Cloudflare Logs sample event messages
Use these sample event messages to verify a successful integration with IBM® QRadar®.
Cloudflare Logs sample messages
Sample 1: The following sample event message shows that an HTTP GET request is sent to the hostname host.domain.test, and the server response is status code 200.
{"ClientIP":"10.0.0.1","ClientRequestHost":"host.domain.test","ClientRequestMethod":"GET","ClientRequestURI":"/cdn-cgi/images/cf-icon-cloud.png","EdgeEndTimestamp":"2020-10-13T19:49:36Z","EdgeResponseBytes":1895,"EdgeResponseStatus":200,"EdgeStartTimestamp":"2020-10-13T19:49:36Z","RayID":"5e1b95b9ea390cc5","WAFAction":"unknown","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":"","CacheCacheStatus":"unknown","CacheResponseBytes":0,"CacheResponseStatus":0,"CacheTieredFill":false,"ClientASN":855,"ClientCountry":"xx","ClientDeviceType":"desktop","ClientIPClass":"noRecord","ClientRequestBytes":1049,"ClientRequestPath":"/cdn-cgi/images/cf-icon-cloud.png","ClientRequestProtocol":"HTTP/1.1","ClientRequestReferer":"http://host.domain.test/cdn-cgi/styles/main.css","ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36","ClientSSLCipher":"NONE","ClientSSLProtocol":"none","ClientSrcPort":53851,"ClientXRequestedWith":"","EdgeColoCode":"EWR","EdgeColoID":11,"EdgePathingOp":"unknown","EdgePathingSrc":"undef","EdgePathingStatus":"cloudflareInternalEndpoint","EdgeRateLimitAction":"","EdgeRateLimitID":0,"EdgeRequestHost":"","EdgeResponseCompressionRatio":1,"EdgeResponseContentType":"image/png","EdgeServerIP":"","FirewallMatchesActions":[],"FirewallMatchesRuleIDs":[],"FirewallMatchesSources":[],"OriginIP":"","OriginResponseBytes":0,"OriginResponseHTTPExpires":"","OriginResponseHTTPLastModified":"","OriginResponseStatus":0,"OriginResponseTime":0,"OriginSSLProtocol":"unknown","ParentRayID":"00","SecurityLevel":"unk","WorkerCPUTime":0,"WorkerStatus":"unknown","WorkerSubrequest":false,"WorkerSubrequestCount":0,"ZoneID":304427638}
QRadar field name | Highlighted values in the event payload |
---|---|
Event ID | ClientRequestMethod + EdgeResponseStatus. For HTTP Request events as shown in the sample, the Event ID is constructed from the ClientRequestMethod field and the EdgeResponseStatus field, concatenated with an underscore between them, which yields GET_200 for this sample. |
Source IP | ClientIP |
Source Port | ClientSrcPort |
Device Time | EdgeStartTimestamp |
Sample 2: The following sample event message shows that an HTTP POST request is sent to the hostname host.domain.test, and the server response is status code 200.
{"ClientRequestMethod":"POST","ClientIP":"10.0.0.1","ClientSrcPort":53851,"CacheCacheStatus":"dynamic","ClientCountry":"xx","ClientDeviceType":"desktop","ClientIPClass":"noRecord","ClientMTLSAuthCertFingerprint":"","ClientMTLSAuthStatus":"unknown","ClientRegionCode":"xx","ClientRequestBytes":2935,"ClientRequestHost":"host.domain.test","ClientRequestPath":"/console/test/QRadar.getAlertMessages","ClientRequestProtocol":"HTTP/2","ClientRequestReferer":"https://host.domain.test/console/qradar/jsp/test.jsp","ClientRequestScheme":"https","ClientRequestSource":"eyeball","ClientRequestURI":"/console/test/QRadar.getAlertMessages","ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) Firefox/108.0","ClientSSLCipher":"None","ClientSSLProtocol":"TLSv1.3","ClientXRequestedWith":"","EdgeRateLimitID":0,"EdgeRequestHost":"host.domain.test","EdgeResponseBodyBytes":50,"EdgeResponseBytes":805,"EdgeServerIP":"10.0.0.1","FirewallMatchesActions":["allow"],"FirewallMatchesRuleIDs":["66668d0ae9c2222222222a600d17448"],"FirewallMatchesSources":["firewallRules"],"OriginIP":"10.0.0.1","OriginResponseStatus":200,"OriginSSLProtocol":"TLSv1.2","ParentRayID":"00","RayID":"78b4476e33333af2","SecurityLevel":"med","WAFAction":"unknown","WAFAttackScore":0,"WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":"","WAFSQLiAttackScore":0,"WAFXSSAttackScore":0,"EdgeEndTimestamp":"2023-01-19T11:37:33Z","EdgeStartTimestamp":"2023-01-19T11:37:33Z","EdgeRateLimitAction":"","EdgeResponseStatus":200}
QRadar field name | Highlighted values in the event payload |
---|---|
Event ID | ClientRequestMethod + EdgeResponseStatus. For HTTP Request events as shown in the sample, the Event ID is constructed from the ClientRequestMethod field and the EdgeResponseStatus field, concatenated with an underscore between them, which yields POST_200 for this sample. |
Source IP | ClientIP |
Source Port | ClientSrcPort |
Device Time | EdgeStartTimestamp |
Sample 3: The following sample event message shows that an HTTP GET request is sent to the hostname host.domain.test, and the server response is status code 403 (Forbidden).
{"ClientRequestMethod":"GET","ClientIP":"10.0.0.1","ClientSrcPort":53851,"CacheCacheStatus":"unknown","ClientCountry":"xx","ClientDeviceType":"desktop","ClientIPClass":"noRecord","ClientMTLSAuthCertFingerprint":"","ClientMTLSAuthStatus":"unknown","ClientRegionCode":"xx","ClientRequestBytes":2927,"ClientRequestHost":"host.domain.test","ClientRequestPath":"/api/gui_app_framework/test","ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) Firefox/108.0","ClientSSLCipher":"None","ClientSSLProtocol":"TLSv1.3","ClientXRequestedWith":"","EdgeRateLimitID":0,"EdgeRequestHost":"","EdgeResponseBodyBytes":1751,"EdgeResponseBytes":2166,"EdgeServerIP":"","FirewallMatchesActions":["allow","block"],"FirewallMatchesRuleIDs":["66668d0ae9c2222222222a600d17448","111106BNULL"],"FirewallMatchesSources":["firewallRules","waf"],"OriginIP":"","OriginResponseStatus":0,"OriginSSLProtocol":"unknown","ParentRayID":"00","RayID":"78b4476e33333af2","SecurityLevel":"med","WAFAction":"drop","WAFAttackScore":0,"WAFProfile":"off","WAFRuleID":"111106BNULL","WAFRuleMessage":"SQLi - IS NULL","WAFSQLiAttackScore":0,"WAFXSSAttackScore":0,"EdgeEndTimestamp":"2023-01-19T13:06:18Z","EdgeStartTimestamp":"2023-01-19T13:06:18Z","EdgeRateLimitAction":"","EdgeResponseStatus":403}
QRadar field name | Highlighted values in the event payload |
---|---|
Event ID | ClientRequestMethod + EdgeResponseStatus. For HTTP Request events as shown in the sample, the Event ID is constructed from the ClientRequestMethod field and the EdgeResponseStatus field, concatenated with an underscore between them, which yields GET_403 for this sample. |
Source IP | ClientIP |
Source Port | ClientSrcPort |
Device Time | EdgeStartTimestamp |
Sample 4: The following sample event message shows that an HTTP GET request is sent to the hostname host.domain.test, and the server response is status code 304 (Not Modified).
{"ClientRequestMethod":"GET","ClientIP":"10.0.0.1","ClientSrcPort":53851,"CacheCacheStatus":"miss","ClientCountry":"xx","ClientDeviceType":"desktop","ClientIPClass":"noRecord","ClientMTLSAuthCertFingerprint":"","ClientMTLSAuthStatus":"unknown","ClientRegionCode":"xx","ClientRequestBytes":2682,"ClientRequestHost":"host.domain.test","ClientRequestPath":"/console/test/1057/static/js/test.js","ClientRequestProtocol":"HTTP/2","ClientRequestReferer":"https://host.domain.test/console/plugins/1057/","ClientRequestScheme":"https","ClientRequestSource":"eyeball","ClientRequestURI":"/console/test/1057/static/js/test.js","ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) Firefox/108.0","ClientSSLCipher":"None","ClientSSLProtocol":"TLSv1.3","ClientXRequestedWith":"","EdgeRateLimitID":0,"EdgeRequestHost":"host.domain.test","EdgeResponseBodyBytes":0,"EdgeResponseBytes":366,"EdgeServerIP":"10.0.0.1","FirewallMatchesActions":["allow"],"FirewallMatchesRuleIDs":["6666d0ae9c2222222222a600d17448"],"FirewallMatchesSources":["firewallRules"],"OriginIP":"10.0.0.1","OriginResponseStatus":304,"OriginSSLProtocol":"TLSv1.2","ParentRayID":"00","RayID":"78b4476e33333af2","SecurityLevel":"med","WAFAction":"unknown","WAFAttackScore":0,"WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":"","WAFSQLiAttackScore":0,"WAFXSSAttackScore":0,"EdgeEndTimestamp":"2023-01-19T13:06:15Z","EdgeStartTimestamp":"2023-01-19T13:06:14Z","EdgeRateLimitAction":"","EdgeResponseStatus":304}
QRadar field name | Highlighted values in the event payload |
---|---|
Event ID | ClientRequestMethod + EdgeResponseStatus. For HTTP Request events as shown in the sample, the Event ID is constructed from the ClientRequestMethod field and the EdgeResponseStatus field, concatenated with an underscore between them, which yields GET_304 for this sample. |
Source IP | ClientIP |
Source Port | ClientSrcPort |
Device Time | EdgeStartTimestamp |
Sample 5: The following sample event message shows a firewall event for an HTTP POST request sent to the hostname host.domain.test, where the server response is status code 200.
{"Action":"allow","ClientIP":"10.0.0.1","ClientASN":45116,"ClientASNDescription":"GTPL-AS-AP Gujarat Telelink Pvt Ltd","ClientCountry":"xx","ClientIPClass":"noRecord","ClientRefererHost":"host.domain.test","ClientRefererPath":"/console/test/jsp/test.jsp","ClientRefererQuery":"","ClientRefererScheme":"https","ClientRequestHost":"host.domain.test","ClientRequestMethod":"POST","ClientRequestPath":"/console/test/QRadar.getIngressNewVersion","ClientRequestProtocol":"HTTP/2","ClientRequestQuery":"","ClientRequestScheme":"https","ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) Firefox/108.0","EdgeColoCode":"BOM","EdgeResponseStatus":200,"Kind":"firewall","MatchIndex":0,"Metadata":{"filter":"007b761e8a762222222f4528222ebe67","type":"customer"},"OriginResponseStatus":200,"OriginatorRayID":"00","RayID":"78b4476e33333af2","RuleID":"6538d0a111114f6aad22222600d17448","Source":"firewallrules","Datetime":"2023-01-19T11:58:00Z"}
QRadar field name | Highlighted values in the event payload |
---|---|
Event ID | ClientRequestMethod + EdgeResponseStatus. For Firewall Request events as shown in the sample, the Event ID is constructed from the ClientRequestMethod field and the EdgeResponseStatus field, concatenated with an underscore between them, which yields POST_200 for this sample. |
Source IP | ClientIP |
Device Time | Datetime |
Sample 6: The following sample event message shows that an HTTP request matches a firewall rule and the connection request is dropped by the firewall.
{"Datetime":"2020-11-12T02:52:18Z","RayName":"5f0cf4c5fc8ce76c","Source":"firewallrules","RuleId":"6e40b9ea4da54b22a112626996d3111f","Action":"drop","EdgeColoName":"EWR","ClientIP":"10.0.0.1","ClientCountryName":"xx","ClientASNDescription":"ASN-DESCRIPTION","UserAgent":"curl/7.29.0","ClientRequestHTTPMethodName":"GET","ClientRequestHTTPHost":"host.domain.test"}
QRadar field name | Highlighted values in the event payload |
---|---|
Event ID | Action |
Source IP | ClientIP |
Device Time | Datetime |
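To check what QRadar should derive from a given Cloudflare event, the mapping rules in the tables above (Event ID from ClientRequestMethod and EdgeResponseStatus for HTTP request events, from Action for firewall events without a response status; Device Time from EdgeStartTimestamp or Datetime) can be applied in a small script. This is an added example, not QRadar's parser or Cloudflare's code; the sample events are constructed, abridged versions of samples 3, 5 and 6, and the field fallback order is an assumption modelled on those tables.

```python
import json
from datetime import datetime, timezone

# Constructed, abridged events modelled on the page's samples (not real log data).
SAMPLE_HTTP = '{"ClientRequestMethod":"GET","ClientIP":"10.0.0.1","ClientSrcPort":53851,"EdgeStartTimestamp":"2023-01-19T13:06:18Z","EdgeResponseStatus":403}'
SAMPLE_FW_NEW = '{"Action":"allow","ClientIP":"10.0.0.1","ClientRequestMethod":"POST","EdgeResponseStatus":200,"Kind":"firewall","Datetime":"2023-01-19T11:58:00Z"}'
SAMPLE_FW_OLD = '{"Datetime":"2020-11-12T02:52:18Z","Action":"drop","ClientIP":"10.0.0.1","ClientRequestHTTPMethodName":"GET"}'


def parse_time(value):
    """Parse Cloudflare's ISO 8601 UTC timestamps (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def normalize(raw):
    """Map one Cloudflare Logs JSON event onto the QRadar fields listed on this page."""
    event = json.loads(raw)
    method = event.get("ClientRequestMethod")
    status = event.get("EdgeResponseStatus")
    if method is not None and status is not None:
        # HTTP request events, and firewall events that carry both fields (sample 5):
        # Event ID = ClientRequestMethod + "_" + EdgeResponseStatus.
        event_id = f"{method}_{status}"
    elif "Action" in event:
        # Firewall events without a response status (sample 6): Event ID = Action.
        event_id = event["Action"]
    else:
        raise ValueError("event carries neither method/status nor Action")
    # Device Time is EdgeStartTimestamp for HTTP request events and Datetime for
    # firewall events; trying EdgeStartTimestamp first is an assumption.
    ts = event.get("EdgeStartTimestamp") or event.get("Datetime")
    if ts is None:
        raise ValueError("event carries no timestamp")
    return {
        "event_id": event_id,
        "source_ip": event.get("ClientIP"),
        "source_port": event.get("ClientSrcPort"),  # absent (None) for firewall events
        "device_time": parse_time(ts),
    }


if __name__ == "__main__":
    for raw in (SAMPLE_HTTP, SAMPLE_FW_NEW, SAMPLE_FW_OLD):
        print(normalize(raw))
```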