Cloudflare Logpush Integration for Elastic


Version	1.46.0 (View all)
Subscription level What's this?	Basic
Developed by What's this?	Elastic
Ingestion method(s)	AWS S3, Azure Blob Storage, Google Cloud Storage, Webhook
Minimum Kibana version(s)	9.0.0 8.17.1

Overview

The Cloudflare Logpush integration allows you to monitor Access Request, Audit, CASB, Device Posture, DLP Forensic Copies, DNS, DNS Firewall, Email Security Alerts, Firewall Event, Gateway DNS, Gateway HTTP, Gateway Network, HTTP Request, Magic IDS, NEL Report, Network Analytics, Page Shield, Sinkhole HTTP, Spectrum Event, Zero Trust Network Session, and Workers Trace Events logs.

Cloudflare is a content delivery network and DDoS mitigation company. Cloudflare provides a network designed to make everything you connect to the Internet secure, private, fast, and reliable; secure your websites, APIs, and Internet applications; protect corporate networks, employees, and devices; and write and deploy code that runs on the network edge.

Compatibility

This integration follows the log schemas and field definitions published in the Cloudflare Log fields reference.

Cloudflare Logpush supports delivering logs to the following destinations, which can all be consumed by this integration:

HTTP destinations
Amazon S3
S3-compatible endpoints (including Cloudflare R2)
Google Cloud Storage
Microsoft Azure Blob Storage

How it works

Cloudflare Logpush pushes logs to the destination of your choice. Elastic Agent then reads those logs and ships them to Elasticsearch, where they are processed through each data stream's ingest pipeline.

The integration supports the following collection modes:

HTTP Endpoint mode — Cloudflare pushes logs directly to an HTTP endpoint hosted by your Elastic Agent.
AWS S3 polling mode — Cloudflare writes logs to an S3 bucket and Elastic Agent polls the bucket by listing its contents and reading new files.
AWS S3 SQS mode — Cloudflare writes logs to S3; S3 publishes object-created notifications to an SQS queue; Elastic Agent receives those notifications from SQS and reads the corresponding S3 objects. This mode supports horizontal scaling across multiple agents.
S3-compatible (Cloudflare R2) polling mode — Cloudflare writes logs to an R2 or other S3-compatible bucket and Elastic Agent polls the bucket using the S3 API.
Azure Blob Storage polling mode — Cloudflare writes logs to an Azure Blob Storage container and Elastic Agent polls the container by listing its contents and reading new files.
Google Cloud Storage polling mode — Cloudflare writes logs to a GCS bucket and Elastic Agent polls the bucket by listing its contents and reading new files.

What data does this integration collect?

The Cloudflare Logpush integration collects logs for the following Cloudflare datasets. Data streams are grouped by whether the underlying dataset is classified as a Cloudflare Zero Trust dataset or a non Zero Trust dataset.

Zero Trust events

access_request: HTTP requests to sites protected by Cloudflare Access. See Access Requests schema.
audit: Authentication events through Cloudflare Access, plus account-level configuration and administrative actions. See Audit Logs schema.
casb: Security issues detected by Cloudflare CASB in connected SaaS applications. See CASB Findings schema.
device_posture: Device posture status from the Cloudflare One Client (WARP). See Device Posture Results schema.
gateway_dns: DNS queries inspected by Cloudflare Gateway. See Gateway DNS schema.
gateway_http: HTTP requests inspected by Cloudflare Gateway. See Gateway HTTP schema.
gateway_network: Network packets inspected by Cloudflare Gateway. See Gateway Network schema.
network_session: Network session logs for traffic proxied by Cloudflare Gateway. See Zero Trust Network Session schema.

