> ## Documentation Index
> Fetch the complete documentation index at: https://docs.clarion.cantina.xyz/llms.txt
> Use this file to discover all available pages before exploring further.

# Cloudflare Logpush

> Send Cloudflare firewall_events Logpush batches to Clarion for L7 DDoS-like detection windows.

This guide walks you through configuring a Cloudflare Logpush monitor in Clarion. Clarion receives Cloudflare zone `firewall_events` rows, builds compact detection windows, and alerts on L7 DDoS-like security-event flood patterns.

<Note>
  Cloudflare Logpush is available on Enterprise plans. Clarion does not backfill historical Logpush data; detections start from the time Cloudflare begins sending rows to the monitor.
</Note>

## Prerequisites

* A **Clarion workspace**
* A connected **Cloudflare** integration in Clarion
* Access to a Cloudflare Enterprise zone
* Permission to create zone Logpush jobs
* The hostname or hostnames you want Clarion to evaluate

## Step 1 — Add a Cloudflare Logpush monitor

1. In Clarion, go to **Settings > Integrations > Cloudflare**
2. Open the **Monitors** tab
3. Click **Add monitor**
4. Choose **Cloudflare Logpush**
5. Enter a zone name and, optionally, the Cloudflare zone ID
6. Choose the host scope:
   * **Exact host** for one hostname
   * **Selected hosts** for multiple hostnames
7. Enter plain hostnames only, such as `app.example.com` or `api.example.com`
8. Choose a sensitivity level
9. Save the monitor

Clarion generates a **Webhook URL** and **Webhook secret**. Copy both values before configuring Cloudflare.

<Warning>
  If you rotate the secret in Clarion, update the Cloudflare Logpush destination header before sending more data.
</Warning>

<Note>
  Clarion matches Logpush rows against `ClientRequestHost`. Do not include schemes, paths, ports, or wildcards in the host list.
</Note>

## Step 2 — Create the Logpush job in Cloudflare

In the Cloudflare dashboard, open the same zone you configured in Clarion, then go to **Analytics & Logs > Logpush** and create a Logpush job.

Use these settings:

| Cloudflare setting          | Value                          |
| --------------------------- | ------------------------------ |
| Dataset                     | `firewall_events`              |
| Destination type            | HTTP destination               |
| Destination URL             | The Clarion **Webhook URL**    |
| Destination parameter name  | `header_cf-webhook-auth`       |
| Destination parameter value | The Clarion **Webhook secret** |
| Output type                 | `ndjson`                       |
| Timestamp format            | `rfc3339`                      |

Cloudflare sends destination parameters that start with `header_` as HTTP headers. The `header_cf-webhook-auth` parameter makes Cloudflare send the Clarion secret in a `cf-webhook-auth` header.

If you configure Logpush through the Cloudflare API or Terraform, put the header parameter in `destination_conf` and URL-encode the secret:

```text theme={null}
<CLARION_WEBHOOK_URL>?header_cf-webhook-auth=<URL_ENCODED_WEBHOOK_SECRET>
```

<Warning>
  Do not put the webhook secret in the monitor name, host scope, or any other descriptive field. Store it only as the Cloudflare HTTP destination header value.
</Warning>

## Step 3 — Include the required Logpush fields

Configure the Logpush job to include these `firewall_events` fields:

```text theme={null}
Datetime
RayID
Action
ClientRequestHost
ClientRequestPath
ClientCountry
ClientASN
OriginResponseStatus
EdgeResponseStatus
ClientIP
RuleID
Source
Description
MatchIndex
```

Clarion uses these fields to deduplicate rows, scope detections to the configured hostnames, aggregate hot paths and source traits, and classify Cloudflare mitigation actions.

<Note>
  Clarion does not store raw Logpush rows. It summarizes rows for detection and hashes client IP values before retaining compact aggregates.
</Note>

## Step 4 — Save and validate the Logpush job

Cloudflare validates HTTP destinations with a gzipped JSON test upload (`{"content":"tests"}`). Clarion accepts that validation upload and returns success when the monitor secret matches.

After validation succeeds, enable the Logpush job. New detections can be created once Cloudflare begins delivering current `firewall_events` rows to the monitor.

## Step 5 — Understand direct delivery limits

Cloudflare can send batches smaller than 5 MB, but its `max_upload_bytes` setting cannot be configured below 5 MB. If a zone produces an unusually large Logpush batch, delivery may be rejected and retried by Cloudflare. Keep the host scope focused on the hostnames you want Clarion to monitor.

## What Clarion detects

Clarion monitors for DDoS-like L7 security-event flood patterns visible in Cloudflare `firewall_events`.

This detector does not claim to detect allowed-only traffic floods or total origin traffic volume. It relies on Cloudflare security events such as blocked, challenged, managed challenge, and rate-limited traffic.

The initial detection pack is **Zone Security** with the **L7 DDoS** detector. Sensitivity controls the event-volume thresholds Clarion uses before opening high or critical detections.

## Operational notes

* Multiple Cloudflare Notifications monitors and multiple Cloudflare Logpush monitors can coexist.
* Use separate Logpush monitors when different host groups should route to different Clarion agents.
* Cloudflare limits Logpush to four jobs per dataset per zone.
* Rows should be delivered promptly; significantly delayed rows may not be evaluated.
* If Cloudflare retries the same batch, Clarion deduplicates rows and replayed request bodies.

## Troubleshooting

If Cloudflare validation fails:

* Confirm the destination URL exactly matches the Clarion **Webhook URL**
* Confirm the destination parameter is named `header_cf-webhook-auth`
* Confirm the destination parameter value matches the Clarion **Webhook secret**
* If you replaced the secret in Clarion, update the Cloudflare destination before testing again

If Logpush delivers successfully but Clarion does not open detections:

* Confirm `ClientRequestHost` exactly matches the monitor host scope
* Confirm the Logpush job is sending the `firewall_events` dataset
* Confirm the required fields are included in the job output
* Check whether traffic is below the selected sensitivity threshold
* Remember that allowed-only origin floods are outside this detector's scope

References: [Cloudflare Logpush](https://developers.cloudflare.com/logs/logpush/), [Cloudflare HTTP destinations](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/http/), [Cloudflare firewall\_events fields](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/zone/firewall_events/).
