Merged
Changes from 3 commits
@@ -19,6 +19,7 @@ Users can connect by installing the Cloudflare WARP client on their device and e
If you would like to define how users access specific infrastructure servers within your network, [create an infrastructure application](/cloudflare-one/applications/non-http/infrastructure-apps/) in Access for Infrastructure. Access for Infrastructure provides an additional layer of control and visibility over how users access non-HTTP applications, including:
- Define fine-grained policies to govern who has access to specific servers and exactly how a user may access that server.
- Eliminate SSH keys by using short-lived certificates to authenticate users.
- Export SSH command logs to a storage service or SIEM solution using [Logpush](/cloudflare-one/insights/logs/logpush/).

## Clientless access

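Review bot: the new Logpush bullet (`- Export SSH command logs to a storage service or SIEM solution using [Logpush](/cloudflare-one/insights/logs/logpush/).`) omits two conditions that other files in this same PR state: the export is for Enterprise customers ("Enterprise customers can also export command logs using Logpush"), and command logs only exist when an SSH encryption key is configured before the session begins (the `SSH logs` field description in audit-logs.mdx). Suggest folding both into the bullet, for example `- Export SSH command logs to a storage service or SIEM solution using [Logpush](/cloudflare-one/insights/logs/logpush/) (Enterprise plans; requires an SSH encryption key).`, so a team planning log collection sees the prerequisites on the overview page rather than discovering them after the first session produces no log.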
@@ -78,7 +78,7 @@ Users can use any SSH client to connect to the target, as long as they are logge
ssh <username>@<target IP>
```

SSH with Access for Infrastructure also supports `scp` and `rsync` commands. At this time, `sftp` is not supported.
SSH with Access for Infrastructure also supports `scp` and `rsync` commands. At this time, `sftp` is not supported. Note that `scp` commands that utilize OpenSSH versions > 9.0 will not work at this time because OpenSSH 9.0+ leverages `sftp` to execute the command.

To learn more about user connections, refer to the [Access for Infrastructure documentation](/cloudflare-one/applications/non-http/infrastructure-apps/#4-connect-as-a-user).

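Review bot: the version boundary in the added sentence is stated two different ways: `OpenSSH versions > 9.0` excludes 9.0, while `OpenSSH 9.0+` in the same sentence includes it. Since the second clause is the explanation (9.0 is the release where `scp` started using the SFTP protocol), `OpenSSH 9.0 and later` in both places is the consistent wording. Also `at this time` now appears in two consecutive sentences; the second occurrence can go. If there is a supported way to run `scp` against a target with a current OpenSSH client, this is the place to state it, because a user who only sees the command fail has no guidance and may reach for an unmanaged path around Access instead.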
@@ -131,3 +131,5 @@ To manually retrieve logs:
2. Select a user who was allowed to access the target.
3. Select **Download** to download the session's command log.
4. <Render file="ssh/decrypt-ssh-log" />

Enterprise customers can also export command logs using [Logpush](/cloudflare-one/insights/logs/logpush/).
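Review bot: the added sentence should say whether command logs delivered through Logpush are encrypted the same way as the dashboard download. Step 4 immediately above (`<Render file="ssh/decrypt-ssh-log" />`) shows that the downloaded log has to be decrypted with the customer-held key, so a SIEM team reading only this paragraph cannot tell whether to expect ciphertext in their destination and plan a decryption step before indexing, or plaintext. One sentence after the Logpush link stating the actual behaviour (encrypted with the same SSH encryption key and decrypted the same way, or not) closes that gap.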
61 changes: 36 additions & 25 deletions src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx
@@ -4,18 +4,18 @@ title: Access audit logs
sidebar:
order: 2
head: []
description: Use Access audit logs to review authentication events and HTTP
requests to protected URI paths.
description: Use Access audit logs to review authentication events and
requests to protected URI paths and infrastructure targets.
---

import { GlossaryTooltip, TabItem, Tabs } from "~/components";

Cloudflare Access generates two types of audit logs:

- **[Authentication audit logs](#authentication-audit-logs)** maintain a record of authentication events.
- **[Per-request audit logs](#per-request-audit-logs)** record HTTP requests to protected URI paths.
- **[Per-request audit logs](#per-request-audit-logs)** record requests to protected URI paths and infrastructure targets.

## Authentication audit logs
## Authentication logs

Cloudflare Access logs an authentication event whenever a user or service attempts to log in to an application, whether the attempt succeeds or not.

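Review bot: renaming `## Authentication audit logs` to `## Authentication logs` changes the generated heading anchor from `#authentication-audit-logs` to `#authentication-logs`, but the unchanged bullet `- **[Authentication audit logs](#authentication-audit-logs)** maintain a record of authentication events.` still points at the old anchor, so the in-page link breaks. Either update the bullet to `- **[Authentication logs](#authentication-logs)** maintain a record of authentication events.` or keep the old heading text. The same applies to the new `- **[Per-request audit logs](#per-request-audit-logs)** ...` bullet, since `## Per-request audit Logs` becomes `## Per-request logs` further down this file and that anchor will change as well.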
@@ -24,13 +24,13 @@ Cloudflare Access logs an authentication event whenever a user or service attemp
[Non-identity authentication](#non-identity-authentication) refers to login attempts that matched a non-identity policy such as IP address, device posture, country, valid certificate, or service token.

:::note

Authentication audit logs do not capture actions the user takes once they have authenticated.

Authentication logs do not capture the user's actions during a self-hosted or SaaS application session.
:::

### Identity-based authentication

#### View Access authentication logs

<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">

To view logs for identity-based authentication events:
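Review bot: the reworded note `Authentication logs do not capture the user's actions during a self-hosted or SaaS application session.` now implies, by leaving infrastructure out of the list, that infrastructure sessions are captured, but it does not say under what condition. The `SSH logs` field added later in this file says command capture requires an SSH encryption key configured before the session begins, so a second sentence here such as `Commands run during an infrastructure (SSH) session are only recorded if an SSH encryption key is configured before the session begins.` would stop readers assuming command logging is on by default. Minor: the new `#### View Access authentication logs` heading sits under `### Identity-based authentication`, while non-identity logs are viewed through the GraphQL API per the section below; naming the heading `#### View identity-based authentication logs` avoids suggesting this tab covers both.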
@@ -76,37 +76,48 @@ curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/logs/acc

Identity-based authentication logs contain the following fields:

##### Basic information

| Field | Description |
| -------------- | --------------------------------------------------------- |
| **user_email** | The email address of the authenticating user. |
| **ip_address** | The IP address of the authenticating user. |
| **app_uid** | The unique identifier for the protected application. |
| **app_domain** | The URL of the protected application. |
| **action** | The event that occurred, such as a login attempt. |
| **allowed** | The result of the authentication event. |
| **created_at** | The event timestamp. |
| **connection** | The IdP used to authenticate. |
| **country** | The country associated with the user's IP address. |
| **ray_id** | A unique identifier for every request through Cloudflare. |
| **app_type** | The type specifies if the app is self-hosted or SaaS. |
| **App** | Name of the Access application. |
| **User email** | Email address of the authenticating user. |
| **User ID** | UUID of the authenticating user. |
| **IP address** | IP address of the authenticating user. |
| **App UID** | UUID of the Access application. |
| **App domain** | URL of the Access application. |
| **App type** | The type specifies if the Access application is self-hosted, SaaS, or infrastructure. |
| **Event** | Type of authentication event, such as a login attempt. |
| **Connection** | IdP used to authenticate. |
| **Allow** | Result of the authentication event. |
| **Request time** | Timestamp of the authentication event. |
| **Ray ID** | A unique identifier for every request through Cloudflare. |
| **Country** | Country associated with the user's IP address. |

##### Infrastructure applications

Cloudflare Access logs the following information when the user authenticates to an [infrastructure application](/cloudflare-one/applications/non-http/infrastructure-apps/):

| Field | Description |
| -------------- | --------------------------------------------------------- |
| **Hostname** | Hostname of the infrastructure target. |
| **Target ID** | UUID of the infrastructure target. |
| **SSH user** | The UNIX user, such as `root`, that the authenticating user specified when connecting to the infrastructure target. |
| **SSH logs** | SSH commands that the user ran on the target. Requires configuring an [SSH encryption key](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#ssh-command-logs) before the session begins. |

### Non-identity authentication

To retrieve logs for non-identity authentication events, use the [GraphQL Analytics API](/analytics/graphql-api/tutorials/querying-access-login-events/). These logs are not available in Zero Trust.

### Log retention

Block policy decisions are retained for a week. Authentication logs are retained for six months.

## Per-request audit Logs
## Per-request logs

Users who have authenticated through Access have access to authorized URL paths for the duration of their session. Cloudflare provides several ways to audit these requests.

### Using Cloudflare Logs

Enterprise customers have access to detailed logs of HTTP requests on their Cloudflare dashboard. Enterprise customers also have access to Cloudflare's Logpush service, which can be configured from the Cloudflare dashboard or API. For more information about Cloudflare HTTP logging, refer to [Cloudflare Logs](/logs/).
Enterprise customers have access to detailed logs of requests on their Cloudflare dashboard. Enterprise customers also have access to Cloudflare's Logpush service, which can be configured from the Cloudflare dashboard or API. For more information about Cloudflare HTTP and infrastructure logging, refer to [Cloudflare Logs](/logs/).

Once a member of your team authenticates to reach a resource behind Access, Cloudflare generates a token for that user that contains their SSO identity. The token is structured as a <GlossaryTooltip term="JSON web token">JSON Web Token (JWT)</GlossaryTooltip>. Cloudflare relies on an RSA Signature with SHA-256, or RS256, an asymmetric algorithm, to perform that signature. Cloudflare also makes the public key available, so that you can validate their authenticity, as well.
Once a member of your team authenticates to reach an HTTP resource behind Access, Cloudflare generates a token for that user that contains their SSO identity. The token is structured as a <GlossaryTooltip term="JSON web token">JSON Web Token (JWT)</GlossaryTooltip>. Cloudflare relies on an RSA Signature with SHA-256, or RS256, an asymmetric algorithm, to perform that signature. Cloudflare also makes the public key available, so that you can validate their authenticity, as well.

When a user requests a given URL, Access appends the user identity from that token as a request header, which we then log as the request passes through our network. Your team can collect these logs in your preferred third-party Security information and event management (SIEM) software or storage destination by using [Cloudflare Logpush](/cloudflare-one/insights/logs/logpush/). When enabled with the Access user identity field, the logs will export to your systems as JSON similar to the logs below.

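Review bot: the rewritten field table replaces the API field names (`user_email`, `app_uid`, `created_at`, `allowed`) with dashboard display labels (`**User email**`, `**App UID**`, `**Request time**`, `**Allow**`), yet it directly follows the `curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/logs/acc...` example, so someone parsing that API response or a Logpush feed into a SIEM no longer has the key names to map against. Suggest keeping the API key next to each label, e.g. `| **User email** (`user_email`) | Email address of the authenticating user. |`, or listing the API names under the API tab. Second point, in the new `##### Infrastructure applications` table: the `**SSH logs**` row describes a separate encrypted artifact (the command log that step 4 of the SSH page decrypts with the customer key), not a field of the authentication event, so a short sentence saying the log is only readable after decryption with the configured key would set the right expectation for anyone exporting these records. The change from `reach a resource` to `reach an HTTP resource` in the JWT paragraph is correct and worth keeping, since it makes clear the identity header and RS256-signed token apply to HTTP applications and not to infrastructure targets.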