Cloudflare

Overview

Integrate with Cloudflare to get your zone metrics, including web traffic, DNS queries, and threat insights. The integration is based on Cloudflare’s analytics API. Learn more about what resources correspond with which metrics in our documentation.

Log Collection: In addition to these metrics, Cloudflare allows customers to push logs directly into Datadog using Cloudflare Logpush. These detailed logs contain metadata generated by Cloudflare products and are helpful for debugging and creating analytics, especially when combined with logs from other sources. Enable Cloudflare log collection in combination with these metrics to get full visibility into your Cloudflare environment.

The out-of-the-box dashboard improves the security and performance of your applications. This single pane of glass gives you visibility into

  • security threats
  • HTTP request volume and error rates
  • load balancing, including round-trip time and any changes in traffic flow
  • performance issues in worker scripts

With enriched logs and detailed metrics giving you deep insight into your Cloudflare infrastructure, you can build the context you need to resolve issues.

The integration works with Datadog Cloud SIEM to provide out-of-the-box threat detection for

  • impossible travel
  • dangerous misconfigurations
  • DDoS attacks

Mitigate security threats more quickly with the included Workflow Automation blueprints, such as blocking an IP address or creating a case in Datadog.

Setup

Before you begin, you need a Datadog account, with an API key, and access to Cloudflare Logpush, which requires an Enterprise account plan.

When using a Cloudflare API token, ensure it has the Zone > Zone > Read and Zone > Analytics > Read permissions.

Installation

Install the integration with the Datadog Cloudflare integration tile.

Configuration

  1. Go to the Configure tab inside the Datadog Cloudflare integration tile.
  2. Enter the email addresses and API keys or token of the accounts you want to monitor. Your Cloudflare API key and API token are available in your Cloudflare account under My profile > Api Tokens.
  3. Add a name for the account. This name is arbitrary and used in the account tag on your metrics.

Log collection

Cloudflare allows customers to push logs directly into Datadog using Cloudflare Logpush. You can manage the Logpush job with the Cloudflare API or directly within your Cloudflare dashboard.

If you install the Cloudflare integration pipeline, it automatically remaps certain attributes. To see which attributes are remapped:

  1. Navigate to Logs Pipelines.
  2. Click Browse Pipeline Library on the top right.
  3. Enter Cloudflare in the search bar.
  4. Click Cloudflare to see the list of remappers and other processors that are installed.

Cloudflare API

  1. Create a Logpush job by making a POST request to the Logpush jobs endpoint. Include the following fields:

    • name (optional): Use your domain name as the job name.
    • destination_conf: A log destination consisting of the following parameters:
      • <DATADOG_ENDPOINT_URL>: The Datadog HTTP logs intake endpoint, which can be either one below. You can find the difference at Datadog API reference.
        • v1: http-intake.logs./v1/input
        • v2 (latest): http-intake.logs./api/v2/logs
      • <DATADOG_API_KEY>: Your Datadog API key.
      • ddsource: Set to cloudflare.
      • service (optional): Specify service name.
      • host (optional): Specify host name.
      • ddtags (optional): Specify tags.
    • dataset: The category of logs you want to receive. See the Cloudflare Log fields for a list of supported datasets.
    • logpull_options (optional): To configure fields, sample rate, and timestamp format, see the Logpush API options. Datadog mandates the use of RFC 3339 format for timestamps from Cloudflare, which is the default option used by Cloudflare.

    Example request:

    curl -s -X POST 'https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/logpush/jobs' \
    --header 'X-Auth-Key: <CLOUDFLARE_AUTH_KEY>' \
    --header 'X-Auth-Email: <CLOUDFLARE_AUTH_EMAIL>' \
    --header 'Content-Type: application/json' \
    --data-raw '{
       "name": "<NAME>",
       "destination_conf": "datadog://<DATADOG_ENDPOINT_URL>?header_DD-API-KEY=<DATADOG_API_KEY>&ddsource=cloudflare&service=cloudflare&ddtags=env:dev",
       "logpull_options": "fields=RayID,EdgeStartTimestamp&timestamps=rfc3339",
       "dataset": "http_requests"
    }'
    

    Example response:

    {
     "errors": [],
     "messages": [],
     "result": {
       "id": 100,
       "dataset": "http_requests",
       "enabled": false,
       "name": "<DOMAIN_NAME>",
       "logpull_options": "fields=RayID,EdgeStartTimestamp&timestamps=rfc3339",
       "destination_conf": "datadog://http-intake.logs./v1/input?header_DD-API-KEY=<DD-API-KEY>&ddsource=cloudflare&service=cloudflare&ddtags=env:dev",
       "last_complete": null,
       "last_error": null,
       "error_message": null
     },
     "success": true
    }
    

    Take note of the value of id. In the example above, it is 100.

