|
| 1 | +--- |
| 2 | +pcx_content_type: how-to |
| 3 | +title: Logging options |
| 4 | +sidebar: |
| 5 | + order: 2 |
| 6 | +--- |
| 7 | + |
| 8 | +Data Loss Prevention allows you to capture, store, and view the data that triggered a specific DLP policy for use as forensic evidence. Users on all plans can [log the payload](#log-the-payload-of-matched-policies) of matched HTTP requests in their Cloudflare logs. Additionally, Enterprise users can [configure a Logpush job](#send-http-requests-to-logpush-destination) to send copies of entire matched HTTP requests to storage destinations. |
| 9 | + |
| 10 | +## Log the payload of matched rules |
| 11 | + |
| 12 | +The data that triggers a DLP policy is stored in the portion of the HTTP request known as the payload. Payload logging is especially useful when diagnosing the behavior of DLP policies. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later. The stored data will include a redacted version of the match, plus 20 bytes of additional context on both sides of the match. |
| 13 | + |
| 14 | +### 1. Generate a key pair |
| 15 | + |
| 16 | +Follow [these instructions](/waf/managed-rules/payload-logging/command-line/generate-key-pair/) to generate a public/private key pair in the command line. |
| 17 | + |
| 18 | +### 2. Upload the public key to Cloudflare |
| 19 | + |
| 20 | +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**. |
| 21 | +2. In the **DLP Payload Encryption public key** field, paste your public key. |
| 22 | +3. Select **Save**. |
| 23 | + |
| 24 | +:::note |
| 25 | +The matching private key is required to view logs. If you lose your private key, you will need to [generate](#1-generate-a-key-pair) and [upload](#2-upload-the-public-key-to-cloudflare) a new public key. The payload of new requests will be encrypted with the new public key. |
| 26 | +::: |
| 27 | + |
| 28 | +### 3. Enable payload logging for a DLP policy |
| 29 | + |
| 30 | +You can enable payload logging for any Allow or Block HTTP policy that uses the [DLP Profile](/cloudflare-one/policies/gateway/http-policies/#dlp-profile) selector. |
| 31 | + |
| 32 | +1. Go to **Gateway** > **Firewall policies** > **HTTP**. |
| 33 | +2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). |
| 34 | +3. In the policy builder, scroll down to **Configure policy settings** and turn on **Log the payload of matched rules**. |
| 35 | +4. Select **Save**. |
| 36 | + |
| 37 | +Data Loss Prevention will now store a portion of the payload for HTTP requests that match this policy. |
| 38 | + |
| 39 | +### 4. View payload logs |
| 40 | + |
| 41 | +1. Go to **Logs** > **Gateway** > **HTTP**. |
| 42 | +2. Go to the DLP log you are interested in reviewing and expand the row. |
| 43 | +3. Select **Decrypt Payload Log**. |
| 44 | +4. Enter your private key and select **Decrypt**. |
| 45 | + |
| 46 | +You will see the [ID of the matched DLP Profile](/api/operations/dlp-profiles-list-all-profiles) followed by the decrypted payload. Note that DLP currently logs only the first match. |
| 47 | + |
| 48 | +:::note |
| 49 | +Neither the key nor the decrypted payload will be stored by Cloudflare. |
| 50 | +::: |
| 51 | + |
| 52 | +### Data privacy |
| 53 | + |
| 54 | +- All Cloudflare logs are encrypted at rest. Encrypting the payload content adds a second layer of encryption for the matched values that triggered a DLP rule. |
| 55 | +- Cloudflare cannot decrypt encrypted payloads, since this operation requires your private key. Cloudflare staff will never ask for the private key. |
| 56 | +- DLP will redact all predefined alphanumeric characters in the log. For example, `123-45-6789` will become `XXX-XX-XXXX`. |
| 57 | + - You can define sensitive data with [Exact Data Match (EDM)](/cloudflare-one/policies/data-loss-prevention/datasets/#exact-data-match). EDM match logs will redact your defined strings. |
| 58 | + |
| 59 | +## Send HTTP requests to Logpush destination |
| 60 | + |
| 61 | +:::note[Availability] |
| 62 | +Only available on Enterprise plans. |
| 63 | +::: |
| 64 | + |
| 65 | +Gateway allows you to send copies of entire HTTP requests matched in DLP policies to storage destinations configured in [Logpush](/logs/about/), including third-party destinations. |
| 66 | + |
| 67 | +To set up the DLP Forensic Copy Logpush job: |
| 68 | + |
| 69 | +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Logs** > **Logpush**. Select **Add a Logpush job**. |
| 70 | +2. Set up a [Logpush destination](/logs/get-started/enable-destinations/) with the DLP Forensic Copy Logpush job. |
| 71 | +3. Return to Zero Trust and go to **Gateway** > **Firewall policies** > **HTTP**. |
| 72 | +4. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). |
| 73 | +5. In the policy builder, scroll down to **Configure policy settings** and turn on **Send copy to storage**. |
| 74 | +6. Select a storage destination. Gateway will list any configured Logpush jobs or integrations that can receive HTTP requests. |
| 75 | +7. Select **Save**. |
| 76 | + |
| 77 | +DLP will now send a copy of HTTP requests that match this policy to your Logpush destination. |
| 78 | + |
| 79 | +Logpush supports up to four DLP Forensic Copy Logpush jobs per account. By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs. To send specific policy matches to specific jobs, configure [Log filters](/logs/reference/filters/). If the request contains an archive file, DLP will only send up to 100 MB of uncompressed content to your configured storage. |
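Review bot: the in-page anchor in the intro paragraph (line 8 of the file) points to `#log-the-payload-of-matched-policies`, but the section heading on line 10 is `## Log the payload of matched rules`, which renders as `#log-the-payload-of-matched-rules`; one of the two should be changed so the link resolves (the other anchors, `#1-generate-a-key-pair`, `#2-upload-the-public-key-to-cloudflare` and `#send-http-requests-to-logpush-destination`, do match their headings). In the note under step 2, it would also help readers to say plainly that payloads already logged under the lost key cannot be decrypted after rotating to a new key pair, since the text only says that new requests will use the new public key; and on line 56 "redact all predefined alphanumeric characters" reads oddly and could be tightened to state that alphanumeric characters matched by predefined profiles are replaced with `X`, as the `123-45-6789` example shows.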