Connecting Cloudflare logs to your Panther Console
Panther supports ingesting Cloudflare logs via Cloudflare's Logpush service, which streams logs directly to an Amazon Web Services (AWS) S3 bucket.
- Create a new S3 bucket in your AWS account.
- We recommend creating a new S3 bucket specifically for Cloudflare logs. You can use the default settings.
- Please note the region that you are creating it in, as you will need to provide it to Cloudflare.
When choosing the dataset type for your Logpush job, note that Cloudflare has options for Account-scoped data and Zone-scoped data. Audit logs are Account-scoped, whereas Firewall, HttpRequest, and Spectrum are Zone-scoped. The screenshots in this guide demonstrate how to configure Audit logs.
1. Navigate to your Cloudflare dashboard, then go to Analytics > Logs.
2. Click Add Logpush job next to the dataset type you want to set up.
3. Click Select on the dataset you want to choose.
4. Scroll down and click Next.
5. Select the fields that you want to include. We recommend that you click the checkbox to select "All fields."
   - The When and ResourceType fields are included by default and are required by Panther. Do not unselect these fields.
6. Click Next.
7. Under "Select a destination," locate the Amazon S3 tile and click Select.
8. Scroll down and click Next.
9. Configure the destination fields:
   - Bucket path: Enter the name of the S3 bucket you created earlier in this documentation.
   - Daily subfolders: Choose Yes if you want to organize logs into daily subfolders.
   - Bucket region: Select the region that you created your S3 bucket in. To verify the region, navigate to your S3 bucket's Properties.
   - Encryption constraint in bucket policy: Set to "Yes" if you enabled SSE encryption on your S3 bucket.
   - In the "Grant Cloudflare access to upload files to your bucket" section, copy the IAM policy that Cloudflare provides. You will need it in the next steps to give Cloudflare access to put objects in your bucket.
10. In a separate browser tab, navigate to your AWS account and go to the S3 bucket settings.
11. At the top of the page, click the Permissions tab.
12. Scroll down to the Bucket policy section. On the right side of the tile, click Edit. In the text editor, paste the bucket policy you copied from the earlier steps.
13. Click Save.
14. Navigate back to the Cloudflare dashboard, and click Validate Access.
    - Cloudflare will now write an object to your S3 bucket containing an ownership challenge, which you must provide back to Cloudflare in the next steps.
15. Navigate back to your S3 bucket in AWS.
16. Find and download the ownership challenge file, then open it.
17. Copy the contents of the ownership challenge file. You will need this in the next steps.
18. Navigate back to your Cloudflare dashboard. In the Ownership token field, paste in the contents of the ownership challenge file.
19. Click Save.
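The bucket policy in steps 9 through 13 is pasted into the bucket's permissions verbatim, so it is worth checking that it grants nothing beyond object uploads into the log bucket before you save it. The following checker is an added example, not Panther or Cloudflare code: it parses a bucket policy document and reports any Allow statement whose actions go beyond s3:PutObject, whose resources are not object paths in the named bucket, or whose principal is a wildcard. The two sample policies, the bucket name, and the placeholder principal ARN are constructed for the example; the real principal comes from the Cloudflare dashboard.

```python
import json


def _as_list(value):
    """Action, Resource and Principal may be a scalar or a list in policy JSON."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy_text, bucket_name, allowed_actions=frozenset({"s3:PutObject"})):
    """Return a list of findings; an empty list means the policy is within expectations.

    Each Allow statement is checked against three expectations:
      1. its actions are limited to `allowed_actions`;
      2. its resources are object paths inside `bucket_name` (arn:aws:s3:::<bucket>/...);
      3. its principal is a specific AWS identity, not "*".
    Not* elements grant by exclusion, so they are reported for manual review.
    """
    policy = json.loads(policy_text)
    object_prefix = f"arn:aws:s3:::{bucket_name}/"
    allowed = {a.lower() for a in allowed_actions}
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.lower() not in allowed:
                findings.append(f"{sid}: action {action!r} is outside the expected set")
        for resource in _as_list(stmt.get("Resource")):
            if not resource.startswith(object_prefix):
                findings.append(f"{sid}: resource {resource!r} is not an object path in {bucket_name}")
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if not aws_principals or "*" in aws_principals:
            findings.append(f"{sid}: principal is missing or a wildcard")
        for key in ("NotAction", "NotResource", "NotPrincipal"):
            if key in stmt:
                findings.append(f"{sid}: uses {key}, which grants by exclusion; review manually")
    return findings


# Constructed policy of the kind you would expect to be handed: one Allow statement,
# a specific AWS principal (placeholder account id), PutObject on the bucket's objects.
EXPECTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "LogpushUpload",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::000000000000:user/PLACEHOLDER"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::my-cloudflare-logs/*",
    }],
})

# Constructed counter-example: anyone may perform any S3 action on the bucket itself.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TooBroad",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::my-cloudflare-logs",
    }],
})

if __name__ == "__main__":
    for name, text in (("expected", EXPECTED_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, audit_bucket_policy(text, "my-cloudflare-logs") or "no findings")
```

Run it against the policy text you copied from the dashboard, with your own bucket name; any finding is a reason to read the statement closely before clicking Save.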
Once the Logpush job is configured, go back to Panther.
1. In the Panther Console, navigate to Configure > Log Sources.
2. Click Create New.
When selecting event fields on the Cloudflare UI, make sure you include the When and ResourceType fields, as they are required by Panther.
```yaml
# Code generated by Panther; DO NOT EDIT. (@generated)
description: Audit logs summarize the history of changes made within your Cloudflare account. Audit logs include account level actions like login and logout, as well as zone configuration changes.
fields:
  - name: ActionResult
    description: Whether the action was successful
  - name: ActionType
    description: Type of action taken
  - name: ActorEmail
    description: Email of the actor
  - name: ActorID
    description: Unique identifier of the actor in Cloudflare's system
  - name: ActorIP
    description: Physical network address of the actor
  - name: ActorType
    description: Type of user that started the audit trail
  - name: ID
    description: Unique identifier of an audit log
  - name: Interface
    description: Entry point or interface of the audit log
  - name: Metadata
    description: Additional audit log-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by ResourceType.
  - name: NewValue
    description: Contains the new value for the audited item
  - name: OldValue
    description: Contains the old value for the audited item
  - name: OwnerID
    description: The identifier of the user that was acting or was acted on behalf of. If a user did the action themselves, this value will be the same as the ActorID.
  - name: ResourceID
    description: Unique identifier of the resource within Cloudflare's system
  - name: ResourceType
    description: The type of resource that was changed
  - name: When
    description: When the change happened
```
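To see what the schema above means in practice, here is an added example (not Panther's or Cloudflare's code) that decodes a Logpush object the way the pipeline would, checks each event for the required When and ResourceType fields, and surfaces the two conditions the field descriptions make easy to spot: a failed action (ActionResult) and an action performed on behalf of another user (OwnerID differing from ActorID). It assumes Logpush delivers gzip-compressed newline-delimited JSON with ActionResult as a JSON boolean; the four sample events are constructed, with IPs from the 203.0.113.0/24 documentation range.

```python
import gzip
import json

# Fields Panther requires in the Cloudflare.Audit schema (see the field list above).
REQUIRED_AUDIT_FIELDS = ("When", "ResourceType")


def parse_logpush_object(data: bytes) -> list:
    """Decode one Logpush S3 object into a list of event dicts.

    Logpush writes newline-delimited JSON (one event per line) and gzips the
    object (assumption); raw bytes are accepted too so local fixtures work.
    """
    if data[:2] == b"\x1f\x8b":  # gzip magic number
        data = gzip.decompress(data)
    events = []
    for line_no, line in enumerate(data.decode("utf-8").splitlines(), start=1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError as exc:
            # A malformed line would silently fail classification downstream,
            # so report it with its position instead of skipping it.
            raise ValueError(f"line {line_no}: invalid JSON ({exc.msg})") from exc
    return events


def validate_events(events, required=REQUIRED_AUDIT_FIELDS) -> list:
    """Return (event ID, [missing field names]) for events lacking a required field."""
    problems = []
    for ev in events:
        missing = [f for f in required if f not in ev]
        if missing:
            problems.append((ev.get("ID"), missing))
    return problems


def flag_audit_events(events) -> list:
    """Return (event ID, reason) for audit events a reviewer would want to look at.

    Both conditions come straight from the schema's field semantics: ActionResult
    records success, and OwnerID differs from ActorID only when someone acted on
    behalf of another user.
    """
    flagged = []
    for ev in events:
        if ev.get("ActionResult") is False:  # assumes a JSON boolean
            flagged.append((ev.get("ID"), "action failed"))
        if ev.get("OwnerID") != ev.get("ActorID"):
            flagged.append((ev.get("ID"), "performed on behalf of another user"))
    return flagged


# Constructed sample events, not real Cloudflare data.
_BASE_EVENT = {
    "ID": "evt-1", "When": "2024-03-01T12:00:00Z", "ActionType": "update",
    "ActionResult": True, "ActorEmail": "alice@example.com", "ActorID": "user-1",
    "OwnerID": "user-1", "ActorIP": "203.0.113.10", "ActorType": "user",
    "Interface": "UI", "ResourceType": "zone", "ResourceID": "zone-1",
    "OldValue": "off", "NewValue": "on", "Metadata": {},
}
_EVENTS = [
    _BASE_EVENT,
    {**_BASE_EVENT, "ID": "evt-2", "ActionResult": False},
    {**_BASE_EVENT, "ID": "evt-3", "OwnerID": "user-2"},
    {k: v for k, v in {**_BASE_EVENT, "ID": "evt-4"}.items() if k != "When"},
]
SAMPLE_NDJSON = b"\n".join(json.dumps(e).encode("utf-8") for e in _EVENTS) + b"\n"
SAMPLE_OBJECT = gzip.compress(SAMPLE_NDJSON)  # shape of an object Logpush writes to S3

if __name__ == "__main__":
    evts = parse_logpush_object(SAMPLE_OBJECT)
    print("missing required fields:", validate_events(evts))
    print("flagged:", flag_audit_events(evts))
```

Running the validation before onboarding a source catches a Logpush job where a required field was unselected, which is the failure mode the note above the schema warns about; the flagging logic is the kind of condition that becomes a Panther detection once the source is ingesting.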
When selecting event fields on the Cloudflare UI, make sure you include the "Datetime" field, as it is required by Panther.
When selecting event fields on the Cloudflare UI, make sure you include the "EdgeStartTimestamp" field, as it is required by Panther.
When selecting event fields on the Cloudflare UI, make sure you include the "Timestamp" field, as it is required by Panther.