  2. Enable the job. Use the job ID returned in the response and send {"enabled": true} in the request body.

    Example request:

    curl -s -X PUT \
    https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/logpush/jobs/<JOB_ID> -d'{"enabled":true}' | jq .
    

    Example response:

    {
      "errors": [],
      "messages": [],
      "result": {
        "id": 100,
        "dataset": "http_requests",
        "enabled": true,
        "name": "<DOMAIN_NAME>",
        "logpull_options": "fields=RayID,EdgeStartTimestamp&timestamps=rfc3339",
        "destination_conf": "datadog://?header_DD-API-KEY=<DATADOG-API-KEY>",
        "last_complete": null,
        "last_error": null,
        "error_message": null
      },
      "success": true
    }
    

Cloudflare dashboard

  1. Once you have connected a service with the Logpush section of the Cloudflare dashboard, select the dataset, select data fields, and then, under select destination, choose Datadog.

  2. Under Enter destination information, enter the Datadog URL Endpoint:

    http-intake.logs./api/v2/logs?ddsource=cloudflare
    

    Note: ddsource=cloudflare is required. To differentiate between logs, you can also add the optional parameters of service, host, and ddtags.

    Example:

    http-intake.logs./api/v2/logs?service=<SERVICE>&host=<HOST>&ddsource=cloudflare
    
  3. Enter the Datadog API key you used to set-up your Datadog Cloudflare integration tile.

  4. After validating access, you should see “Ready to push!” under Prove ownership. Click Push to complete.

Data Collected

Metrics

cloudflare.requests.all
(count)
Total request count
Shown as request
cloudflare.requests.cached
(count)
Cached requests count
Shown as request
cloudflare.requests.uncached
(count)
Uncached requests count
Shown as request
cloudflare.requests.ssl.encrypted
(count)
SSL encrypted requests count
Shown as request
cloudflare.requests.ssl.unencrypted
(count)
Unencrypted requests count
Shown as request
cloudflare.requests.country
(count)
Request count, tagged by IATA country code
Shown as request
cloudflare.requests.status
(count)
Request count, tagged by HTTP response code
Shown as request
cloudflare.requests.content_type
(count)
Request count, tagged by Content-Type
Shown as request
cloudflare.requests.ip_class
(count)
Request count, tagged by IP class
Shown as request
cloudflare.requests.cross_zone_sub_requests.avg
(gauge)
The proportion of requests that were inititiated by a Cloudflare Worker on another zone
Shown as request
cloudflare.requests.edge_dns_response_time.avg
(gauge)
Average edge dns response time in milliseconds
Shown as millisecond
cloudflare.requests.edge_time_to_first_byte.avg
(gauge)
Average time to first byte in milliseconds
Shown as millisecond
cloudflare.requests.origin_response_duration.avg
(gauge)
The average originResponseDuration in milliseconds excluding 0 values (i.e. cached ones)
Shown as millisecond
cloudflare.bandwidth.all
(count)
Total bandwidth
Shown as byte
cloudflare.bandwidth.cached
(count)
Cached bandwidth
Shown as byte
cloudflare.bandwidth.uncached
(count)
Uncached bandwidth
Shown as byte
cloudflare.bandwidth.ssl.encrypted
(count)
SSL encrypted bandwidth
Shown as byte
cloudflare.bandwidth.ssl.unencrypted
(count)
Unencrypted bandwidth
Shown as byte
cloudflare.bandwidth.country
(count)
Bandwidth tagged by IATA country code
Shown as byte
cloudflare.bandwidth.content_type
(count)
Bandwidth tagged by Content-Type
Shown as byte
cloudflare.threats.all
(count)
Total threats
Shown as operation
cloudflare.threats.type
(count)
Threats tagged by type
Shown as operation
cloudflare.threats.country
(count)
Threats tagged by IATA country code
Shown as operation
cloudflare.pageviews.all
(count)
Total page views
Shown as page
cloudflare.pageviews.search_engine
(count)
Page views tagged by search engine
Shown as page
cloudflare.uniques.all
(count)
Unique visitors count
Shown as connection
cloudflare.dns.query.all
(count)
DNS query count
Shown as request
cloudflare.dns.query.uncached
(count)
Uncached DNS query count
Shown as request
cloudflare.dns.query.stale
(count)
Stale DNS query count
Shown as request
cloudflare.dns.response_time.avg
(gauge)
DNS query average response time
Shown as millisecond
cloudflare.dns.response_time.median
(gauge)
DNS query median response time
Shown as millisecond
cloudflare.dns.response_time.90p
(gauge)
DNS query response time to the 90th percentile
Shown as millisecond
cloudflare.dns.response_time.99p
(gauge)
DNS query response time to the 99th percentile
Shown as millisecond
cloudflare.workers.requests.all
(count)
The request count to the worker script (metrics may not show without enabled API Key permissions)
Shown as request
cloudflare.workers.requests.errors
(count)
The error count to the worker script (metrics may not show without enabled API Key permissions)
Shown as request
cloudflare.workers.requests.subrequests
(count)
The subrequest count to the worker script (metrics may not show without enabled API Key permissions)
Shown as request
cloudflare.workers.response_time.75p
(gauge)
The worker response time to the 75th percentile (metrics may not show without enabled API Key permissions)
Shown as microsecond
cloudflare.workers.response_time.99p
(gauge)
The worker response time to the 99th percentile (metrics may not show without enabled API Key permissions)
Shown as microsecond
cloudflare.load_balancer.pool.round_trip_time.average
(gauge)
The average round trip time to reach the load balancer pool
Shown as millisecond
cloudflare.load_balancer.pool.health.status
(count)
The load balancer pool health status
Shown as request

