From 67011241a7066504a5de55561fc711aac3be8dd4 Mon Sep 17 00:00:00 2001 From: Sohei Gallagher Date: Thu, 25 Jun 2026 01:59:59 +0900 Subject: [PATCH] [Logs] Update Logpush dataset field definitions (2026-06-24) --- .../logs/2026-06-24-log-fields-updated.mdx | 18 ++ .../datasets/account/email_security_alerts.md | 30 ++ .../datasets/account/firewall_events.md | 274 ++++++++++++++++++ .../datasets/account/websocket_analytics.md | 112 +++++++ .../datasets/zone/firewall_events.md | 30 +- .../datasets/zone/websocket_analytics.md | 112 +++++++ 6 files changed, 564 insertions(+), 12 deletions(-) create mode 100644 src/content/changelog/logs/2026-06-24-log-fields-updated.mdx create mode 100644 src/content/docs/logs/logpush/logpush-job/datasets/account/firewall_events.md create mode 100644 src/content/docs/logs/logpush/logpush-job/datasets/account/websocket_analytics.md create mode 100644 src/content/docs/logs/logpush/logpush-job/datasets/zone/websocket_analytics.md diff --git a/src/content/changelog/logs/2026-06-24-log-fields-updated.mdx b/src/content/changelog/logs/2026-06-24-log-fields-updated.mdx new file mode 100644 index 00000000000..88230c8352c --- /dev/null +++ b/src/content/changelog/logs/2026-06-24-log-fields-updated.mdx 
@@ -0,0 +1,18 @@ +--- +title: New WebSocket Analytics Logpush dataset and updated fields +description: The WebSocket Analytics Logpush dataset is now available, the Firewall events dataset is now available for account-scope Logpush, and new fields have been added to Email Security Alerts. +date: 2026-06-24 +--- + +Cloudflare has updated [Logpush datasets](/logs/logpush/logpush-job/datasets/): + +### New datasets + +- **WebSocket Analytics**: A new dataset with fields including `BytesReceivedClient`, `BytesReceivedOrigin`, `BytesSentClient`, `BytesSentOrigin`, `ClientASN`, `ClientIP`, `ClientRequestHost`, `ClientRequestPath`, `ClientRequestUserAgent`, `ColoCode`, `ConnectionCloseReason`, `ConnectionCloseSource`, `ConnectionID`, `ConnectionTransportCloseCode`, `EdgeEndTimestamp`, `EdgeStartTimestamp`, and `RayID`. + +### Updated fields in existing datasets + +- **Firewall events** (added): `ZoneName`. The Firewall events dataset is now also available for [account-scope Logpush](/logs/logpush/logpush-job/datasets/account/firewall_events/), in addition to the existing zone scope. +- **Email Security Alerts** (added): `BCC`, `DKIMResult`, `DMARCPolicy`, `DMARCResult`, and `SPFResult`. + +For the complete field definitions for each dataset, refer to [Logpush datasets](/logs/logpush/logpush-job/datasets/). diff --git a/src/content/docs/logs/logpush/logpush-job/datasets/account/email_security_alerts.md b/src/content/docs/logs/logpush/logpush-job/datasets/account/email_security_alerts.md index 03cb3c8655b..7c253043333 100644 --- a/src/content/docs/logs/logpush/logpush-job/datasets/account/email_security_alerts.md +++ b/src/content/docs/logs/logpush/logpush-job/datasets/account/email_security_alerts.md 
@@ -27,6 +27,12 @@ Type: `array[object]` List of objects containing metadata of attachments contained in this message (for example, [{"Md5": "91f073bd208689ddbd248e8989ecae90", "Sha1": "62b77e14e2c43049c45b5725018e78d0f9986930", "Sha256": "3b57505305e7162141fd898ed87d08f92fc42579b5047495859e56b3275a6c06", "Ssdeep": "McAQ8tPlH25e85Q2OiYpD08NvHmjJ97UfPMO47sekO:uN9M553OiiN/OJ9MM+e3", "Name": "attachment.gif", "ContentTypeProvided": "image/gif", "ContentTypeComputed": "application/x-msi", "Encrypted": true, "Decrypted": true}, ...]). +## BCC + +Type: `array[string]` + +Email address portions of the BCC header provided by the sender, if present (for example, 'firstlast@cloudflare.com'). + ## CC Type: `array[string]` @@ -39,6 +45,24 @@ Type: `array[string]` Email address portions of the CC header provided by the sender (for example, 'First Last'). +## DKIMResult + +Type: `string` + +Summary of the DKIM authentication result for the message.
Possible values are pass \| neutral \| fail \| error \| permerror \| temperror \| none. + +## DMARCPolicy + +Type: `string` + +Effective DMARC policy for the sending domain.
Possible values are none \| quarantine \| reject \| undefined. + +## DMARCResult + +Type: `string` + +Overall DMARC authentication result for the message.
Possible values are pass \| fail \| none. + ## FinalDisposition Type: `string` @@ -141,6 +165,12 @@ Type: `string` Hostname provided by the SMTP HELO server. +## SPFResult + +Type: `string` + +Summary of the SPF authentication result for the message.
Possible values are pass \| neutral \| fail \| softfail \| permerror \| temperror \| none. + ## Subject Type: `string` diff --git a/src/content/docs/logs/logpush/logpush-job/datasets/account/firewall_events.md b/src/content/docs/logs/logpush/logpush-job/datasets/account/firewall_events.md new file mode 100644 index 00000000000..63e2d7fd2cc --- /dev/null +++ b/src/content/docs/logs/logpush/logpush-job/datasets/account/firewall_events.md @@ -0,0 +1,274 @@ +--- +# Code generator. DO NOT EDIT. + +title: Firewall events +pcx_content_type: configuration +sidebar: + order: 21 +--- + +The descriptions below detail the fields available for `firewall_events`. + +## AISecurityInjectionScore + +Type: `int` + +The score indicating the likelihood of a prompt injection attack in the request, as determined by AI Security. + +## AISecurityPIICategories + +Type: `array[string]` + +List of PII categories detected in the request by AI Security. + +## AISecurityTokenCount + +Type: `int` + +The number of tokens in the request, as counted by AI Security. + +## AISecurityUnsafeTopicCategories + +Type: `array[string]` + +List of unsafe topic categories detected in the request by AI Security. + +## Action + +Type: `string` + +The code of the first-class action the Cloudflare Firewall took on this request.
Possible actions are unknown \| allow \| block \| challenge \| jschallenge \| log \| connectionclose \| challengesolved \| challengebypassed \| jschallengesolved \| jschallengebypassed \| bypass \| managedchallenge \| managedchallengenoninteractivesolved \| managedchallengeinteractivesolved \| managedchallengebypassed. + +## ClientASN + +Type: `int` + +The ASN of the visitor. + +## ClientASNDescription + +Type: `string` + +The ASN of the visitor as a string. + +## ClientCountry + +Type: `string` + +Country from which the request originated. + +## ClientIP + +Type: `string` + +The IP address of the visitor (IPv4 or IPv6). + +## ClientIPClass + +Type: `string` + +The classification of the visitor's IP address, possible values are: unknown \| badHost \| searchEngine \| allowlist \| monitoringService \| noRecord \| scan \| tor. + +## ClientRefererHost + +Type: `string` + +The referer host. + +## ClientRefererPath + +Type: `string` + +The referer path requested by the visitor. + +## ClientRefererQuery + +Type: `string` + +The referer query string requested by the visitor. + +## ClientRefererScheme + +Type: `string` + +The referer URL scheme requested by the visitor. + +## ClientRequestHost + +Type: `string` + +The HTTP hostname requested by the visitor. + +## ClientRequestMethod + +Type: `string` + +The HTTP method used by the visitor. + +## ClientRequestPath + +Type: `string` + +The path requested by the visitor. + +## ClientRequestProtocol + +Type: `string` + +The version of HTTP protocol requested by the visitor. + +## ClientRequestQuery + +Type: `string` + +The query string requested by the visitor. + +## ClientRequestScheme + +Type: `string` + +The URL scheme requested by the visitor. + +## ClientRequestUserAgent + +Type: `string` + +The user-agent string of the visitor. + +## ContentScanObjResults + +Type: `array[string]` + +List of content scan results. + +## ContentScanObjSizes + +Type: `array[int]` + +List of content object sizes. 
+ +## ContentScanObjTypes + +Type: `array[string]` + +List of content types. + +## Datetime + +Type: `int or string` + +The date and time the event occurred at the edge. To specify the timestamp format, refer to [Output types](/logs/logpush/logpush-job/log-output-options/#output-types). + +## Description + +Type: `string` + +The description of the rule triggered by this request. + +## EdgeColoCode + +Type: `string` + +The airport code of the Cloudflare data center that served this request. + +## EdgeResponseStatus + +Type: `int` + +HTTP response status code returned to the browser. + +## FirewallForAIInjectionScore (deprecated) + +Type: `int` + +The score indicating the likelihood of a prompt injection attack in the request, as determined by Firewall for AI. Deprecated: Use AISecurityInjectionScore instead. + +## FirewallForAIPIICategories (deprecated) + +Type: `array[string]` + +List of PII categories detected in the request by Firewall for AI. Deprecated: Use AISecurityPIICategories instead. + +## FirewallForAITokenCount (deprecated) + +Type: `int` + +The number of tokens in the request, as counted by Firewall for AI. Deprecated: Use AISecurityTokenCount instead. + +## FirewallForAIUnsafeTopicCategories (deprecated) + +Type: `array[string]` + +List of unsafe topic categories detected in the request by Firewall for AI. Deprecated: Use AISecurityUnsafeTopicCategories instead. + +## FraudUserID + +Type: `string` + +A unique identifier generated by the Fraud Detection system for each user, generated during any action determined by the fraud event type. + +## Kind + +Type: `string` + +The kind of event, currently only possible values are: firewall. + +## LeakedCredentialCheckResult + +Type: `string` + +Result of the check for [leaked credentials](/waf/detections/leaked-credentials/).
Possible results are: password_leaked \| username_and_password_leaked \| username_password_similar \| username_leaked \| clean. + +## MatchIndex + +Type: `int` + +Rules match index in the chain. The last matching rule will have MatchIndex 0. If another rule matched before the last one, it will have MatchIndex 1. The same applies to any other matching rules, which will have a MatchIndex value of 2, 3, and so on. + +## Metadata + +Type: `object` + +Additional product-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by Cloudflare security product and can change over time. + +## OriginResponseStatus + +Type: `int` + +HTTP origin response status code returned to the browser. + +## OriginatorRayID + +Type: `string` + +The RayID of the request that issued the challenge/jschallenge. + +## RayID + +Type: `string` + +The RayID of the request. + +## Ref + +Type: `string` + +The user-defined identifier for the rule triggered by this request. Use refs to label your rules individually alongside the Cloudflare-provided RuleID. You can set refs via the [Rulesets API](/ruleset-engine/rulesets-api/) for some security products. + +## RuleID + +Type: `string` + +The Cloudflare security product-specific RuleID triggered by this request. + +## Source + +Type: `string` + +The Cloudflare security product triggered by this request.
Possible sources are unknown \| asn \| country \| ip \| iprange \| securitylevel \| zonelockdown \| waf \| firewallrules \| uablock \| ratelimit \| bic \| hot \| l7ddos \| validation \| botfight \| apishield \| botmanagement \| dlp \| firewallmanaged \| firewallcustom \| apishieldschemavalidation \| apishieldtokenvalidation \| apishieldsequencemitigation. + +## ZoneName + +Type: `string` + +The human-readable name of the zone (for example, 'cloudflare.com'). diff --git a/src/content/docs/logs/logpush/logpush-job/datasets/account/websocket_analytics.md b/src/content/docs/logs/logpush/logpush-job/datasets/account/websocket_analytics.md new file mode 100644 index 00000000000..5a7d728be5b --- /dev/null +++ b/src/content/docs/logs/logpush/logpush-job/datasets/account/websocket_analytics.md @@ -0,0 +1,112 @@ +--- +# Code generator. DO NOT EDIT. + +title: WebSocket Analytics +pcx_content_type: configuration +sidebar: + order: 21 +--- + +The descriptions below detail the fields available for `websocket_analytics`. + +## BytesReceivedClient + +Type: `int` + +Number of bytes received from the client. + +## BytesReceivedOrigin + +Type: `int` + +Number of bytes received from the origin. + +## BytesSentClient + +Type: `int` + +Number of bytes sent to the client. + +## BytesSentOrigin + +Type: `int` + +Number of bytes sent to the origin. + +## ClientASN + +Type: `int` + +The client's autonomous system number (ASN). + +## ClientIP + +Type: `string` + +The client IP address. + +## ClientRequestHost + +Type: `string` + +The host requested by the client in the WebSocket upgrade request. + +## ClientRequestPath + +Type: `string` + +The path requested by the client in the WebSocket upgrade request. + +## ClientRequestUserAgent + +Type: `string` + +The user agent reported by the client. + +## ColoCode + +Type: `string` + +IATA airport code of the data center that handled the connection. + +## ConnectionCloseReason + +Type: `string` + +The reason the WebSocket connection ended.
Possible values are none \| unspecifiedError \| timedOut \| peerReset \| upstreamReset \| protocolViolation \| peerNoError. + +## ConnectionCloseSource + +Type: `string` + +Which side initiated the connection close.
Possible values are upstream \| downstream \| me \| both, or the raw internal value if unrecognized. + +## ConnectionID + +Type: `string` + +Unique identifier of the WebSocket connection, hex-encoded. + +## ConnectionTransportCloseCode + +Type: `int` + +The first transport-level close code observed. For TLS connections this is the TLS alert code; for plain TCP connections (no TLS) it is always 0. The most significant bit indicates the source: 0 = proxy-initiated, 1 = eyeball-initiated. + +## EdgeEndTimestamp + +Type: `int or string` + +Timestamp at which the WebSocket connection closed. To specify the timestamp format, refer to [Output types](/logs/logpush/logpush-job/log-output-options/#output-types). + +## EdgeStartTimestamp + +Type: `int or string` + +Timestamp at which the WebSocket connection was established. To specify the timestamp format, refer to [Output types](/logs/logpush/logpush-job/log-output-options/#output-types). + +## RayID + +Type: `string` + +The Ray ID of the WebSocket upgrade request. diff --git a/src/content/docs/logs/logpush/logpush-job/datasets/zone/firewall_events.md b/src/content/docs/logs/logpush/logpush-job/datasets/zone/firewall_events.md index 3bae6bc4940..63e2d7fd2cc 100644 --- a/src/content/docs/logs/logpush/logpush-job/datasets/zone/firewall_events.md +++ b/src/content/docs/logs/logpush/logpush-job/datasets/zone/firewall_events.md @@ -43,25 +43,25 @@ The code of the first-class action the Cloudflare Firewall took on this request. Type: `int` -The ASN number of the visitor. +The ASN of the visitor. ## ClientASNDescription Type: `string` -The ASN of the visitor as string. +The ASN of the visitor as a string. ## ClientCountry Type: `string` -Country from which request originated. +Country from which the request originated. ## ClientIP Type: `string` -The visitor's IP address (IPv4 or IPv6). +The IP address of the visitor (IPv4 or IPv6). ## ClientIPClass 
@@ -79,13 +79,13 @@ The referer host. Type: `string` -The referer path requested by visitor. +The referer path requested by the visitor. ## ClientRefererQuery Type: `string` -The referer query-string was requested by the visitor. +The referer query string requested by the visitor. ## ClientRefererScheme @@ -109,7 +109,7 @@ The HTTP method used by the visitor. Type: `string` -The path requested by visitor. +The path requested by the visitor. ## ClientRequestProtocol @@ -121,7 +121,7 @@ The version of HTTP protocol requested by the visitor. Type: `string` -The query-string was requested by the visitor. +The query string requested by the visitor. ## ClientRequestScheme @@ -133,7 +133,7 @@ The URL scheme requested by the visitor. Type: `string` -Visitor's user-agent string. +The user-agent string of the visitor. ## ContentScanObjResults @@ -157,7 +157,7 @@ List of content types. Type: `int or string` -The date and time the event occurred at the edge. +The date and time the event occurred at the edge. To specify the timestamp format, refer to [Output types](/logs/logpush/logpush-job/log-output-options/#output-types). ## Description @@ -175,7 +175,7 @@ The airport code of the Cloudflare data center that served this request. Type: `int` -HTTP response status code returned to browser. +HTTP response status code returned to the browser. ## FirewallForAIInjectionScore (deprecated) @@ -235,7 +235,7 @@ Additional product-specific information. Metadata is organized in key:value pair Type: `int` -HTTP origin response status code returned to browser. +HTTP origin response status code returned to the browser. ## OriginatorRayID @@ -266,3 +266,9 @@ The Cloudflare security product-specific RuleID triggered by this request. Type: `string` The Cloudflare security product triggered by this request.
Possible sources are unknown \| asn \| country \| ip \| iprange \| securitylevel \| zonelockdown \| waf \| firewallrules \| uablock \| ratelimit \| bic \| hot \| l7ddos \| validation \| botfight \| apishield \| botmanagement \| dlp \| firewallmanaged \| firewallcustom \| apishieldschemavalidation \| apishieldtokenvalidation \| apishieldsequencemitigation. + +## ZoneName + +Type: `string` + +The human-readable name of the zone (for example, 'cloudflare.com'). diff --git a/src/content/docs/logs/logpush/logpush-job/datasets/zone/websocket_analytics.md b/src/content/docs/logs/logpush/logpush-job/datasets/zone/websocket_analytics.md new file mode 100644 index 00000000000..5a7d728be5b --- /dev/null +++ b/src/content/docs/logs/logpush/logpush-job/datasets/zone/websocket_analytics.md @@ -0,0 +1,112 @@ +--- +# Code generator. DO NOT EDIT. + +title: WebSocket Analytics +pcx_content_type: configuration +sidebar: + order: 21 +--- + +The descriptions below detail the fields available for `websocket_analytics`. + +## BytesReceivedClient + +Type: `int` + +Number of bytes received from the client. + +## BytesReceivedOrigin + +Type: `int` + +Number of bytes received from the origin. + +## BytesSentClient + +Type: `int` + +Number of bytes sent to the client. + +## BytesSentOrigin + +Type: `int` + +Number of bytes sent to the origin. + +## ClientASN + +Type: `int` + +The client's autonomous system number (ASN). + +## ClientIP + +Type: `string` + +The client IP address. + +## ClientRequestHost + +Type: `string` + +The host requested by the client in the WebSocket upgrade request. + +## ClientRequestPath + +Type: `string` + +The path requested by the client in the WebSocket upgrade request. + +## ClientRequestUserAgent + +Type: `string` + +The user agent reported by the client. + +## ColoCode + +Type: `string` + +IATA airport code of the data center that handled the connection. + +## ConnectionCloseReason + +Type: `string` + +The reason the WebSocket connection ended.
Possible values are none \| unspecifiedError \| timedOut \| peerReset \| upstreamReset \| protocolViolation \| peerNoError. + +## ConnectionCloseSource + +Type: `string` + +Which side initiated the connection close.
Possible values are upstream \| downstream \| me \| both, or the raw internal value if unrecognized. + +## ConnectionID + +Type: `string` + +Unique identifier of the WebSocket connection, hex-encoded. + +## ConnectionTransportCloseCode + +Type: `int` + +The first transport-level close code observed. For TLS connections this is the TLS alert code; for plain TCP connections (no TLS) it is always 0. The most significant bit indicates the source: 0 = proxy-initiated, 1 = eyeball-initiated. + +## EdgeEndTimestamp + +Type: `int or string` + +Timestamp at which the WebSocket connection closed. To specify the timestamp format, refer to [Output types](/logs/logpush/logpush-job/log-output-options/#output-types). + +## EdgeStartTimestamp + +Type: `int or string` + +Timestamp at which the WebSocket connection was established. To specify the timestamp format, refer to [Output types](/logs/logpush/logpush-job/log-output-options/#output-types). + +## RayID + +Type: `string` + +The Ray ID of the WebSocket upgrade request.
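Review bot: In 2026-06-24-log-fields-updated.mdx, the "New datasets" bullet for WebSocket Analytics does not say which scopes the dataset is available in and has no link, although this patch creates both datasets/account/websocket_analytics.md and datasets/zone/websocket_analytics.md. Suggest naming the scopes and linking the new pages, the way the Firewall events bullet links /logs/logpush/logpush-job/datasets/account/firewall_events/.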
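Review bot: In email_security_alerts.md, the new BCC section says the field is populated "if present" but does not say what a record carries when the header is absent (an empty array, or the field omitted). Suggest stating the absent-header value so consumers can parse it consistently. Because BCC recipients are hidden from the other recipients of the message, a sentence noting that this field exposes them to whoever can read the log destination would help operators decide whether to include it in a job.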
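Review bot: In email_security_alerts.md, DKIMResult lists a generic `error` value alongside `permerror` and `temperror`, while SPFResult in the same patch lists `permerror` and `temperror` with no `error`, and DMARCResult lists only pass, fail and none. Suggest confirming the three value sets against the generator source and, if `error` is a real DKIMResult value, describing when it is emitted instead of permerror or temperror. The `undefined` value of DMARCPolicy would also benefit from a one-line explanation, since detection rules that match on these strings depend on the lists being exhaustive and unambiguous.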
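Review bot: In datasets/account/firewall_events.md, AISecurityInjectionScore (and the deprecated FirewallForAIInjectionScore) is described as "the score indicating the likelihood of a prompt injection attack" with no value range and no statement of whether a higher or a lower value means more likely. Suggest adding the range and direction to the description, in the generator source since the file is marked "Code generator. DO NOT EDIT."; anyone setting an alert threshold on this field needs both.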
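Review bot: In datasets/account/websocket_analytics.md, ConnectionTransportCloseCode says "The most significant bit indicates the source" while the type is plain `int` with no stated width, so a consumer cannot tell which bit to mask. Suggest giving the width or the mask value, and replacing "eyeball-initiated" with "client-initiated" to match the Client* field names used in the rest of the file. The description should also say how to tell the plain-TCP value 0 apart from a proxy-initiated TLS alert code 0 (close_notify), since both encode to 0 as written.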
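Review bot: In datasets/zone/firewall_events.md, the ClientASNDescription change from "as string" to "as a string" fixes the grammar but still reads as if the field were the ASN number stringified, which would duplicate ClientASN. Suggest rewording the description to say what the string actually contains, for example the name or description of the autonomous system if that is what the field name means.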
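Review bot: In datasets/zone/firewall_events.md, the OriginResponseStatus line now reads "HTTP origin response status code returned to the browser.", which differs from EdgeResponseStatus ("HTTP response status code returned to the browser.") by one word and leaves it unclear whether the two fields can diverge. Suggest describing OriginResponseStatus in terms of what the origin returned, and noting what value is logged when the request is blocked before it reaches the origin, since that case is common in firewall events.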
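Review bot: In datasets/zone/websocket_analytics.md, ConnectionCloseSource lists upstream, downstream, me and both without defining them in terms of client, origin and Cloudflare, and `me` has no referent in customer-facing text. Suggest defining each value, and stating explicitly that the "raw internal value if unrecognized" clause makes this an open set, so parsers and detection rules should tolerate values outside the list.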