Gateway activity logs show the individual DNS queries, Network packets, and HTTP requests inspected by Gateway. You can also download encrypted SSH command logs for sessions proxied by Gateway.
To view Gateway activity logs, log in to Zero Trust ↗ and go to Logs > Gateway. Select an individual row to investigate the event in more detail.
Enterprise users can generate more detailed logs with Logpush.
Selective logging
By default, Gateway logs all events, including DNS queries and HTTP requests that are allowed and not a risk. You can choose to disable logs or only log blocked requests. To customize what type of events are recorded, log in to Zero Trust ↗ and go to Settings > Network. Under Activity Logging, indicate your DNS, Network, and HTTP log preferences.
These settings will only apply to logs displayed in Zero Trust. Logpush data is unaffected.
DNS logs
Explanation of the fields
Basic information
Field
Description
Query name
Name of the domain that was queried.
Query ID
UUID of the query assigned by Cloudflare.
Email
Email address of the user who registered the WARP client where traffic originated from. If a non-identity on-ramp (such as a proxy endpoint) or machine-level authentication (such as a service token) was used, this value will be non_identity@<team-domain>.cloudflareaccess.com.
Action
The Action Gateway applied to the query (such as Allow or Block).
Time
Date and time of the DNS query.
Resolver decision
The reason why Gateway applied a particular Action to the request. Refer to the list of resolver decisions.
Protocol that was used to make the DNS query (such as https).
Identities
Field
Description
Email
Email address of the user who registered the WARP client where traffic originated from.
User ID
UUID of the user. Each unique email address in your organization will have a UUID associated with it.
Device name
Display name of the device returned by the operating system to the WARP client. Typically this is the hostname of a device. Not all devices will have a device name. Device names are not guaranteed to be unique.
Device ID
UUID of the device connected with the WARP client. Each unique device in your organization will have a UUID associated with it each time the device is registered for a particular email. The same physical device may have multiple UUIDs associated with it.
Last authenticated
Date and time the user last authenticated their Zero Trust session.
Referer request header containing the address of the page making the request.
Source IP
Public source IP address of the HTTP request.
Source port
Port that was used to make the HTTP request.
Source IP country
Country code of the HTTP request.
Destination IP
Public IP address of the destination requested.
Destination port
Port of the destination requested.
Destination IP country
Country code of the destination requested.
Blocked file reason
Reason why the file was blocked if a file transfer occurred or was attempted.
Category details
Category the blocked file belongs to.
File detection details
Field
Description
Name
Name of the detected file.
Type
File type of the detected file.
Size
Size of the detected file.
Hash
Hash of the detected file, generated by DLP.
Content type
MIME type of the detected file.
Direction
Upload or download direction of the detected file.
Action
The Action Gateway applied to the request.
Enhanced file detection
Enhanced file detection is an optional feature to extract more file information from HTTP traffic. When turned on, Gateway will read file information from the HTTP body rather than the HTTP headers to provide greater accuracy and reliability. This feature may have a minor impact on performance for file-heavy organizations.
In Gateway Logging, turn on Enable enhanced file detection.
Isolate requests
When a user creates an isolation policy, Gateway logs the initial request that triggers isolation as an Isolate action. Because this request is not isolated yet, the is_isolated field will return false. Zero Trust then securely returns the result to the user in an isolated browser. Gateway will log all subsequent requests in the isolated browser with the action (such as Allow or Block), and the is_isolated field will return true.
Limitations
Gateway activity logs are not available in the dashboard if you turn on the Customer Metadata Boundary within Cloudflare Data Localization Suite (DLS). Enterprise users using CMB can still export logs via Logpush. For more information, refer to DLS product compatibility.