Cloudflare integration


Asmit Desai

Jun 17, 2026, 9:22:14 AM
to Wazuh | Mailing List
Hi Team,
Just wanted to ask how I can integrate Cloudflare with Wazuh without pushing it onto a cloud storage.
Is there a way of using the Logpush API and directly integrating into Wazuh using the <remote> tag in the ossec.conf file?

Oluwaseyi Soneye

Jun 17, 2026, 10:40:58 AM
to Wazuh | Mailing List
Hello,

Direct integration using only Cloudflare Logpush and the Wazuh <remote> block is not really possible in the way you described. This is because Wazuh does not expose a native Cloudflare Logpush HTTP ingestion endpoint.

However, you can still achieve this without pushing logs to cloud storage by using a lightweight HTTP receiver in the middle.

1. Run a lightweight HTTP receiver on a server reachable by Cloudflare, for example a small Python service. This receiver should listen for Cloudflare Logpush POST requests and append the NDJSON payload to a local log file, for example: /var/log/cloudflare/cf_logpush.json
Cloudflare Logpush supports HTTP destinations, but the endpoint must be available over HTTPS, use a trusted certificate, and accept POST requests. You should also add authentication, for example by using a secret token in a header or URL parameter.

2. In Cloudflare, configure a Logpush job with HTTP as the destination and point it to your receiver endpoint.

3. On the same system where the log file is written, configure the Wazuh agent to monitor the file using <localfile>:
<localfile>
  <log_format>json</log_format>
  <location>/var/log/cloudflare/cf_logpush.json</location>
</localfile>
Then restart the Wazuh agent: sudo systemctl restart wazuh-agent


Alternative option:
If the environment cannot use Cloudflare Logpush to HTTP, another approach is to run a scheduled script or cron job that periodically pulls relevant Cloudflare logs/events from the Cloudflare API and writes them to a local JSON file. The same Wazuh <localfile> configuration can then be used to ingest the logs.

So, in summary, you can avoid cloud storage, but not by sending Cloudflare Logpush directly into Wazuh using only <remote>. You would need a middleware/receiver that accepts the Cloudflare HTTP payload and writes it to a file monitored by Wazuh.

You can also check out this post by a community user: https://lux10n.medium.com/monitoring-cloudflare-events-with-wazuh-for-better-incident-response-6645b8d2bbe8

Hope this helps!

References:
Cloudflare Logpush HTTP destination: https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/http/
Cloudflare Logpush output options: https://developers.cloudflare.com/logs/logpush/logpush-job/log-output-options/
Wazuh <localfile> configuration: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html
Wazuh log file monitoring: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/monitoring-log-files.html
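
An added example of the receiver described in step 1 of the reply above; it is not code from the thread, from Wazuh, or from Cloudflare. Assumptions: the header name X-Logpush-Token, the LOGPUSH_TOKEN environment variable, port 8088, gzip-compressed batches signalled by Content-Encoding, and a reverse proxy with a trusted certificate terminating HTTPS in front of it.

```python
import gzip, hmac, io, json, os, zlib
from http.server import BaseHTTPRequestHandler, HTTPServer

LOG_PATH = "/var/log/cloudflare/cf_logpush.json"  # file watched by <localfile>
TOKEN = os.environ.get("LOGPUSH_TOKEN", "")       # shared secret (assumed env var)
MAX_BODY = 16 * 1024 * 1024                       # cap on compressed and decompressed size

def process_batch(token, encoding, body, expected_token, out_path):
    """Return (http_status, records_written) for one Logpush POST."""
    # Constant-time comparison; an unset secret rejects every request.
    if not expected_token or not hmac.compare_digest(token.encode(), expected_token.encode()):
        return 401, 0
    if len(body) > MAX_BODY:
        return 413, 0
    if encoding == "gzip":
        try:  # bounded read so a decompression bomb is cut off
            body = gzip.GzipFile(fileobj=io.BytesIO(body)).read(MAX_BODY + 1)
        except (OSError, EOFError, zlib.error):
            return 400, 0
        if len(body) > MAX_BODY:
            return 413, 0
    records = []
    for line in body.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            return 400, 0  # reject the whole batch, write nothing
        if isinstance(obj, dict):  # re-serialise: exactly one record per line
            records.append(json.dumps(obj, separators=(",", ":")))
    if records:
        with open(out_path, "a", encoding="utf-8") as fh:
            fh.write("\n".join(records) + "\n")
    return 200, len(records)

class Receiver(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(min(length, MAX_BODY + 1))
        status, _ = process_batch(self.headers.get("X-Logpush-Token", ""),
                                  self.headers.get("Content-Encoding", ""),
                                  body, TOKEN, LOG_PATH)
        self.send_response(status)
        self.end_headers()

if __name__ == "__main__":
    # Loopback only: the TLS-terminating proxy is the internet-facing side.
    HTTPServer(("127.0.0.1", 8088), Receiver).serve_forever()
```

Re-serialising each record keeps a crafted payload from smuggling extra lines into the file the Wazuh agent reads, and rejecting a batch with a non-200 status leaves retry handling to the sender.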