From 5d7b6e651ff57cb00a181582468520dbbd995924 Mon Sep 17 00:00:00 2001 From: noelle Date: Fri, 20 Mar 2026 14:03:08 -0700 Subject: [PATCH 1/4] Restructure Zero Trust logs documentation - Create dashboard-logs/ folder for UI-accessible logs - Add admin-activity-logs.mdx (new page) - Add ssh-command-logs.mdx (new page) - Move access-authentication-logs.mdx (renamed from audit-logs.mdx) - Move gateway-logs/ folder with index.mdx and manage-pii.mdx - Move scim-logs.mdx - Move posture-logs.mdx - Move tunnel-audit-logs.mdx - Create logpush/ folder for Logpush-related documentation - Move logpush.mdx content to index.mdx - Move enable-logs.mdx to email-security-logs.mdx - Move use-logpush-with-ids.mdx to ids-logs.mdx - Rename filter-views.mdx to network-firewall-log-filters.mdx - Preserve existing overview content (Log Retention, Log Explorer, CMB, Data Privacy) --- .../access-authentication-logs.mdx} | 5 +- .../dashboard-logs/admin-activity-logs.mdx | 28 +++++++++++ .../gateway-logs/index.mdx | 7 ++- .../gateway-logs/manage-pii.mdx | 2 +- .../insights/logs/dashboard-logs/index.mdx | 17 +++++++ .../{ => dashboard-logs}/posture-logs.mdx | 6 +-- .../logs/{ => dashboard-logs}/scim-logs.mdx | 7 ++- .../logs/dashboard-logs/ssh-command-logs.mdx | 49 +++++++++++++++++++ .../tunnel-audit-logs.mdx | 4 +- .../email-security-logs.mdx} | 4 +- .../ids-logs.mdx} | 12 +++-- .../logs/{logpush.mdx => logpush/index.mdx} | 26 +++++----- .../network-firewall-log-filters.mdx} | 4 +- 13 files changed, 137 insertions(+), 34 deletions(-) rename src/content/docs/cloudflare-one/insights/logs/{audit-logs.mdx => dashboard-logs/access-authentication-logs.mdx} (97%) create mode 100644 src/content/docs/cloudflare-one/insights/logs/dashboard-logs/admin-activity-logs.mdx rename src/content/docs/cloudflare-one/insights/logs/{ => dashboard-logs}/gateway-logs/index.mdx (99%) rename src/content/docs/cloudflare-one/insights/logs/{ => dashboard-logs}/gateway-logs/manage-pii.mdx (99%) create mode 100644 src/content/docs/cloudflare-one/insights/logs/dashboard-logs/index.mdx rename src/content/docs/cloudflare-one/insights/logs/{ => dashboard-logs}/posture-logs.mdx (89%) rename src/content/docs/cloudflare-one/insights/logs/{ => dashboard-logs}/scim-logs.mdx (84%) create mode 100644 src/content/docs/cloudflare-one/insights/logs/dashboard-logs/ssh-command-logs.mdx rename src/content/docs/cloudflare-one/insights/logs/{ => dashboard-logs}/tunnel-audit-logs.mdx (93%) rename src/content/docs/cloudflare-one/insights/logs/{enable-logs.mdx => logpush/email-security-logs.mdx} (97%) rename src/content/docs/cloudflare-one/insights/logs/{use-logpush-with-ids.mdx => logpush/ids-logs.mdx} (81%) rename src/content/docs/cloudflare-one/insights/logs/{logpush.mdx => logpush/index.mdx} (91%) rename src/content/docs/cloudflare-one/insights/logs/{filter-views.mdx => logpush/network-firewall-log-filters.mdx} (98%) diff --git a/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs.mdx similarity index 97% rename from src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx rename to src/content/docs/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs.mdx index 16f80ab66581f08..3ac084292200012 100644 --- a/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs.mdx @@ -5,7 +5,6 @@ tags: - Logging sidebar: order: 2 -head: [] description: Use Access authentication logs to review authentication events and requests to protected URI paths and infrastructure targets. --- @@ -14,8 +13,8 @@ import { GlossaryTooltip, TabItem, Tabs, APIRequest } from "~/components"; Cloudflare Access generates two types of audit logs: -- **[Authentication audit logs](/cloudflare-one/insights/logs/audit-logs/#authentication-logs)** maintain a record of authentication events. -- **[Per-request audit logs](/cloudflare-one/insights/logs/audit-logs/#per-request-logs)** record requests to protected URI paths and infrastructure targets. +- **[Authentication audit logs](#authentication-logs)** maintain a record of authentication events. +- **[Per-request audit logs](#per-request-logs)** record requests to protected URI paths and infrastructure targets. ## Authentication logs diff --git a/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/admin-activity-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/admin-activity-logs.mdx