Cloudflare

Cloudflare Overview Dashboard

Overview

Integrate with Cloudflare to get your zone metrics, including web traffic, DNS queries, and threat insights. The integration is based on Cloudflare’s analytics API.

The out-of-the-box dashboard improves the security and performance of your applications. This single pane of glass gives you visibility into

security threats
HTTP request volume and error rates
load balancing, including round-trip time and any changes in traffic flow
performance issues in worker scripts

With enriched logs and detailed metrics giving you deep insight into your Cloudflare infrastructure, you can build the context you need to resolve issues.

The integration works with Datadog Cloud SIEM to provide out-of-the-box threat detection for

impossible travel
dangerous misconfigurations
DDoS attacks

Mitigate security threats more quickly with the included Workflow Automation blueprints, such as blocking an IP address or creating a case in Datadog.

Setup

Before you begin, you need a Datadog account, with an API key, and access to Cloudflare Logpush, which requires an Enterprise account plan.

When using a Cloudflare API token, ensure it has the Zone > Zone > Read and Zone > Analytics > Read permissions.

Installation

Install the integration with the Datadog Cloudflare integration tile.

Configuration

Go to the Configuration tab inside the Datadog Cloudflare integration tile.
Enter the email addresses and API keys or token of the accounts you want to monitor. Your Cloudflare API key and API token are available in your Cloudflare account under My profile > Api Tokens.
Add a name for the account. This name is arbitrary and used in the account tag on your metrics.

Log collection

Cloudflare allows customers to push logs directly into Datadog using Cloudflare Logpush. You can manage the Logpush job with the Cloudflare API or with the Cloudflare dashboard.

If you install the Cloudflare integration pipeline, it automatically remaps certain attributes. To see which attributes are remapped:

Navigate to Logs Pipelines.
Click Browse Pipeline Library on the top right.
Enter Cloudflare in the search bar.
Click Cloudflare to see the list of remappers and other processors that are installed.

Cloudflare API

Create a Logpush job by making a POST request to the Logpush jobs endpoint. Include the following fields:

name (optional): Use your domain name as the job name.
destination_conf: A log destination consisting of the following parameters:
- <DATADOG_ENDPOINT_URL>: The Datadog HTTP logs intake endpoint. Your endpoint is http-intake.logs./v1/input
- <DATADOG_API_KEY>: Your Datadog API key.
- ddsource: Set to cloudflare.
- service (optional): Specify service name.
- host (optional): Specify host name.
- ddtags (optional): Specify tags.
dataset: The category of logs you want to receive. See the Cloudflare Log fields for a list of supported datasets.
logpull_options (optional): To configure fields, sample rate, and timestamp format, see the Logpush API options. Datadog mandates the use of RFC 3339 format for timestamps from Cloudflare, which is the default option used by Cloudflare.

Example request:

curl -s -X POST 'https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/logpush/jobs' \
--header 'X-Auth-Key: <CLOUDFLARE_AUTH_KEY>' \
--header 'X-Auth-Email: <CLOUDFLARE_AUTH_EMAIL>' \
--header 'Content-Type: application/json' \
--data-raw '{
   "name": "<NAME>",
   "destination_conf": "datadog://<DATADOG_ENDPOINT_URL>?header_DD-API-KEY=<DATADOG_API_KEY>&ddsource=cloudflare&service=cloudflare&ddtags=env:dev",
   "logpull_options": "fields=RayID,EdgeStartTimestamp&timestamps=rfc3339",
   "dataset": "http_requests"
}'

Example response:

{
 "errors": [],
 "messages": [],
 "result": {
   "id": 100,
   "dataset": "http_requests",
   "enabled": false,
   "name": "<DOMAIN_NAME>",
   "logpull_options": "fields=RayID,EdgeStartTimestamp&timestamps=rfc3339",
   "destination_conf": "datadog://http-intake.logs./v1/input?header_DD-API-KEY=<DD-API-KEY>&ddsource=cloudflare&service=cloudflare&ddtags=env:dev",
   "last_complete": null,
   "last_error": null,
   "error_message": null
 },
 "success": true
}

Take note of the value of id. In the example above, it is 100.

Enable the job. Use the job ID returned in the response and send {"enabled": true} in the request body.

Example request:

curl -s -X PUT \
https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/logpush/jobs/<JOB_ID> -d'{"enabled":true}' | jq .

