This guide walks you through configuring a Cloudflare Logpush monitor in Clarion. Clarion receives Cloudflare zone firewall_events rows, builds compact detection windows, and alerts on L7 DDoS-like security-event flood patterns.
Cloudflare Logpush is available on Enterprise plans. Clarion does not backfill historical Logpush data; detections start from the time Cloudflare begins sending rows to the monitor.

Prerequisites

  • A Clarion workspace
  • A connected Cloudflare integration in Clarion
  • Access to a Cloudflare Enterprise zone
  • Permission to create zone Logpush jobs
  • The hostname or hostnames you want Clarion to evaluate

Step 1 — Add a Cloudflare Logpush monitor

  1. In Clarion, go to Settings > Integrations > Cloudflare
  2. Open the Monitors tab
  3. Click Add monitor
  4. Choose Cloudflare Logpush
  5. Enter a zone name and, optionally, the Cloudflare zone ID
  6. Choose the host scope:
    • Exact host for one hostname
    • Selected hosts for multiple hostnames
  7. Enter plain hostnames only, such as app.example.com or api.example.com
  8. Choose a sensitivity level
  9. Save the monitor
Clarion generates a Webhook URL and Webhook secret. Copy both values before configuring Cloudflare.
If you rotate the secret in Clarion, update the Cloudflare Logpush destination header before sending more data.
Clarion matches Logpush rows against ClientRequestHost. Do not include schemes, paths, ports, or wildcards in the host list.

Step 2 — Create the Logpush job in Cloudflare

In the Cloudflare dashboard, open the same zone you configured in Clarion, then go to Analytics & Logs > Logpush and create a Logpush job. Use these settings:
Cloudflare setting          | Value
Dataset                     | firewall_events
Destination type            | HTTP destination
Destination URL             | The Clarion Webhook URL
Destination parameter name  | header_cf-webhook-auth
Destination parameter value | The Clarion Webhook secret
Output type                 | ndjson
Timestamp format            | rfc3339
Cloudflare sends destination parameters that start with header_ as HTTP headers. The header_cf-webhook-auth parameter makes Cloudflare send the Clarion secret in a cf-webhook-auth header. If you configure Logpush through the Cloudflare API or Terraform, put the header parameter in destination_conf and URL-encode the secret:
<CLARION_WEBHOOK_URL>?header_cf-webhook-auth=<URL_ENCODED_WEBHOOK_SECRET>
Do not put the webhook secret in the monitor name, host scope, or any other descriptive field. Store it only as the Cloudflare HTTP destination header value.

Step 3 — Include the required Logpush fields

Configure the Logpush job to include these firewall_events fields:
Datetime
RayID
Action
ClientRequestHost
ClientRequestPath
ClientCountry
ClientASN
OriginResponseStatus
EdgeResponseStatus
ClientIP
RuleID
Source
Description
MatchIndex
Clarion uses these fields to deduplicate rows, scope detections to the configured hostnames, aggregate hot paths and source traits, and classify Cloudflare mitigation actions.
Clarion does not store raw Logpush rows. It summarizes rows for detection and hashes client IP values before retaining compact aggregates.
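For API or Terraform setups, the following added example (not Clarion's or Cloudflare's own code) builds the Logpush job body from Steps 2 and 3, URL-encoding the secret into destination_conf and confirming it decodes back unchanged. The job name, webhook URL and secret are constructed placeholders, the output_options layout follows Cloudflare's Logpush job API, and rejecting a webhook URL that already carries a query string is an assumption of this sketch.

```python
import json
from urllib.parse import parse_qs, quote, urlsplit

# Fields listed in Step 3 for the firewall_events dataset.
REQUIRED_FIELDS = (
    "Datetime RayID Action ClientRequestHost ClientRequestPath ClientCountry "
    "ClientASN OriginResponseStatus EdgeResponseStatus ClientIP RuleID Source "
    "Description MatchIndex"
).split()


def build_destination_conf(webhook_url: str, secret: str) -> str:
    """Append the secret as the header_cf-webhook-auth destination parameter."""
    parts = urlsplit(webhook_url)
    # Assumption: the Clarion Webhook URL is a bare https URL with no query string.
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("expected a bare https webhook URL")
    # safe="" percent-encodes every reserved character, including / + & = %
    conf = f"{webhook_url}?header_cf-webhook-auth={quote(secret, safe='')}"
    # Round-trip check: the decoded parameter must equal the original secret.
    decoded = parse_qs(urlsplit(conf).query, strict_parsing=True)
    if decoded != {"header_cf-webhook-auth": [secret]}:
        raise ValueError("secret did not survive URL encoding")
    return conf


def build_job(name: str, webhook_url: str, secret: str) -> dict:
    """Build a Logpush job body with the settings from Steps 2 and 3."""
    if secret in name:
        raise ValueError("keep the webhook secret out of descriptive fields")
    return {
        "name": name,
        "dataset": "firewall_events",
        "destination_conf": build_destination_conf(webhook_url, secret),
        "output_options": {
            "field_names": REQUIRED_FIELDS,
            "output_type": "ndjson",
            "timestamp_format": "rfc3339",
        },
        "enabled": False,  # enable once Cloudflare's validation upload succeeds
    }


if __name__ == "__main__":
    # Constructed placeholder values, not real Clarion output.
    job = build_job("clarion-logpush", "https://clarion.example/hook/abc", "s3cr+t/with&chars=")
    print(json.dumps(job, indent=2))
```

An unencoded `+`, `&` or `=` in the secret would change the header value Cloudflare sends, which shows up as a validation failure in Step 4.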

Step 4 — Save and validate the Logpush job

Cloudflare validates HTTP destinations with a gzipped JSON test upload ({"content":"tests"}). Clarion accepts that validation upload and returns success when the monitor secret matches. After validation succeeds, enable the Logpush job. New detections can be created once Cloudflare begins delivering current firewall_events rows to the monitor.

Step 5 — Understand direct delivery limits

Cloudflare can send batches smaller than 5 MB, but its max_upload_bytes setting cannot be configured below 5 MB. If a zone produces an unusually large Logpush batch, delivery may be rejected and retried by Cloudflare. Keep the host scope focused on the hostnames you want Clarion to monitor.

What Clarion detects

Clarion monitors for DDoS-like L7 security-event flood patterns visible in Cloudflare firewall_events. This detector does not claim to detect allowed-only traffic floods or total origin traffic volume. It relies on Cloudflare security events such as blocked, challenged, managed challenge, and rate-limited traffic. The initial detection pack is Zone Security with the L7 DDoS detector. Sensitivity controls the event-volume thresholds Clarion uses before opening high or critical detections.

Operational notes

  • Multiple Cloudflare Notifications monitors and multiple Cloudflare Logpush monitors can coexist.
  • Use separate Logpush monitors when different host groups should route to different Clarion agents.
  • Cloudflare limits Logpush to four jobs per dataset per zone.
  • Rows should be delivered promptly; significantly delayed rows may not be evaluated.
  • If Cloudflare retries the same batch, Clarion deduplicates rows and replayed request bodies.

Troubleshooting

If Cloudflare validation fails:
  • Confirm the destination URL exactly matches the Clarion Webhook URL
  • Confirm the destination parameter is named header_cf-webhook-auth
  • Confirm the destination parameter value matches the Clarion Webhook secret
  • If you replaced the secret in Clarion, update the Cloudflare destination before testing again
If Logpush delivers successfully but Clarion does not open detections:
  • Confirm ClientRequestHost exactly matches the monitor host scope
  • Confirm the Logpush job is sending the firewall_events dataset
  • Confirm the required fields are included in the job output
  • Check whether traffic is below the selected sensitivity threshold
  • Remember that allowed-only origin floods are outside this detector’s scope
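The host-scope and field checks above can be run offline against a captured Logpush upload. This is an added example, not Clarion's code: the sample rows are constructed, and the case-sensitive comparison on ClientRequestHost is an assumption about what "exactly matches" means.

```python
import gzip
import json
import re

# Fields Step 3 requires in the firewall_events job output.
REQUIRED = set((
    "Datetime RayID Action ClientRequestHost ClientRequestPath ClientCountry "
    "ClientASN OriginResponseStatus EdgeResponseStatus ClientIP RuleID Source "
    "Description MatchIndex").split())
# Plain hostname only: no scheme, path, port or wildcard.
PLAIN_HOST = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}", re.I)


def bad_scope_entries(hosts):
    """Return host-scope entries that are not plain hostnames."""
    return [h for h in hosts if not PLAIN_HOST.fullmatch(h)]


def preflight(gz_body, hosts):
    """Summarise one gzipped NDJSON upload against the monitor host scope."""
    report = {"validation_upload": False, "rows": 0, "in_scope": 0,
              "missing_fields": set(), "out_of_scope_hosts": set()}
    lines = gzip.decompress(gz_body).decode("utf-8").splitlines()
    for row in (json.loads(l) for l in lines if l.strip()):
        if row == {"content": "tests"}:  # Cloudflare's validation upload
            report["validation_upload"] = True
            continue
        report["rows"] += 1
        report["missing_fields"] |= REQUIRED - set(row)
        host = row.get("ClientRequestHost")
        if host in hosts:  # assumption: exact, case-sensitive match
            report["in_scope"] += 1
        else:
            report["out_of_scope_hosts"].add(host)
    return report


def sample_batch():
    """Constructed sample rows (not real traffic), gzipped as NDJSON."""
    full = dict.fromkeys(REQUIRED, "x")
    rows = [{**full, "ClientRequestHost": "app.example.com"},
            {**full, "ClientRequestHost": "www.example.com"},
            {"ClientRequestHost": "app.example.com", "Action": "block"}]  # fields missing
    return gzip.compress("\n".join(json.dumps(r) for r in rows).encode())


if __name__ == "__main__":
    print(bad_scope_entries(["app.example.com", "https://api.example.com", "*.example.com"]))
    print(preflight(sample_batch(), ["app.example.com"]))
```

A non-empty missing_fields set points at the job's field selection, while rows that all land in out_of_scope_hosts point at the monitor's host scope.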
References: Cloudflare Logpush, Cloudflare HTTP destinations, Cloudflare firewall_events fields.