Skip to main content


The Cloudflare web application firewall (WAF) protects your internet property against malicious attacks that aim to exploit vulnerabilities such as SQL injection attacks, cross-site scripting, and cross-site forgery requests.

For an overview of Cloudflare logs, and the related S3 and Logpush configuration procedures, click here.

To send firewall event logs to Cloud SIEM, you'll first configure a Logpush job to send your Cloudflare data to a dedicated S3 bucket, then configure to collect and ingest that data from the S3 bucket.


Before you begin, ensure that you have:

  • Admin access to Cloudflare.
  • Enterprise account with Cloudflare.
  • Admin access to your AWS environment.
  • Configured an S3 bucket for your Cloudflare logs. To create an S3 bucket, see the instructions from Amazon.
  • Logs of your HTTP requests uploaded to Amazon S3.
  • Enabled the Cloudflare Logppush service for the assets you want to monitor in Cloudflare, via Analytics > Logs > Connect a service.
Configure Logpush to send logs to the S3 bucket

To configure Logpush to stream logs of Cloudflare's datasets to your cloud service in batches, follow the Cloudflare procedure to enable the Logpush service to access Amazon S3.

For an overview of the Logpush service, click here

Configure to collect logs from the S3 bucket.

Use our procedure to configure to fetch logs from your S3 bucket.

Check for your logs

Give your Cloudflare data some time to get from your system to ours, and then open Open Search Dashboards.

If you still don't see your data, see log shipping troubleshooting.