Cloudflare Logs sample event messages

Use these sample event messages to verify a successful integration with IBM® QRadar®.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Cloudflare Logs sample messages

Sample 1: The following sample event message shows that an HTTP GET request is sent to the hostname host.domain.test, and the server response is status code 200.

{"ClientIP":"10.0.0.1","ClientRequestHost":"host.domain.test","ClientRequestMethod":"GET","ClientRequestURI":"/cdn-cgi/images/cf-icon-cloud.png","EdgeEndTimestamp":"2020-10-13T19:49:36Z","EdgeResponseBytes":1895,"EdgeResponseStatus":200,"EdgeStartTimestamp":"2020-10-13T19:49:36Z","RayID":"5e1b95b9ea390cc5","SecurityAction":"unknown","WAFFlags":"0","WAFMatchedVar":"","SecurityRuleID":"","SecurityRuleDescription":"","CacheCacheStatus":"unknown","CacheResponseBytes":0,"CacheResponseStatus":0,"CacheTieredFill":false,"ClientASN":855,"ClientCountry":"xx","ClientDeviceType":"desktop","ClientIPClass":"noRecord","ClientRequestBytes":1049,"ClientRequestPath":"/cdn-cgi/images/cf-icon-cloud.png","ClientRequestProtocol":"HTTP/1.1","ClientRequestReferer":"http://host.domain.test/cdn-cgi/styles/main.css","ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36","ClientSSLCipher":"NONE","ClientSSLProtocol":"none","ClientSrcPort":53851,"ClientXRequestedWith":"","EdgeColoCode":"EWR","EdgeColoID":11,"EdgePathingOp":"unknown","EdgePathingSrc":"undef","EdgePathingStatus":"cloudflareInternalEndpoint","EdgeRequestHost":"","EdgeResponseCompressionRatio":1,"EdgeResponseContentType":"image/png","EdgeServerIP":"","SecurityActions":[],"SecurityRuleIDs":[],"SecuritySources":[],"OriginIP":"","OriginResponseBytes":0,"OriginResponseHTTPExpires":"","OriginResponseHTTPLastModified":"","OriginResponseStatus":0,"OriginResponseTime":0,"OriginSSLProtocol":"unknown","ParentRayID":"00","WorkerCPUTime":0,"WorkerStatus":"unknown","WorkerSubrequest":false,"WorkerSubrequestCount":0,"ZoneID":304427638}
Table 1. QRadar field names and highlighted values in the event payload
QRadar field name Highlighted values in the event payload
Event ID ClientRequestMethod + EdgeResponseStatus

For HTTP Request events as shown in the sample, the Event ID is constructed by using the ClientRequestMethod field and the EdgeResponseStatus field. They are concatenated together with an underscore between the fields.

Source IP ClientIP
Source Port ClientSrcPort
Device Time EdgeStartTimestamp

Sample 2: The following sample event message shows that an HTTP POST request is sent to the hostname host.domain.test, and the server response is status code 200.

{"ClientRequestMethod":"POST","ClientIP":"10.0.0.1","ClientSrcPort":53851,"CacheCacheStatus":"dynamic","ClientCountry":"xx","ClientDeviceType":"desktop","ClientIPClass":"noRecord","ClientMTLSAuthCertFingerprint":"","ClientMTLSAuthStatus":"unknown","ClientRegionCode":"xx","ClientRequestBytes":2935,"ClientRequestHost":"host.domain.test","ClientRequestPath":"/console/test/QRadar.getAlertMessages","ClientRequestProtocol":"HTTP/2","ClientRequestReferer":"https://host.domain.test/console/qradar/jsp/test.jsp","ClientRequestScheme":"https","ClientRequestSource":"eyeball","ClientRequestURI":"/console/test/QRadar.getAlertMessages","ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) Firefox/108.0","ClientSSLCipher":"None","ClientSSLProtocol":"TLSv1.3","ClientXRequestedWith":"","EdgeRequestHost":"host.domain.test","EdgeResponseBodyBytes":50,"EdgeResponseBytes":805,"EdgeServerIP":"10.0.0.1","SecurityActions":["allow"],"SecurityRuleIDs":["66668d0ae9c2222222222a600d17448"],"SecuritySources":["firewallRules"],"OriginIP":"10.0.0.1","OriginResponseStatus":200,"OriginSSLProtocol":"TLSv1.2","ParentRayID":"00","RayID":"78b4476e33333af2","SecurityAction":"unknown","WAFAttackScore":0,"SecurityRuleID":"","SecurityRuleDescription":"","WAFSQLiAttackScore":0,"WAFXSSAttackScore":0,"EdgeEndTimestamp":"2023-01-19T11:37:33Z","EdgeStartTimestamp":"2023-01-19T11:37:33Z","EdgeResponseStatus":200}
Table 2. QRadar field names and highlighted values in the event payload
QRadar field name Highlighted values in the event payload
Event ID ClientRequestMethod + EdgeResponseStatus

