Cloudflare Docs
WAF
Visit WAF on GitHub
Set theme to dark (⇧+D)

Configure payload logging for a managed ruleset via API

You can use the Rulesets API to configure payload logging for a managed ruleset.

​​ Configure and enable payload logging

To configure:

  1. Use the Update rule in ruleset API method to update the rule that executes the managed ruleset.

  2. In the configuration of the rule that executes the managed ruleset, include a matched_data object in action_parameters to configure payload logging.

    The matched_data object has the following structure:

    "action_parameters": {
    // ...
    "matched_data": {
    "public_key": "<PUBLIC_KEY_VALUE>"
    }
    }

    Replace <PUBLIC_KEY_VALUE> with the public key you want to use for payload logging.

You can generate a public key in the command line or in the Cloudflare dashboard.

​​ Example

The following example updates rule <RULE_ID_1> that executes the Cloudflare Managed Ruleset for zone <ZONE_ID>, configuring payload logging with the provided public key.

Request
curl -X PATCH \
"https://api.cloudflare.com/client/v4/zone/<ZONE_ID>/rulesets/<RULESET_ID>/rules/<RULE_ID_1>" \
-H "Authorization: Bearer <API_TOKEN>" \
-d '{
"action": "execute",
"action_parameters": {
"id": "<CLOUDFLARE_MANAGED_RULESET_ID>",
"matched_data": {
"public_key": "<YOUR_PUBLIC_KEY>"
}
},
"expression": "true",
"description": "Executes the Cloudflare Managed Ruleset"
}'

The response includes the complete ruleset after updating the rule.

Response
{
"result": {
"id": "<ZONE_LEVEL_RULESET_ID>",
"name": "Zone-level Ruleset 1",
"description": "",
"kind": "zone",
"version": "3",
"rules": [
{
"id": "<RULE_ID_1>",
"version": "1",
"action": "execute",
"action_parameters": {
"id": "<CLOUDFLARE_MANAGED_RULESET_ID>",
"version": "latest",
"matched_data": {
"public_key": "<YOUR_PUBLIC_KEY>"
}
},
"expression": "true",
"description": "Executes the Cloudflare Managed Ruleset",
"last_updated": "2021-06-28T18:08:14.003361Z",
"ref": "<RULE_REF_1>",
"enabled": true
},
// ...
],
"last_updated": "2021-06-28T18:08:14.003361Z",
"phase": "http_request_firewall_managed"
},
"success": true,
"errors": [],
"messages": []
}

For more information on deploying managed rulesets via API, refer to Deploy a managed ruleset in the Ruleset Engine documentation.


​​ Disable payload logging

To disable payload logging for a managed ruleset:

  1. Use the Update rule in ruleset API method to update the rule that executes the managed ruleset.

  2. Modify the rule definition so that there is no matched_data object in action_parameters.

The following example rule executes a managed ruleset with payload logging disabled:

{
"action": "execute",
"action_parameters": {
"id": "<MANAGED_RULESET_ID>"
},
"expression": "true",
"description": ""
}