
Configure payload logging for a Managed Ruleset via API

You can use the Rulesets API to configure payload logging for a Managed Ruleset.

Configure and enable payload logging

To configure:

  1. Use the Update rule in ruleset API method to update the rule that executes the Managed Ruleset.

  2. In the configuration of the rule that executes the Managed Ruleset, include a matched_data object in action_parameters to configure payload logging.

    The matched_data object has the following structure:

    "action_parameters": {
      // ...
      "matched_data": {
        "public_key": "<PUBLIC_KEY_VALUE>"
      }
    }
    

    Replace <PUBLIC_KEY_VALUE> with the public key you want to use for payload logging.

You can generate a public key in the command line or in the Cloudflare dashboard.

Example

The following example updates rule <RULE_ID_1> that executes the Cloudflare Managed Ruleset for zone <ZONE_ID>, configuring payload logging with the provided public key.

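# Update the rule that executes the Managed Ruleset, adding matched_data to action_parameters
curl -X PATCH \
"https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/rulesets/<RULESET_ID>/rules/<RULE_ID_1>" \
-H "Authorization: Bearer <API_TOKEN>" \
-H "Content-Type: application/json" \
-d '{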
  "action": "execute",
  "action_parameters": {
    "id": "<CLOUDFLARE_MANAGED_RULESET_ID>",
    "matched_data": {
      "public_key": "<YOUR_PUBLIC_KEY>"
    }
  },
  "expression": "true",
  "description": "Executes the Cloudflare Managed Ruleset"
}'

The response includes the complete ruleset after updating the rule.

{
  "result": {
    "id": "<ZONE_LEVEL_RULESET_ID>",
    "name": "Zone-level Ruleset 1",
    "description": "",
    "kind": "zone",
    "version": "3",
    "rules": [
      {
        "id": "<RULE_ID_1>",
        "version": "1",
        "action": "execute",
        "action_parameters": {
          "id": "<CLOUDFLARE_MANAGED_RULESET_ID>",
          "version": "latest",
          "matched_data": {
            "public_key": "<YOUR_PUBLIC_KEY>"
          }
        },
        "expression": "true",
        "description": "Executes the Cloudflare Managed Ruleset",
        "last_updated": "2021-06-28T18:08:14.003361Z",
        "ref": "<RULE_REF_1>",
        "enabled": true
      },
      // ...
    ],
    "last_updated": "2021-06-28T18:08:14.003361Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}

For more information on deploying Managed Rulesets via API, refer to Deploy a Managed Ruleset in the Ruleset Engine documentation.


Disable payload logging

To disable payload logging for a Managed Ruleset:

  1. Use the Update rule in ruleset API method to update the rule that executes the Managed Ruleset.

  2. Modify the rule definition so that there is no matched_data object in action_parameters.

The following example rule executes a Managed Ruleset with payload logging disabled:

{
  "action": "execute",
  "action_parameters": {
    "id": "<MANAGED_RULESET_ID>"
  },
  "expression": "true",
  "description": ""
}
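
The enable and disable procedures above both come down to whether a rule's action_parameters carries a matched_data object, and with which public key. The following Python sketch is an added example, not part of the Cloudflare documentation: it audits a ruleset response for rules whose payload logging is disabled or uses a key other than the expected one, and builds the update body that sets or removes matched_data. The function names, the sample response, and the placeholders <RULE_ID_2>, <RULE_ID_3> and <SOME_OTHER_KEY> are constructed for illustration.

```python
import copy
import json

# Constructed sample shaped like the response on this page; all values are placeholders.
SAMPLE_RESPONSE = json.loads("""
{"result": {"id": "<ZONE_LEVEL_RULESET_ID>", "phase": "http_request_firewall_managed",
  "rules": [
    {"id": "<RULE_ID_1>", "action": "execute", "expression": "true",
     "description": "Executes the Cloudflare Managed Ruleset",
     "action_parameters": {"id": "<CLOUDFLARE_MANAGED_RULESET_ID>", "version": "latest",
                           "matched_data": {"public_key": "<YOUR_PUBLIC_KEY>"}}},
    {"id": "<RULE_ID_2>", "action": "execute", "expression": "true", "description": "",
     "action_parameters": {"id": "<MANAGED_RULESET_ID>"}},
    {"id": "<RULE_ID_3>", "action": "execute", "expression": "true", "description": "",
     "action_parameters": {"id": "<MANAGED_RULESET_ID>",
                           "matched_data": {"public_key": "<SOME_OTHER_KEY>"}}}
  ]}, "success": true, "errors": [], "messages": []}
""")

def audit_payload_logging(response, expected_key):
    """Map each execute rule id to 'disabled', 'ok' or 'unexpected_key'."""
    report = {}
    for rule in response["result"]["rules"]:
        if rule.get("action") != "execute":
            continue
        matched = (rule.get("action_parameters") or {}).get("matched_data")
        if not matched:
            report[rule["id"]] = "disabled"
        elif matched.get("public_key") == expected_key:
            report[rule["id"]] = "ok"
        else:
            report[rule["id"]] = "unexpected_key"
    return report

def rule_update_body(rule, public_key=None):
    """Build an update body from an existing rule: set matched_data when a key
    is given, drop it when public_key is None (payload logging disabled)."""
    params = copy.deepcopy(rule.get("action_parameters") or {})
    params.pop("matched_data", None)
    if public_key is not None:
        params["matched_data"] = {"public_key": public_key}
    # Assumption: top-level fields mirror the page's request body;
    # the other action_parameters are carried over as returned.
    body = {k: rule[k] for k in ("action", "expression", "description") if k in rule}
    body["action_parameters"] = params
    return body

if __name__ == "__main__":
    print(audit_payload_logging(SAMPLE_RESPONSE, "<YOUR_PUBLIC_KEY>"))
    fix = rule_update_body(SAMPLE_RESPONSE["result"]["rules"][2], "<YOUR_PUBLIC_KEY>")
    print(json.dumps(fix, indent=2))
```

A rule reported as unexpected_key means matched payloads are being encrypted to a key other than the one you expect to hold the private half of, so it is worth checking after any rule change.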