new file mode 100644 index 000000000000000..e991821adbacf0c --- /dev/null +++ b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/admin-activity-logs.mdx @@ -0,0 +1,28 @@ +--- +pcx_content_type: reference +title: Admin activity logs +sidebar: + order: 1 +description: Monitor when a member on your account creates, updates, or deletes configurations. +--- + +Admin activity logs record configuration changes made by members of your Cloudflare account. Use these logs to monitor when a member creates, updates, or deletes configurations in your Zero Trust organization. + +To view admin activity logs, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Insights** > **Logs** > **Admin activity logs**. + +## Explanation of the fields + +| Field | Description | +| --------------------- | ------------------------------------------------------------------ | +| **Action timestamp** | Date and time when the change occurred. | +| **Action type** | Type of action taken (for example, `create`, `update`, `delete`). | +| **Action result** | Whether the action was successful. | +| **Actor email** | Email address of the user who performed the action. | +| **Actor IP address** | IP address of the user who performed the action. | +| **Actor type** | Type of user that initiated the action. | +| **Resource type** | The type of resource that was changed. | +| **Resource product** | The Cloudflare product associated with the resource. | + +## Export admin activity logs + +Enterprise users can export admin activity logs using [Logpush](/cloudflare-one/insights/logs/logpush/). For a list of all available fields, refer to [Audit Logs V2](/logs/logpush/logpush-job/datasets/account/audit_logs_v2/). diff --git a/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx similarity index 99% rename from src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx rename to src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx index 40fb6173b16a1a5..b70aeafaa76b9ab 100644 --- a/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx @@ -5,9 +5,10 @@ tags: - Logging sidebar: order: 3 +description: Review DNS queries, network traffic, and HTTP requests inspected by Gateway. --- -import { Render, GlossaryTooltip } from "~/components"; +import { Render, GlossaryTooltip, DirectoryListing } from "~/components"; :::note[Private source IP substitution] @@ -15,12 +16,14 @@ Gateway logs will only show the public IP address for the **Source IP** field. P ::: -Gateway activity logs show the individual DNS queries, Network packets, and HTTP requests inspected by Gateway. You can also download encrypted [SSH command logs](/cloudflare-one/traffic-policies/network-policies/ssh-logging/) for sessions proxied by Gateway. +Gateway activity logs show the individual DNS queries, Network packets, and HTTP requests inspected by Gateway. You can also download encrypted [SSH command logs](/cloudflare-one/insights/logs/dashboard-logs/ssh-command-logs/) for sessions proxied by Gateway. To view Gateway activity logs, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Insights** > **Logs** and choose a type of Gateway log. Select an individual row to investigate the event in more detail. Enterprise users can generate more detailed logs with [Logpush](/cloudflare-one/insights/logs/logpush/). + + ## Selective logging By default, Gateway logs all events, including DNS queries and HTTP requests that are allowed and not a risk. You can choose to disable logs or only log blocked requests. To customize what type of events are recorded, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Traffic policies** > **Traffic settings**. Under **Traffic logging** > **Log traffic activity**, indicate your DNS, Network, and HTTP log preferences. diff --git a/src/content/docs/cloudflare-one/insights/logs/gateway-logs/manage-pii.mdx b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/manage-pii.mdx similarity index 99% rename from src/content/docs/cloudflare-one/insights/logs/gateway-logs/manage-pii.mdx rename to src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/manage-pii.mdx index 92f29d650c6e514..3d4ccecb8f85129 100644 --- a/src/content/docs/cloudflare-one/insights/logs/gateway-logs/manage-pii.