Non Zero Trust events

dns: Zone-scoped authoritative DNS query logs. See DNS logs schema.
dns_firewall: Cloudflare DNS Firewall query and response logs. See DNS Firewall logs schema.
dlp_forensic_copies: Data Loss Prevention forensic copies of content that matched a DLP profile. See DLP Forensic Copies schema.
email_security_alerts: Cloudflare Email Security alerts for phishing, malware, and other email-based threats. See Email Security Alerts schema.
firewall_event: Zone-level Firewall events for requests mitigated by Cloudflare security products (WAF, Rate Limiting, Firewall Rules, etc.). See Firewall Events schema.
http_request: HTTP/HTTPS request logs served at the Cloudflare edge. See HTTP Requests schema.
magic_ids: Magic Network Monitoring IDS detection logs. See Magic IDS Detections schema.
nel_report: Network Error Logging (NEL) reports collected from end-user browsers. See NEL Reports schema.
network_analytics: Network Analytics (Magic Transit / Magic WAN packet-sampled flow) logs. See Network Analytics Logs schema.
page_shield_events: Page Shield events reporting changes to scripts and connections observed on protected zones. See Page Shield Events schema.
sinkhole_http: HTTP traffic captured by Cloudflare sinkholes. See Sinkhole HTTP logs schema.
spectrum_event: Cloudflare Spectrum events for TCP/UDP applications proxied through Cloudflare. See Spectrum Events schema.
workers_trace: Cloudflare Workers Trace Events with execution logs and exceptions for Workers scripts. See Workers Trace Events schema.

Supported use cases

Integrating Cloudflare Logpush with Elastic provides centralized visibility across Cloudflare's edge, Zero Trust, and network-layer products. Common use cases include:

Investigating traffic, WAF, and DDoS-mitigation events from the Cloudflare edge (http_request, firewall_event, network_analytics).
Monitoring Zero Trust user activity, policy decisions, and device posture (gateway_http, gateway_dns, gateway_network, access_request, device_posture, network_session).
Detecting data exfiltration and SaaS misconfigurations (dlp_forensic_copies, casb, email_security_alerts).
Auditing administrative activity on the Cloudflare account (audit).
Troubleshooting DNS and client-side performance issues (dns, dns_firewall, nel_report, workers_trace).

What do I need to use this integration?

From Elastic

You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.

From Cloudflare

To use this integration, you must be able to create and manage Cloudflare Logpush jobs for the datasets you want to collect.

Permissions

Creating and managing Logpush jobs requires an API token or user role with the Logs Write permission (or a role that includes it, such as Super Administrator, Administrator, or Log Share with edit permissions). Refer to Cloudflare Logpush permissions for details.

Zone-scoped datasets (for example, http_requests, firewall_events, dns_logs, spectrum_events, nel_reports, page_shield_events) require a zone-scoped token.
Account-scoped datasets (for example, audit_logs, access_requests, casb_findings, device_posture_results, dlp_forensic_copies, email_security_alerts, gateway_*, dns_firewall_logs, magic_ids_detections, network_analytics_logs, sinkhole_http_logs, workers_trace_events, zero_trust_network_sessions) require an account-scoped token.
Zero Trust datasets (Access, Gateway, DEX) additionally require Zero Trust: PII Read.

Destination-specific credentials

Depending on the delivery destination, you also need:

AWS S3 / S3-compatible — an S3 bucket (or Cloudflare R2 bucket) and credentials (Access Key ID / Secret Access Key, or an IAM role) that Elastic Agent can use to list and read objects. For SQS-based delivery, an SQS queue subscribed to S3 object-created events.
Google Cloud Storage — a GCS bucket and a service account key (JSON) with read access to the bucket.
Azure Blob Storage — a storage account, a blob container, and either a shared access key, a connection string, or OAuth2 client credentials with read access to the container.
HTTP Endpoint — a reachable HTTPS endpoint exposed by Elastic Agent. Cloudflare requires a valid TLS certificate on the destination.

How do I deploy this integration?

This integration supports Elastic Agent-based installations.

Agent-based installation

Elastic Agent must be installed. For more details, check the Elastic Agent installation instructions. You can install only one Elastic Agent per host.

Onboard and configure

Configure one of the following delivery pipelines before enabling the integration in Elastic.

Collect data from AWS S3 Bucket

Configure Cloudflare Logpush to Amazon S3 to send Cloudflare's data to an AWS S3 bucket.

