Custom beat to fetch Cloudflare logs via the Enterprise Log Share API.
Ensure that this folder is at the following location:
${GOPATH}/github.com/hartfordfive
Cloudflarebeat is currently in beta therefore it likely has bugs and various optimizations that can be made. If you find any of these, please create an issue or even a pull request if you're familiar with development for beats library.
Special thank you to Lightspeed POS for providing access to test data, feedback and suggestions.
- API request is made to the Cloudflare ELS endpoint for logs within a specific time range, ending at the latest, 30 minutes AGO
- When the response is received, the gzip content is saved into a local file.
- Individual JSON log entries are read from the file one by one, individual fields are added into the event and then sent off to be published.
- Once all log entries in the file have been processed, the remaining log file is deleted, unless the user has specified the option to keep the original log files.
cloudflarebeat.period
: The period at which the cloudflare logs will be fetched. Regardless of the period, logs are always fetched from 30 MINUTES AGO - PERIOD to 30 MINUTES AGO. (Default value of period is 1800s/30mins)cloudflarebeat.api_key
: The API key of the user account (mandatory)cloudflarebeat.email
: The email address of the user account (mandatory)cloudflarebeat.zone_tag
: The zone tag of the domain for which you want to access the enterpise logs (mandatory)cloudflarebeat.state_file_storage_type
: The type of storage for the state file, eitherdisk
ors3
, which keeps track of the current progress. (Default: disk)cloudflarebeat.state_file_path
: The path in which the state file will be saved (applicable only withdisk
storage type)cloudflarebeat.state_file_name
: The name of the state filecloudflarebeat.aws_access_key
: The user AWS access key, if S3 storage selected.cloudflarebeat.aws_secret_access_key
: The user AWS secret access key, if S3 storage selected.cloudflarebeat.aws_s3_bucket_name
: The name of the S3 bucket where the state file will be storedcloudflarebeat.delete_logfile_after_processing
: Delete the log files once the processing is complete (default: true)cloudflarebeat.processed_events_buffer_size
: The capacity of the processed events buffer channel (default: 1000)cloudflarebeat.debug
: Enable verbose debug mode, which includes debugging the HTTP requests to the ELS API.
For cloudflarebeat, it's probably best to create a seperate IAM user account, without a password and only this sample policy file. Best to limit the access of your user as a security practice.
Below is a sample of what the policy file would look like for the S3 storage. Please note you should replace my-cloudflarebeat-bucket-name
with your bucket name that you've created in S3.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::my-cloudflarebeat-bucket-name"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::my-cloudflarebeat-bucket-name/*"
]
}
]
}
Please read the beats documentation regarding processors. This will allow you to filter events by field values or even remove event fields.
To get running with Cloudflarebeat and also install the dependencies, run the following command:
make setup
It will create a clean git history for each major step. Note that you can always rewrite the history if you wish before pushing your changes.
To push Cloudflarebeat in the git repository, run the following commands:
git remote set-url origin https://github.com/hartfordfive/cloudflarebeat
git push origin master
For further development, check out the beat developer guide.
To build the binary for Cloudflarebeat run the command below. This will generate a binary in the same directory with the name cloudflarebeat.
make
To run Cloudflarebeat with debugging output enabled, run:
./cloudflarebeat -c cloudflarebeat.yml -e -d "*"
For details of command line options, view the following links:
- https://www.elastic.co/guide/en/beats/libbeat/master/config-file-format-cli.html
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-command-line.html
To test Cloudflarebeat, run the following command:
make testsuite
alternatively:
make unit-tests
make system-tests
make integration-tests
make coverage-report
The test coverage is reported in the folder ./build/coverage/
Each beat has a template for the mapping in elasticsearch and a documentation for the fields
which is automatically generated based on etc/fields.yml
.
To generate etc/cloudflarebeat.template.json and etc/cloudflarebeat.asciidoc
make update
To clean Cloudflarebeat source code, run the following commands:
make fmt
make simplify
To clean up the build directory and generated artifacts, run:
make clean
To clone Cloudflarebeat from the git repository, run the following commands:
mkdir -p ${GOPATH}/github.com/hartfordfive
cd ${GOPATH}/github.com/hartfordfive
git clone https://github.com/hartfordfive/cloudflarebeat
For further development, check out the beat developer guide.
The beat frameworks provides tools to crosscompile and package your beat for different platforms. This requires docker and vendoring as described above. To build packages of your beat, run the following command:
make package
This will fetch and create all images required for the build process. The hole process to finish can take several minutes.
Alain Lefebvre <hartfordfive 'at' gmail.com>
Covered under the Apache License, Version 2.0 Copyright (c) 2016 Alain Lefebvre