Manage Logpush with cURL
You can manage your Cloudflare Logpush service from the command line using cURL.
Before getting started, review the following documentation:
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/logpush/ownership \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "destination_conf": "s3://<BUCKET_PATH>?region=us-west-2"}'- destination_conf - Refer to Destination for details.
A challenge file will be written to the destination, and the filename will be in the response (the filename may be expressed as a path if appropriate for your destination). For example:
{ "success": true, "errors": [], "messages": [], "result": { "filename": "burritobot/logs/ownership-challenge.txt", "valid": true, "message": "" }}You will need to provide the token contained in this file when creating a job in the next step.
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/logpush/jobs \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "name": "<DOMAIN_NAME>", "destination_conf": "s3://<BUCKET_PATH>?region=us-west-2", "dataset": "http_requests", "output_options": { "field_names": ["ClientIP", "ClientRequestHost", "ClientRequestMethod", "ClientRequestURI", "EdgeEndTimestamp","EdgeResponseBytes", "EdgeResponseStatus", "EdgeStartTimestamp", "RayID"], "timestamp_format": "rfc3339" }, "ownership_challenge": "<OWNERSHIP_CHALLENGE_TOKEN>"}'- name (optional) - We suggest using your domain name as the job name; the name cannot be changed after the job is created.
- destination_conf - Refer to Destination for details.
- dataset - The category of logs you want to receive. Refer to Log fields for the full list of supported datasets; this parameter cannot be changed after the job is created.
- output_options (optional) - Refer to Log Output Options.
- Typically includes the desired fields and timestamp format.
- Set the timestamp format to
RFC 3339(×tamps=rfc3339) for:- Google BigQuery usage.
- Automated timestamp parsing within Sumo Logic; refer to timestamps from Sumo Logic ↗ for details.
- ownership_challenge - Challenge token required to prove destination ownership.
- kind (optional) - Used to differentiate between Logpush and Edge Log Delivery jobs. Refer to Kind for details.
- filter (optional) - Refer to Filters for details.
In the response, you get a newly-created job ID. For example:
{ "errors": [], "messages": [], "result": { "id": <JOB_ID>, "dataset": "http_requests", "enabled": false, "name": "<DOMAIN_NAME>", "output_options": { "field_names": ["ClientIP", "ClientRequestHost", "ClientRequestMethod", "ClientRequestURI", "EdgeEndTimestamp","EdgeResponseBytes", "EdgeResponseStatus", "EdgeStartTimestamp", "RayID"], "timestamp_format": "rfc3339" }, "destination_conf": "s3://<BUCKET_PATH>?region=us-west-2", "last_complete": null, "last_error": null, "error_message": null }, "success": true}Start by retrieving information about a specific job, using a job ID:
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/logpush/jobs/{job_id} \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>"{ "errors": [], "messages": [], "result": { "id": <JOB_ID>, "dataset": "http_requests", "enabled": false, "name": "<DOMAIN_NAME>", "output_options": { "field_names": ["ClientIP", "ClientRequestHost", "ClientRequestMethod", "ClientRequestURI", "EdgeEndTimestamp","EdgeResponseBytes", "EdgeResponseStatus", "EdgeStartTimestamp", "RayID"], "timestamp_format": "rfc3339" }, "destination_conf": "s3://<BUCKET_PATH>?region=us-west-2", "last_complete": null, "last_error": null, "error_message": null }, "success": true}Note that by default a job is not enabled ("enabled": false).
If you do not remember your job ID, you can retrieve it using your zone ID:
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/logpush/jobs \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>"Next, to enable the job, send an update request:
curl --request PUT \https://api.cloudflare.com/client/v4/zones/{zone_id}/logpush/jobs/{job_id} \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "enabled": true}'{ "errors": [], "messages": [], "result": { "id": <JOB_ID>, "dataset": "http_requests", "enabled": true, "name": "<DOMAIN_NAME>", "output_options": { "field_names": ["ClientIP", "ClientRequestHost", "ClientRequestMethod", "ClientRequestURI", "EdgeEndTimestamp","EdgeResponseBytes", "EdgeResponseStatus", "EdgeStartTimestamp", "RayID"], "timestamp_format": "rfc3339" }, "destination_conf": "s3://<BUCKET_PATH>?region=us-west-2", "last_complete": null, "last_error": null, "error_message": null }, "success": true}Once the job is enabled, you will start receiving logs within a few minutes and then in batches as soon as possible until you disable the job. For zones with very high request volume, it may take several hours before you start receiving logs for the first time.
In addition to modifying enabled, you can also update the value for output_options. To modify destination_conf, you will need to request an ownership challenge and provide the associated token with your update request. You can also delete your current job and create a new one.
