ELK beat to fetch Cloudflare logs via the Enterprise Log Share API
Go Makefile Python Shell
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.



Custom beat to fetch Cloudflare logs via the Enterprise Log Share API.

Ensure that this folder is at the following location: ${GOPATH}/github.com/hartfordfive


Cloudflarebeat is currently in beta therefore it likely has bugs and various optimizations that can be made. If you find any of these, please create an issue or even a pull request if you're familiar with development for beats library.


Special thank you to Lightspeed POS for providing access to test data, feedback and suggestions.

Getting Started with Cloudflarebeat

Basic Overview of Application Design

  1. API request is made to the Cloudflare ELS endpoint for logs within a specific time range, ending at the latest, 30 minutes AGO
  2. When the response is received, the gzip content is saved into a local file.
  3. Individual JSON log entries are read from the file one by one, individual fields are added into the event and then sent off to be published.
  4. Once all log entries in the file have been processed, the remaining log file is deleted, unless the user has specified the option to keep the original log files.


Cloudflarebeat specific configuration options

  • cloudflarebeat.period : The period at which the cloudflare logs will be fetched. Regardless of the period, logs are always fetched from 30 MINUTES AGO - PERIOD to 30 MINUTES AGO. (Default value of period is 1800s/30mins)
  • cloudflarebeat.api_key : The API key of the user account (mandatory)
  • cloudflarebeat.email : The email address of the user account (mandatory)
  • cloudflarebeat.zone_tag : The zone tag of the domain for which you want to access the enterpise logs (mandatory)
  • cloudflarebeat.state_file_storage_type : The type of storage for the state file, either disk or s3, which keeps track of the current progress. (Default: disk)
  • cloudflarebeat.state_file_path : The path in which the state file will be saved (applicable only with disk storage type)
  • cloudflarebeat.state_file_name : The name of the state file
  • cloudflarebeat.aws_access_key : The user AWS access key, if S3 storage selected.
  • cloudflarebeat.aws_secret_access_key : The user AWS secret access key, if S3 storage selected.
  • cloudflarebeat.aws_s3_bucket_name : The name of the S3 bucket where the state file will be stored
  • cloudflarebeat.delete_logfile_after_processing : Delete the log files once the processing is complete (default: true)
  • cloudflarebeat.processed_events_buffer_size : The capacity of the processed events buffer channel (default: 1000)
  • cloudflarebeat.debug : Enable verbose debug mode, which includes debugging the HTTP requests to the ELS API.

Using S3 Storage for state file

For cloudflarebeat, it's probably best to create a seperate IAM user account, without a password and only this sample policy file. Best to limit the access of your user as a security practice.

Below is a sample of what the policy file would look like for the S3 storage. Please note you should replace my-cloudflarebeat-bucket-name with your bucket name that you've created in S3.

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": [
            "Resource": [
            "Effect": "Allow",
            "Action": [
            "Resource": [

Filtering out specific logs and/or log properties

Please read the beats documentation regarding processors. This will allow you to filter events by field values or even remove event fields.

Init Project

To get running with Cloudflarebeat and also install the dependencies, run the following command:

make setup

It will create a clean git history for each major step. Note that you can always rewrite the history if you wish before pushing your changes.

To push Cloudflarebeat in the git repository, run the following commands:

git remote set-url origin https://github.com/hartfordfive/cloudflarebeat
git push origin master

For further development, check out the beat developer guide.


To build the binary for Cloudflarebeat run the command below. This will generate a binary in the same directory with the name cloudflarebeat.



To run Cloudflarebeat with debugging output enabled, run:

./cloudflarebeat -c cloudflarebeat.yml -e -d "*"

For details of command line options, view the following links:


To test Cloudflarebeat, run the following command:

make testsuite


make unit-tests
make system-tests
make integration-tests
make coverage-report

The test coverage is reported in the folder ./build/coverage/


Each beat has a template for the mapping in elasticsearch and a documentation for the fields which is automatically generated based on etc/fields.yml. To generate etc/cloudflarebeat.template.json and etc/cloudflarebeat.asciidoc

make update


To clean Cloudflarebeat source code, run the following commands:

make fmt
make simplify

To clean up the build directory and generated artifacts, run:

make clean


To clone Cloudflarebeat from the git repository, run the following commands:

mkdir -p ${GOPATH}/github.com/hartfordfive
cd ${GOPATH}/github.com/hartfordfive
git clone https://github.com/hartfordfive/cloudflarebeat

For further development, check out the beat developer guide.


The beat frameworks provides tools to crosscompile and package your beat for different platforms. This requires docker and vendoring as described above. To build packages of your beat, run the following command:

make package

This will fetch and create all images required for the build process. The hole process to finish can take several minutes.


Alain Lefebvre <hartfordfive 'at' gmail.com>


Covered under the Apache License, Version 2.0 Copyright (c) 2016 Alain Lefebvre