Cloudflare Logpush with Raw HTTP Input

Logs from the Cloudflare Logpush service (via HTTP destination) can be ingested into Graylog using the Raw HTTP input. When set up and configured, Logpush will post newline-delimited batches of log messages to the input over HTTP protocol.

General information about this input, including configuration options, may be found in the Raw HTTP Input documentation.

Prerequisites

  • A Cloudflare subscription is required.

  • The Cloudflare Logpush HTTP destination service must be able to forward to an endpoint in your environment that is secured with TLS. See Secure Inputs with TLS for more information. (Note that you may also choose to route through a firewall or gateway to fulfill TLS requirement).

  • We strongly recommend using the Authorization Header option when setting up the Raw HTTP input to ensure message requests are authenticated.

Set up the Input

Navigate to System > Inputs and select Raw HTTP to launch the new input. The following configuration settings must be carefully considered when setting up this input for Cloudflare Logpush:

  • Bind Address and Port: Ensure that Cloudflare can route through your network to the IP address and port specified. Note that the raw HTTP input listens for HTTP requests at the /raw root HTTP path.

  • TLS Settings: TLS must either be enabled for this endpoint, or you can choose to route through a firewall or gateway to fulfill the required usage of TLS.

  • Enable Bulk Receiving: Be sure to select this option. This will ensure that the input will correctly split newline-delimited batches of log messages sent from Cloudflare.

  • Authorization Header: Specify a name and value for the authorization header to use. This will ensure that the input will only accept communication where appropriate authentication is validated.

    • Authorization Header Name: authorization

    • Authorization Header Value: Choose a secure password with sufficient length and complexity to meet your requirements. Use the same value for the authorization setting in Cloudflare.

For the additional configuration settings available, see the Raw HTTP Input documentation for more details. Unless required for your environment, we recommend you use the default settings when determining these additional configuration properties.

Enable the HTTP Destination in Cloudflare

After setting up the new input, you must enable the Logpush service to send logs to Graylog. This is done by defining the Graylog endpoint as a Logpush destination. For information on this process, see the Cloudflare documentation.

Hint: Note that the first few steps described in the Cloudflare documentation direct you to select the appropriate website (i.e. domain) you want to use with Logpush. This can be done by selecting Websites from the Cloudflare management console navigation bar and clicking Add a domain. This step is essential to getting your Cloudflare logs into Graylog!

When you are prompted to enter the URI where the Raw HTTP input is listening for requests, ensure the URL includes the /raw root path. For example: 

Copy 
https://graylog-host:port/raw?header_Authorization=<Graylog input Authorization Header Value value>