[Logs] Update Logpush dataset field definitions (2026-06-24)

[soheiokamoto]

New datasets

• WebSocket Analytics: A new dataset available for account and zone scopes.

Updated fields in existing datasets

• Firewall events (added): ZoneName. The Firewall events dataset is now also available for account-scope Logpush, in addition to the existing zone scope.
• Email Security Alerts (added): BCC, DKIMResult, DMARCPolicy, DMARCResult, and SPFResult.

Files changed

• src/content/docs/logs/logpush/logpush-job/datasets/account/ — dataset pages
• src/content/docs/logs/logpush/logpush-job/datasets/zone/ — dataset pages
• src/content/changelog/logs/2026-06-24-log-fields-updated.mdx — changelog

Documentation checklist

• Changelog entry added
• Content generated by code generator (DO NOT EDIT manually)

[soheiokamoto]

/bonk please review this automated sync of Logpush dataset field definitions.

Focus on the following:

1. Changelog quality — is the entry clear, accurate, and useful to end users?

2. Field description quality — are the descriptions accurate, clear, and complete?

3. Manual edits at risk of being overwritten — are there any field descriptions that appear
   to have been manually edited directly in cloudflare-docs (e.g. contain context or guidance
   not present in the machine-generated description format)? If so, flag them so the author can
   preserve those edits in the internal source YAML.

[cloudflare-docs-bot]

Review

⏸️ Automatic reviews for this PR are paused.

This PR has already received 2 automatic reviews. To run another review, a codeowner can comment /review or /full-review. To permanently lift the limit for this PR, a codeowner can comment /ignore-review-limit.

Tip: Keep PRs in draft mode until they are ready for review — the bot skips draft PRs automatically.

---

✅ No issues found in commit a96952c.

Code Review

This code review is in beta and may not always be helpful — use your judgment.

✅ No code review issues found.

Style Guide Review

✅ No style-guide issues found.

Commands

Only codeowners can run commands. Post a comment with the command to trigger it.

Command	Description
/review	Runs a review now. Incremental if a prior review exists, full if not.
/full-review	Re-reviews the entire PR diff from scratch, ignoring incremental history. Useful after a rebase, when you want a fresh review, or if the bot gets out of sync and reports issues that no longer exist.
/ignore-review-limit	Permanently lifts the 2-review automatic limit for this PR. Future pushes will trigger reviews as normal.

[github-actions]

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern	Owners
/src/content/changelog/	@cloudflare/pm-changelogs, @cloudflare/product-owners
/src/content/docs/logs/	@soheiokamoto, @angelampcosta, @rianvdm, @dcpena, @cloudflare/product-owners

[ask-bonk]

Review Summary

This PR adds two new Logpush datasets (Firewall events and WebSocket Analytics, both account- and zone-scoped), updates the Email Security Alerts dataset with five new fields, and adds a changelog entry. The changes follow the established code-generator pattern.

Issues that need attention

1. Changelog duplication — the "New datasets" section lists WebSocket Analytics twice (lines 12 and 13). This should be deduplicated; one entry is enough even though the dataset is available in both scopes.

2. Grammar issues in field descriptions — The new account/firewall_events.md contains several awkward or grammatically incorrect descriptions. Because these files are code-generated, the fixes need to be applied in the internal source YAML so they are not overwritten by future syncs. The same issues also exist in the zone-scoped file, so fixing upstream will improve both.

3. Changelog title length — The title is quite long and repeats "in Cloudflare Logs" at the end. Consider shortening it (for example, "New Logpush datasets and updated fields").

Please address the duplication in the changelog before merging.

[ask-bonk]

I've completed the review of PR #31674.

Labels applied

Added documentation (the PR already had product:logs, product:changelog, and size/l).

Summary of changes

The PR is an automated sync that introduces:

• New datasets — firewall_events and websocket_analytics for both account and zone scopes.
• Updated fields — Email Security Alerts gains BCC, DKIMResult, DMARCPolicy, DMARCResult, and SPFResult. The zone-scoped firewall_events gains ZoneName.
• Changelog entry — 2026-06-24-log-fields-updated.mdx documents the additions.

Issues flagged

I submitted a REQUEST CHANGES review with inline comments pointing out:

1. Changelog duplication — WebSocket Analytics is listed twice in the “New datasets” section (lines 12 and 13). This should be deduplicated before merging.
2. Grammar issues in generated field descriptions — Several descriptions in account/firewall_events.md need fixes in the internal source YAML so they aren’t overwritten by future syncs:
   • “The ASN of the visitor as string.” → missing article (“as a string”).
   • “The referer query-string was requested by the visitor.” and “The query-string was requested by the visitor.” → awkward passive voice.
   • “HTTP response status code returned to browser.” / “HTTP origin response status code returned to browser.” → missing “the” before “browser”.
3. Changelog title — It is very long and redundant (“in Cloudflare Logs” is unnecessary on the Logs changelog). Suggested shortening it.

