cloudflare · maxvp · Feb 27, 2025 · Feb 26, 2025 · Feb 26, 2025 · Feb 26, 2025
@@ -8,7 +8,7 @@ head:
     content: Zero Trust logs
 ---
 
-import { DirectoryListing } from "~/components";
+import { DirectoryListing, Badge, Render } from "~/components";
 
 Review detailed logs for your Zero Trust organization.
 
@@ -18,19 +18,25 @@ Review detailed logs for your Zero Trust organization.
 
 Cloudflare Zero Trust logs are stored for a varying period of time based on the service used and plan type:
 
-| | Free | Standard | Access | Gateway | Enterprise |
-| ----| ------ | ------ | ------ | ------ | -------- |
-| **Admin logs** | 18 months | 18 months | 18 months | 18 months | 18 months | 18 months |
-| **Access logs** | 24 hours | 30 days | 30 days | 24 hours | 180 days |
-| **DNS logs** | 24 hours | 30 days | 24 hours | 30 days | 180 days<sup><a href="#footnote-1">1</a></sup> |
-| **Network logs** | 24 hours | 30 days | 24 hours | 30 days | 30 days |
-| **HTTP logs** | 24 hours | 30 days | 24 hours | 30 days | 30 days |
-| **DEX logs** | 7 days | 7 days | 7 days | 7 days | 7 days |
-| **Device posture logs** | 30 days | 30 days | 30 days | 30 days | 30 days |
-
-<a name="footnote-1"><sup>1</sup></a> Enterprise users on per query plans cannot store DNS logs via Cloudflare.
-You can still export logs via [Logpush](/cloudflare-one/insights/logs/logpush/).
-For more information, contact your account team.
+|                         | Free      | Standard  | Access    | Gateway   | Enterprise   |
+| ----------------------- | --------- | --------- | --------- | --------- | ------------ |
+| **Admin logs**          | 18 months | 18 months | 18 months | 18 months | 18 months    |
+| **Access logs**         | 24 hours  | 30 days   | 30 days   | 24 hours  | 180 days     |
+| **DNS logs**            | 24 hours  | 30 days   | 24 hours  | 30 days   | 180 days[^1] |
+| **Network logs**        | 24 hours  | 30 days   | 24 hours  | 30 days   | 30 days      |
+| **HTTP logs**           | 24 hours  | 30 days   | 24 hours  | 30 days   | 30 days      |
+| **DEX logs**            | 7 days    | 7 days    | 7 days    | 7 days    | 7 days       |
+| **Device posture logs** | 30 days   | 30 days   | 30 days   | 30 days   | 30 days      |
+
+[^1]: Enterprise users on per query plans cannot store DNS logs via Cloudflare. You can still export logs via [Logpush](/cloudflare-one/insights/logs/logpush/). For more information, contact your account team.
+
+## Log Explorer <Badge text="Beta" variant="caution" size="small" />
+
+Log Explorer users can store Zero Trust logs directly within Cloudflare in an [R2 bucket](/r2/) and access them with the dashboard or API. Log Explorer supports the following Zero Trust datasets:
+
+<Render file="log-explorer-account-datasets" product="logs" />
+
+For more information, refer to [Log Explorer](/logs/log-explorer/).
 
 ## Customer Metadata Boundary
 

@@ -35,19 +35,20 @@ You can configure multiple destinations and add additional fields to your logs b
 