Metric categories

The table below describes the types of metrics collected and their associated metric prefixes.

TypeDescriptionMetric Prefixes Collected
Web AnalyticsMetrics related to web traffic and performance.cloudflare.requests.all
cloudflare.requests.cached
cloudflare.requests.uncached
cloudflare.requests.ssl.encrypted
cloudflare.requests.ssl.unencrypted
cloudflare.requests.country
cloudflare.requests.status
cloudflare.requests.content_type
cloudflare.requests.ip_class
cloudflare.bandwidth.all
cloudflare.bandwidth.cached
cloudflare.bandwidth.uncached
cloudflare.bandwidth.ssl.encrypted
cloudflare.bandwidth.ssl.unencrypted
cloudflare.bandwidth.country
cloudflare.bandwidth.content_type
cloudflare.threats.all
cloudflare.threats.type
cloudflare.threats.country
cloudflare.pageviews.all
cloudflare.pageviews.search_engine
cloudflare.uniques.all
cloudflare.requests.cross_zone_sub_requests.avg
cloudflare.requests.edge_dns_response_time.avg
cloudflare.requests.edge_time_to_first_byte.avg
cloudflare.requests.origin_response_duration.avg
DNSMetrics related to DNS queries and response times.cloudflare.dns.query.all
cloudflare.dns.query.uncached
cloudflare.dns.query.stale
cloudflare.dns.response_time.avg
cloudflare.dns.response_time.median
cloudflare.dns.response_time.90p
cloudflare.dns.response_time.99p
Load BalancerMetrics related to load balancing pools.cloudflare.load_balancer.pool.round_trip_time.average
cloudflare.load_balancer.pool.health.status
Worker ScriptMetrics related to Cloudflare Workers scripts.cloudflare.workers.requests.all
cloudflare.workers.requests.errors
cloudflare.workers.requests.subrequests
cloudflare.workers.response_time.75p
cloudflare.workers.response_time.99p

Permissions

Verify your Cloudflare API token has these permissions enabled:

ScopePermissionStatus
AccountAccount AnalyticsRead
AccountAccount SettingRead
AccountWorker ScriptsRead
ZoneZoneRead
ZoneAnalyticsRead
ZoneWorker RoutesRead
ZoneLoad BalancersRead

Events

The Cloudflare integration does not include any events.

Service Checks

The Cloudflare integration does not include any service checks.

Troubleshooting

Need help? Contact Datadog support.

PREVIEWING: piotr_wolski/update-dsm-docs