The default values of the Bucket Prefix are listed below. However, users can set the parameter Bucket Prefix according to their requirements.

Data Stream Name	Bucket Prefix
Access Request	access_request
Audit Logs	audit_logs
CASB findings	casb
Device Posture Results	device_posture
DLP Forensic Copies	dlp_forensic_copies
DNS	dns
DNS Firewall	dns_firewall
Email Security Alerts	email_security_alerts
Firewall Event	firewall_event
Gateway DNS	gateway_dns
Gateway HTTP	gateway_http
Gateway Network	gateway_network
HTTP Request	http_request
Magic IDS	magic_ids
NEL Report	nel_report
Network Analytics	network_analytics_logs
Page Shield Events	page_shield_events
Zero Trust Network Session	network_session
Sinkhole HTTP	sinkhole_http
Spectrum Event	spectrum_event
Workers Trace Events	workers_trace

Collect data from AWS SQS

If Logpush forwarding to an AWS S3 Bucket hasn't been configured, then first setup an AWS S3 Bucket as mentioned in the above documentation.
Follow the steps below for each Logpush data stream that has been enabled:
1. Create an SQS queue
  - To setup an SQS queue, follow "Step 1: Create an Amazon SQS queue" mentioned in the Amazon documentation.
  - While creating an SQS Queue, please provide the same bucket ARN that has been generated after creating an AWS S3 Bucket.
2. Setup event notification from the S3 bucket using the instructions here. Use the following settings:
  - Event type: All object create events (s3:ObjectCreated:*)
  - Destination: SQS Queue
  - Prefix (filter): enter the prefix for this Logpush data stream, e.g. audit_logs/
  - Select the SQS queue that has been created for this data stream

Note:

A separate SQS queue and S3 bucket notification is required for each enabled data stream.
Permissions for the above AWS S3 bucket and SQS queues should be configured according to the Filebeat S3 input documentation.
Credentials for the above AWS S3 and SQS input types should be configured using the link.
Data collection via AWS S3 Bucket and AWS SQS are mutually exclusive in this case.
It is recommended to use AWS SQS for Cloudflare Logpush.

Collect data from S3-Compatible Cloudflare R2 Buckets

Configure Cloudflare Logpush to Cloudflare R2 (or another S3-compatible endpoint) to push logs into an R2 bucket.

Note:

To obtain the Access Key ID and Secret Access Key, create an R2 API token by following the R2 authentication documentation. Once the token is created successfully, Cloudflare will display the Access Key ID and Secret Access Key values. Use these credentials to authenticate the integration.
When creating the R2 API token, make sure it has Admin permissions. This is needed to list buckets and view bucket configuration.

When configuring the integration to read from S3-Compatible Buckets such as Cloudflare R2, the following steps are required:

Enable the Collect logs via S3 Bucket toggle.
Set the S3-Compatible Bucket Name (shown as [Global][S3] S3-Compatible Bucket Name in the UI) to the R2 bucket name.
Set the Endpoint field to the API endpoint shown in the bucket details. It must be a full URI used as the API endpoint of the service. For Cloudflare R2 buckets, the URI is typically of the form https://<accountid>.r2.cloudflarestorage.com.
Set the Region field to auto. This is required for all non-AWS S3-compatible buckets on Elastic Agent 8.19.12 and later. For Cloudflare R2, the region is always auto per the R2 S3 API documentation.
Bucket Prefix is optional for each data stream.

Collect data from GCS Buckets

Configure Cloudflare Logpush to Google Cloud Storage to ingest data into a GCS bucket.
Configure the GCS bucket names and credentials along with the required configurations under the "Collect Cloudflare Logpush logs via Google Cloud Storage" section.
Make sure the service account and authentication being used has proper levels of access to the GCS bucket. Refer to Manage Service Account Keys for more details.

Note:

The GCS input currently does not support fetching of buckets using bucket prefixes, so the bucket names have to be configured manually for each data stream.
The GCS input accepts a service account JSON key or a service account JSON file for authentication.
The GCS input supports JSON/NDJSON data.