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/manage-pii.mdx @@ -4,7 +4,7 @@ title: Manage PII tags: - Privacy sidebar: - order: 3 + order: 1 --- Cloudflare Gateway gives you multiple ways to safely handle your employees' personally identifiable information (PII). By default, PII is redacted from Gateway Activity logs for all permission roles except the Super Administrator and users with the [Cloudflare Zero Trust PII role](/cloudflare-one/roles-permissions/#cloudflare-zero-trust-pii) assigned to them. Only the Super Administrator can assign roles and determine who has permission to view PII. Redacting PII does not affect the way PII is captured in logs as the data is simply hidden and no information is lost. diff --git a/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/index.mdx b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/index.mdx new file mode 100644 index 000000000000000..253f7a90befdfc4 --- /dev/null +++ b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/index.mdx @@ -0,0 +1,17 @@ +--- +pcx_content_type: navigation +title: Dashboard logs +sidebar: + order: 1 +head: + - tag: title + content: Zero Trust dashboard logs +--- + +import { DirectoryListing } from "~/components"; + +The following logs are available in the [Zero Trust dashboard](https://one.dash.cloudflare.com/). Go to **Insights** > **Logs** to view activity for your organization. + + + +For additional datasets and long-term log storage, refer to [Logpush](/cloudflare-one/insights/logs/logpush/). diff --git a/src/content/docs/cloudflare-one/insights/logs/posture-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/posture-logs.mdx similarity index 89% rename from src/content/docs/cloudflare-one/insights/logs/posture-logs.mdx rename to src/content/docs/cloudflare-one/insights/logs/dashboard-logs/posture-logs.mdx index c4ebe6022937efe..e81d9e6efd3e44e 100644 --- a/src/content/docs/cloudflare-one/insights/logs/posture-logs.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/posture-logs.mdx @@ -2,13 +2,13 @@ pcx_content_type: reference title: Posture logs sidebar: - order: 7 - + order: 8 +description: Monitor the results of device posture checks performed on your users' devices. --- Posture logs show the [device posture check](/cloudflare-one/reusable-components/posture-checks/) results reported by the Cloudflare One Client. -To view device posture logs, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Logs** > **Posture**. Logs will only display if you have configured [device posture checks](/cloudflare-one/reusable-components/posture-checks/) for your Zero Trust organization. +To view device posture logs, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Insights** > **Logs** > **Posture logs**. Logs will only display if you have configured [device posture checks](/cloudflare-one/reusable-components/posture-checks/) for your Zero Trust organization. Enterprise users can generate more detailed logs with [Logpush](/cloudflare-one/insights/logs/logpush/). diff --git a/src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/scim-logs.mdx similarity index 84% rename from src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx rename to src/content/docs/cloudflare-one/insights/logs/dashboard-logs/scim-logs.mdx index 2dbfa6fd0bb3064..d4bff85f0268939 100644 --- a/src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/scim-logs.mdx @@ -1,11 +1,10 @@ --- pcx_content_type: reference -title: SCIM activity logs +title: SCIM provisioning logs tags: - SCIM sidebar: - order: 3 - label: SCIM logs + order: 7 --- import { Render } from "~/components"; @@ -14,7 +13,7 @@ SCIM activity logs allow administrators to audit how [SCIM provisioning](/cloudf ## View SCIM logs -For an overview of SCIM events across all users, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Logs** > **SCIM provisioning**. This page lists the inbound SCIM requests from all identity providers configured with SCIM. You can select an individual request to view more details about the SCIM operation. +For an overview of SCIM events across all users, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Insights** > **Logs** > **SCIM provisioning logs**. This page lists the inbound SCIM requests from all identity providers configured with SCIM. You can select an individual request to view more details about the SCIM operation. To investigate how SCIM