Change log for CLOUDFLARE_AUDIT
Date
Changes
2023-11-27
Enhancement:
- Added a Grok pattern to match new log format.
- Mapped "ResourceID" to "target.resource.product_object_id".
- Mapped "metainfo_zone_name" to "principal.hostname".
- Mapped "metainfo_user_id" to "principal.user.userid".
- Mapped "metainfo_user_email" to "principal.user.email".
- Mapped "metainfo_user_tag" to "principal.user.product_object_id".
- Mapped "metainfo" fields to "security_result.detection_fields".
- Mapped "newvalue_session_id" to "network.session_id".
- Mapped "NewValue" to "security_result.detection_fields".
- Mapped "OldValue" to "security_result.detection_fields".
- If "ActorID" is present, set "metadata.event_type" to "USER_RESOURCE_ACCESS".
2023-07-09
New parser created.
Last updated 2025-08-29 UTC.