For HTTP Request events as shown in the sample, the Event ID is constructed by using the ClientRequestMethod field and the EdgeResponseStatus field. They are concatenated together with an underscore between the fields.

Source IP ClientIP
Source Port ClientSrcPort
Device Time EdgeStartTimestamp

Sample 3: The following sample event message shows that an HTTP GET Forbidden request is sent to the hostname host.domain.test, and the server response is status code 403.

{"ClientRequestMethod":"GET","ClientIP":"10.0.0.1","ClientSrcPort":53851,"CacheCacheStatus":"unknown","ClientCountry":"xx","ClientDeviceType":"desktop","ClientIPClass":"noRecord","ClientMTLSAuthCertFingerprint":"","ClientMTLSAuthStatus":"unknown","ClientRegionCode":"xx","ClientRequestBytes":2927,"ClientRequestHost":"host.domain.test","ClientRequestPath":"/api/gui_app_framework/test","ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) Firefox/108.0","ClientSSLCipher":"None","ClientSSLProtocol":"TLSv1.3","ClientXRequestedWith":"","EdgeRequestHost":"","EdgeResponseBodyBytes":1751,"EdgeResponseBytes":2166,"EdgeServerIP":"","SecurityActions":["allow","block"],"SecurityRuleIDs":["66668d0ae9c2222222222a600d17448","111106BNULL"],"SecuritySources":["firewallRules","waf"],"OriginIP":"","OriginResponseStatus":0,"OriginSSLProtocol":"unknown","ParentRayID":"00","RayID":"78b4476e33333af2","SecurityAction":"drop","WAFAttackScore":0,"SecurityRuleID":"111106BNULL","SecurityRuleDescription":"SQLi - IS NULL","WAFSQLiAttackScore":0,"WAFXSSAttackScore":0,"EdgeEndTimestamp":"2023-01-19T13:06:18Z","EdgeStartTimestamp":"2023-01-19T13:06:18Z","EdgeResponseStatus":403}
Table 3. QRadar field names and highlighted values in the event payload
QRadar field name Highlighted values in the event payload
Event ID ClientRequestMethod + EdgeResponseStatus

For HTTP Request events as shown in the sample, the Event ID is constructed by using the ClientRequestMethod field and the EdgeResponseStatus field. They are concatenated together with an underscore between the fields.

Source IP ClientIP
Source Port ClientSrcPort
Device Time EdgeStartTimestamp

Sample 4: The following sample event message shows that an HTTP GET Not Modified request is sent to the hostname host.domain.test, and the server response is status code 304.