events impacted a specific user, go to their [User Registry identity](/cloudflare-one/team-and-resources/users/users/). diff --git a/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/ssh-command-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/ssh-command-logs.mdx new file mode 100644 index 000000000000000..90d421dec63476e --- /dev/null +++ b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/ssh-command-logs.mdx @@ -0,0 +1,49 @@ +--- +pcx_content_type: reference +title: SSH command logs +sidebar: + order: 6 +description: Review SSH commands a user ran on a target. +--- + +SSH command logs record the commands that users run on infrastructure targets protected by [Access for Infrastructure](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/). Use these logs to audit user activity on your SSH servers. + +To view SSH command logs, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Insights** > **Logs** > **SSH command logs**. + +## Prerequisites + +To generate SSH command logs, you must: + +1. Set up [Access for Infrastructure](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) for your SSH servers. +2. [Enable SSH command logging](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#ssh-command-logs) by uploading an encryption public key. + +## View SSH logs + +SSH command logs displayed in the dashboard are encrypted using a public key you provide. To view the contents of the logs: + +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Insights** > **Logs** > **SSH command logs**. +2. Filter the logs using the name of your SSH application. +3. Select the SSH session for which you want to export command logs. +4. In the side panel, scroll down to **SSH logs** and select **Download**. +5. Decrypt the log using the [SSH Logging CLI](https://github.com/cloudflare/ssh-log-cli/). + +## Explanation of the fields + +| Field | Description | +| -------------------------- | ----------------------------------------------------------------------------------------------- | +| **Session ID** | Unique identifier for the SSH session. | +| **User email** | Email address of the user who initiated the SSH session. | +| **Target ID** | Identifier of the infrastructure target being accessed. | +| **Client address** | Source IP address of the SSH connection. | +| **Server address** | Destination IP address of the SSH server. | +| **Session start datetime** | Timestamp when the SSH session started. | +| **Session finish datetime**| Timestamp when the SSH session ended. | +| **Program type** | Type of SSH program (`shell`, `exec`, `x11`, `direct-tcpip`, or `forwarded-tcpip`). | +| **Payload** | Captured request/response data in asciicast v2 format, including commands for `exec` programs. | +| **Error** | SSH error message, if an error occurred. | + +## Export SSH logs with Logpush + +Enterprise users can export SSH command logs using [Logpush](/cloudflare-one/insights/logs/logpush/). Logpush payloads are not encrypted with a customer-provided public key. + +For a list of all available fields, refer to [SSH Logs](/logs/logpush/logpush-job/datasets/account/ssh_logs/). diff --git a/src/content/docs/cloudflare-one/insights/logs/tunnel-audit-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/tunnel-audit-logs.mdx similarity index 93% rename from src/content/docs/cloudflare-one/insights/logs/tunnel-audit-logs.mdx rename to src/content/docs/cloudflare-one/insights/logs/dashboard-logs/tunnel-audit-logs.mdx index 4e449e54ed26139..cabad7912b69131 100644 --- a/src/content/docs/cloudflare-one/insights/logs/tunnel-audit-logs.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/tunnel-audit-logs.mdx @@ -2,8 +2,8 @@ pcx_content_type: reference title: Tunnel audit logs sidebar: - order: 6 - + order: 9 +description: Review Cloudflare Tunnel connection events. --- Audit logs for Tunnel are available in the [account section of the Cloudflare dashboard](https://dash.cloudflare.com/?account=audit-log) which you can find by selecting your name or email in the upper right-hand corner of the dashboard. The following actions are logged: diff --git a/src/content/docs/cloudflare-one/insights/logs/enable-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/logpush/email-security-logs.mdx similarity index 97% rename from src/content/docs/cloudflare-one/insights/logs/enable-logs.mdx rename to src/content/docs/cloudflare-one/insights/logs/logpush/email-security-logs.mdx index 3c10bcbb29e84f0..5e74accd26130aa 100644 --- a/src/content/docs/cloudflare-one/insights/logs/enable-logs.