 ## Zero Trust datasets
 
-Refer to the Logpush documentation for a list of available fields.
-
-| Dataset                                                                         | Description                                                    |
-| ------------------------------------------------------------------------------- | -------------------------------------------------------------- |
-| [Gateway DNS](/logs/reference/log-fields/account/gateway_dns/)                  | DNS queries inspected by Cloudflare Gateway                    |
-| [Gateway HTTP](/logs/reference/log-fields/account/gateway_http/)                | HTTP requests inspected by Cloudflare Gateway                  |
-| [Gateway Network](/logs/reference/log-fields/account/gateway_network/)          | Network packets inspected by Cloudflare Gateway                |
-| [Audit Logs](/logs/reference/log-fields/account/audit_logs/)                    | Authentication events through Cloudflare Access                |
-| [Access Requests](/logs/reference/log-fields/account/access_requests/)          | HTTP requests to sites protected by Cloudflare Access          |
-| [CASB Findings](/logs/reference/log-fields/account/casb_findings/)              | Security issues detected by Cloudflare CASB                    |
-| [Device Posture](/logs/reference/log-fields/account/device_posture_results/)    | Device posture status from the WARP client                     |
-| [Session Logs](/logs/reference/log-fields/account/zero_trust_network_sessions/) | Network session logs for traffic proxied by Cloudflare Gateway |
-| [SSH Logs](/logs/reference/log-fields/account/ssh_logs/)                        | SSH command logs for [Access for Infrastructure targets](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/) | 
+Refer to [Logpush log fields](/logs/reference/log-fields/) for a list of all available fields.
+
+| Dataset                                                                                            | Description                                                                                                                                                 |
+| -------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [Access Requests](/logs/reference/log-fields/account/access_requests/)                             | HTTP requests to sites protected by Cloudflare Access                                                                                                       |
+| [Audit Logs](/logs/reference/log-fields/account/audit_logs/)                                       | Authentication events through Cloudflare Access                                                                                                             |
+| [CASB Findings](/logs/reference/log-fields/account/casb_findings/)                                 | Security issues detected by Cloudflare CASB                                                                                                                 |
+| [Device Posture Results](/logs/reference/log-fields/account/device_posture_results/)               | Device posture status from the WARP client                                                                                                                  |
+| [DLP Forensic Copies](/logs/reference/log-fields/account/dlp_forensic_copies/)                     | Entire HTTP requests or payloads of HTTP requests captured by [Cloudflare DLP](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/) |
+| [Gateway DNS](/logs/reference/log-fields/account/gateway_dns/)                                     | DNS queries inspected by Cloudflare Gateway                                                                                                                 |
+| [Gateway HTTP](/logs/reference/log-fields/account/gateway_http/)                                   | HTTP requests inspected by Cloudflare Gateway                                                                                                               |
+| [Gateway Network](/logs/reference/log-fields/account/gateway_network/)                             | Network packets inspected by Cloudflare Gateway                                                                                                             |
+| [SSH Logs](/logs/reference/log-fields/account/ssh_logs/)                                           | SSH command logs for [Access for Infrastructure targets](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/)             |
+| [Zero Trust Network Session Logs](/logs/reference/log-fields/account/zero_trust_network_sessions/) | Network session logs for traffic proxied by Cloudflare Gateway                                                                                              |
 
 ## Parse DNS logs
 

@@ -7,7 +7,7 @@ sidebar:
     text: Beta
 ---
 
-import { TabItem, Tabs } from "~/components";
+import { TabItem, Tabs, Render } from "~/components";
 
 Log Explorer enables you to store and explore your Cloudflare logs directly within the Cloudflare Dashboard or API. Giving you visibility into your logs without the need to forward them to third parties. Logs are stored on Cloudflare's global network using the R2 object storage platform and can be queried via the Dashboard or SQL API.
 
@@ -26,13 +26,7 @@ Log Explorer is available at the account and zone level. At the zone level, data
 
 At the account level, the datasets available are:
 
-- [Access requests](/logs/reference/log-fields/account/access_requests/) (`FROM access_requests`)
-- [CASB Findings](/logs/reference/log-fields/account/casb_findings/) (`FROM casb_findings`)
-- [Device posture results](/logs/reference/log-fields/account/device_posture_results/) (`FROM device_posture_results`)
-- [Gateway DNS](/logs/reference/log-fields/account/gateway_dns/) (`FROM gateway_dns`)
-- [Gateway HTTP](/logs/reference/log-fields/account/gateway_http/) (`FROM gateway_http`)
-- [Gateway Network](/logs/reference/log-fields/account/gateway_network/) (`FROM gateway_network`)
-- [Zero Trust Network Session Logs](/logs/reference/log-fields/account/zero_trust_network_sessions/) (`FROM zero_trust_network_sessions`)
+<Render file="log-explorer-account-datasets" product="logs" />
 