Collect data from Azure Blob Storage

Configure Cloudflare Logpush to Microsoft Azure to ingest data into Azure Blob Storage containers.
Configure Azure Blob Storage container names and credentials along with the required configurations under the "Collect Cloudflare Logpush logs via Azure Blob Storage" section.
Make sure the storage account and authentication being used has proper levels of access to the Azure Blob Storage Container. Follow the documentation here for more details.
If you want to use RBAC for your account, follow the documentation here.

Note:

The Azure Blob Storage input does not support fetching from containers using container prefixes, so the containers' names must be configured manually for each data stream.
The Azure Blob Storage input accepts a service account key (shared credentials key), service account URI (connection string) and OAuth2 credentials for authentication.
The Azure Blob Storage input only supports JSON/NDJSON data.

Collect data from the Cloudflare HTTP Endpoint

Refer to Enable HTTP destination for Cloudflare Logpush.
Add the same custom header along with its value on both sides (Cloudflare job and Elastic Agent HTTP input) for additional security.
For example, while creating a job along with a header and value for a particular dataset:

		curl --location --request POST 'https://api.cloudflare.com/client/v4/zones/<ZONE ID>/logpush/jobs' \
--header 'X-Auth-Key: <X-AUTH-KEY>' \
--header 'X-Auth-Email: <X-AUTH-EMAIL>' \
--header 'Authorization: <BASIC AUTHORIZATION>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "name":"<public domain>",
    "destination_conf": "https://<public domain>:<public port>/<dataset path>?header_Content-Type=application/json&header_<secret_header>=<secret_value>",
    "dataset": "audit",
    "logpull_options": "fields=RayID,EdgeStartTimestamp&timestamps=rfc3339"
}'
		
	

Note:

The destination_conf parameter inside the request data should set the Content-Type header to application/json. This is the content type that the HTTP endpoint expects for incoming events.
Default port for the HTTP Endpoint is 9560.
When using the same port for more than one dataset, be sure to specify different dataset paths.
To enable request ACKing, add a wait_for_completion_timeout request query with the timeout for an ACK. See the HTTP Endpoint documentation for details.

Enable the integration in Elastic

In the top search bar in Kibana, search for Integrations.
In the search bar, type Cloudflare Logpush.
Select the Cloudflare Logpush integration from the search results.
Select Add Cloudflare Logpush to add the integration.
Enable and configure only the collection methods which you will use.
- To Collect Cloudflare Logpush logs via HTTP Endpoint, you'll need to:
  - Configure the Listen Address and, per data stream, the Listen Port and URL.
  - Optionally configure Secret Header / Secret Value and SSL Configuration to secure the endpoint.
- To Collect Cloudflare Logpush logs via AWS S3, AWS SQS, or S3-Compatible Buckets, you'll need to:
  - Enable the Collect logs via S3 Bucket toggle when polling an S3 or S3-compatible bucket directly. Leave it disabled to consume S3 object-created events from an SQS queue.
  - For direct polling, configure the [S3] Bucket ARN, the [S3] Access Point ARN, or the [Global][S3] S3-Compatible Bucket Name (for Cloudflare R2 and other S3-compatible providers). For S3-compatible buckets also set Endpoint and Region.
  - Configure credentials using any of: Access Key ID / Secret Access Key (plus an optional Session Token), a Role ARN, or a Shared Credential File / Credential Profile Name.
  - For each enabled data stream, set the [SQS] Queue URL (when using SQS) or the [S3] Bucket Prefix (when polling an S3 / S3-compatible bucket). For R2 / S3-compatible buckets you may also override the bucket name per data stream using the [<Dataset>][S3] S3-Compatible Bucket Name field.
  - Tune throughput with [S3/SQS] Number of Workers and [S3] Interval (polling mode) or [SQS] Visibility Timeout / [SQS] API Timeout (SQS mode).
- To Collect Cloudflare Logpush logs via Google Cloud Storage, you'll need to:
  - Configure Project Id and either JSON Credentials key or JSON Credentials file path.
  - For each data stream, configure the Buckets list and optionally tune Maximum number of workers, Polling, Polling interval, and Bucket Timeout.
- To Collect Cloudflare Logpush logs via Azure Blob Storage, you'll need to:
  - Configure Account Name and (optionally) Storage URL, and authenticate using either a Service Account Key, a Service Account URI, or by enabling Collect logs using OAuth2 authentication and supplying Client ID (OAuth2), Client Secret (OAuth2), and Tenant ID (OAuth2).
  - For each data stream, configure the Containers list and optionally tune Maximum number of workers, Polling, and Polling interval.
Select Save and continue to save the integration.