These issues are minor but the duplication in the changelog is worth fixing before merge.

github run

[github-actions]

Preview URL: https://2d9ec43d.preview.developers.cloudflare.com
Preview Branch URL: https://sync-log-fields-2026-06-24.preview.developers.cloudflare.com

Files with changes (up to 15)

Original Link	Updated Link
https://developers.cloudflare.com/changelog/post/2026-06-24-log-fields-updated/	https://sync-log-fields-2026-06-24.preview.developers.cloudflare.com/changelog/post/2026-06-24-log-fields-updated/

[soheiokamoto]

/review

[ask-bonk]

Review of PR #31674

Labels

documentation, product:logs, product:changelog (already present and appropriate).

Summary of changes

This PR is an automated sync of Logpush dataset field definitions that:

• Introduces websocket_analytics as a new dataset for both account and zone scopes.
• Introduces firewall_events for account scope (it already existed at zone scope).
• Adds ZoneName to the zone-scoped firewall_events dataset.
• Adds five new fields to email_security_alerts: BCC, DKIMResult, DMARCPolicy, DMARCResult, and SPFResult.
• Creates a changelog entry at 2026-06-24-log-fields-updated.mdx.
• Fixes several grammar issues in zone firewall_events.md (adding missing articles and cleaning up awkward phrasing).

The diff matches the stated intent, and the changelog entry is clear and accurate.

---

Issues that need attention

1. PR description lists WebSocket Analytics twice

The pull request body under ### New datasets duplicates the WebSocket Analytics bullet. This appears to be a code-generator artifact (the dataset was generated for both account and zone scopes). It does not affect the committed changelog file, but cleaning up the PR description will avoid confusion for reviewers.

Suggested fix: Remove the duplicate line in the PR body.

---

2. PR description calls Firewall events a "New dataset"

The PR body frames Firewall events as a completely new dataset, but it is actually a new account-scope availability for an existing zone-scoped dataset. The committed changelog correctly clarifies this, so this is only a minor accuracy issue in the PR description itself.

---

3. Remaining grammar issues in generated field descriptions

A few descriptions were inherited from the upstream source and were not fixed in this sync. Because these files are code-generated, the corrections must be applied in the internal source YAML or they will be overwritten by future syncs.

src/content/docs/logs/logpush/logpush-job/datasets/account/firewall_events.md

• Line 82 (ClientRefererPath): The referer path requested by visitor. → should be The referer path requested by **the** visitor.
• Line 112 (ClientRequestPath): The path requested by visitor. → should be The path requested by **the** visitor.
• Line 58 (ClientCountry): Country from which request originated. → should be Country from which **the** request originated.

src/content/docs/logs/logpush/logpush-job/datasets/zone/firewall_events.md

• Same three descriptions appear here and need the same upstream fixes.

src/content/docs/logs/logpush/logpush-job/datasets/account/email_security_alerts.md

• Line 52 (DKIMResult): Summary DKIM authentication result for the message. → consider Summary **of the** DKIM authentication result for the message.
• Line 172 (SPFResult): Summary SPF authentication result for the message. → consider Summary **of the** SPF authentication result for the message.

---

Verdict

Approve with minor notes. The committed code is accurate and the changelog is well-structured. The remaining issues are cosmetic grammar gaps that should be fixed upstream to survive future automated syncs.

github run

[ask-bonk]

Review of PR #31674

Labels

The existing labels are appropriate for this change:

• product:logs
• product:changelog
• size/l
• documentation (already applied)

Summary of changes

This PR is an automated sync of Logpush dataset field definitions that:

• Introduces websocket_analytics as a new dataset for both account and zone scopes.
• Introduces firewall_events for account scope (previously only available at zone scope).
• Adds ZoneName to the zone-scoped firewall_events dataset.
• Adds five new fields to email_security_alerts: BCC, DKIMResult, DMARCPolicy, DMARCResult, and SPFResult.
• Creates a changelog entry at src/content/changelog/logs/2026-06-24-log-fields-updated.mdx.

The diff is clean, follows the established code-generator format, and the committed files no longer contain the grammar issues flagged in earlier reviews.

---

Issues that need attention

1. Redundant phrasing in field descriptions (fix upstream)

Both account/firewall_events.md and zone/firewall_events.md contain the following description under ClientASN:

The ASN number of the visitor.

Because "ASN" stands for "Autonomous System Number", the word "number" is redundant. These files are code-generated, so the fix must be applied in the internal source YAML or it will be overwritten by future syncs.

Suggested upstream fix:

- The ASN number of the visitor.
+ The ASN of the visitor.

