diff --git a/src/content/docs/waf/managed-rules/payload-logging/configure-api.mdx b/src/content/docs/waf/managed-rules/payload-logging/configure-api.mdx index c775ed443c5d31..501f5b963dd630 100644 --- a/src/content/docs/waf/managed-rules/payload-logging/configure-api.mdx +++ b/src/content/docs/waf/managed-rules/payload-logging/configure-api.mdx @@ -3,6 +3,7 @@ title: Configure payload logging via API pcx_content_type: how-to sidebar: order: 4 + label: Configure via API head: - tag: title content: Configure payload logging for a managed ruleset via API diff --git a/src/content/docs/waf/managed-rules/payload-logging/configure.mdx b/src/content/docs/waf/managed-rules/payload-logging/configure.mdx index 164a800bf0cbf6..7de555d5fd6d7a 100644 --- a/src/content/docs/waf/managed-rules/payload-logging/configure.mdx +++ b/src/content/docs/waf/managed-rules/payload-logging/configure.mdx @@ -3,17 +3,17 @@ title: Configure payload logging in the dashboard pcx_content_type: how-to sidebar: order: 2 + label: Configure in the dashboard head: - tag: title content: Configure payload logging for a managed ruleset in the dashboard - --- Configure payload logging for a ruleset in the ruleset configuration page. :::note -Only users with the [Super Administrator role](/fundamentals/setup/manage-members/roles/) can configure payload logging and decrypt payloads in the Cloudflare dashboard. Other users can decrypt payloads if they have access to the logs and to the private key. +Only users with the [Super Administrator role](/fundamentals/setup/manage-members/roles/) can configure payload logging and decrypt payloads in the Cloudflare dashboard. Other users can decrypt payloads if they have access to the logs and to the private key. ::: Do the following: 
@@ -28,9 +28,9 @@ Do the following: 4. After reading and understanding the implications of enabling payload logging, select one of the available options: - * **Generate key pair using your web browser**: Generates a key pair (a private and a public key) in your browser and configures payload logging with the generated public key. + - **Generate key pair using your web browser**: Generates a key pair (a private and a public key) in your browser and configures payload logging with the generated public key. - * **Use my own public key**: Enter a public key [generated by the `matched-data-cli` command-line tool](/waf/managed-rules/payload-logging/command-line/generate-key-pair/). + - **Use my own public key**: Enter a public key [generated by the `matched-data-cli` command-line tool](/waf/managed-rules/payload-logging/command-line/generate-key-pair/). 5. Select **Next**. diff --git a/src/content/docs/waf/managed-rules/payload-logging/index.mdx b/src/content/docs/waf/managed-rules/payload-logging/index.mdx index d61894a54c49e0..60002d0c35648d 100644 --- a/src/content/docs/waf/managed-rules/payload-logging/index.mdx +++ b/src/content/docs/waf/managed-rules/payload-logging/index.mdx 
@@ -3,46 +3,54 @@ pcx_content_type: concept title: Log the payload of matched rules sidebar: order: 11 - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; The WAF allows you to log the request information that triggered a specific rule of a managed ruleset. This information is known as the payload. Payload logging is especially useful when diagnosing the behavior of WAF rules. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later. :::note - This feature is only available for customers on an Enterprise plan. - ::: -Each managed ruleset has its own payload logging configuration. To enable the feature, configure a public key to encrypt the logged payload by doing one of the following: +## Turn on payload logging -* Generate a key pair directly in the dashboard (Cloudflare will **only** save the generated public key) -* Enter your own public key +Each managed ruleset has its own payload logging configuration. To turn on payload logging, configure a public key to encrypt the logged payload by doing one of the following: + +- Generate a key pair directly in the Cloudflare dashboard +- Use your own public key Once enabled, the WAF saves the payload of any rule matches for the managed ruleset configured with payload logging, encrypting the payload with your public key. +For more information, refer to [Configure payload logging in the dashboard](/waf/managed-rules/payload-logging/configure/) or [Configure payload logging via API](/waf/managed-rules/payload-logging/configure-api/). + +:::caution[Important remarks] + +- When you generate a key pair in the dashboard, Cloudflare will only save the generated public key, not the private key. You must store your private key safely. +- Cloudflare will not save the matched payload if the action of the matched rule is _Log_. 
+ +::: + +## View payload content + To view the content of the payload in clear text, do one of the following: -* In the Security Events page (**Security** > **Events**), enter your private key to decrypt the payload of a log entry directly in the browser. Refer to [View the payload content in the dashboard](/waf/managed-rules/payload-logging/view/) for details. +- In the Security Events page (**Security** > **Events**), enter your private key to decrypt the payload of a log entry directly in the browser. Refer to [View the payload content in the dashboard](/waf/managed-rules/payload-logging/view/) for details. -* Decrypt the payload in the command line using the `matched-data-cli` tool. Refer to [Decrypt the payload content in the command line](/waf/managed-rules/payload-logging/command-line/decrypt-payload/) for details. +- Decrypt the payload in the command line using the `matched-data-cli` tool. Refer to [Decrypt the payload content in the command line](/waf/managed-rules/payload-logging/command-line/decrypt-payload/) for details. -* Decrypt the matched payload in your [Logpush](/logs/about/) job using a Worker before storing the logs in your SIEM system. Refer to [Store decrypted matched payloads in logs](/waf/managed-rules/payload-logging/decrypt-in-logs/) for details. +- Decrypt the matched payload in your [Logpush](/logs/about/) job using a Worker before storing the logs in your SIEM system. Refer to [Store decrypted matched payloads in logs](/waf/managed-rules/payload-logging/decrypt-in-logs/) for details. :::caution[Important] - All Cloudflare logs are encrypted at rest. Encrypting the payload content adds a second layer of encryption for the matched values that triggered a WAF rule. Make sure you store your private key safely. If you lose the private key, configure payload logging with a new public key. The payload of new requests will be encrypted with the new public key. 
Cloudflare cannot decrypt encrypted payloads, since this operation requires your private key. Cloudflare staff will never ask for the private key. - ::: ## User role requirements diff --git a/src/content/docs/waf/managed-rules/payload-logging/view.mdx b/src/content/docs/waf/managed-rules/payload-logging/view.mdx index 193d295ba4d65c..80c43d91fcad6a 100644 --- a/src/content/docs/waf/managed-rules/payload-logging/view.mdx +++ b/src/content/docs/waf/managed-rules/payload-logging/view.mdx @@ -3,7 +3,6 @@ pcx_content_type: how-to title: View the payload content in the dashboard sidebar: order: 3 - --- View the content of the matched rule payload in the dashboard by entering your private key. @@ -16,13 +15,12 @@ View the content of the matched rule payload in the dashboard by entering your p ![Example of a firewall event with available payload match data (still encrypted)](~/assets/images/waf/transform-rules/payload-logging-example.png) + The **Payload match** section is not available if the action taken by the matched rule is _Log_. + 4. Enter your private key in the pop-up window and select **Decrypt**. :::note - - The private key is not sent to a Cloudflare server. The decryption occurs entirely in the browser. - ::: If the private key you entered decrypts the encrypted payload successfully, the **Payload match** card displays the payload content in clear text.
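Review bot: In the configure-api.mdx hunk, `label: Configure via API` is added to the sidebar frontmatter, and configure.mdx gets `label: Configure in the dashboard`, but index.mdx and view.mdx in the same patch keep their sidebar entry derived from `title` (for example "View the payload content in the dashboard"). If the goal is shorter sidebar entries, add a matching label to view.mdx as well (e.g. `label: View in the dashboard`) so the section's sidebar is consistent, or state in the change description why only the two configure pages get one.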
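Review bot: In the configure.mdx hunk the `-`/`+` pair inside the `:::note` block reads identically on both sides ("Only users with the [Super Administrator role](...) can configure payload logging and decrypt payloads in the Cloudflare dashboard. Other users can decrypt payloads if they have access to the logs and to the private key."), so this is a whitespace-only change (trailing whitespace or line ending). If that is intentional it is harmless; otherwise drop it so the hunk is limited to the sidebar label, the removed blank line before `---`, and the `*` to `-` list-marker change, which matches the marker style used in the index.mdx hunk of this patch.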
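Review bot: In the index.mdx hunk the new `:::caution[Important remarks]` states that "Cloudflare will not save the matched payload if the action of the matched rule is _Log_", but the unchanged sentence two lines above still says the WAF "saves the payload of any rule matches for the managed ruleset configured with payload logging". Qualify that sentence so the two do not contradict each other, for example "saves the payload of any rule matches, except for rules whose action is _Log_, for the managed ruleset configured with payload logging". The same caution also adds "You must store your private key safely." while the existing `:::caution[Important]` further down the file still says "Make sure you store your private key safely." next to the advice about reconfiguring with a new public key if the key is lost; keep that guidance in one place rather than twice on the same page.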
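Review bot: In the view.mdx hunk the added line "The **Payload match** section is not available if the action taken by the matched rule is _Log_." sits between the step 3 image and "4. Enter your private key in the pop-up window and select **Decrypt**." inside an ordered list, so it needs the same indentation as the image line above it to remain part of step 3; as an unindented paragraph it can terminate the list and cause step 4 to render as a new list starting at 1. Check the indentation against the image line, and consider also mentioning the _Log_ exception next to the equivalent remark added to index.mdx so the two pages stay in sync.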