Validation

Dashboards populated

In the top search bar in Kibana, search for Dashboards.
In the search bar, type Cloudflare Logpush.
Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated.

Troubleshooting

For help with Elastic ingest tools, check Common problems.
For Cloudflare-side troubleshooting and delivery status, refer to the Logpush health dashboard and the relevant destination-specific troubleshooting guide.
When collecting from Cloudflare R2 via the AWS S3 input, the error failed to get AWS region for bucket: operation error S3: GetBucketLocation usually indicates a credentials or permissions problem. Inspect the full API error response to identify the underlying issue.
When using Azure Blob Storage, SAS tokens must have the Write-only permission, the service set to Blob-only (ss=b), and the resource type set to Object-only (srt=o). Set an expiration of at least five years to avoid unexpected token expiry. Refer to Troubleshooting Azure destinations for details.
When using the HTTP Endpoint input, ensure the Elastic Agent endpoint is reachable over HTTPS with a trusted certificate and that any secret.header / secret.value pair configured on the agent matches the header_* parameter defined in the Logpush job's destination_conf.

Performance and scaling

For more information on architectures that can be used for scaling this integration, check the Ingest Architectures documentation.

Additional considerations:

For high-volume zones, AWS SQS mode is recommended because it distributes work across multiple Elastic Agents without requiring bucket polling.
Tune max_upload_bytes, max_upload_records, and max_upload_interval_seconds on the Logpush job to match the throughput your agents and destination can handle.
For each input, adjust the worker count and polling interval to balance latency against API calls / egress costs. The relevant fields are [S3/SQS] Number of Workers and [S3] Interval for the AWS S3 input, and Maximum number of workers with Polling interval for the Google Cloud Storage and Azure Blob Storage inputs.
Use Cloudflare Logpush sampling and filters to reduce the volume of low-value events at the source.

