Logpush & Observability

Every Cloudflare event, in your SIEM.



Nanosek provides Cloudflare Logpush and observability services for organizations that need reliable visibility across Cloudflare DNS, CDN, WAF, Bot Management, DDoS, API Shield, Zero Trust, Access, Gateway, Workers, and security events. The service includes logging strategy, dataset selection, field mapping, destination design, Logpush configuration, SIEM integration, dashboard design, alert tuning, reporting, incident investigation workflows, retention planning, and managed Cloudflare operations.

Tags: cloudflare, logpush, observability, siem integration, security analytics, waf logs, bot analytics, zero trust logs

Who this is for

Security, infrastructure, platform, SRE, SOC, application, compliance, and enterprise teams that need reliable Cloudflare telemetry.
Organizations that need Logpush pipelines, SIEM integrations, dashboards, alerts, reporting, and investigation workflows across Cloudflare services.
Teams that need managed Cloudflare monitoring and reporting for operations, incident response, audits, migrations, or customer-facing service reviews.

What Cloudflare observability helps solve

WAF event visibility

Security teams need to know which WAF rules matched, what action was taken, and whether legitimate traffic was affected.

Bot traffic analysis

Bot analytics and request fields help separate useful automation, verified bots, scraping, credential stuffing, and abusive clients.

DDoS and HTTP flood investigation

DDoS events, HTTP request logs, and security analytics help reconstruct attack patterns and mitigation impact.

Cache and CDN performance analysis

Cache status, response codes, edge colo, request volume, and GraphQL Analytics help tune hit ratio and performance.

Origin error troubleshooting

Origin status, cache misses, latency, and response-code trends help identify backend instability and expensive uncached paths.

DNS query visibility

DNS logs and analytics help teams understand query patterns, domain abuse, resolver behavior, and DNS traffic changes.

API abuse investigation

API Shield data, request logs, WAF events, and rate limit events help detect endpoint abuse and tune protections.

Zero Trust Access visibility

Access logs show user, application, identity provider, policy, and decision context for private and SaaS applications.

Gateway and WARP activity monitoring

Gateway DNS, HTTP, network, and WARP data help monitor user, device, policy, and egress activity.

Worker request and error visibility

Workers logs and analytics help troubleshoot edge applications, middleware, redirects, API gateways, and custom routing.

Security event reporting

Dashboards and recurring reports convert raw WAF, bot, DDoS, and access events into reviewable operational evidence.

Customer or executive reporting

Trend reports, risk summaries, and service metrics help explain Cloudflare value and operational progress without raw-event noise.

Incident response evidence

Logpush, audit logs, security events, and timelines help teams investigate incidents and preserve evidence.

Managed operations handover

Repeatable dashboards, alerts, tickets, and reports make ongoing Cloudflare operations manageable after deployment.

Why Cloudflare observability needs design

Cloudflare generates valuable telemetry, but useful observability does not happen automatically. Logs need the right datasets, fields, destinations, retention, parsing, dashboards, alerts, ownership, and investigation workflows. Without design, teams may collect too much data, miss important fields, create noisy alerts, lose context, or fail to answer basic incident questions.

  • Not every dataset is needed for every use case
  • Field selection affects investigation quality
  • SIEM integrations need normalization and ownership
  • Security alerts must avoid noise and alert fatigue
  • Dashboards should answer operational questions
  • Retention and cost should be planned
  • Incident response needs timelines and evidence
  • Managed services need repeatable reporting

Our Cloudflare Logpush and observability approach

Phase 1: Visibility goals and use-case discovery

  • Identify what the organization needs to observe: security events, WAF decisions, bot traffic, DDoS patterns, cache performance, origin errors, API abuse, DNS activity, Zero Trust activity, user access, or executive reporting.
  • Define stakeholders, incident workflows, compliance needs, reporting frequency, retention requirements, and destination preferences.

Phase 2: Dataset and field mapping

  • Select the right Cloudflare datasets and fields for each use case.
  • Map fields required for security investigation, traffic analysis, customer reporting, troubleshooting, and SIEM correlation.

Phase 3: Destination architecture

  • Design Logpush destinations such as SIEM, cloud storage, data warehouse, R2, S3-compatible storage, BigQuery, Splunk, Datadog, Elastic, Sentinel, or customer-managed storage depending on the environment.
  • Review access, retention, parsing, cost, encryption, and ownership.

Phase 4: Logpush implementation

  • Configure Logpush jobs, datasets, filters, destination credentials, field selection, sampling if applicable, and validation checks.
  • Confirm logs are delivered correctly and parsed as expected.

Phase 5: Dashboards and analytics

  • Build dashboards for security, CDN, WAF, bot, DDoS, origin health, API activity, Zero Trust, and operations.
  • Use Cloudflare dashboards, GraphQL Analytics, SIEM dashboards, or custom reporting where appropriate.

Phase 6: Alerting and incident workflows

  • Define alert thresholds, severity, routing, escalation contacts, investigation steps, and ownership.
  • Reduce noise by using baselines, scoped conditions, and actionable alerts.

Phase 7: Reporting and managed operations

  • Create recurring reporting, executive summaries, technical findings, incident timelines, tuning recommendations, and managed Cloudflare operations workflows.

Telemetry coverage

Logpush HTTP requests, Firewall Events, Security Events, DNS logs where available, Zero Trust logs, Access logs, Gateway DNS, Gateway HTTP, Gateway network, and WARP device activity.
Cloudflare Security Analytics, Traffic Analytics, GraphQL Analytics API, Cache Analytics, Load Balancing analytics, audit logs, DDoS events, WAF events, and Bot Management analytics.
API Shield data, rate limit events, Workers logs and analytics, origin response codes, cache status, edge colo, request metadata, rule matches, policy decisions, and account-level change activity.
Destination and reporting layers such as SIEM, object storage, data warehouse, R2, S3-compatible storage, BigQuery, Splunk, Datadog, Elastic, Microsoft Sentinel, dashboards, and managed reporting.

Cloudflare telemetry sources we use

Logpush HTTP requests

Request volume, paths, methods, response codes, cache status, origin behavior, client metadata, and traffic investigations.

Logpush Firewall Events / Security Events

WAF decisions, rule matches, challenged or blocked traffic, exceptions, and false-positive review.

Logpush DNS logs, where available

DNS query patterns, resolver behavior, domain activity, and DNS abuse investigations.

Logpush Zero Trust logs

Access, Gateway, WARP, user, device, and policy activity for workforce and private application visibility.

Cloudflare Security Analytics

Security trends, mitigated traffic, WAF and bot activity, attack patterns, and tuning opportunities.

Cloudflare Traffic Analytics

Traffic trends, status codes, geography, performance, and CDN behavior.

Cloudflare GraphQL Analytics API

Custom reporting, trend analysis, dashboard feeds, cache analysis, and operational metrics.

WAF events

Managed rule hits, custom rule matches, action outcomes, bypasses, and false-positive analysis.

Bot Management analytics

Bot score distribution, verified bots, automation behavior, scraping, credential stuffing, and challenge outcomes.

DDoS events

Attack timelines, mitigation impact, traffic spikes, and Layer 7 or network event review.

API Shield data

Endpoint inventory, schema activity, API abuse patterns, authentication context, and API protection decisions.

Access logs

User access decisions, application access, identity provider context, policy matches, and private app troubleshooting.

Gateway DNS logs

User and device DNS activity, blocked domains, policy matches, and threat category investigations.

Gateway HTTP logs

HTTP browsing activity, policy enforcement, blocked requests, user context, and data controls.

Gateway network logs

Network activity, egress behavior, policy decisions, and Zero Trust traffic troubleshooting.

WARP device activity

Device posture, connectivity, user activity, and Zero Trust client visibility.

Workers logs and analytics

Edge application errors, request behavior, middleware decisions, redirects, API gateway logic, and custom routing.

Audit logs

Cloudflare account changes, configuration updates, user actions, access review, and incident timelines.

Load Balancing analytics

Origin health, pool status, failover events, traffic distribution, and response-time trends.

Cache analytics

Cache hit ratio, cache misses, edge TTL behavior, bandwidth reduction, and origin load optimization.

Observability use-case matrix

WAF false-positive review
  Cloudflare data source: Security Events, WAF logs, rule matches
  Operational outcome: Tune rules and exceptions safely.

Bot investigation
  Cloudflare data source: Bot analytics, request logs, bot score fields
  Operational outcome: Separate useful automation from abuse.

DDoS investigation
  Cloudflare data source: DDoS events, HTTP request logs, security analytics
  Operational outcome: Understand attack patterns and mitigation impact.

Origin troubleshooting
  Cloudflare data source: HTTP request logs, response codes, origin status, cache status
  Operational outcome: Identify origin errors and cache miss spikes.

Cache optimization
  Cloudflare data source: Cache analytics, request logs, cache status, GraphQL analytics
  Operational outcome: Improve hit ratio and reduce origin load.

API abuse analysis
  Cloudflare data source: API Shield, WAF logs, request logs, rate limit events
  Operational outcome: Detect endpoint abuse and tune protections.

DNS visibility
  Cloudflare data source: DNS logs and analytics
  Operational outcome: Track query patterns and domain abuse.

Zero Trust monitoring
  Cloudflare data source: Access logs, Gateway logs, WARP data
  Operational outcome: Monitor user, device, and policy activity.

Incident response
  Cloudflare data source: Logpush, audit logs, security events
  Operational outcome: Build timeline and evidence.

Executive reporting
  Cloudflare data source: Dashboards, analytics, recurring reports
  Operational outcome: Show trends, risks, and improvement progress.

Managed operations
  Cloudflare data source: Dashboards, alerting, tickets, reports
  Operational outcome: Create repeatable operational workflow.

Log destination options

SIEM
  Best for: Security operations and incident response
  Design notes: Requires parsing, normalization, alert tuning, and ownership.

Object storage
  Best for: Long-term retention and raw evidence
  Design notes: Good for cost control, archives, and later processing.

Data warehouse
  Best for: Analytics and reporting
  Design notes: Useful for trend analysis, dashboards, and business reporting.

R2 or S3-compatible storage
  Best for: Cloud-native log storage
  Design notes: Review lifecycle, access, encryption, and processing pipeline.

Datadog / Elastic / Splunk
  Best for: Operational analytics and security search
  Design notes: Validate field parsing and dashboard design.

Microsoft Sentinel
  Best for: Security operations in Microsoft environments
  Design notes: Align with incident workflow and detection rules.

Custom Workers pipeline
  Best for: Lightweight processing or enrichment
  Design notes: Useful when normalization, filtering, or routing is needed.

Managed reporting dashboard
  Best for: Customer, executive, and managed services reporting
  Design notes: Design recurring metrics, trend views, and review workflows.

Cutover checkpoints

  • Confirm destination ownership, credentials, retention, encryption, lifecycle, and access controls before sending production logs.
  • Validate Logpush delivery, parsing, timestamps, source fields, and schema normalization before relying on dashboards or alerts.
  • Test WAF, bot, DDoS, cache, API, DNS, Zero Trust, and audit use cases against real events where possible.
  • Define pipeline-health monitoring, failure alerts, and escalation owners.

Validation signals

  • Required fields are present and searchable in the destination.
  • Dashboards answer the agreed operational questions without manual log stitching.
  • Alerts are actionable, scoped, routed, and tied to an investigation workflow.
  • Reports can be produced on schedule for security, operations, customer, or executive audiences.
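As an added example (not Nanosek's or Cloudflare's own code), a small Python check for the delivery, parsing, timestamp and required-field signals in the cutover checkpoints and validation signals above: it decompresses one gzip-compressed NDJSON Logpush batch, reports malformed lines, missing fields and unparseable timestamps, and flags a gap in delivery. The field names assume the Cloudflare HTTP requests dataset; the batch contents, ray IDs and gap threshold are constructed for the example.

```python
import gzip
import json
from datetime import datetime, timezone

# Mandatory fields for WAF, origin and cache investigations (assumes the HTTP requests dataset).
REQUIRED_FIELDS = ("EdgeStartTimestamp", "RayID", "ClientRequestHost",
                   "EdgeResponseStatus", "OriginResponseStatus", "CacheCacheStatus")
MAX_GAP_SECONDS = 300  # constructed threshold for flagging a delivery gap


def parse_batch(blob):
    """Decompress one gzip NDJSON batch; malformed lines become findings, not silent drops."""
    records = []
    for lineno, line in enumerate(gzip.decompress(blob).decode("utf-8").splitlines(), 1):
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            records.append({"_parse_error": f"line {lineno} is not valid JSON"})
    return records


def parse_timestamp(value):
    """Accept RFC 3339 strings or unix seconds/nanoseconds, the Logpush timestamp formats."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value / 1e9 if value > 1e12 else value, tz=timezone.utc)
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def validate_records(records):
    """Return findings: parse errors, missing required fields, bad timestamps, delivery gaps."""
    findings, last_ts = [], None
    for i, rec in enumerate(records):
        if "_parse_error" in rec:
            findings.append(rec["_parse_error"])
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            findings.append(f"record {i} ({rec.get('RayID', '?')}) missing {missing}")
        try:
            ts = parse_timestamp(rec.get("EdgeStartTimestamp"))
        except (ValueError, OverflowError, OSError):
            findings.append(f"record {i} has an unparseable EdgeStartTimestamp")
            continue
        if last_ts is not None and (ts - last_ts).total_seconds() > MAX_GAP_SECONDS:
            findings.append(f"delivery gap of {int((ts - last_ts).total_seconds())}s before record {i}")
        last_ts = ts
    return findings


def build_sample_batch():
    """Constructed batch: a good record, one missing a field, one corrupt line, one after a gap."""
    base = {"ClientRequestHost": "www.example.com", "EdgeResponseStatus": 200,
            "OriginResponseStatus": 200, "CacheCacheStatus": "hit"}
    blocked = {**base, "EdgeStartTimestamp": "2024-05-01T10:00:02Z", "RayID": "constructed-ray-2",
               "EdgeResponseStatus": 403}
    del blocked["OriginResponseStatus"]  # blocked at the edge, so the origin field was never set
    lines = [
        json.dumps({**base, "EdgeStartTimestamp": "2024-05-01T10:00:00Z", "RayID": "constructed-ray-1"}),
        json.dumps(blocked),
        "this line was truncated mid-write",
        json.dumps({**base, "EdgeStartTimestamp": "2024-05-01T10:12:00Z", "RayID": "constructed-ray-3"}),
    ]
    return gzip.compress(("\n".join(lines) + "\n").encode("utf-8"))
```

Running `validate_records(parse_batch(build_sample_batch()))` yields one finding per defect; an empty list for every batch, combined with an alert on a batch that never arrives, is the pipeline-health signal the risk table asks for.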

Deployment steps

  1. Define visibility goals, stakeholders, incident workflows, compliance needs, reporting cadence, retention requirements, and destination preferences.
  2. Select Cloudflare datasets and fields for security events, WAF, bot, DDoS, CDN, DNS, API Shield, Zero Trust, Workers, and audit activity.
  3. Design the destination architecture for SIEM, storage, data warehouse, R2, S3-compatible storage, BigQuery, Splunk, Datadog, Elastic, Sentinel, or custom pipelines.
  4. Configure Logpush jobs, destination credentials, filters, field selection, sampling where applicable, and delivery validation.
  5. Build dashboards using Cloudflare analytics, GraphQL Analytics, SIEM dashboards, or custom reporting where appropriate.
  6. Define alert thresholds, severity levels, routing, escalation contacts, investigation steps, and ownership.
  7. Create reporting templates, managed operations workflows, tuning cadence, and handover documentation.

Risks and mitigations

Risk: Logs are delivered but not usable.
Mitigation: Define use cases, select required fields, validate parsing, and build investigation workflows.

Risk: Important fields are missing.
Mitigation: Map fields before deployment and test against real investigation scenarios.

Risk: Too much data increases cost.
Mitigation: Use dataset selection, filters, retention planning, and storage lifecycle policies.

Risk: Alerts become noisy.
Mitigation: Use baselines, scoped conditions, severity levels, and regular tuning.

Risk: Security events lack ownership.
Mitigation: Define triage owners, escalation paths, and response runbooks.

Risk: SIEM parsing is incomplete.
Mitigation: Validate schema, timestamps, source fields, and normalization before relying on detections.

Risk: Logs are not retained long enough.
Mitigation: Align retention with investigation, compliance, and reporting needs.

Risk: Sensitive data exposure.
Mitigation: Review access controls, destinations, encryption, and field handling.

Risk: Dashboards do not answer real questions.
Mitigation: Build dashboards around workflows: WAF review, bot tuning, DDoS investigation, cache optimization, and incidents.

Risk: Logpush failures go unnoticed.
Mitigation: Configure delivery validation, monitoring, and alerting for pipeline health.

Cloudflare observability checklist

  • Visibility goals defined
  • Stakeholders and owners identified
  • Required Cloudflare datasets selected
  • Required fields mapped
  • Log destination selected
  • Retention requirements documented
  • Access and permissions reviewed
  • Logpush credentials configured securely
  • Log delivery validated
  • Parsing and field normalization confirmed
  • WAF/security events visible
  • Bot fields visible where available
  • Cache and origin status visible
  • API events visible where applicable
  • Zero Trust logs included where applicable
  • Dashboards created for key use cases
  • Alerts defined and tuned
  • Incident response workflow documented
  • Reporting cadence defined
  • Cost and storage model reviewed
  • Managed operations handover prepared

Deliverables

  • Cloudflare observability discovery report
  • Log source and dataset mapping
  • Field selection matrix
  • Logpush destination architecture
  • Logpush implementation
  • SIEM or storage integration validation
  • Parsing and normalization validation
  • Security dashboard design
  • CDN/cache dashboard design
  • Bot and WAF review dashboard
  • Zero Trust dashboard, if in scope
  • Alerting and escalation design
  • Incident investigation workflow
  • Reporting template
  • Managed operations handover

When Nanosek should help

You use Cloudflare but do not have reliable logs in your SIEM.
Security teams cannot easily investigate WAF, bot, or DDoS events.
You need Logpush configured to Splunk, Datadog, Elastic, Sentinel, BigQuery, R2, S3, or another destination.
You need dashboards for CDN, WAF, bot, API, DDoS, or Zero Trust visibility.
You need alerting that is actionable instead of noisy.
You need reporting for customers, executives, or managed services.
You are preparing for a migration, audit, or incident response process.
You want Nanosek to operate Cloudflare monitoring and reporting after deployment.

Frequently asked questions

What is Cloudflare Logpush?
Cloudflare Logpush sends Cloudflare logs to external destinations such as SIEM platforms, cloud storage, data warehouses, or analytics tools. It helps teams retain, search, analyze, and correlate Cloudflare events outside the dashboard.
What Cloudflare logs should we collect?
The right logs depend on your use cases. Common sources include HTTP request logs, security events, WAF events, DNS logs, Zero Trust logs, Access logs, Gateway logs, audit logs, and analytics data.
Is Logpush the same as Cloudflare Analytics?
No. Cloudflare Analytics provides dashboard and API-based visibility, while Logpush exports raw or structured log data to external systems for retention, correlation, investigation, and custom reporting.
Can Cloudflare logs be sent to a SIEM?
Yes. Cloudflare logs can be integrated with SIEM platforms such as Splunk, Elastic, Datadog, Microsoft Sentinel, or customer-managed pipelines. Nanosek helps with dataset selection, field mapping, parsing, dashboards, and alerting.
How do you avoid collecting too much log data?
Nanosek designs logging around use cases, datasets, filters, field selection, retention, and storage lifecycle. The goal is useful observability without unnecessary cost or noise.
Can Cloudflare logs help with WAF false positives?
Yes. WAF and security events can show which rules matched, what action was taken, which paths were affected, and whether legitimate users were impacted. This helps tune exceptions and enforcement safely.
Can this include Zero Trust logs?
Yes. If in scope, Nanosek can include Access, Gateway DNS, Gateway HTTP, Gateway network, WARP, device, and policy activity logs.
Can Nanosek build dashboards and alerts?
Yes. Nanosek can design dashboards, alerts, recurring reports, investigation workflows, and managed operations views for security, platform, SRE, and customer reporting needs.
Can Nanosek manage Cloudflare observability after deployment?
Yes. Nanosek provides managed Cloudflare operations, including log monitoring, dashboard review, alert tuning, incident support, reporting, and optimization.

Turn Cloudflare telemetry into operational visibility

Nanosek helps you design Logpush, dashboards, alerts, SIEM integration, and reporting so Cloudflare data supports real investigations, tuning, and managed operations.

Ready to talk?

Deliver Cloudflare without surprises.

Whether you're migrating, hardening, or operating Cloudflare — Nanosek brings authorized MSP & ASDP delivery, rollback-ready cutovers, and managed operations after launch.