Once a job has been enabled and has started executing, the last_complete field will show the time when the last batch of logs was successfully sent to the destination:
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/logpush/jobs/{job_id} \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>"{ "errors": [], "messages": [], "result": { "id": <JOB_ID>, "dataset": "http_requests", "enabled": true, "name": "<DOMAIN_NAME>", "output_options": { "field_names": ["ClientIP", "ClientRequestHost", "ClientRequestMethod", "ClientRequestURI", "EdgeEndTimestamp","EdgeResponseBytes", "EdgeResponseStatus", "EdgeStartTimestamp", "RayID"], "timestamp_format": "rfc3339" }, "destination_conf": "s3://<BUCKET_PATH>?region=us-west-2", "last_complete": "2018-08-09T21:26:00Z", "last_error": null, "error_message": null }, "success": true}curl --request DELETE \https://api.cloudflare.com/client/v4/zones/{zone_id}/logpush/jobs/{job_id} \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>"Be careful when deleting a job because this action cannot be reversed.
{ "errors": [], "messages": [], "result": {}, "success": true}Retrieve a specific job, using the job ID:
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/logpush/jobs/{job_id} \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>"{ "errors": [], "messages": [], "result": [ { "id": <JOB_ID>, "dataset": "http_requests", "enabled": true, "name": "<DOMAIN_NAME>", "output_options": { "field_names": ["ClientIP", "ClientRequestHost", "ClientRequestMethod", "ClientRequestURI", "EdgeEndTimestamp","EdgeResponseBytes", "EdgeResponseStatus", "EdgeStartTimestamp", "RayID"], "timestamp_format": "rfc3339" }, "destination_conf": "s3://<BUCKET_PATH>?region=us-west-2", "last_complete": null, "last_error": null, "error_message": null } ], "success": true}Retrieve all jobs for all datasets:
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/logpush/jobs \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>"{ "errors": [], "messages": [], "result": [ { "id": <JOB_ID>, "dataset": "spectrum_events", "enabled": true, "name": "<DOMAIN_NAME>", "output_options": { "field_names": ["Application", "ClientAsn", "ClientIP", "ColoCode", "Event", "OriginIP", "Status"], }, "destination_conf": "s3://<BUCKET_PATH>?region=us-west-2", "last_complete": "2019-10-01T00:25:00Z", "last_error": null, "error_message": null }, { "id": <JOB_ID>, "dataset": "http_requests", "enabled": false, "name": "<DOMAIN_NAME>", "output_options": { "field_names": ["ClientIP", "ClientRequestHost", "ClientRequestMethod", "ClientRequestURI", "EdgeEndTimestamp","EdgeResponseBytes", "EdgeResponseStatus", "EdgeStartTimestamp", "RayID"], "timestamp_format": "rfc3339" }, "destination_conf": "s3://<BUCKET_PATH>?region=us-west-2", "last_complete": "2019-09-24T21:15:00Z", "last_error": null, "error_message": null } ]}If you want to add (or remove) fields, change the timestamp format, or enable protection against the Log4j - CVE-2021-44228 vulnerability, first retrieve the current output_options for your zone.
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/logpush/jobs/{job_id} \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>"{ "errors": [], "messages": [], "result": { "id": <JOB_ID>, "dataset": "http_requests", "logstream": true, "kind": "", "enabled": true, "name": "<DOMAIN_NAME>", "output_options": { "field_names": ["ClientIP", "ClientRequestHost", "ClientRequestMethod", "ClientRequestURI", "EdgeEndTimestamp","EdgeResponseBytes", "EdgeResponseStatus", "EdgeStartTimestamp", "RayID"], "timestamp_format": "rfc3339" }, "destination_conf": "s3://<BUCKET_PATH>?region=us-west-2", "last_complete": "2021-12-14T19:56:49Z", "last_error": null, "error_message": null }, "success": true}Next, edit the output_options as desired and create a PUT request. The following example enables the CVE-2021-44228 redaction option.
curl --request PUT \https://api.cloudflare.com/client/v4/zones/{zone_id}/logpush/jobs/{job_id} \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "output_options": { "field_names": ["ClientIP", "ClientRequestHost", "ClientRequestMethod", "ClientRequestURI", "EdgeEndTimestamp","EdgeResponseBytes", "EdgeResponseStatus", "EdgeStartTimestamp", "RayID"], "timestamp_format": "rfc3339" }}Note that at this time, the CVE-2021-44228 option is not available through the UI, and updating your Logpush job through the UI will remove this option.
{ "errors": [], "messages": [], "result": { "id": <JOB_ID>, "dataset": "http_requests", "logstream": true, "kind": "", "enabled": true, "name": null, "output_options": { "field_names": ["ClientIP", "ClientRequestHost", "ClientRequestMethod", "ClientRequestURI", "EdgeEndTimestamp","EdgeResponseBytes", "EdgeResponseStatus", "EdgeStartTimestamp", "RayID"], "timestamp_format": "rfc3339" }, "destination_conf": "s3://<BUCKET_PATH>?region=us-west-2", "last_complete": "2021-12-14T20:02:19Z", "last_error": null, "error_message": null }, "success": true}