There’s no access to the log via the REST API. We use syslog logging but that’s not available on a shared hosting server, I’m afraid.
You would need to parse the log and retrieve the IP addresses.
Thread Starter
CB
(@cbrandt)
Thank you, I’ll try to write a script to handle the log.
Thread Starter
CB
(@cbrandt)
Thank you. I appreciate you taking your time to guide me to it.
Thread Starter
CB
(@cbrandt)
Hi,
In case someone else here may also be interested, here’s what I came up with to move the IP addresses from NF logs to a Cloudflare List.
scp to fetch logs from hosting server
cat to concatenate several logs (different domains, both current and past month) into logfile.txt
transform the merged file:
ip_list=$(sed 's|\]\s\[|\t|g' '/local/path/to/logfile.txt' | awk -F'\t' '$6<=4 {print $7,$10,$11}' | awk NF | sed 's|^|{"ip":"|' | sed 's|\s|","comment":"|' | sed 's|$|"}\,|' | sed 's|:|::|5' | sed 's|::.\+\"\,|::/64",|' | awk -F',' '!seen[toupper($1)]++' | sed '$ s|.$||')
This should get the logfile.txt and
- replace ] [ with tabs (\t).
- extract columns 7, 10, and 11 (respectively IP, requested file, reason for action), for lines where the column $6<= 4 (log level). Columns 10 and 11 will become the “comment” field on CF List.
- format the result as a CF List compatible JSON
- replace IPv6s with /64 notation (as required by CF List)
- remove duplicate IPs
then send to CF with
curl -X PUT "https://api.cloudflare.com/client/v4/accounts/CLOUDFLARE-ACCOUNT-ID/rules/lists/LIST-ID/items" -H "X-Auth-Email: CLOUDFLARE-ACCOUNT-EMAIL" -H "X-Auth-Key: CLOUDFLARE-API-KEY" -H "Content-Type: application/json" --data "[$ip_list]"
Improvement needed: fetch my own public IPv4 and IPv6 addresses, and remove them from the log file.
@nintechnet, am I right to assume that the most severe incidents get the lowest numbers as log level?
The different log levels:
1 = MEDIUM
2 = HIGH
3 = CRITICAL
4 = ERROR
5 = UPLOAD
6 = INFO
7 = DEBUG_ON (debug mode enabled)
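Added example, not part of the thread or of the plugin's code: the same log-to-list transformation written in Python. It goes a little beyond the sed/awk pipeline by handling compressed IPv6 addresses, JSON-escaping the comment text, and dropping your own addresses (the improvement mentioned in the post). The function names and the sample log lines are constructed for illustration; the field positions (6 = level, 7 = IP, 10 = requested file, 11 = reason) are taken from the post.

```python
import ipaddress
import json

# Constructed sample lines; field positions follow the post (6=level, 7=IP, 10=file, 11=reason).
SAMPLE = [
    '[1700000000] [0.012] [example.com] [#1111111] [310] [3] [203.0.113.7] [403] [GET] [/index.php] [SQL injection] [x]',
    '[1700000050] [0.010] [example.com] [#2222222] [0] [6] [198.51.100.9] [200] [POST] [/wp-login.php] [Logged in user] [x]',
    '[1700000100] [0.015] [example.com] [#3333333] [52] [2] [2001:db8:1:2:aaaa:bbbb:cccc:dddd] [403] [GET] [/a.php] [Say "hi"] [x]',
    '[1700000200] [0.015] [example.com] [#4444444] [52] [2] [2001:db8:1:2::1] [403] [GET] [/b.php] [XSS] [x]',
    '[1700000300] [0.015] [example.com] [#5555555] [52] [1] [192.0.2.10] [403] [GET] [/c.php] [XSS] [x]',
]

def parse_line(line):
    """Split on '] [' like the sed step; return (level, ip, file, reason) or None."""
    fields = line.strip().removesuffix("]").split("] [")
    if len(fields) < 11 or not fields[5].isdecimal():
        return None  # header line or anything that is not a log entry
    return int(fields[5]), fields[6], fields[9], fields[10]

def normalize_ip(raw):
    """IPv4 stays a single address; IPv6 is widened to its /64 for the list."""
    addr = ipaddress.ip_address(raw)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)

def build_items(lines, max_level=4, exclude=()):
    """Return de-duplicated list items for entries with level <= max_level."""
    skip = {normalize_ip(ip) for ip in exclude}  # your own addresses
    items = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry[0] > max_level:
            continue
        _, raw_ip, script, reason = entry
        try:
            key = normalize_ip(raw_ip)
        except ValueError:
            continue  # field 7 was not an IP address
        if key in skip or key in items:
            continue
        items[key] = {"ip": key, "comment": f"{script} {reason}"}
    return list(items.values())

if __name__ == "__main__":
    # The JSON array printed here is the request body for the PUT call in the post.
    print(json.dumps(build_items(SAMPLE, exclude=["192.0.2.10"]), indent=2))
```

Because the output is built with `json.dumps`, quotes or backslashes in the requested file or reason cannot break the request body.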