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/logpush/email-security-logs.mdx @@ -1,8 +1,8 @@ --- -title: Enable Email security logs +title: Email security logs pcx_content_type: how-to sidebar: - order: 9 + order: 1 --- import { DashButton } from "~/components"; diff --git a/src/content/docs/cloudflare-one/insights/logs/use-logpush-with-ids.mdx b/src/content/docs/cloudflare-one/insights/logs/logpush/ids-logs.mdx similarity index 81% rename from src/content/docs/cloudflare-one/insights/logs/use-logpush-with-ids.mdx rename to src/content/docs/cloudflare-one/insights/logs/logpush/ids-logs.mdx index 040acce5ace2878..659de6023c50df9 100644 --- a/src/content/docs/cloudflare-one/insights/logs/use-logpush-with-ids.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/logpush/ids-logs.mdx @@ -1,13 +1,17 @@ --- -title: Use Logpush with IDS -pcx_content_type: concept +title: IDS logs +pcx_content_type: how-to +sidebar: + order: 2 --- -You can use Logpush with Cloudflare Network Firewall IDS to log detected risks: +You can use Logpush with Cloudflare Network Firewall IDS to log detected risks. + +## Set up Logpush for IDS 1. Consult the [Logpush Destination docs](/logs/logpush/logpush-job/api-configuration/#destination) to learn about what destinations Logpush supports. The documentation will also instruct you on how to correctly format the destination URL for Logpush. -2. Follow the [Manage Lopush with cURL](/logs/logpush/examples/example-logpush-curl/) tutorial to validate your Logpush destination and define a Logpush job. +2. Follow the [Manage Logpush with cURL](/logs/logpush/examples/example-logpush-curl/) tutorial to validate your Logpush destination and define a Logpush job. ## Notes on using Logpush with IDS diff --git a/src/content/docs/cloudflare-one/insights/logs/logpush.mdx b/src/content/docs/cloudflare-one/insights/logs/logpush/index.mdx similarity index 91% rename from src/content/docs/cloudflare-one/insights/logs/logpush.mdx rename to src/content/docs/cloudflare-one/insights/logs/logpush/index.mdx index 732416664256c4a..960e75e677bc272 100644 --- a/src/content/docs/cloudflare-one/insights/logs/logpush.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/logpush/index.mdx @@ -4,16 +4,14 @@ title: Logpush integration tags: - Logging sidebar: - order: 8 + order: 2 --- -import { GlossaryTooltip, Render } from "~/components"; +import { GlossaryTooltip, Render, DirectoryListing, Plan } from "~/components"; -:::note -Only available on Enterprise plans. -::: + -With Cloudflare's [Logpush](/logs/logpush/) service, you can configure the automatic export of Zero Trust logs to third-party storage destinations or to third-party security information and event management (SIEM) solutions. Once exported, your team can analyze and audit the data as needed. +With Cloudflare's [Logpush](/logs/logpush/) service, you can configure the automatic export of Zero Trust logs to third-party storage destinations or to third-party security information and event management (SIEM) solutions. Once exported, your team can analyze and audit the data as needed. ## Export Zero Trust logs with Logpush @@ -30,7 +28,7 @@ To configure Logpush for Zero Trust logs: 5. Follow the service-specific instructions to configure and validate your destination. 6. Choose the [Zero Trust datasets](#zero-trust-datasets) to export. 7. Enter a **Job name**, any [filters](/logs/logpush/logpush-job/filters/) you would like to add, and the data fields you want to include in the logs. -8. (Optional) In **Advanced settings**, choose the timestamp format you prefer and whether you want to enable log sampling. +8. (Optional) In **Advanced settings**, choose the timestamp format you prefer and whether you want to turn on log sampling. 