---
title: Logging options
description: Logging options in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/cloudflare-one/llms.txt  
> Use this file to discover all available pages before exploring further.

[Skip to content](#%5Ftop) 

### Tags

[ Logging ](https://developers.cloudflare.com/search/?tags=Logging) 

# Logging options

Data Loss Prevention allows you to capture, store, and view the data that triggered a specific DLP policy for use as forensic evidence. DLP offers three logging approaches, each suited to different needs:

| Approach                                                                    | What it captures                                            | Encryption                      | Availability |
| --------------------------------------------------------------------------- | ----------------------------------------------------------- | ------------------------------- | ------------ |
| [Payload logging](#log-the-payload-of-matched-rules)                        | Redacted match + 75 bytes of surrounding context            | Encrypted with your public key  | All plans    |
| [AI prompt logging](#log-generative-ai-prompt-content)                      | Generative AI prompt topic, user prompt, and model response | Encrypted with your public key  | All plans    |
| [Logpush forensic copies](#send-dlp-forensic-copies-to-logpush-destination) | Complete HTTP request (headers + body)                      | Encrypted in transit only (TLS) | Enterprise   |

Users on all plans can log the [payload](#log-the-payload-of-matched-rules) or [generative AI prompt content](#log-generative-ai-prompt-content) of matched HTTP requests in their Cloudflare logs. Additionally, Enterprise users can [configure a Logpush job](#send-dlp-forensic-copies-to-logpush-destination) to send copies of entire matched HTTP requests to storage destinations.

The data that triggers a DLP policy is stored in the body of the HTTP request — the part that carries content such as file uploads, form submissions, and chat messages. This body is referred to as the payload. Payload logging is especially useful when diagnosing the behavior of DLP policies. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later. The stored data will include a redacted version of the match, plus 75 bytes of additional context on both sides of the match.

## Set a DLP payload encryption public key

Before you begin logging DLP payloads, you will need to [set a DLP payload encryption public key](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-settings/#payload-encryption-key). DLP uses public-key encryption so that matched sensitive data is readable only by you — Cloudflare does not have access to your private key and cannot decrypt your logs.

You can also [configure payload log masking](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-settings/#payload-log-masking) to control how DLP redacts sensitive data in logs.

## Log the payload of matched rules

DLP can log the payload of matched HTTP requests in your Cloudflare logs. Use payload logging to verify what content triggered a DLP detection — for example, to confirm whether a match was a real finding or a false positive.

### Turn on payload logging for a DLP policy

You can enable payload logging for any Allow or Block HTTP policy that uses the [_DLP Profile_](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#dlp-profile) selector — the filter condition that matches traffic against your DLP detection profiles.

1. Go to **Traffic policies** \> **Firewall policies** \> **HTTP**.
2. Edit an existing Allow or Block DLP policy, or [create a new policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
3. In the policy builder, scroll down to **Configure policy settings** and turn on **Log the payload of matched rules**.
4. Select **Save**.

Data Loss Prevention will now store a portion of the payload for HTTP requests that match this policy.

### View payload logs

To view DLP payload logs:

1. Go to **Insights** \> **Logs** \> **HTTP request logs**.
2. Go to the DLP log you are interested in reviewing and expand the row.
3. Select **Decrypt payload log**.
4. Enter your private key and select **Decrypt**.

You will see the [ID of the matched DLP Profile](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/dlp/subresources/profiles/methods/list/) followed by the decrypted payload.

Note

Cloudflare does not store the key or the decrypted payload.

### Report false and true positives to AI context analysis

When you have [AI context analysis](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#ai-context-analysis) turned on for a DLP profile, you can improve detection accuracy over time by reporting false and true positives. A false positive is a match that DLP flagged incorrectly (the content was not actually sensitive). A true positive confirms that DLP correctly identified sensitive data. These reports train the AI model to adjust its confidence threshold.

To report a DLP match payload as a false or true positive:

1. [Find and decrypt](#view-payload-logs) the payload log you want to report.
2. In **Log details**, choose a detected context match.
3. In **Context**, select the redacted match data.
4. In **Match details**, choose whether you want to report the match as a false positive or a true positive.

Based on your report, DLP's machine learning will adjust its confidence in future matches for the associated profile.