		{
    "@timestamp": "2023-05-23T17:18:33.000Z",
    "agent": {
        "ephemeral_id": "056ec563-a195-426e-9567-24bbfabae21f",
        "id": "b7ff516b-300e-4aa7-9b17-86fb55c9b5c3",
        "name": "elastic-agent-10661",
        "type": "filebeat",
        "version": "8.17.1"
    },
    "client": {
        "as": {
            "number": 35908
        },
        "geo": {
            "continent_name": "Asia",
            "country_iso_code": "BT",
            "country_name": "Bhutan",
            "location": {
                "lat": 27.5,
                "lon": 90.5
            }
        },
        "ip": "67.43.156.93"
    },
    "cloudflare_logpush": {
        "access_request": {
            "action": "login",
            "allowed": true,
            "app": {
                "domain": "partner-zt-logs.cloudflareaccess.com/warp",
                "uuid": "123e4567-e89b-12d3-a456-426614174000"
            },
            "client": {
                "ip": "67.43.156.93"
            },
            "connection": "onetimepin",
            "country": "us",
            "ray": {
                "id": "00c0ffeeabc12345"
            },
            "request": {
                "prompt": "Please provide your reason for accessing the application.",
                "response": "I need to access the application for work purposes."
            },
            "temp_access": {
                "approvers": [
                    "approver1@example.com",
                    "approver2@example.com"
                ],
                "duration": 7200
            },
            "timestamp": "2023-05-23T17:18:33.000Z",
            "user": {
                "email": "user@example.com",
                "id": "166befbb-00e3-5e20-bd6e-27245333949f"
            }
        }
    },
    "data_stream": {
        "dataset": "cloudflare_logpush.access_request",
        "namespace": "60239",
        "type": "logs"
    },
    "ecs": {
        "version": "9.3.0"
    },
    "elastic_agent": {
        "id": "b7ff516b-300e-4aa7-9b17-86fb55c9b5c3",
        "snapshot": false,
        "version": "8.17.1"
    },
    "event": {
        "action": "login",
        "agent_id_status": "verified",
        "category": [
            "network"
        ],
        "dataset": "cloudflare_logpush.access_request",
        "id": "00c0ffeeabc12345",
        "ingested": "2026-05-11T12:48:12Z",
        "kind": "event",
        "original": "{\"Action\":\"login\",\"Allowed\":true,\"AppDomain\":\"partner-zt-logs.cloudflareaccess.com/warp\",\"AppUUID\":\"123e4567-e89b-12d3-a456-426614174000\",\"Connection\":\"onetimepin\",\"Country\":\"us\",\"CreatedAt\":1684862313000000000,\"Email\":\"user@example.com\",\"IPAddress\":\"67.43.156.93\",\"PurposeJustificationPrompt\":\"Please provide your reason for accessing the application.\",\"PurposeJustificationResponse\":\"I need to access the application for work purposes.\",\"RayID\":\"00c0ffeeabc12345\",\"TemporaryAccessApprovers\":[\"approver1@example.com\",\"approver2@example.com\"],\"TemporaryAccessDuration\":7200,\"UserUID\":\"166befbb-00e3-5e20-bd6e-27245333949f\"}",
        "type": [
            "access",
            "allowed"
        ]
    },
    "input": {
        "type": "http_endpoint"
    },
    "related": {
        "ip": [
            "67.43.156.93"
        ],
        "user": [
            "166befbb-00e3-5e20-bd6e-27245333949f",
            "user@example.com",
            "approver1@example.com",
            "approver2@example.com"
        ]
    },
    "tags": [
        "preserve_original_event",
        "preserve_duplicate_custom_fields",
        "forwarded",
        "cloudflare_logpush-access_request"
    ],
    "url": {
        "domain": "partner-zt-logs.cloudflareaccess.com/warp"
    },
    "user": {
        "email": "user@example.com",
        "id": "166befbb-00e3-5e20-bd6e-27245333949f"
    }
}
		
	

Field	Description	Type
@timestamp	Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.	date
aws.s3.bucket.arn	The AWS S3 bucket ARN.	keyword
aws.s3.bucket.name	The AWS S3 bucket name.	keyword
aws.s3.object.key	The AWS S3 Object key.	keyword
azure.storage.blob.content_type	The content type of the Azure Blob Storage blob object	keyword
azure.storage.blob.name	The name of the Azure Blob Storage blob object	keyword
azure.storage.container.name	The name of the Azure Blob Storage container	keyword
cloudflare_logpush.access_request.action	What type of record is this. login	logout.	keyword
cloudflare_logpush.access_request.allowed	If request was allowed or denied.	boolean
cloudflare_logpush.access_request.app.domain	The domain of the Application that Access is protecting.	keyword
cloudflare_logpush.access_request.app.uuid	Access Application UUID.	keyword
cloudflare_logpush.access_request.client.ip	The IP address of the client.	ip
cloudflare_logpush.access_request.connection	Identity provider used for the login.	keyword
cloudflare_logpush.access_request.country	Request’s country of origin.	keyword
cloudflare_logpush.access_request.ray.id	Identifier of the request.	keyword
cloudflare_logpush.access_request.request.prompt	Message prompted to the client when accessing the application.	keyword
cloudflare_logpush.access_request.request.response	Justification given by the client when accessing the application.	keyword
cloudflare_logpush.access_request.temp_access.approvers	List of approvers for this access request.	keyword
cloudflare_logpush.access_request.temp_access.duration	Approved duration for this access request.	long
cloudflare_logpush.access_request.timestamp	The date and time the corresponding access request was made.	date
cloudflare_logpush.access_request.user.email	Email of the user who logged in.	keyword
cloudflare_logpush.access_request.user.id	The uid of the user who logged in.	keyword
data_stream.dataset	The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters	constant_keyword
data_stream.namespace	A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters	constant_keyword
data_stream.type	An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.	constant_keyword
event.dataset	Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.	constant_keyword
event.module	Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.	constant_keyword
gcs.storage.bucket.name	The name of the Google Cloud Storage Bucket.	keyword
gcs.storage.object.content_type	The content type of the Google Cloud Storage object.	keyword
gcs.storage.object.json_data	When parse_json is true, the resulting JSON data is stored in this field.	keyword
gcs.storage.object.name	The content type of the Google Cloud Storage object.	keyword
input.type	Input type	keyword
log.offset	Log offset	long
log.source.address	Source address from which the log event was read / sent from.	keyword