9. Select **Submit**. The setup of your Logpush integration is now complete. Logpush will send updated logs every five minutes to your selected destination. You can configure multiple destinations and add additional fields to your logs by returning to the **Logpush** page. @@ -39,7 +37,7 @@ For more information on supported destinations, refer to [Enable destinations](/ ## Zero Trust datasets -Refer to [Logpush datasets](/logs/logpush/logpush-job/datasets/) for a list of all available fields. +Logpush supports all [dashboard logs](/cloudflare-one/insights/logs/dashboard-logs/) as well as additional datasets not available in the Zero Trust UI. Refer to [Logpush datasets](/logs/logpush/logpush-job/datasets/) for a list of all available fields. | Dataset | Description | | ---------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -47,16 +45,16 @@ Refer to [Logpush datasets](/logs/logpush/logpush-job/datasets/) for a list of a | [Audit Logs](/logs/logpush/logpush-job/datasets/account/audit_logs/) | Authentication events through Cloudflare Access | | [Browser Isolation User Actions](/logs/logpush/logpush-job/datasets/account/biso_user_actions/) | Data transfer actions performed by a user in the remote browser | | [CASB Findings](/logs/logpush/logpush-job/datasets/account/casb_findings/) | Security issues detected by Cloudflare CASB | -| [Device Posture Results](/logs/logpush/logpush-job/datasets/account/device_posture_results/) | Device posture status from the Cloudflare One Client | -| [DEX Application Tests](/logs/logpush/logpush-job/datasets/account/dex_application_tests/) | Device application synthetic test results from the Cloudflare One Client | -| [DEX Device State Events](/logs/logpush/logpush-job/datasets/account/dex_device_state_events/) | Device event data like connectivity, CPU usage, and Disk I/O from the Cloudflare One Client | +| [Device Posture Results](/logs/logpush/logpush-job/datasets/account/device_posture_results/) | Device posture status from the Cloudflare One Client | +| [DEX Application Tests](/logs/logpush/logpush-job/datasets/account/dex_application_tests/) | Device application synthetic test results from the Cloudflare One Client | +| [DEX Device State Events](/logs/logpush/logpush-job/datasets/account/dex_device_state_events/) | Device event data like connectivity, CPU usage, and Disk I/O from the Cloudflare One Client | | [Gateway DNS](/logs/logpush/logpush-job/datasets/account/gateway_dns/) | DNS queries inspected by Cloudflare Gateway | | [Gateway HTTP](/logs/logpush/logpush-job/datasets/account/gateway_http/) | HTTP requests inspected by Cloudflare Gateway | | [Gateway Network](/logs/logpush/logpush-job/datasets/account/gateway_network/) | Network packets inspected by Cloudflare Gateway | | [MCP Portal Logs](/logs/logpush/logpush-job/datasets/account/mcp_portal_logs/) | Requests made through [MCP server portals](/cloudflare-one/access-controls/ai-controls/mcp-portals/) | | [SSH Logs](/logs/logpush/logpush-job/datasets/account/ssh_logs/) | SSH command logs for [Access for Infrastructure targets](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) | | [WARP Config Changes](/logs/logpush/logpush-job/datasets/account/warp_config_changes/) | Event logs that Cloudflare generates whenever a device changes [profiles](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) | -| [WARP Toggle Events](/logs/logpush/logpush-job/datasets/account/warp_toggle_changes/) | Event logs that Cloudflare generates whenever a device toggles the Cloudflare One Client on or off | +| [WARP Toggle Events](/logs/logpush/logpush-job/datasets/account/warp_toggle_changes/) | Event logs that Cloudflare generates whenever a device toggles the Cloudflare One Client on or off | | [Zero Trust Network Session Logs](/logs/logpush/logpush-job/datasets/account/zero_trust_network_sessions/) | Network session logs for traffic proxied by Cloudflare Gateway | ## Verify regional map application @@ -92,3 +90,7 @@ DNS query resource records are available in [Base64-encoded binary format](https "ResourceRecordsJSON": "[{\"name\":\"www.example.com\",\"type\":\"CNAME\",\"class\":\"IN\",\"ttl\":300,\"rdata\":\"example.com.\"},{\"name\":\"example.com\",\"type\":\"A\",\"class\":\"IN\",\"ttl\":300,\"rdata\":\"203.0.113.0\"}]" } ``` + +## Additional Logpush guides + + diff --git a/src/content/docs/cloudflare-one/insights/logs/filter-views.mdx b/src/content/docs/cloudflare-one/insights/logs/logpush/network-firewall-log-filters.mdx similarity index 98% rename from src/content/docs/cloudflare-one/insights/logs/filter-views.mdx rename to src/content/docs/cloudflare-one/insights/logs/logpush/network-firewall-log-filters.mdx index 6346b3b62d910d7..5bcd831488397ef 100644 --- a/src/content/docs/cloudflare-one/insights/logs/filter-views.