Listing Firewall Events

I am listing Cloudflare firewall events. However, instead of writing which rule is in the source section, it says firewallCustom. How can I fix this... My code: https://discord.com/channels/595317990191398933/1114130327351332964 Source eq: Http 1.0 Block Rule...
{
  "events": [
    {
      "action": "skip",
      "clientAsn": "8075",
      "clientCountryName": "US",
      "clientIP": "52.167.144.131",
      "clientRequestPath": "/robots.txt",
      "clientRequestQuery": "",
      "datetime": "2023-06-02T19:40:40Z",
      "source": "firewallCustom",
      "userAgent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/103.0.5060.134 Safari/537.36"
    }
  ]
}
20 Replies
Chaika
Chaika13mo ago
source is just the product. You want ruleId or rulesetId I believe
lokiwind
lokiwind13mo ago
Yeah, it could be ruleid, it doesn't matter.
Chaika
Chaika13mo ago
what do you mean? Are you saying those fields don't contain the http 1.0 block rule id?
lokiwind
lokiwind13mo ago
I want to know which rule the incident belongs to. Listing all events for Cloudflare custom rule. I would like to know which custom rule these listed events belong to.
Chaika
Chaika13mo ago
That's the ruleSetId property
lokiwind
lokiwind13mo ago
Hmm so I can't use this feature in firewall events
Chaika
Chaika13mo ago
that rule has an ID for itself (rulesetId), and an ID for each of the specific rules within it (ruleId)
Chaika
Chaika13mo ago
and in events, the ruleId = that
Chaika
Chaika13mo ago
you can filter by it as well
lokiwind
lokiwind13mo ago
Ah ok, does every custom rule have a ruleset id?
Chaika
Chaika13mo ago
err sorry I explained that a bit weirdly, every rule has a ruleId, the rulesetId is the ID for all custom rules in general
Chaika
Chaika13mo ago
(you can filter by either, of course)
lokiwind
lokiwind13mo ago
hmm It's too complicated. 😦
Chaika
Chaika13mo ago
If you want to filter for a specific rule, just get the rule id, and filter by ruleId. The ruleSetId is just the same ID for all custom rules within your zone, as I understand it
lokiwind
lokiwind13mo ago
Querying Magic Firewall Samples with GraphQL · Cloudflare Analytics...
In this example, we are going to use the GraphQL Analytics API to query for Magic Firewall Samples over a specified time period.
Chaika
Chaika13mo ago
looks like it, yep.
lokiwind
lokiwind13mo ago
😘
Chaika
Chaika13mo ago
If it's worth mentioning, that uses groups with sampling, i.e. firewallEventsAdaptiveGroups, not firewallEventsAdaptive, and firewallEventsAdaptiveGroups seems to be Pro or higher. Even without that exact query though, you can just add ruleId to your list of fields in firewallEventsAdaptive and do the grouping/counting yourself, up to a point
lokiwind
lokiwind13mo ago
{
  "events": [
    {
      "action": "challenge",
      "clientAsn": "4134",
      "clientCountryName": "CN",
      "clientIP": "124.235.138.30",
      "clientRequestPath": "/",
      "clientRequestQuery": "",
      "datetime": "2023-06-02T21:36:26Z",
      "source": "firewallCustom",
      "userAgent": "Mozilla/5.0 (iPad; CPU OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1",
      "ruleId": "f51e15c853554faaa9c0f9165785b0f8"
    }
  ]
}
Yeah, I got it, thank you, mate. @chaika.me
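
The "do the grouping/counting yourself" approach suggested in the thread, as an added example that is not code from the thread or from Cloudflare. It assumes the events have already been fetched with ruleId in the field list; the sample events, the placeholder rule IDs and the RULE_NAMES lookup are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events in the shape shown in the thread (ruleId added to
# the field list). IDs and IPs are placeholders, not real values.
SAMPLE_EVENTS = [
    {"action": "challenge", "clientIP": "192.0.2.10", "clientRequestPath": "/",
     "datetime": "2023-06-02T21:36:26Z", "source": "firewallCustom",
     "ruleId": "rule-id-placeholder-a"},
    {"action": "skip", "clientIP": "198.51.100.7", "clientRequestPath": "/robots.txt",
     "datetime": "2023-06-02T19:40:40Z", "source": "firewallCustom",
     "ruleId": "rule-id-placeholder-b"},
    {"action": "challenge", "clientIP": "192.0.2.11", "clientRequestPath": "/login",
     "datetime": "2023-06-02T21:40:02Z", "source": "firewallCustom",
     "ruleId": "rule-id-placeholder-a"},
    # An event fetched without ruleId, as in the first output in the thread.
    {"action": "skip", "clientIP": "203.0.113.5", "clientRequestPath": "/",
     "datetime": "2023-06-02T18:00:00Z", "source": "firewallCustom"},
]

# Hypothetical ruleId -> display name lookup that you maintain yourself
# (assumption: the events carry only the ID, not the rule's name).
RULE_NAMES = {"rule-id-placeholder-a": "Challenge rule (constructed name)"}


def summarize_by_rule(events, rule_names=None):
    """Group events by ruleId; return rows sorted by hit count (descending)."""
    rule_names = rule_names or {}
    groups = defaultdict(lambda: {"count": 0, "actions": Counter(), "last_seen": ""})
    for ev in events:
        rule_id = ev.get("ruleId") or "(no ruleId)"
        g = groups[rule_id]
        g["count"] += 1
        g["actions"][ev.get("action", "unknown")] += 1
        # Same-format UTC ISO 8601 timestamps sort correctly as strings.
        g["last_seen"] = max(g["last_seen"], ev.get("datetime", ""))
    rows = [{"ruleId": rid, "name": rule_names.get(rid, "(unnamed rule)"),
             "count": g["count"], "actions": dict(g["actions"]),
             "last_seen": g["last_seen"]} for rid, g in groups.items()]
    rows.sort(key=lambda r: (-r["count"], r["ruleId"]))
    return rows


if __name__ == "__main__":
    for row in summarize_by_rule(SAMPLE_EVENTS, RULE_NAMES):
        print(row)
```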