Firewall events
The descriptions below detail the fields available for firewall_events.
| Field | Value | Type | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Action | The code of the first-class action the Cloudflare Firewall took on this request. Possible actions are unknown | allow | block | challenge | jschallenge | log | connectionclose | challengesolved | challengefailed | challengebypassed | jschallengesolved | jschallengefailed | jschallengebypassed | bypass | managedchallenge | managedchallengeskipped | managedchallengenoninteractivesolved | managedchallengeinteractivesolved | managedchallengebypassed | string | ||
| ClientASN | The ASN number of the visitor | int | ||||||||||||||||||||
| ClientASNDescription | The ASN of the visitor as string | string | ||||||||||||||||||||
| ClientCountry | Country from which request originated | string | ||||||||||||||||||||
| ClientIP | The visitor’s IP address (IPv4 or IPv6) | string | ||||||||||||||||||||
| ClientIPClass | The classification of the visitor’s IP address, possible values are: unknown | badHost | searchEngine | allowlist | monitoringService | noRecord | scan | tor | string | |||||||||||||
| ClientRefererHost | The referer host | string | ||||||||||||||||||||
| ClientRefererPath | The referer path requested by visitor | string | ||||||||||||||||||||
| ClientRefererQuery | The referer query-string was requested by the visitor | string | ||||||||||||||||||||
| ClientRefererScheme | The referer URL scheme requested by the visitor | string | ||||||||||||||||||||
| ClientRequestHost | The HTTP hostname requested by the visitor | string | ||||||||||||||||||||
| ClientRequestMethod | The HTTP method used by the visitor | string | ||||||||||||||||||||
| ClientRequestPath | The path requested by visitor | string | ||||||||||||||||||||
| ClientRequestProtocol | The version of HTTP protocol requested by the visitor | string | ||||||||||||||||||||
| ClientRequestQuery | The query-string was requested by the visitor | string | ||||||||||||||||||||
| ClientRequestScheme | The URL scheme requested by the visitor | string | ||||||||||||||||||||
| ClientRequestUserAgent | Visitor’s user-agent string | string | ||||||||||||||||||||
| Datetime | The date and time the event occurred at the edge | int or string | ||||||||||||||||||||
| EdgeColoCode | The airport code of the Cloudflare datacenter that served this request | string | ||||||||||||||||||||
| EdgeResponseStatus | HTTP response status code returned to browser | int | ||||||||||||||||||||
| Kind | The kind of event, currently only possible values are: firewall | string | ||||||||||||||||||||
| MatchIndex | Rules match index in the chain | int | ||||||||||||||||||||
| Metadata | Additional product-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by Cloudflare security product and can change over time | object | ||||||||||||||||||||
| OriginResponseStatus | HTTP origin response status code returned to browser | int | ||||||||||||||||||||
| OriginatorRayID | The RayID of the request that issued the challenge/jschallenge | string | ||||||||||||||||||||
| RayID | The RayID of the request | string | ||||||||||||||||||||
| RuleID | The Cloudflare security product-specific RuleID triggered by this request | string | ||||||||||||||||||||
| Source | The Cloudflare security product triggered by this request. Possible sources are unknown | asn | country | ip | iprange | securitylevel | zonelockdown | waf | firewallrules | uablock | ratelimit | bic | hot | l7ddos | validation | botfight | apishield | botmanagement | dlp | firewallmanaged | firewallcustom | string |