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/logpush/network-firewall-log-filters.mdx @@ -1,6 +1,8 @@ --- -title: Filter different views +title: Network Firewall log filters pcx_content_type: how-to +sidebar: + order: 3 --- import { APIRequest } from "~/components"; From 6c71c16cc3dd6e1591599f342c8463568c1a7c41 Mon Sep 17 00:00:00 2001 From: noelle Date: Fri, 20 Mar 2026 14:11:17 -0700 Subject: [PATCH 2/4] Add new log viewer UI documentation for Access and Gateway logs - Add beta-flagged 'Log viewer' section to access-authentication-logs.mdx - Add beta-flagged 'Log viewer' section to gateway-logs/index.mdx - Document new capabilities: field filtering, column customization, timestamp details view, and classic UI toggle --- .../dashboard-logs/access-authentication-logs.mdx | 13 ++++++++++++- .../logs/dashboard-logs/gateway-logs/index.mdx | 13 ++++++++++++- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs.mdx index 3ac084292200012..195ada96a1176b3 100644 --- a/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs.mdx @@ -9,7 +9,18 @@ description: Use Access authentication logs to review authentication events and requests to protected URI paths and infrastructure targets. --- -import { GlossaryTooltip, TabItem, Tabs, APIRequest } from "~/components"; +import { GlossaryTooltip, TabItem, Tabs, APIRequest, InlineBadge } from "~/components"; + +## Log viewer + +Access authentication logs use an updated log viewer with the following capabilities: + +- **Filter by field** - Select any field value to add it as a filter. +- **Customize columns** - Choose which fields to display in the log table. Querying for fewer fields improves log loading performance. +- **View details** - Select a timestamp to view the full details of a log entry. +- **Switch to classic view** - Select **Use old UI** to return to the previous log viewer. + +## Log types Cloudflare Access generates two types of audit logs: diff --git a/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx index b70aeafaa76b9ab..93a4c1bb9f7b489 100644 --- a/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx @@ -8,7 +8,18 @@ sidebar: description: Review DNS queries, network traffic, and HTTP requests inspected by Gateway. --- -import { Render, GlossaryTooltip, DirectoryListing } from "~/components"; +import { Render, GlossaryTooltip, DirectoryListing, InlineBadge } from "~/components"; + +## Log viewer + +Gateway activity logs use an updated log viewer with the following capabilities: + +- **Filter by field** - Select any field value to add it as a filter. +- **Customize columns** - Choose which fields to display in the log table. Querying for fewer fields improves log loading performance. +- **View details** - Select a timestamp to view the full details of a log entry. +- **Switch to classic view** - Select **Use old UI** to return to the previous log viewer. + +## Overview :::note[Private source IP substitution] From f79d6ad04e2fc8d97fe7dc06fb1268cf7f23dc35 Mon Sep 17 00:00:00 2001 From: noelle Date: Mon, 30 Mar 2026 15:59:18 -0700 Subject: [PATCH 3/4] Address PR feedback: remove navigation instructions from dashboard-logs index The 'Go to Insights > Logs' instruction doesn't apply to all logs in this section (e.g., Tunnel audit logs are in the account dashboard). Removed the specific navigation path to avoid confusion. --- .../docs/cloudflare-one/insights/logs/dashboard-logs/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/index.mdx b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/index.mdx index 253f7a90befdfc4..308ec88a79a9987 100644 --- a/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/index.