Cloudflare WAF Log Enablement And Extraction Guide

Enable Logging

1. Confirm the protected zone is using Cloudflare WAF and that Security Events are visible in the Cloudflare dashboard.
2. For bulk export, configure Cloudflare Logs using Logpush at the zone or account level.
3. Choose a supported destination such as Amazon S3, Azure, Google Cloud Storage, HTTP, Splunk, Elastic, or another supported sink.
4. Allowlist Cloudflare Logpush egress IPs or use dedicated egress IPs if your log destination requires a fixed source address.

Extract or Export the Logs

5. If you need a near-real-time export feed, use Logpush and write the logs to an object store or SIEM-compatible destination.
6. If you only need ad hoc retrieval and have the required plan, Cloudflare Logpull can retrieve request logs over HTTP, but Cloudflare recommends Logpush for better performance and functionality.
7. Download or copy the exported JSON, JSONL, or CSV data into the aiFObserve workspace before conversion.

Important Fields to Preserve

• Ray ID / request ID
• client IP
• host
• URI/path
• action
• rule/ruleset
• user agent
• timestamp
• bytes if available