This page describes hacker traffic logs that are available to download or sync to your data storage. See this page for instructions on how to obtain these logs.
Logs are provided in a newline-delimited JavaScript Object Notation (NDJSON) format. Three types of logs are available that are described in detail below:
HTTP
Field | Description |
HTTP Host | Hostname in the HTTP header for the HTTP request. |
Email address alias associated with the user who made the HTTP request. This is generated by the WARP client. | |
Action | The Gateway Action taken based on the first rule that matched (for example, Allow or Block). |
Datetime | Date and time of the HTTP request. |
URL | Full URL of the HTTP request. |
Referer | Referer request header containing the address of the page making the request. |
HTTP Version | HTTP version of the origin that Gateway connected to on behalf of the user. |
HTTP Method | HTTP method used for the request (for example, GET or POST). |
HTTP Status Code | HTTP status code returned in the response. |
Destination IP | Public IP address of the destination requested. |
Destination Port | Port of the destination requested. |
User Agent | User-agent header sent in the request by the originating device. |
Untrusted Certificate Action | Action taken when an untrusted origin certificate error occurs (for example, expired certificate, mismatched common name, invalid certificate chain, signed by non-public CA). One of none, block, error, or passThrough. |
SessionID | The session identifier of this network session. |
Network
Field | Description |
Destination IP | IP address of the packet's target. |
Destination Port | Port of the packet's target. |
Action | The Gateway Action taken based on the first rule that matched (for example, Allow or Block). |
Session ID | ID of the unique session. |
Datetime | Date and time of the session. |
Source Port | Source port number for the packet. |
SNI | Host whose Server Name Indication (SNI) header Gateway will filter traffic against. |
Email address alias associated with the user sending the packet. | |
OverrideIP | Overridden IP of the network session, if any. |
OverridePort | Overridden port of the network session, if any. |
Transport | Transport protocol used for this session. Possible values are tcp, quic, and udp. |
Network Session
Field | Description |
BytesReceived | The number of bytes sent from the origin to the client during the network session. |
BytesSent | The number of bytes sent from the client to the origin during the network session. |
ClientTCPHandshakeDurationMs | Duration of handshaking the TCP connection between the client and Cloudflare in milliseconds. |
ClientTLSCipher | TLS cipher suite used in the connection between the client and Cloudflare. |
ClientTLSHandshakeDurationMs | Duration of handshaking the TLS connection between the client and Cloudflare in milliseconds. |
ClientTLSVersion | TLS protocol version used in the connection between the client and Cloudflare. |
ConnectionCloseReason | The reason for closing the connection, only applicable for TCP. Possible values are clientClosed, originClosed, timeout, clientTcpError, clientTlsError, originTcpError and originTlsError. |
ConnectionReuse | Whether the TCP connection was reused for multiple HTTP requests. |
EgressColoName | The name of the Cloudflare colocation from which traffic egressed to the origin. |
EgressIP | Source IP used when egressing traffic from Cloudflare to the origin. |
EgressPort | Source port used when egressing traffic from Cloudflare to the origin. |
Email address alias associated with the user who initiated the network session. | |
IngressColoName | The name of the Cloudflare colocation to which traffic is ingressed. |
Offramp | The type of destination to which the network session was routed. Possible values are internet, magic, cfd_tunnel and WARP. |
OriginIP | The IP of the destination origin for the network session. |
OriginPort | The port of the destination origin for the network session. |
OriginTLSCertificateIssuer | The issuer of the origin TLS certificate. |
OriginTLSCertificateValidationResult | The result of validating the TLS certificate of the origin. Possible values are valid, expired, revoked, and hostnameMismatch. |
OriginTLSCipher | TLS cipher suite used in the connection between Cloudflare and the origin. |
OriginTLSHandshakeDurationMs | Duration of handshaking the TLS connection between Cloudflare and the origin in milliseconds. |
OriginTLSVersion | TLS protocol version used in the connection between Cloudflare and the origin. |
Protocol | Network protocol used for this network session. Possible values are tcp, udp, icmp, and icmpv6. |
SessionEndTime | The network session end timestamp with nanosecond precision. |
SessionID | The identifier of this network session. |
SessionStartTime | The network session start timestamp with nanosecond precision. |