audit

This is the audit dataset.

Version	Details	Minimum Kibana version
1.46.0	Enhancement (View pull request) Update README documentation.	9.0.0 8.17.1
1.45.0	Enhancement (View pull request) Ingest pipeline improvements. Enhancement (View pull request) Normalize severity handling in CASB data stream. Enhancement (View pull request) Consolidate timestamp handling to a single script across all data streams. Enhancement (View pull request) Improve ECS mapping across multiple data streams. Enhancement (View pull request) Standardize the error message format and use the latest null-removal script. Enhancement (View pull request) Add `tag` key to each processor in the ingest pipelines. Enhancement (View pull request) Replace `rename` processors with typed `convert` processors for fields whose `fields.yml` mapping is `ip`, `long`, `double`, or `boolean`. This validates incoming values against the declared mapping and prevents off-type values from being silently indexed. Replace grok processors with dissect for simple delimiter-based pattern. Enhancement (View pull request) Update ECS to 9.3.0 and add new fields across multiple data streams.	9.0.0 8.17.1
1.44.2	Bug fix (View pull request) Split comma-separated values in `IPv4Options`, `IPv6ExtensionHeaders`, and `TCPOptions` fields from `network_analytics` data stream. Fix grammatical mistakes in manifest files.	9.0.0 8.17.1
1.44.1	Bug fix (View pull request) Fix multiple ingest pipeline and field definition bugs across data streams: - Fix incorrect field-path references and PascalCase mismatches with Cloudflare JSON keys. - Fix `dns` and `gateway_dns` to populate `related.hosts` and `related.ip` from the correct package fields. - Fix `gateway_network` GeoIP enrichment to tolerate missing source and destination IPs. - Fix `network_analytics` TCP SACK blocks split ordering and empty-string handling. - Fix swapped field descriptions in `firewall_event` and `http_request`. - Remove orphaned `page_shield_events.page` field that was never populated.	9.0.0 8.17.1
1.44.0	Enhancement (View pull request) Add SSL configuration option to the aws-s3 input.	9.0.0 8.17.1
1.43.5	Bug fix (View pull request) Update R2 setup documentation to require the `region` field instead of stating it is not needed.	9.0.0 8.17.1
1.43.4	Bug fix (View pull request) Add `region` variable to the aws-s3 input to fix compatibility with Elastic Agent 8.19.12+ when using non-AWS S3-compatible buckets such as Cloudflare R2.	9.0.0 8.17.1
1.43.3	Bug fix (View pull request) Use triple-brace Mustache templating when referencing variables in ingest pipelines.	9.0.0 8.17.1
1.43.2	Bug fix (View pull request) Fix URI parsing for URIs starting with '/' by constructing complete URIs from scheme, domain, and path components in http_request data stream.	9.0.0 8.17.1
1.43.1	Bug fix (View pull request) Fix uri parsing for http_request data stream.	9.0.0 8.17.1
1.43.0	Enhancement (View pull request) Add `Enable Data Deduplication` toggle for AWS S3 input. By default, it is enabled. When enabled, this setting prevents duplicates but may result in a lower indexing rate because Elasticsearch must check for existing documents before indexing.	9.0.0 8.17.1
1.42.0	Enhancement (View pull request) Add alternative host configuration option support in gcs input.	9.0.0 8.17.1
1.41.0	Enhancement (View pull request) Add Cloudflare `SourceInternalIP` field values to `related.ip` for the gateway_http and gateway_network data streams.	9.0.0 8.17.1
