Configure payload logging for a managed ruleset via API
Use the Rulesets API to configure payload logging for a managed ruleset via API.
Configure and enable payload logging
Use the Get a zone entry point ruleset operation to obtain the following IDs:
- The ID of the entry point ruleset of the
http_request_firewall_managed
phase. - The ID of the rule deploying the WAF managed ruleset (an
execute
rule) for which you want to configure payload logging.
- The ID of the entry point ruleset of the
Use the Update a zone ruleset rule operation to update the rule you identified in the previous step.
Include a
matched_data
object in the rule’saction_parameters
object to configure payload logging. Thematched_data
object has the following structure:"action_parameters": {// ..."matched_data": {"public_key": "<PUBLIC_KEY_VALUE>"}}Replace
<PUBLIC_KEY_VALUE>
with the public key you want to use for payload logging. You can generate a public key in the command line or in the Cloudflare dashboard.
Example
This example configures payload logging for the Cloudflare Managed Ruleset, which is already deployed for a zone with ID {zone_id}
.
Invoke the Get a zone entry point ruleset operation (a
GET
request) to obtain the rules currently configured in the entry point ruleset of thehttp_request_firewall_managed
phase.Request
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_request_firewall_managed/entrypoint \--header "Authorization: Bearer <API_TOKEN>"Example response
{"result": {"id": "060013b1eeb14c93b0dcd896537e0d2c", // entry point ruleset ID"name": "default","description": "","source": "firewall_managed","kind": "zone","version": "3","rules": [// (...){"id": "1bdb49371c1f46958fc8b985efcb79e7", // `execute` rule ID"version": "1","action": "execute","expression": "true","last_updated": "2024-01-20T14:21:28.643979Z","ref": "1bdb49371c1f46958fc8b985efcb79e7","enabled": true,"action_parameters": {"id": "efb7b8c949ac4650a09736fc376e9aee", // "Cloudflare Managed Ruleset" ID"version": "latest"}},// (...)],"last_updated": "2024-01-20T14:29:00.190643Z","phase": "http_request_firewall_managed"},"success": true,"errors": [],"messages": []}Save the following IDs for the next step:
- The ID of the entry point ruleset:
060013b1eeb14c93b0dcd896537e0d2c
- The ID of the
execute
rule deploying the Cloudflare Managed Ruleset:1bdb49371c1f46958fc8b985efcb79e7
.
To find the correct rule in the
rules
array, search for anexecute
rule containing the ID of the Cloudflare Managed Ruleset (efb7b8c949ac4650a09736fc376e9aee
) inaction_parameters > id
.- The ID of the entry point ruleset:
Invoke the Update a zone ruleset rule operation (a
PATCH
request) to update the configuration of the rule you identified. The rule will now include the payload logging configuration (matched_data
object).Request
curl --request PATCH \"https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/060013b1eeb14c93b0dcd896537e0d2c/rules/1bdb49371c1f46958fc8b985efcb79e7" \--header "Authorization: Bearer <API_TOKEN>" \--header "Content-Type: application/json" \--data '{"action": "execute","action_parameters": {"id": "efb7b8c949ac4650a09736fc376e9aee","matched_data": {"public_key": "Ycig/Zr/pZmklmFUN99nr+taURlYItL91g+NcHGYpB8="}},"expression": "true"}'The response will include the complete ruleset after updating the rule.
For more information on deploying managed rulesets via API, refer to Deploy a managed ruleset in the Ruleset Engine documentation.
Disable payload logging
To disable payload logging for a managed ruleset:
Use the Update a zone ruleset rule operation (a
PATCH
request) to update the rule deploying the managed ruleset (anexecute
rule).Modify the rule definition so that there is no
matched_data
object inaction_parameters
.
For example, the following PATCH
request updates rule with ID {rule_id}
deploying the Cloudflare Managed Ruleset so that payload logging is disabled:
curl --request PATCH \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{entrypoint_ruleset_id}/rules/{rule_id}" \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{ "action": "execute", "action_parameters": { "id": "efb7b8c949ac4650a09736fc376e9aee" }, "expression": "true"}'
For details on obtaining the entry point ruleset ID and the ID of the rule to update, refer to Configure and enable payload logging.