /.env.uat HTTP/1.1" 400 650 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
Context:

{
"ip": "54.153.57.179",
"identity": "-",
"remote_user": "-",
"datetime": "21/Dec/2023:06:22:55 +0530",
"method": "GET",
"path": "/.env.uat",
"http_version": "HTTP/1.1",
"status_code": 400,
"content_length": 650,
"referrer": "-",
"user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
}

If the env is your concern, something simple like this…

…or you can block/challenge by IP, ASN, etc…
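
An added example, not part of the thread or of anyone's post: it scans origin access-log lines like the one quoted above for `.env` probes and builds matching expressions for a Cloudflare WAF custom rule. The sample log (apart from its first entry), the function names and the `min_hits` threshold are assumptions made for the example, as is the origin logging the real visitor IP.

```python
import re
from collections import Counter

# Constructed sample in combined log format; only the first entry is taken
# from the thread (user agent shortened), the rest are made up.
SAMPLE_LOG = '''\
54.153.57.179 - - [21/Dec/2023:06:22:55 +0530] "GET /.env.uat HTTP/1.1" 400 650 "-" "Mozilla/5.0 (X11; Linux x86_64)"
54.153.57.179 - - [21/Dec/2023:06:22:56 +0530] "GET /api/.ENV HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [21/Dec/2023:06:23:01 +0530] "GET /.env?x=1 HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.9 - - [21/Dec/2023:06:23:05 +0530] "GET /docs/environment.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Dec/2023:06:23:09 +0530] "POST /login HTTP/1.1" 200 412 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def env_probes(log_text):
    """Count requests per client IP whose path contains '/.env' (any case)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-log-format line
        path = m.group("target").split("?", 1)[0]  # drop the query string
        if "/.env" in path.lower():
            hits[m.group("ip")] += 1
    return hits


def path_rule():
    """Custom-rule expression that matches the same paths at the edge."""
    return 'lower(http.request.uri.path) contains "/.env"'


def ip_rule(hits, min_hits=2):
    """Expression listing source IPs seen probing at least min_hits times."""
    ips = sorted(ip for ip, n in hits.items() if n >= min_hits)
    return "ip.src in {" + " ".join(ips) + "}" if ips else ""


if __name__ == "__main__":
    found = env_probes(SAMPLE_LOG)
    print(dict(found))
    print(path_rule())
    print(ip_rule(found))
```

Either expression can be pasted into the expression editor of a custom rule with the action set to Block or Managed Challenge; once the rule acts on a request, that request appears in security/events.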

Thanks @sjr