1.40.0	Enhancement (View pull request) Added support for Azure Blob Storage input for all data streams.	9.0.0 8.17.1
1.39.2	Bug fix (View pull request) Do not convert timestamps in spectrum_event datastream that are 0, "0" or "".	9.0.0 8.16.5
1.39.1	Bug fix (View pull request) Fix audit data stream null handling.	9.0.0 8.16.5
1.39.0	Enhancement (View pull request) Update the Cloudflare Logpush integration data streams introduction.	9.0.0 8.16.5
1.38.3	Bug fix (View pull request) Fix duplicate key `number_of_workers` inside gateway_http data stream.	9.0.0 8.16.5
1.38.2	Bug fix (View pull request) Fix handling of TCP SACK block lists.	9.0.0 8.16.5
1.38.1	Bug fix (View pull request) Fix Cloudflare source field rename handling.	9.0.0 8.16.5
1.38.0	Enhancement (View pull request) Add `tls.cipher` ECS mapping for `cloudflare_logpush.http_request.client.ssl.cipher`.	9.0.0 8.16.5
1.37.4	Bug fix (View pull request) Fix the field type of http_request.bot.detection_tags from long to keyword, aligning it with the log source type of string array. This resolves an issue where the field was being ignored due to the "ignored_malformed" index setting, making it unusable in searches.	9.0.0 8.16.5
1.37.3	Bug fix (View pull request) Fix default request trace enabled behavior.	9.0.0 8.16.5
1.37.2	Bug fix (View pull request) Fix geoip processor for gateway_dns and gateway_http when there is no `source.ip` or `destination.ip`.	9.0.0 8.16.5
1.37.1	Bug fix (View pull request) Fix handling of http_request events missing `EdgeStartTimestamp`.	9.0.0 8.16.5
1.37.0	Enhancement (View pull request) Add parse for missing field on Firewall Event dataset.	9.0.0 8.16.5
1.36.0	Enhancement (View pull request) Expand set of supported fields. Enhancement (View pull request) Add page_shield_events, dlp_forensic_copies and email_security_alerts data streams. Enhancement (View pull request) Enable request trace log removal.	9.0.0 8.16.5
1.35.2	Bug fix (View pull request) Fix handling of SQS worker count configuration.	9.0.0 8.16.5
1.35.1	Bug fix (View pull request) Fix handling of http_request events missing `ClientRequestProtocol`.	9.0.0 8.16.5
1.35.0	Enhancement (View pull request) Add support to configure start_timestamp and ignore_older configurations for AWS S3 backed inputs.	9.0.0 8.16.5
1.34.1	Bug fix (View pull request) Updated SSL description in package manifest.yml to be uniform and to include links to documentation.	9.0.0 8.16.2
1.34.0	Enhancement (View pull request) Update Kibana constraint to support 9.0.0.	9.0.0 8.16.2
1.33.0	Enhancement (View pull request) Reduce pipeline errors when expected fields are missing (part 2).	8.16.2
1.32.0	Enhancement (View pull request) Reduce pipeline errors when expected fields are missing.	8.16.2
1.31.0	Enhancement (View pull request) Populate the field event.id for Firewall Events and HTTP Requests.	8.16.2
1.30.0	Enhancement (View pull request) Provide request tracing support.	8.16.2
1.29.0	Enhancement (View pull request) Add support for Access Point ARN when collecting logs via the AWS S3 Bucket.	8.16.2
1.28.0	Enhancement (View pull request) Allow user configuration of server overload behavior for http_endpoint input.	8.16.2
1.27.0	Enhancement (View pull request) Add "preserve_original_event" tag to documents with `event.kind` set to "pipeline_error".	8.13.0
1.26.1	Bug fix (View pull request) Fix string literals in painless scripts.	8.13.0