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/index.mdx @@ -10,7 +10,7 @@ head: import { DirectoryListing } from "~/components"; -The following logs are available in the [Zero Trust dashboard](https://one.dash.cloudflare.com/). Go to **Insights** > **Logs** to view activity for your organization. +The following logs are available in the [Zero Trust dashboard](https://one.dash.cloudflare.com/). From e84b90cd010239d0a0fdfc254b965d7a95acb0f7 Mon Sep 17 00:00:00 2001 From: noelle Date: Mon, 30 Mar 2026 16:00:36 -0700 Subject: [PATCH 4/4] Address PR feedback: improve log viewer documentation - Remove navigation instructions from dashboard-logs/index.mdx (doesn't apply to all logs like Tunnel audit logs) - Replace 'Log viewer' header with introductory paragraph in access-authentication-logs.mdx - Reorganize gateway-logs/index.mdx to start with overview of what Gateway activity logs are and where to find them, then move log viewer section further down the page --- .../access-authentication-logs.mdx | 11 +---------- .../dashboard-logs/gateway-logs/index.mdx | 19 ++++++------------- 2 files changed, 7 insertions(+), 23 deletions(-) diff --git a/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs.mdx index 195ada96a1176b3..37e67973a4d7646 100644 --- a/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs.mdx @@ -11,16 +11,7 @@ description: Use Access authentication logs to review authentication events and import { GlossaryTooltip, TabItem, Tabs, APIRequest, InlineBadge } from "~/components"; -## Log viewer - -Access authentication logs use an updated log viewer with the following capabilities: - -- **Filter by field** - Select any field value to add it as a filter. -- **Customize columns** - Choose which fields to display in the log table. Querying for fewer fields improves log loading performance. -- **View details** - Select a timestamp to view the full details of a log entry. -- **Switch to classic view** - Select **Use old UI** to return to the previous log viewer. - -## Log types +Access authentication logs use an updated log viewer with the following capabilities: filter by field, customize columns, view details by selecting a timestamp, and switch to the classic view. Querying for fewer fields improves log loading performance. Cloudflare Access generates two types of audit logs: diff --git a/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx index 93a4c1bb9f7b489..a11d7e6026db6ab 100644 --- a/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx @@ -10,16 +10,13 @@ description: Review DNS queries, network traffic, and HTTP requests inspected by import { Render, GlossaryTooltip, DirectoryListing, InlineBadge } from "~/components"; -## Log viewer +Gateway activity logs show the individual DNS queries, Network packets, and HTTP requests inspected by Gateway. You can also download encrypted [SSH command logs](/cloudflare-one/insights/logs/dashboard-logs/ssh-command-logs/) for sessions proxied by Gateway. -Gateway activity logs use an updated log viewer with the following capabilities: +To view Gateway activity logs, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Insights** > **Logs** and choose a type of Gateway log. Select an individual row to investigate the event in more detail. -- **Filter by field** - Select any field value to add it as a filter. -- **Customize columns** - Choose which fields to display in the log table. Querying for fewer fields improves log loading performance. -- **View details** - Select a timestamp to view the full details of a log entry. -- **Switch to classic view** - Select **Use old UI** to return to the previous log viewer. +Enterprise users can generate more detailed logs with [Logpush](/cloudflare-one/insights/logs/logpush/). -## Overview + :::note[Private source IP substitution] @@ -27,13 +24,9 @@ Gateway logs will only show the public IP address for the **Source IP** field. P ::: -Gateway activity logs show the individual DNS queries, Network packets, and HTTP requests inspected by Gateway. You can also download encrypted [SSH command logs](/cloudflare-one/insights/logs/dashboard-logs/ssh-command-logs/) for sessions proxied by Gateway. - -To view Gateway activity logs, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Insights** > **Logs** and choose a type of Gateway log. Select an individual row to investigate the event in more detail. - -Enterprise users can generate more detailed logs with [Logpush](/cloudflare-one/insights/logs/logpush/). +## Log viewer - +Gateway activity logs use an updated log viewer with the following capabilities: filter by field, customize columns, view details by selecting a timestamp, and switch to the classic view. Querying for fewer fields improves log loading performance. ## Selective logging