Logs are provided in a newline-delimited JavaScript Object Notation (NDJSON) format. Three types of logs are available that are described in detail below:
HTTP
Field | Description |
HTTP Host | Hostname in the HTTP header for the HTTP request. |
Email address alias associated with the user who made the HTTP request. This is generated by the WARP client. | |
Action | The Gateway Action taken based on the first rule that matched (for example, Allow or Block). |
Datetime | Date and time of the HTTP request. |
URL | Full URL of the HTTP request. |
Referer | Referer request header containing the address of the page making the request. |
HTTP Version | HTTP version of the origin that Gateway connected to on behalf of the user. |
HTTP Method | HTTP method used for the request (for example, GET or POST). |
HTTP Status Code | HTTP status code returned in the response. |
Destination IP | Public IP address of the destination requested. |
Destination Port | Port of the destination requested. |
User Agent | User-agent header sent in the request by the originating device. |
Untrusted Certificate Action | Action taken when an untrusted origin certificate error occurs (for example, expired certificate, mismatched common name, invalid certificate chain, signed by non-public CA). One of none, block, error, or passThrough. |
SessionID | The session identifier of this network session. |
Network
Field | Description |
Destination IP | IP address of the packet's target. |
Destination Port | Port of the packet's target. |
Action | The Gateway Action taken based on the first rule that matched (for example, Allow or Block). |
Session ID | ID of the unique session. |
Datetime | Date and time of the session. |
Source Port | Source port number for the packet. |
SNI | Host whose Server Name Indication (SNI) header Gateway will filter traffic against. |
Email address alias associated with the user sending the packet. | |
OverrideIP | Overridden IP of the network session, if any. |
OverridePort | Overridden port of the network session, if any. |
Transport | Transport protocol used for this session. Possible values are tcp, quic, and udp. |
Network Session
Field | Description |
BytesReceived | The number of bytes sent from the origin to the client during the network session. |
BytesSent | The number of bytes sent from the client to the origin during the network session. |
ClientTCPHandshakeDurationMs | Duration of handshaking the TCP connection between the client and Cloudflare in milliseconds. |
ClientTLSCipher | TLS cipher suite used in the connection between the client and Cloudflare. |
ClientTLSHandshakeDurationMs | Duration of handshaking the TLS connection between the client and Cloudflare in milliseconds. |
ClientTLSVersion | TLS protocol version used in the connection between the client and Cloudflare. |
ConnectionCloseReason | The reason for closing the connection, only applicable for TCP. Possible values are clientClosed, originClosed, timeout, clientTcpError, clientTlsError, originTcpError and originTlsError. |
ConnectionReuse | Whether the TCP connection was reused for multiple HTTP requests. |
EgressColoName | The name of the Cloudflare colocation from which traffic egressed to the origin. |
EgressIP | Source IP used when egressing traffic from Cloudflare to the origin. |
EgressPort | Source port used when egressing traffic from Cloudflare to the origin. |
Email address alias associated with the user who initiated the network session. | |
IngressColoName | The name of the Cloudflare colocation to which traffic is ingressed. |
Offramp | The type of destination to which the network session was routed. Possible values are internet, magic, cfd_tunnel and WARP. |
OriginIP | The IP of the destination origin for the network session. |
OriginPort | The port of the destination origin for the network session. |
OriginTLSCertificateIssuer | The issuer of the origin TLS certificate. |
OriginTLSCertificateValidationResult | The result of validating the TLS certificate of the origin. Possible values are valid, expired, revoked, and hostnameMismatch. |
OriginTLSCipher | TLS cipher suite used in the connection between Cloudflare and the origin. |
OriginTLSHandshakeDurationMs | Duration of handshaking the TLS connection between Cloudflare and the origin in milliseconds. |
OriginTLSVersion | TLS protocol version used in the connection between Cloudflare and the origin. |
Protocol | Network protocol used for this network session. Possible values are tcp, udp, icmp, and icmpv6. |
SessionEndTime | The network session end timestamp with nanosecond precision. |
SessionID | The identifier of this network session. |
SessionStartTime | The network session start timestamp with nanosecond precision. |