Log the payload of matched rules
The WAF allows you to log the request information that triggered a specific rule of a managed ruleset. This information is known as the payload. Payload logging is especially useful when diagnosing the behavior of WAF rules. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later.
Each managed ruleset has its own payload logging configuration. To enable the feature, configure a public key to encrypt the logged payload by doing one of the following:
- Generate a key pair directly in the dashboard (Cloudflare will only save the generated public key)
- Enter your own public key
Once enabled, the WAF saves the payload of any rule matches for the managed ruleset configured with payload logging, encrypting the payload with your public key.
To view the content of the payload in clear text, do one of the following:
-
In the Security Events page (Security > Events), enter your private key to decrypt the payload of a log entry directly in the browser. Refer to View the payload content in the dashboard for details.
-
Decrypt the payload in the command line using the
matched-data-clitool. Refer to Decrypt the payload content in the command line for details. -
Decrypt the matched payload in your Logpush job using a Worker before storing the logs in your SIEM system. Refer to Store decrypted matched payloads in logs for details.
Only users with the Super Administrator role can enable payload logging or edit the payload logging configuration.