SIEM integration with Cloudflare


Muhammad Ali Khan

Feb 18, 2025, 7:15:36 AM
to Wazuh | Mailing List

Yuriy Medvedev

Feb 18, 2025, 7:26:10 AM
to Muhammad Ali Khan, Wazuh | Mailing List
You can use the Cloudflare API.

===
With best wishes
Yuriy Medvedev


On Tue, 18 Feb 2025 at 4:15 PM Muhammad Ali Khan <alikha...@gmail.com> wrote:


Muhammad Ali Khan

Feb 18, 2025, 7:38:50 AM
to Yuriy Medvedev, Wazuh | Mailing List
Thanks. Are all types of logs sent through the API? Please share more guidance if you have any document.

Md. Nazmur Sakib

Feb 18, 2025, 8:01:41 AM
to Wazuh | Mailing List

Hi Muhammad,


You can configure Cloudflare to push the logs to a storage service: https://developers.cloudflare.com/logs/get-started/enable-destinations/

Then you can forward logs from AWS, Microsoft Azure, or GCP services:
https://documentation.wazuh.com/current/monitoring.html#cloud-security

Also, you can read this blog; it can be useful:
https://blog.cloudflare.com/stream-firewall-events-directly-to-your-siem/

Let me know if you need any further information.

Hitesh Rahangdale

Feb 18, 2025, 9:59:41 AM
to Yuriy Medvedev, Muhammad Ali Khan, Wazuh | Mailing List
Use the Cloudflare Logpush feature to forward logs to storage like an AWS S3 bucket; otherwise you just need to add the right auth key.

Once the logs are forwarded to the S3 bucket or storage, configure it on Wazuh.


ali khan

Feb 18, 2025, 12:07:13 PM
to Wazuh | Mailing List
Dear Nazmur Sakib,

I have the free plan of Cloudflare. As you know, Logpush and Logpull are available for the Enterprise plan. As per my search, there are three ways to send logs to Wazuh:
1st: Custom API for manually fetching logs
2nd: HTTP: send logs from Cloudflare to any other cloud platform and then forward them to Wazuh via Logstash/Filebeat
3rd: Integrate Cloudflare's firewall logging with a SIEM (Sumo Logic) using Terraform
Maybe I am wrong, because I am fresh and trying my best in this; kindly correct/guide me in this scenario.

Sathya Narayana Bhat

Feb 19, 2025, 1:10:30 AM
to Wazuh | Mailing List
Hi,
As specified above, the Logpush and Logpull features are available for Enterprise plans only, so one method I tried was only for audit logs. But I guess this should work for Logpush too.
1. Make a cron job on your Wazuh machine/cluster which essentially requests Cloudflare's Get Audit Logs API [for audit logs ONLY] (but the same would work for the Logpush/Logpull APIs too); it can be run periodically [like every 1 hr or 1 day] and store the result in a JSON file.
2. Modify the local config of the Wazuh manager: you can add the following localfile (ref [wazuh]), in which you can configure the frequency according to the frequency of the cron job, and specify only-future-events as no to ensure that all data from the API is consumed.
3. Create rules and decoders for the same.

Hope this helps.

Muhammad Ali Khan

Feb 19, 2025, 11:33:39 PM
to Sathya Narayana Bhat, Wazuh | Mailing List
Dear all, I tried my best but failed. As I said, I want to send logs directly from the Cloudflare free plan (not via AWS) to my SIEM solution (Wazuh) from my free Cloudflare account, while Logpush and Logpull are both for the Enterprise plan. So please suggest the right path: how do I send the logs of my domain from Cloudflare to my SIEM solution on the free Cloudflare plan (or the Pro plan if it is not possible on the free plan)?

Yuriy Medvedev

Feb 19, 2025, 11:39:09 PM
to Muhammad Ali Khan, Sathya Narayana Bhat, Wazuh | Mailing List
Create a custom script for pulling logs from Cloudflare via the API and push them to S3 or directly to Wazuh; use the JSON decoder and write custom rules for detection.


On 20 Feb 2025, at 08:33, Muhammad Ali Khan <alikha...@gmail.com> wrote:

Dear all, I tried my best but failed. As I said, I want to send logs directly from cloudflare free plan (not via AWS) to my SIEM solution(Wazuh) from my free account of cloudflare , while logpush and logpull both are for enterprise plan. so please suggest the right path, how i send logs of my domain from cloudflare to my SIEM solution from free plan cloudflare or (pro plan if not possible at free plan )
<image.png>
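The cron-job pull that Sathya outlines above (fetch the audit logs API on a schedule, write a JSON file, tail it with a localfile that has only-future-events set to no) and the custom script plus JSON decoder that Yuriy suggests, as an added example that is not part of this thread or of the Wazuh or Cloudflare projects. It assumes the Cloudflare v4 endpoint GET /accounts/{account_id}/audit_logs with since/before parameters and a Bearer API token, assumes the record field names it flattens (check them against a real response), and uses hypothetical file paths. The sample response and the fake opener are constructed so the script runs offline; in production call collect() without the opener argument from cron.

```python
"""Pull Cloudflare account audit logs into an NDJSON file for Wazuh to tail.

Added example, not from this thread or from the Wazuh/Cloudflare projects.
Assumptions to check against your account: the endpoint
GET https://api.cloudflare.com/client/v4/accounts/{account_id}/audit_logs
accepts since/before (RFC 3339) with a Bearer API token and returns
{"success": true, "result": [...]}; the record fields read below are assumed.
"""
import io
import json
import os
import tempfile
import urllib.request
from datetime import datetime, timedelta, timezone

CF_API = "https://api.cloudflare.com/client/v4"
TS = "%Y-%m-%dT%H:%M:%SZ"

# Matching ossec.conf fragment on the Wazuh manager (hypothetical path;
# only-future-events=no so lines written while the agent was down are still read):
#   <localfile>
#     <log_format>json</log_format>
#     <location>/var/ossec/logs/cloudflare_audit.json</location>
#     <only-future-events>no</only-future-events>
#   </localfile>


def fetch_audit_logs(account_id, token, since, before, opener=urllib.request.urlopen):
    """Return the audit records in the since..before window (one page; add
    paging on `page` if a run can exceed per_page records)."""
    url = (f"{CF_API}/accounts/{account_id}/audit_logs"
           f"?since={since}&before={before}&per_page=1000")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with opener(req) as resp:
        body = json.load(resp)
    if not body.get("success"):
        raise RuntimeError(f"Cloudflare API error: {body.get('errors')}")
    return body["result"]


def flatten(record):
    """Flatten one nested record so the Wazuh JSON decoder exposes keys such as
    cloudflare.actor_email, which custom rules can match with <field>."""
    action = record.get("action") or {}
    actor = record.get("actor") or {}
    res = record.get("resource") or {}
    return {"cloudflare": {
        "id": record.get("id"), "when": record.get("when"),
        "action_type": action.get("type"), "action_result": action.get("result"),
        "actor_email": actor.get("email"), "actor_ip": actor.get("ip"),
        "resource_type": res.get("type"), "resource_id": res.get("id"),
    }}


def load_state(path, now, default_hours=1):
    """Last window end plus the ids written in that window (first run: 1 h back)."""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    return {"since": (now - timedelta(hours=default_hours)).strftime(TS), "seen": []}


def collect(account_id, token, state_path, out_path, now=None,
            opener=urllib.request.urlopen):
    """One cron run: fetch since the last run, append new records as NDJSON,
    skip ids already written (window edges can overlap), advance the state.
    Returns the number of lines appended."""
    now = now or datetime.now(timezone.utc)
    state = load_state(state_path, now)
    before = now.strftime(TS)
    records = fetch_audit_logs(account_id, token, state["since"], before, opener)
    seen, written = set(state["seen"]), 0
    with open(out_path, "a", encoding="utf-8") as fh:
        for rec in records:
            if rec.get("id") in seen:
                continue
            fh.write(json.dumps(flatten(rec), separators=(",", ":")) + "\n")
            written += 1
    with open(state_path, "w", encoding="utf-8") as fh:
        json.dump({"since": before, "seen": [r.get("id") for r in records]}, fh)
    return written


# Constructed sample response (not real Cloudflare data) and a fake opener so the
# script can be exercised offline.
SAMPLE = {"success": True, "errors": [], "result": [
    {"id": "a1", "when": "2025-02-19T10:00:00Z",
     "action": {"type": "add", "result": True},
     "actor": {"email": "admin@example.com", "ip": "203.0.113.5"},
     "resource": {"type": "dns_record", "id": "r1"}},
    {"id": "a2", "when": "2025-02-19T10:05:00Z",
     "action": {"type": "delete", "result": True},
     "actor": {"email": "admin@example.com", "ip": "203.0.113.5"},
     "resource": {"type": "dns_record", "id": "r2"}},
]}


def fake_opener(req):
    return io.BytesIO(json.dumps(SAMPLE).encode())


def run_sample():
    """Two consecutive runs over the same sample: the second sees the same
    records again and must append nothing. Returns (first, second, lines)."""
    with tempfile.TemporaryDirectory() as tmp:
        state, out = os.path.join(tmp, "state.json"), os.path.join(tmp, "audit.json")
        t = datetime(2025, 2, 19, 11, 0, tzinfo=timezone.utc)
        first = collect("acct", "token", state, out, now=t, opener=fake_opener)
        second = collect("acct", "token", state, out, now=t + timedelta(hours=1),
                         opener=fake_opener)
        with open(out, encoding="utf-8") as fh:
            lines = [json.loads(line) for line in fh]
    return first, second, lines


if __name__ == "__main__":
    print(run_sample())
```

Schedule `collect()` from cron at the same interval the localfile is polled, keep the API token in a file readable only by the user the job runs as rather than in the crontab line, and point a rule at the flattened keys (for example `cloudflare.action_type` equal to `delete` on `cloudflare.resource_type` `dns_record`) once the decoder shows them in the alert.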

Sathya Narayana Bhat

Feb 20, 2025, 1:14:50 AM
to Wazuh | Mailing List
Hi Muhammad Ali Khan,

What kind of Cloudflare logs are you expecting in your SIEM instance?
- Audit logs [as in who modified what in your DNS records and/or Cloudflare account settings]: that API is available in the free version.
- HTTP traffic logs: for that you can use Cloudflare Log Explorer [which is in beta currently (requires additional signup) and has APIs] or Logpush [which is for Enterprise only].
- If you want both together but cannot have Logpush or Cloudflare Log Explorer, you can implement an ingress controller, for example Ambassador, taking HTTP logs from Ambassador [via syslog] and audit logs as in point 1 itself.
And to integrate the logs from these APIs, check out my previous comment.

Hope this helps.