### Data privacy

* All Cloudflare logs are encrypted at rest (encrypted while stored on disk). Encrypting the payload content adds a second layer of encryption for the matched values that triggered a DLP rule.
* Cloudflare cannot decrypt encrypted payloads, since this operation requires your private key. Cloudflare staff will never ask for the private key.
* By default, DLP uses Full Mask to redact alphanumeric characters in the matched pattern, replacing them with `*` while preserving the format. For example, `123-45-6789` becomes `***-**-****`. You can [configure the masking level](#configure-payload-log-masking) to show partial or full matches if your incident response workflow requires more context.  
   * You can define sensitive data with [Exact Data Match (EDM)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#exact-data-match-datasets). EDM match logs will redact your defined strings.

## Log generative AI prompt content

DLP can detect and log the prompt topic sent to an AI tool.

### Turn on AI prompt content logging for a DLP policy

You can enable AI prompt content logging for any Allow or Block HTTP policy that uses the [_Application_](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#application) selector with a supported [Application Granular Controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#granular-controls) application. This means your policy must target a specific AI application (such as ChatGPT) that Gateway can inspect at a granular level.

1. Go to **Traffic policies** \> **Firewall policies** \> **HTTP**.
2. Edit an existing Allow or Block DLP policy, or [create a new policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
3. In the policy builder, scroll down to **Configure policy settings** and turn on **Capture generative AI prompt content in logs**.
4. Select **Save**.

Data Loss Prevention will now store the user prompt and AI model response for requests that match this policy.

### View prompt logs

To view generative AI prompt log details:

1. Go to **Insights** \> **Logs** \> **HTTP request logs**.
2. Go to the DLP log you are interested in reviewing and expand the row.
3. Select **Decrypt payload log**.
4. Enter your private key and select **Decrypt**.
5. In **Summary** \> **GenAI prompt captured**, select **View prompt**.

Gateway logs will provide a summary of the conversation, including the topic and AI model used, and the user prompt and AI model's raw response if available. A text prompt must be present for DLP to capture the prompt.

## Send DLP forensic copies to Logpush destination

Availability

Only available on Enterprise plans.

Unlike payload logging (which stores encrypted excerpts of matched content), forensic copies send the complete, unaltered HTTP request — including all headers and the full body — to an external storage destination.

Gateway allows you to send copies of entire HTTP requests matched in HTTP Allow and Block policies to storage destinations configured in [Logpush](https://developers.cloudflare.com/logs/logpush/) (Cloudflare's log delivery service), including third-party destinations. Forensic copies include unaltered payloads and headers which may include sensitive data. Logpush logs are encrypted in transit only, such as when sent as TLS traffic. Once the data reaches your storage destination, it is stored according to that destination's encryption policies — not encrypted by Cloudflare.

To set up the DLP Forensic Copy Logpush job:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights** \>**Logs**, and select **Manage Logpush**.
2. In Logpush, select **Create a Logpush job**.
3. Choose a [Logpush destination](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/).
4. In **Configure logpush job**, choose the _DLP forensic copies_ dataset. Select **Create Logpush job**.
5. Return to **Zero Trust** and go to **Traffic policies** \> **Firewall policies** \> **HTTP**.
6. Edit an existing Allow or Block policy, or [create a new policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). Your policy does not need to include a DLP profile — any Gateway HTTP policy can send forensic copies.
7. In the policy builder, scroll down to **Configure policy settings** and turn on **Send DLP forensic copies to storage**.
8. Select a storage destination. Gateway will list any configured Logpush jobs or integrations that can receive HTTP requests.
9. Select **Save policy**.

DLP will now send a copy of HTTP requests that match this policy to your Logpush destination.

Logpush supports up to four DLP Forensic Copy Logpush jobs per account. By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs. To send specific policy matches to specific jobs, configure [Log filters](https://developers.cloudflare.com/logs/logpush/logpush-job/filters/). If the request contains an archive file, DLP will only send up to 100 MB of uncompressed content to your configured storage.

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/data-loss-prevention/","name":"Data loss prevention"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/data-loss-prevention/dlp-policies/","name":"Scan HTTP traffic"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/","name":"Logging options"}}]}
```