• Files: src/content/docs/logs/logpush/logpush-job/datasets/account/firewall_events.md:46, src/content/docs/logs/logpush/logpush-job/datasets/zone/firewall_events.md:46

2. Changelog title length (optional)

The changelog title is functional but verbose:

New WebSocket Analytics Logpush dataset and updated fields in Cloudflare Logs

Since this post lives on the Logs product changelog, the trailing phrase "in Cloudflare Logs" is redundant. Consider shortening it upstream (e.g., "New WebSocket Analytics Logpush dataset and updated fields").

• File: src/content/changelog/logs/2026-06-24-log-fields-updated.mdx:2

---

Inline review comments

src/content/docs/logs/logpush/logpush-job/datasets/account/firewall_events.md:46

The ASN number of the visitor.

Fix upstream: "ASN number" is redundant. Consider "The ASN of the visitor."

src/content/docs/logs/logpush/logpush-job/datasets/zone/firewall_events.md:46

The ASN number of the visitor.

Fix upstream: Same redundancy as the account-scoped file.

---

Verdict

Approve with minor notes.

All previously reported grammar issues ("as a string", "returned to the browser", "requested by the visitor") have been resolved in the committed files. The changelog is clear and accurate, the new fields are correctly alphabetized, and the frontmatter is valid. The remaining "ASN number" redundancy is the only item that should be corrected upstream to survive future automated syncs.

github run

[ask-bonk]

I've completed the review of PR #31674 by reading all changed files and verifying the current state against prior review feedback and the style guide.

Labels

The existing labels are appropriate:

• product:logs
• product:changelog
• size/l
• documentation

Summary of changes

This PR is an automated sync of Logpush dataset field definitions that:

• Introduces websocket_analytics as a new dataset for both account and zone scopes.
• Introduces firewall_events for account scope (previously only available at zone scope).
• Adds ZoneName to the zone-scoped firewall_events dataset.
• Adds five new fields to email_security_alerts: BCC, DKIMResult, DMARCPolicy, DMARCResult, and SPFResult.
• Creates a changelog entry at src/content/changelog/logs/2026-06-24-log-fields-updated.mdx.

All previously reported grammar issues ("as a string," "returned to the browser," "requested by the visitor") have been resolved in both the account and zone firewall_events files. The changelog no longer contains the WebSocket Analytics duplication. Internal links (/waf/detections/leaked-credentials/, /ruleset-engine/rulesets-api/, /logs/logpush/logpush-job/datasets/) are valid.

---

Issues that need attention

1. Enum formatting inconsistency in WebSocket Analytics (fix upstream)

Every other Logpush dataset page uses <br />Possible values are before listing enum options. The new websocket_analytics files omit the line break and use inconsistent phrasing.

account/websocket_analytics.md & zone/websocket_analytics.md

• Line 76 (ConnectionCloseReason): Possible values are → should be <br />Possible values are
• Line 82 (ConnectionCloseSource): Which side initiated the connection close; → should use <br />Possible values are with a colon instead of a semicolon

Fix in upstream source YAML so it survives future automated syncs.

2. Ambiguous enum value me in ConnectionCloseSource (fix upstream)

The ConnectionCloseSource field lists me as a possible value:

Which side initiated the connection close; <em>upstream</em> \| <em>downstream</em> \| <em>me</em> \| <em>both</em>...

From an end-user perspective, me is unclear. It should be clarified upstream that me refers to the Cloudflare edge/proxy.

3. Missing timestamp format reference in WebSocket Analytics (fix upstream)

EdgeStartTimestamp and EdgeEndTimestamp are typed int or string but do not reference the output-types documentation, unlike the Timestamp field in email_security_alerts:

To specify the timestamp format, refer to [Output types](/logs/logpush/logpush-job/log-output-options/#output-types).

Consider adding that reference upstream for consistency.

4. Inconsistent description style in new Email Security fields (fix upstream)

The newly added DKIM/SPF fields use "Summary of the ... authentication result" while the new DMARC fields do not:

• DKIMResult: "Summary of the DKIM authentication result for the message."
• SPFResult: "Summary of the SPF authentication result for the message."
• DMARCPolicy: "Effective DMARC policy for the sending domain."
• DMARCResult: "Overall DMARC authentication result for the message."

Consider aligning the description style upstream for consistency.

5. PR description minor inaccuracy

The PR body under ### New datasets frames Firewall events as a brand-new dataset, when it is actually a new account-scope availability for an existing dataset. The committed changelog correctly clarifies this, so this is only a minor PR-description issue.

---

Verdict

Approve with minor notes.

The committed code is accurate, the grammar fixes are in place, the changelog is clear and deduplicated, and the frontmatter is valid. The remaining items are upstream generator inconsistencies in the new websocket_analytics dataset and minor description-style gaps that should be corrected in the internal source YAML so they are not overwritten by future syncs.

github run