You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/content/docs/ddos-protection/managed-rulesets/http/override-expressions.mdx
+5-6Lines changed: 5 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,12 +6,11 @@ sidebar:
6
6
head:
7
7
- tag: title
8
8
content: Override expressions for HTTP DDoS Attack Protection
9
-
10
9
---
11
10
12
11
:::note
13
12
14
-
Only available to Enterprise customers with the Advanced DDoS Protection subscription.
13
+
Only available to Enterprise customers with the Advanced DDoS Protection subscription.
15
14
:::
16
15
17
16
Set an override expression for the HTTP DDoS Attack Protection managed ruleset to define a specific scope for [sensitivity level](/ddos-protection/managed-rulesets/http/override-parameters/#sensitivity-level) or [action](/ddos-protection/managed-rulesets/http/override-parameters/#action) adjustments.
@@ -36,11 +35,11 @@ You can use the following fields in override expressions:
Copy file name to clipboardExpand all lines: src/content/docs/logs/get-started/enable-destinations/splunk.mdx
+39-48Lines changed: 39 additions & 48 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,10 +6,9 @@ sidebar:
6
6
head:
7
7
- tag: title
8
8
content: Enable Logpush to Splunk
9
-
10
9
---
11
10
12
-
import { Render } from"~/components"
11
+
import { Render } from"~/components";
13
12
14
13
Cloudflare Logpush supports pushing logs directly to Splunk via the Cloudflare dashboard or via API.
15
14
@@ -20,25 +19,27 @@ Cloudflare Logpush supports pushing logs directly to Splunk via the Cloudflare d
20
19
5. In **Select a destination**, choose **Splunk**.
21
20
22
21
6. Enter or select the following destination information:
23
-
***Splunk raw HTTP Event Collector URL**
24
-
***Channel ID** - This is a random GUID that you can generate using [guidgenerator.com](http://guidgenerator.com/).
25
-
***Auth Token**
26
-
***Source Type** - For example, `cloudflare:json`. If you are using the [Cloudflare App for Splunk](https://splunkbase.splunk.com/app/4501), refer to the appropriate source type for the corresponding datasets under the **Details** section. For instance, for Zero Trust Access requests logs, the source type is `cloudflare:access`.
-**Channel ID** - This is a random GUID that you can generate using [guidgenerator.com](http://guidgenerator.com/).
24
+
-**Auth Token**
25
+
-**Source Type** - For example, `cloudflare:json`. If you are using the [Cloudflare App for Splunk](https://splunkbase.splunk.com/app/4501), refer to the appropriate source type for the corresponding datasets under the **Details** section. For instance, for Zero Trust Access requests logs, the source type is `cloudflare:access`.
When you are done entering the destination details, select **Continue**.
30
29
31
30
7. Select the dataset to push to the storage service.
32
31
33
32
8. In the next step, you need to configure your logpush job:
34
-
* Enter the **Job name**.
35
-
* Under **If logs match**, you can select the events to include and/or remove from your logs. Refer to [Filters](/logs/reference/filters/) for more information. Not all datasets have this option available.
36
-
* In **Send the following fields**, you can choose to either push all logs to your storage destination or selectively choose which logs you want to push.
33
+
34
+
- Enter the **Job name**.
35
+
- Under **If logs match**, you can select the events to include and/or remove from your logs. Refer to [Filters](/logs/reference/filters/) for more information. Not all datasets have this option available.
36
+
- In **Send the following fields**, you can choose to either push all logs to your storage destination or selectively choose which logs you want to push.
37
37
38
38
9. In **Advanced Options**, you can:
39
-
* Choose the format of timestamp fields in your logs (`RFC3339`(default),`Unix`, or `UnixNano`).
40
-
* Select a [sampling rate](/logs/get-started/api-configuration/#sampling-rate) for your logs or push a randomly-sampled percentage of logs.
41
-
* Enable redaction for `CVE-2021-44228`. This option will replace every occurrence of `${` with `x{`.
39
+
40
+
- Choose the format of timestamp fields in your logs (`RFC3339`(default),`Unix`, or `UnixNano`).
41
+
- Select a [sampling rate](/logs/get-started/api-configuration/#sampling-rate) for your logs or push a randomly-sampled percentage of logs.
42
+
- Enable redaction for `CVE-2021-44228`. This option will replace every occurrence of `${` with `x{`.
42
43
43
44
10. Select **Submit** once you are done configuring your logpush job.
44
45
@@ -49,12 +50,8 @@ To set up a Splunk Logpush job:
49
50
1. Create a job with the appropriate endpoint URL and authentication parameters.
50
51
2. Enable the job to begin pushing logs.
51
52
52
-
:::note[Note]
53
-
54
-
53
+
:::note
55
54
Unlike configuring Logpush jobs for AWS S3, GCS, or Azure, there is no ownership challenge when configuring Logpush to Splunk.
