Cloudflare Enablement
WAF
Testing
GitHub icon
Edit this page on GitHub
Set theme to dark (⇧+D)
  1. Products
  2. WAF
  3. ...
  4. Log the payload of matched rules
  5. Configure payload logging via API

Configure payload logging for a managed ruleset via API

Use the Rulesets API to configure payload logging for a managed ruleset via API.

​​ Configure and enable payload logging

  1. Use the Get a zone entry point ruleset operation to obtain the following IDs:

    • The ID of the entry point ruleset of the http_request_firewall_managed phase.
    • The ID of the rule deploying the WAF managed ruleset (an execute rule) for which you want to configure payload logging.

  2. Use the Update a zone ruleset rule operation to update the rule you identified in the previous step.

    Include a matched_data object in the rule’s action_parameters object to configure payload logging. The matched_data object has the following structure:

    Replace <PUBLIC_KEY_VALUE> with the public key you want to use for payload logging. You can generate a public key in the command line or in the Cloudflare dashboard.

​​ Example

This example configures payload logging for the Cloudflare Managed Ruleset, which is already deployed for a zone with ID {zone_id}.

  1. Invoke the Get a zone entry point ruleset operation (a GET request) to obtain the rules currently configured in the entry point ruleset of the http_request_firewall_managed phase.

  2. Save the following IDs for the next step:

    • The ID of the entry point ruleset: ...537e0d2c 
    • The ID of the execute rule deploying the Cloudflare Managed Ruleset: ...efcb79e7 

    To find the correct rule in the rules array, search for an execute rule containing the ID of the Cloudflare Managed Ruleset ( ...376e9aee ) in action_parameters > id.

  3. Invoke the Update a zone ruleset rule operation (a PATCH request) to update the configuration of the rule you identified. The rule will now include the payload logging configuration (matched_data object).

    The response will include the complete ruleset after updating the rule.

For more information on deploying managed rulesets via API, refer to Deploy a managed ruleset in the Ruleset Engine documentation.

​​ Disable payload logging

To disable payload logging for a managed ruleset:

  1. Use the Update a zone ruleset rule operation (a PATCH request) to update the rule deploying the managed ruleset (an execute rule).

  2. Modify the rule definition so that there is no matched_data object in action_parameters.

For example, the following PATCH request updates rule with ID {rule_id} deploying the Cloudflare Managed Ruleset so that payload logging is disabled:

For details on obtaining the entry point ruleset ID and the ID of the rule to update, refer to Configure and enable payload logging.