Refine logging

maxvp · maxvp · commit 49fd26177e8c · 2025-08-22T18:31:34.000-05:00
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx
@@ -7,7 +7,7 @@ sidebar:
 
 Data Loss Prevention allows you to capture, store, and view the data that triggered a specific DLP policy for use as forensic evidence. Users on all plans can log the [payload](#log-the-payload-of-matched-rules) or [generative AI prompt content](#log-generative-ai-prompt-content) of matched HTTP requests in their Cloudflare logs. Additionally, Enterprise users can [configure a Logpush job](#send-http-requests-to-logpush-destination) to send copies of entire matched HTTP requests to storage destinations.
 
-The data that triggers a DLP policy is stored in the portion of the HTTP request known as the payload. Payload logging is especially useful when diagnosing the behavior of DLP policies. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later. The stored data will include a redacted version of the match, plus 75 bytes of additional context on both sides of the match.
+The data that triggers a DLP policy is stored in the portion of the HTTP request known as the payload. Payload logging is especially useful when diagnosing the behavior of DLP policies. Since the values that triggered a rule may contain sensitive data, they are encrypted with a public key so that only you can examine them later. The stored data will include a redacted version of the match, plus 75 bytes of additional context on both sides of the match.
 
 ## Set a DLP payload encryption public key
 
@@ -27,11 +27,11 @@ To generate a public/private key pair in the command line, refer to [these instr
 The matching private key is required to view logs. If you lose your private key, you will need to [generate](#1-generate-a-key-pair) and [upload](#2-upload-the-public-key-to-cloudflare) a new public key. The payload of new requests will be encrypted with the new public key.
 :::
 
-## Log the payload of matched rules
+## Log matched DLP policies
 
-DLP can log the payload of matched HTTP requests in your Cloudflare logs.
+Once you set a public key, DLP can log the payload of matched HTTP requests and AI prompts in your Cloudflare logs.
 
-### Turn on payload logging for a DLP policy
+### Turn on payload logging
 
 You can enable payload logging for any Allow or Block HTTP policy that uses the [_DLP Profile_](/cloudflare-one/policies/gateway/http-policies/#dlp-profile) selector.
 
@@ -42,7 +42,18 @@ You can enable payload logging for any Allow or Block HTTP policy that uses the
 
 Data Loss Prevention will now store a portion of the payload for HTTP requests that match this policy.
 
-### View payload logs
+### Turn on AI prompt content logging
+
+You can enable payload logging for any Allow or Block HTTP policy that uses the [_Application_](/cloudflare-one/policies/gateway/http-policies/#application) selector with a supported [Cloud App Control](/cloudflare-one/policies/gateway/http-policies/#cloud-app-control) application.
+
+1. Go to **Gateway** > **Firewall policies** > **HTTP**.
+2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
+3. In the policy builder, scroll down to **Configure policy settings** and turn on **Capture generative AI prompt content in logs**.
+4. Select **Save**.
+
+Data Loss Prevention will now store the user prompt and AI model response for requests that match this policy.
+
+## View payload logs
 
 To view DLP payload logs:
 
@@ -51,10 +62,12 @@ To view DLP payload logs:
 3. Select **Decrypt Payload Log**.
 4. Enter your private key and select **Decrypt**.
 
-You will see the [ID of the matched DLP Profile](/api/resources/zero_trust/subresources/dlp/subresources/profiles/methods/list/) followed by the decrypted payload.
+Gateway logs will display the [ID of the matched DLP Profile](/api/resources/zero_trust/subresources/dlp/subresources/profiles/methods/list/) followed by the decrypted payload.
+
+Additionally, if DLP detected an generative AI prompt, you can select **View prompt** to display the user prompt.
 
 :::note
-Cloudflare does not store the key or the decrypted payload.
+Cloudflare does not store the private key or the decrypted payload.
 :::
 
 ### Report false and true positives to AI context analysis
@@ -70,28 +83,6 @@ To report a DLP match payload as a false or true positive:
 
 Based on your report, DLP's machine learning will adjust its confidence in future matches for the associated profile.
 
-### Data privacy
-
-- All Cloudflare logs are encrypted at rest. Encrypting the payload content adds a second layer of encryption for the matched values that triggered a DLP rule.
-- Cloudflare cannot decrypt encrypted payloads, since this operation requires your private key. Cloudflare staff will never ask for the private key.
-- DLP will redact all predefined alphanumeric characters in the log. For example, `123-45-6789` will become `XXX-XX-XXXX`.
-  - You can define sensitive data with [Exact Data Match (EDM)](/cloudflare-one/policies/data-loss-prevention/detection-entries/#exact-data-match). EDM match logs will redact your defined strings.
-
-## Log generative AI prompt content
-
-DLP can detect and log the prompt topic sent to an AI tool.
-
-### Turn on AI prompt content logging for a DLP policy
-
-You can enable payload logging for any Allow or Block HTTP policy that uses the [_Application_](/cloudflare-one/policies/gateway/http-policies/#application) selector with a supported [Cloud App Control](/cloudflare-one/policies/gateway/http-policies/#cloud-app-control) application.
-
-1. Go to **Gateway** > **Firewall policies** > **HTTP**.
-2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
-3. In the policy builder, scroll down to **Configure policy settings** and turn on **Capture generative AI prompt content in logs**.
-4. Select **Save**.
-
-Data Loss Prevention will now store the user prompt and AI model response for requests that match this policy.
-
 ## Send DLP forensic copies to Logpush destination
 
 :::note[Availability]
@@ -116,3 +107,10 @@ To set up the DLP Forensic Copy Logpush job:
 DLP will now send a copy of HTTP requests that match this policy to your Logpush destination.
 
 Logpush supports up to four DLP Forensic Copy Logpush jobs per account. By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs. To send specific policy matches to specific jobs, configure [Log filters](/logs/logpush/logpush-job/filters/). If the request contains an archive file, DLP will only send up to 100 MB of uncompressed content to your configured storage.
+
+## Data privacy
+
+- All Cloudflare logs are encrypted at rest. Encrypting the payload content adds a second layer of encryption for the matched values that triggered a DLP rule.
+- Cloudflare cannot decrypt encrypted payloads, since this operation requires your private key. Cloudflare staff will never ask for the private key.
+- DLP will redact all predefined alphanumeric characters in the log. For example, `123-45-6789` will become `XXX-XX-XXXX`.
+  - You can define sensitive data with [Exact Data Match (EDM)](/cloudflare-one/policies/data-loss-prevention/detection-entries/#exact-data-match). EDM match logs will redact your defined strings.
