Configuring Cloudflare Logs to send events to IBM QRadar when you use the Amazon S3 REST API protocol

When you use the Amazon S3 REST API protocol, IBM QRadar collects Cloudflare Log events from an Amazon S3 bucket.

Before you begin

Complete the following steps:
  1. Configure your Cloudflare instance to push events by creating a Logpush job. For more information, see Manage via the Cloudflare UI (https://developers.cloudflare.com/logs/logpush/logpush-dashboard).
  2. To create a Logpush job to send Firewall events, you need to configure and manage jobs by using the Logpush API. For more information, see Manage via the Logpush API (https://developers.cloudflare.com/logs/logpush/logpush-configuration-api).

About this task

If the Logpush job is created in the Cloudflare UI or by using the Logpush REST API, you must complete the following procedure.

Procedure

  1. Log in to the Cloudflare UI (https://dash.cloudflare.com/login).
  2. Select the site where you are configuring logs.
  3. Click Analysis > Logs.
  4. If the Pushing switch is in the off position, toggle the switch to On.
  5. Click Edit and then ensure that the appropriate fields are selected, based on which data set is selected.
    • HTTP requests - ClientRequestMethod, ClientIP, ClientSrcPort, EdgeResponseStatus, EdgeStartTimestamp
    • Firewall events - Action, Datetime, ClientIP
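
One way to confirm that step 5 took effect, as an added example that is not part of the IBM or Cloudflare documentation: the script checks that every record in a Logpush object (newline-delimited JSON, optionally gzip-compressed) carries the fields listed above. The data set keys, function names, and sample records are constructed for illustration.

```python
import gzip
import json

# Fields that step 5 of the procedure requires for each data set.
REQUIRED_FIELDS = {
    "http_requests": {"ClientRequestMethod", "ClientIP", "ClientSrcPort",
                      "EdgeResponseStatus", "EdgeStartTimestamp"},
    "firewall_events": {"Action", "Datetime", "ClientIP"},
}

def read_lines(data: bytes):
    """Yield (line_no, text) for each non-empty line; accepts gzip or plain NDJSON."""
    if data[:2] == b"\x1f\x8b":  # gzip magic bytes
        data = gzip.decompress(data)
    for line_no, text in enumerate(data.decode("utf-8").splitlines(), start=1):
        if text.strip():
            yield line_no, text

def missing_fields(data: bytes, dataset: str) -> dict:
    """Map line number -> sorted missing field names (or a parse marker) per bad record."""
    required = REQUIRED_FIELDS[dataset]
    problems = {}
    for line_no, text in read_lines(data):
        try:
            record = json.loads(text)
        except json.JSONDecodeError:
            problems[line_no] = ["<invalid JSON>"]
            continue
        if not isinstance(record, dict):
            problems[line_no] = ["<not a JSON object>"]
            continue
        missing = sorted(required.difference(record))
        if missing:
            problems[line_no] = missing
    return problems

# Constructed sample objects (documentation IP range, made-up values).
SAMPLE_HTTP = gzip.compress(b"\n".join([
    b'{"ClientRequestMethod":"GET","ClientIP":"192.0.2.10","ClientSrcPort":51544,"EdgeResponseStatus":200,"EdgeStartTimestamp":"2024-01-01T00:00:00Z"}',
    b'{"ClientRequestMethod":"POST","ClientIP":"192.0.2.11","EdgeResponseStatus":403}',
]))
SAMPLE_FIREWALL = b'{"Action":"block","Datetime":"2024-01-01T00:00:05Z","ClientIP":"192.0.2.11"}\n'

if __name__ == "__main__":
    print(missing_fields(SAMPLE_HTTP, "http_requests"))
    print(missing_fields(SAMPLE_FIREWALL, "firewall_events"))
```

An empty result means every record in the object has the required fields; any other result points to a field that still needs to be selected in the Logpush job.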

What to do next

Create an SQS Queue and configure S3 ObjectCreated Notifications.