Example response:

{
  "errors": [],
  "messages": [],
  "result": {
    "id": 100,
    "dataset": "http_requests",
    "enabled": true,
    "name": "<DOMAIN_NAME>",
    "logpull_options": "fields=RayID,EdgeStartTimestamp&timestamps=rfc3339",
    "destination_conf": "datadog://?header_DD-API-KEY=<DATADOG-API-KEY>",
    "last_complete": null,
    "last_error": null,
    "error_message": null
  },
  "success": true
}

Cloudflare dashboard

Once you have Connected a service with the Logpush section of the Cloudflare dashboard, select the dataset, select data fields, and then, under select destination, choose Datadog.
Under Enter destination information, enter the Datadog URL Endpoint:
```
http-intake.logs./api/v2/logs?ddsource=cloudflare
```
Note: ddsource=cloudflare is required. To differentiate between logs, you can also add the optional parameters of service, host, and ddtags.
Example:
```
http-intake.logs./api/v2/logs?service=<SERVICE>&host=<HOST>&ddsource=cloudflare
```
Enter the Datadog API key you used to set-up your Datadog Cloudflare integration tile.
After validating access, you should see “Ready to push!” under Prove ownership. Click Push to complete.

Data Collected

Metrics

cloudflare.requests.all (count)	Total request count Shown as request
cloudflare.requests.cached (count)	Cached requests count Shown as request
cloudflare.requests.uncached (count)	Uncached requests count Shown as request
cloudflare.requests.ssl.encrypted (count)	SSL encrypted requests count Shown as request
cloudflare.requests.ssl.unencrypted (count)	Unencrypted requests count Shown as request
cloudflare.requests.country (count)	Request count, tagged by IATA country code Shown as request
cloudflare.requests.status (count)	Request count, tagged by HTTP response code Shown as request
cloudflare.requests.content_type (count)	Request count, tagged by Content-Type Shown as request
cloudflare.requests.ip_class (count)	Request count, tagged by IP class Shown as request
cloudflare.bandwidth.all (count)	Total bandwidth Shown as byte
cloudflare.bandwidth.cached (count)	Cached bandwidth Shown as byte
cloudflare.bandwidth.uncached (count)	Uncached bandwidth Shown as byte
cloudflare.bandwidth.ssl.encrypted (count)	SSL encrypted bandwidth Shown as byte
cloudflare.bandwidth.ssl.unencrypted (count)	Unencrypted bandwidth Shown as byte
cloudflare.bandwidth.country (count)	Bandwidth tagged by IATA country code Shown as byte
cloudflare.bandwidth.content_type (count)	Bandwidth tagged by Content-Type Shown as byte
cloudflare.threats.all (count)	Total threats Shown as operation
cloudflare.threats.type (count)	Threats tagged by type Shown as operation
cloudflare.threats.country (count)	Threats tagged by IATA country code Shown as operation
cloudflare.pageviews.all (count)	Total page views Shown as page
cloudflare.pageviews.search_engine (count)	Page views tagged by search engine Shown as page
cloudflare.uniques.all (count)	Unique visitors count Shown as connection
cloudflare.dns.query.all (count)	DNS query count Shown as request
cloudflare.dns.query.uncached (count)	Uncached DNS query count Shown as request
cloudflare.dns.query.stale (count)	Stale DNS query count Shown as request
cloudflare.dns.response_time.avg (gauge)	DNS query average response time Shown as millisecond
cloudflare.dns.response_time.median (gauge)	DNS query median response time Shown as millisecond
cloudflare.dns.response_time.90p (gauge)	DNS query response time to the 90th percentile Shown as millisecond
cloudflare.dns.response_time.99p (gauge)	DNS query response time to the 99th percentile Shown as millisecond
cloudflare.workers.requests.all (count)	The request count to the worker script (metrics may not show without enabled API Key permissions) Shown as request
cloudflare.workers.requests.errors (count)	The error count to the worker script (metrics may not show without enabled API Key permissions) Shown as request
cloudflare.workers.requests.subrequests (count)	The subrequest count to the worker script (metrics may not show without enabled API Key permissions) Shown as request
cloudflare.workers.response_time.75p (gauge)	The worker response time to the 75th percentile (metrics may not show without enabled API Key permissions) Shown as microsecond
cloudflare.workers.response_time.99p (gauge)	The worker response time to the 99th percentile (metrics may not show without enabled API Key permissions) Shown as microsecond
cloudflare.load_balancer.pool.round_trip_time.average (gauge)	The average round trip time to reach the load balancer pool Shown as millisecond
cloudflare.load_balancer.pool.health.status (count)	The load balancer pool health status Shown as request

Permissions

Verify your Cloudflare API token has these permissions enabled:

Scope	Permission	Status
Account	Account Analytics	Read
Account	Account Setting	Read
Account	Worker Scripts	Read
Zone	Zone	Read
Zone	Analytics	Read
Zone	Worker Routes	Read
Zone	Load Balancers	Read

Events

The Cloudflare integration does not include any events.

Service Checks

The Cloudflare integration does not include any service checks.

Troubleshooting

Need help? Contact Datadog support.