56
-
57
-
58
55
:::
59
56
60
57
<Renderfile="enable-read-permissions" />
@@ -63,34 +60,33 @@ Unlike configuring Logpush jobs for AWS S3, GCS, or Azure, there is no ownership
63
60
64
61
To create a job, make a `POST` request to the Logpush jobs endpoint with the following fields:
65
62
66
-
***name** (optional) - Use your domain name as the job name.
67
-
***destination\_conf** - A log destination consisting of an endpoint URL, channel id, insecure-skip-verify flag, source type, authorization header in the string format below.
68
-
69
-
***\<SPLUNK\_ENDPOINT\_URL>**: The Splunk raw HTTP Event Collector URL with port. For example: `splunk.cf-analytics.com:8088/services/collector/raw`.
70
-
* Cloudflare expects the HEC network port to be configured to `:443` or `:8088`.
71
-
* Cloudflare expects the Splunk endpoint to be `/services/collector/raw` while configuring and setting up the Logpush job.
72
-
* Ensure you have enabled HEC in Splunk. Refer to [Splunk Analytics Integrations](/analytics/analytics-integrations/splunk/) for information on how to set up HEC in Splunk.
73
-
* You may notice an API request failed with a 504 error, when adding an incorrect URL. Splunk Cloud endpoint URL usually contains `http-inputs-` or similar text before the hostname. Refer to [Send data to HTTP Event Collector on Splunk Cloud Platform](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector) for more details.
74
-
***\<SPLUNK\_CHANNEL\_ID>**: A unique channel ID. This is a random GUID that you can generate by:
75
-
* Using an online tool like the [GUID generator](https://www.guidgenerator.com/).
76
-
* Using the command line. For example: `python -c 'import uuid; print(uuid.uuid4())'`.
77
-
***\<INSECURE\_SKIP\_VERIFY>**: Boolean value. Cloudflare recommends setting this value to `false`. Setting this value to `true` is equivalent to using the `-k` option with `curl` as shown in Splunk examples and is **not** recommended. Only set this value to `true` when HEC uses a self-signed certificate.
78
-
79
-
:::note[Note]
80
-
81
-
Cloudflare highly recommends setting this value to <codeclass="InlineCode">false</code>. Refer to the [Logpush FAQ](/logs/faq/logpush/) for more information.
63
+
-**name** (optional) - Use your domain name as the job name.
64
+
-**destination_conf** - A log destination consisting of an endpoint URL, channel id, insecure-skip-verify flag, source type, authorization header in the string format below.
65
+
66
+
-**\<SPLUNK_ENDPOINT_URL>**: The Splunk raw HTTP Event Collector URL with port. For example: `splunk.cf-analytics.com:8088/services/collector/raw`.
67
+
- Cloudflare expects the HEC network port to be configured to `:443` or `:8088`.
68
+
- Cloudflare expects the Splunk endpoint to be `/services/collector/raw` while configuring and setting up the Logpush job.
69
+
- Ensure you have enabled HEC in Splunk. Refer to [Splunk Analytics Integrations](/analytics/analytics-integrations/splunk/) for information on how to set up HEC in Splunk.
70
+
- You may notice an API request failed with a 504 error, when adding an incorrect URL. Splunk Cloud endpoint URL usually contains `http-inputs-` or similar text before the hostname. Refer to [Send data to HTTP Event Collector on Splunk Cloud Platform](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector) for more details.
71
+
-**\<SPLUNK_CHANNEL_ID>**: A unique channel ID. This is a random GUID that you can generate by:
72
+
- Using an online tool like the [GUID generator](https://www.guidgenerator.com/).
73
+
- Using the command line. For example: `python -c 'import uuid; print(uuid.uuid4())'`.
74
+
-**\<INSECURE_SKIP_VERIFY>**: Boolean value. Cloudflare recommends setting this value to `false`. Setting this value to `true` is equivalent to using the `-k` option with `curl` as shown in Splunk examples and is **not** recommended. Only set this value to `true` when HEC uses a self-signed certificate.
75
+
76
+
:::note
77
+
Cloudflare highly recommends setting this value to <codeclass="InlineCode">false</code>. Refer to the [Logpush FAQ](/logs/faq/logpush/) for more information.
82
78
:::
83
79
84
-
*`<SOURCE_TYPE>`: The Splunk source type. For example: `cloudflare:json`.