{"ClientRequestMethod":"GET","ClientIP":"10.0.0.1","ClientSrcPort":53851,"CacheCacheStatus":"miss","ClientCountry":"xx","ClientDeviceType":"desktop","ClientIPClass":"noRecord","ClientMTLSAuthCertFingerprint":"","ClientMTLSAuthStatus":"unknown","ClientRegionCode":"xx","ClientRequestBytes":2682,"ClientRequestHost":"host.domain.test","ClientRequestPath":"/console/test/1057/static/js/test.js","ClientRequestProtocol":"HTTP/2","ClientRequestReferer":"https://host.domain.test/console/plugins/1057/","ClientRequestScheme":"https","ClientRequestSource":"eyeball","ClientRequestURI":"/console/test/1057/static/js/test.js","ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) Firefox/108.0","ClientSSLCipher":"None","ClientSSLProtocol":"TLSv1.3","ClientXRequestedWith":"","EdgeRequestHost":"host.domain.test","EdgeResponseBodyBytes":0,"EdgeResponseBytes":366,"EdgeServerIP":"10.0.0.1","SecurityActions":["allow"],"SecurityRuleIDs":["6666d0ae9c2222222222a600d17448"],"SecuritySources":["firewallRules"],"OriginIP":"10.0.0.1","OriginResponseStatus":304,"OriginSSLProtocol":"TLSv1.2","ParentRayID":"00","RayID":"78b4476e33333af2","SecurityAction":"unknown","WAFAttackScore":0,"SecurityRuleID":"","SecurityRuleDescription":"","WAFSQLiAttackScore":0,"WAFXSSAttackScore":0,"EdgeEndTimestamp":"2023-01-19T13:06:15Z","EdgeStartTimestamp":"2023-01-19T13:06:14Z","EdgeResponseStatus":304}
Table 4. QRadar field names and highlighted values in the event payload
QRadar field name Highlighted values in the event payload
Event ID ClientRequestMethod + EdgeResponseStatus

For HTTP Request events as shown in the sample, the Event ID is constructed by using the ClientRequestMethod field and the EdgeResponseStatus field. They are concatenated together with an underscore between the fields.

Source IP ClientIP
Source Port ClientSrcPort
Device Time EdgeStartTimestamp

Sample 5: The following sample event message shows that an HTTP POST firewall request is sent to the hostname host.domain.test, and the server response is status code 200.

{"Action":"allow","ClientIP":"10.0.0.1","ClientASN":45116,"ClientASNDescription":"GTPL-AS-AP Gujarat Telelink Pvt Ltd","ClientCountry":"xx","ClientIPClass":"noRecord","ClientRefererHost":"host.domain.test","ClientRefererPath":"/console/test/jsp/test.jsp","ClientRefererQuery":"","ClientRefererScheme":"https","ClientRequestHost":"host.domain.test","ClientRequestMethod":"POST","ClientRequestPath":"/console/test/QRadar.getIngressNewVersion","ClientRequestProtocol":"HTTP/2","ClientRequestQuery":"","ClientRequestScheme":"https","ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) Firefox/108.0","EdgeColoCode":"BOM","EdgeResponseStatus":200,"Kind":"firewall","MatchIndex":0,"Metadata":{"filter":"007b761e8a762222222f4528222ebe67","type":"customer"},"OriginResponseStatus":200,"OriginatorRayID":"00","RayID":"78b4476e33333af2","RuleID":"6538d0a111114f6aad22222600d17448","Source":"firewallrules","Datetime":"2023-01-19T11:58:00Z"}
Table 5. QRadar field names and highlighted values in the event payload
QRadar field name Highlighted values in the event payload
Event ID ClientRequestMethod + EdgeResponseStatus

For Firewall Request events as shown in the sample, the Event ID is constructed by using the ClientRequestMethod field and the EdgeResponseStatus field. They are concatenated together with an underscore between the fields.

Source IP ClientIP
Device Time Datetime

Sample 6: The following sample event message shows that an HTTP request matches a firewall rule and the connection request is dropped by the firewall.

{"Datetime":"2020-11-12T02:52:18Z","RayName":"5f0cf4c5fc8ce76c","Source":"firewallrules","RuleId":"6e40b9ea4da54b22a112626996d3111f","Action":"drop","EdgeColoName":"EWR","ClientIP":"10.0.0.1","ClientCountryName":"xx","ClientASNDescription":"ASN-DESCRIPTION","UserAgent":"curl/7.29.0","ClientRequestHTTPMethodName":"GET","ClientRequestHTTPHost":"host.domain.test"}
Table 6. QRadar field names and highlighted values in the event payload
QRadar field name Highlighted values in the event payload
Event ID Action
Source IP ClientIP
Device Time Datetime