Skip to main content
Gateway Traffic Logs

Organizations: Hacker traffic logs available to download or sync

Updated over a week ago

Logs are provided in a newline-delimited JavaScript Object Notation (NDJSON) format. Three types of logs are available that are described in detail below:

HTTP

Field

Description

HTTP Host

Hostname in the HTTP header for the HTTP request.

Email

Email address alias associated with the user who made the HTTP request. This is generated by the WARP client.

Action

The Gateway Action taken based on the first rule that matched (for example, Allow or Block).

Datetime

Date and time of the HTTP request.

URL

Full URL of the HTTP request.

Referer

Referer request header containing the address of the page making the request.

HTTP Version

HTTP version of the origin that Gateway connected to on behalf of the user.

HTTP Method

HTTP method used for the request (for example, GET or POST).

HTTP Status Code

HTTP status code returned in the response.

Destination IP

Public IP address of the destination requested.

Destination Port

Port of the destination requested.

User Agent

User-agent header sent in the request by the originating device.

Untrusted Certificate Action

Action taken when an untrusted origin certificate error occurs (for example, expired certificate, mismatched common name, invalid certificate chain, signed by non-public CA). One of none, block, error, or passThrough.

SessionID

The session identifier of this network session.

Network

Field

Description

Destination IP

IP address of the packet's target.

Destination Port

Port of the packet's target.

Action

The Gateway Action taken based on the first rule that matched (for example, Allow or Block).

Session ID

ID of the unique session.

Datetime

Date and time of the session.

Source Port

Source port number for the packet.

SNI

Host whose Server Name Indication (SNI) header Gateway will filter traffic against.

Email

Email address alias associated with the user sending the packet.

OverrideIP

Overridden IP of the network session, if any.

OverridePort

Overridden port of the network session, if any.

Transport

Transport protocol used for this session. Possible values are tcp, quic, and udp.

Network Session

Field

Description

BytesReceived

The number of bytes sent from the origin to the client during the network session.

BytesSent

The number of bytes sent from the client to the origin during the network session.

ClientTCPHandshakeDurationMs

Duration of handshaking the TCP connection between the client and Cloudflare in milliseconds.

ClientTLSCipher

TLS cipher suite used in the connection between the client and Cloudflare.

ClientTLSHandshakeDurationMs

Duration of handshaking the TLS connection between the client and Cloudflare in milliseconds.

ClientTLSVersion

TLS protocol version used in the connection between the client and Cloudflare.

ConnectionCloseReason

The reason for closing the connection, only applicable for TCP. Possible values are clientClosed, originClosed, timeout, clientTcpError, clientTlsError, originTcpError and originTlsError.

ConnectionReuse

Whether the TCP connection was reused for multiple HTTP requests.

EgressColoName

The name of the Cloudflare colocation from which traffic egressed to the origin.

EgressIP

Source IP used when egressing traffic from Cloudflare to the origin.

EgressPort

Source port used when egressing traffic from Cloudflare to the origin.

Email

Email address alias associated with the user who initiated the network session.

IngressColoName

The name of the Cloudflare colocation to which traffic is ingressed.

Offramp

The type of destination to which the network session was routed. Possible values are internet, magic, cfd_tunnel and WARP.

OriginIP

The IP of the destination origin for the network session.

OriginPort

The port of the destination origin for the network session.

OriginTLSCertificateIssuer

The issuer of the origin TLS certificate.

OriginTLSCertificateValidationResult

The result of validating the TLS certificate of the origin. Possible values are valid, expired, revoked, and hostnameMismatch.

OriginTLSCipher

TLS cipher suite used in the connection between Cloudflare and the origin.

OriginTLSHandshakeDurationMs

Duration of handshaking the TLS connection between Cloudflare and the origin in milliseconds.

OriginTLSVersion

TLS protocol version used in the connection between Cloudflare and the origin.

Protocol

Network protocol used for this network session. Possible values are tcp, udp, icmp, and icmpv6.

SessionEndTime

The network session end timestamp with nanosecond precision.

SessionID

The identifier of this network session.

SessionStartTime

The network session start timestamp with nanosecond precision.

Did this answer your question?