 ## Authentication
 
@@ -54,8 +48,6 @@ Authentication with the API can be done via an authentication header or API toke
 
   - `Authorization: Bearer <API_TOKEN>` To create an appropriately scoped API token, refer to [Create API token](/fundamentals/api/get-started/create-token/) documentation. Copy and paste the token into the authorization parameter for your API call.
 
-
-
 ## Enable Log Explorer
 
 In order for Log Explorer to begin storing logs, you need to enable the desired datasets. You can do this via the dashboard or the API.
@@ -150,18 +142,18 @@ Which returns the following HTTP request details:
 
 ```json
 {
-  "result": [
-    {
-      "clientrequestscheme": "https",
-      "clientrequesthost": "example.com",
-      "clientrequestmethod": "GET",
-      "clientrequestuseragent": "curl/7.88.1",
-      "edgeresponsestatus": 200
-    }
-  ],
-  "success": true,
-  "errors": [],
-  "messages": []
+	"result": [
+		{
+			"clientrequestscheme": "https",
+			"clientrequesthost": "example.com",
+			"clientrequestmethod": "GET",
+			"clientrequestuseragent": "curl/7.88.1",
+			"edgeresponsestatus": 200
+		}
+	],
+	"success": true,
+	"errors": [],
+	"messages": []
 }
 ```
 
@@ -177,23 +169,23 @@ Which returns the following request details:
 
 ```json
 {
-  "result": [
-    {
-      "createdat": "2025-01-14T18:17:55Z",
-      "appdomain": "example.com",
-      "appuuid": "a66b4ab0-ccdf-4d60-a6d0-54a59a827d92",
-      "action": "login",
-      "allowed": true,
-      "country": "us",
-      "rayid": "90fbb07c0b316957",
-      "email": "[email protected]",
-      "ipaddress": "1.2.3.4",
-      "useruid": "52859e81-711e-4de0-8b31-283336060e79"
-    }
-  ],
-  "success": true,
-  "errors": [],
-  "messages": []
+	"result": [
+		{
+			"createdat": "2025-01-14T18:17:55Z",
+			"appdomain": "example.com",
+			"appuuid": "a66b4ab0-ccdf-4d60-a6d0-54a59a827d92",
+			"action": "login",
+			"allowed": true,
+			"country": "us",
+			"rayid": "90fbb07c0b316957",
+			"email": "[email protected]",
+			"ipaddress": "1.2.3.4",
+			"useruid": "52859e81-711e-4de0-8b31-283336060e79"
+		}
+	],
+	"success": true,
+	"errors": [],
+	"messages": []
 }
 ```
 

@@ -0,0 +1,11 @@
+---
+{}
+---
+
+- [Access requests](/logs/reference/log-fields/account/access_requests/) (`FROM access_requests`)
+- [CASB Findings](/logs/reference/log-fields/account/casb_findings/) (`FROM casb_findings`)
+- [Device posture results](/logs/reference/log-fields/account/device_posture_results/) (`FROM device_posture_results`)
+- [Gateway DNS](/logs/reference/log-fields/account/gateway_dns/) (`FROM gateway_dns`)
+- [Gateway HTTP](/logs/reference/log-fields/account/gateway_http/) (`FROM gateway_http`)
+- [Gateway Network](/logs/reference/log-fields/account/gateway_network/) (`FROM gateway_network`)
+- [Zero Trust Network Session Logs](/logs/reference/log-fields/account/zero_trust_network_sessions/) (`FROM zero_trust_network_sessions`)