85
-
*`<SPLUNK_AUTH_TOKEN>`: The Splunk authorization token that is URL-encoded. For example: `Splunk%20e6d94e8c-5792-4ad1-be3c-29bcaee0197d`.
80
+
-`<SOURCE_TYPE>`: The Splunk source type. For example: `cloudflare:json`.
81
+
-`<SPLUNK_AUTH_TOKEN>`: The Splunk authorization token that is URL-encoded. For example: `Splunk%20e6d94e8c-5792-4ad1-be3c-29bcaee0197d`.
***dataset** - The category of logs you want to receive. Refer to [Log fields](/logs/reference/log-fields/) for the full list of supported datasets.
87
+
-**dataset** - The category of logs you want to receive. Refer to [Log fields](/logs/reference/log-fields/) for the full list of supported datasets.
92
88
93
-
***output\_options** (optional) - To configure fields, sample rate, and timestamp format, refer to [Log Output Options](/logs/reference/log-output-options/). For timestamp, Cloudflare recommends using `timestamps=rfc3339`.
89
+
-**output_options** (optional) - To configure fields, sample rate, and timestamp format, refer to [Log Output Options](/logs/reference/log-output-options/). For timestamp, Cloudflare recommends using `timestamps=rfc3339`.
94
90
95
91
Example request using cURL:
96
92
@@ -185,8 +181,6 @@ If your logpush destination hostname is proxied through Cloudflare, and you have
185
181
2. Select **Create rule** and enter a descriptive name for it (for example, `Splunk`).
186
182
3. Under **If incoming requests match**, use the **Field**, **Operator**, and **Value** dropdowns to create a rule. After finishing each row, select **And** to create the next row of rules. Refer to the table below for the values you should input:
@@ -196,21 +190,18 @@ If your logpush destination hostname is proxied through Cloudflare, and you have
196
190
| AS Num |`equals`|`132892`|
197
191
| User Agent |`equals`|`Go-http-client/2.0`|
198
192
199
-
200
-
201
193
4. After inputting the values as shown in the table, you should have an Expression Preview with the values you added for your specific rule. The example below reflects the hostname `splunk.cf-analytics.com`.
202
194
203
195
```txt
204
-
(http.request.method eq "POST" and http.host eq "splunk.cf-analytics.com" and http.request.uri.path eq "/services/collector/raw" and http.request.uri.query contains "channel" and ip.geoip.asnum eq 132892 and http.user_agent eq "Go-http-client/2.0")
196
+
(http.request.method eq "POST" and http.host eq "splunk.cf-analytics.com" and http.request.uri.path eq "/services/collector/raw" and http.request.uri.query contains "channel" and ip.src.asnum eq 132892 and http.user_agent eq "Go-http-client/2.0")
205
197
```
206
198
207
-
5. Under the **Then** > **Choose an action** dropdown, select *Skip*.
208
-
6. Under **WAF components to skip**, select *All managed rules*.
199
+
5. Under the **Then** > **Choose an action** dropdown, select _Skip_.
200
+
6. Under **WAF components to skip**, select _All managed rules_.
209
201
7. Select **Deploy**.
210
202
211
203
The WAF should now ignore requests made to Splunk HEC by Cloudflare.
212
204
213
-
:::note[Note]
214
-
215
-
To analyze and visualize Cloudflare Logs using the Cloudflare App for Splunk, follow the steps in the [Splunk Analytics integration page](/analytics/analytics-integrations/splunk/).
205
+
:::note
206
+
To analyze and visualize Cloudflare Logs using the Cloudflare App for Splunk, follow the steps in the [Splunk Analytics integration page](/analytics/analytics-integrations/splunk/).
Copy file name to clipboardExpand all lines: src/content/docs/rules/cloud-connector/examples/send-eu-visitors-to-gcs.mdx
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,7 +18,7 @@ To route requests from visitors in the European Union to a Google Cloud Storage
18
18
5._(Optional)_ Use the [Rewrite URL](/rules/transform/url-rewrite/) feature of [Transform Rules](/rules/transform/) to adjust the URL structure. For example, you can [create a URL rewrite](/rules/transform/url-rewrite/create-dashboard/) that changes `/eu` to `/<BUCKET_NAME>` to match the URI path-style URL structure.
19
19
6. Click **Next** and enter a descriptive name like "Route EU visitors to GCP" in Cloud Connector name.
20
20
7. Under **If**, select **Custom filter expression** and enter the following expression:
21
-
`(ip.geoip.is_in_european_union)`<br />
21
+
`(ip.src.is_in_european_union)`<br />
22
22
This expression targets traffic from European Union users.
0 commit comments