{"id":6729,"date":"2026-06-02T09:00:00","date_gmt":"2026-06-02T06:00:00","guid":{"rendered":"https:\/\/skeletor.org.ua\/?p=6729"},"modified":"2026-03-23T17:22:44","modified_gmt":"2026-03-23T15:22:44","slug":"%d0%bf%d0%b5%d1%80%d0%b5%d1%81%d0%b8%d0%bb%d0%b0%d0%bd%d0%bd%d1%8f-log-%d1%96%d0%b7-cloudflare-%d1%83-logstash","status":"publish","type":"post","link":"https:\/\/skeletor.org.ua\/?p=6729","title":{"rendered":"\u041f\u0435\u0440\u0435\u0441\u0438\u043b\u0430\u043d\u043d\u044f log \u0456\u0437 cloudflare \u0443 logstash"},"content":{"rendered":"\n

\u042f\u043a \u0432\u0456\u0434\u043e\u043c\u043e, \u043b\u043e\u0433\u0438 \u0443 CloudFlare (CF)<\/strong> \u0434\u0438\u0432\u0438\u0442\u0438\u0441\u044f \u0434\u0443\u0436\u0435 \u043d\u0435\u0437\u0440\u0443\u0447\u043d\u043e. \u0410 \u043e\u0442 \u0432 kibana<\/strong> – \u0437\u043e\u0432\u0441\u0456\u043c \u0456\u043d\u0448\u0430 \u0440\u0456\u0447. \u041d\u0430\u0448\u0435 \u0437\u0430\u0432\u0434\u0430\u043d\u043d\u044f \u0437\u0440\u043e\u0431\u0438\u0442\u0438 \u043f\u0435\u0440\u0435\u0441\u0438\u043b\u043a\u0443 log’\u0456\u0432<\/strong> \u0443 logstash<\/strong>. \u0414\u0430\u043d\u0430 \u0441\u0442\u0430\u0442\u0442\u044f \u043f\u0440\u0438\u043f\u0443\u0441\u043a\u0430\u0454, \u0449\u043e \u0443 \u0432\u0430\u0441 \u0432\u0436\u0435 \u0454 \u043d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u0438\u0439 ELK<\/strong> \u0441\u0442\u0435\u043a \u0456 \u0440\u043e\u0437\u043a\u0430\u0436\u0435, \u044f\u043a \u0434\u043e\u0434\u0430\u0442\u0438 \u0432 \u0456\u0441\u043d\u0443\u044e\u0447\u0438\u0439 \u0441\u0442\u0435\u043a \u043d\u043e\u0432\u0438\u0439 source, \u0442\u043e\u0431\u0442\u043e CF<\/strong>. \u0421\u0442\u0430\u0442\u0442\u044f \u0431\u0443\u0434\u0435 \u0440\u043e\u0437\u0431\u0438\u0442\u0430 \u043d\u0430 2 \u0447\u0430\u0441\u0442\u0438\u043d\u0438: Logstash<\/strong> \u0456 CF<\/strong><\/p>\n\n\n\n\n\n\n\n

Logstash<\/mark><\/strong><\/h2>\n\n\n\n

\u0421\u043f\u043e\u0447\u0430\u0442\u043a\u0443 \u043d\u0430\u043b\u0430\u0448\u0442\u0443\u0454\u043c\u043e \u043f\u0440\u0438\u0439\u043e\u043c \u043f\u043e\u0432\u0456\u0434\u043e\u043c\u043b\u0435\u043d\u044c, \u0431\u043e \u044f\u043a\u0449\u043e \u0440\u043e\u0431\u0438\u0442\u0438 \u043d\u0430\u0432\u043f\u0430\u043a\u0438, \u0442\u043e \u043d\u0435 \u043f\u0440\u043e\u0439\u0434\u0435 health check (HC)<\/strong> \u0437\u0456 \u0441\u0442\u043e\u0440\u043e\u043d\u0438 CF<\/strong>. \u041d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0443\u0432\u0430\u0442\u0438 \u0431\u0443\u0434\u0435\u043c\u043e \u0447\u0435\u0440\u0435\u0437 nginx<\/strong> proxy_pass<\/strong>. \u0427\u043e\u043c\u0443 \u043d\u0435 \u043d\u0430\u043f\u0440\u044f\u043c\u0443? \u0422\u043e\u043c\u0443 \u0449\u043e, \u0447\u0430\u0441 \u0432\u0456\u0434 \u0447\u0430\u0441\u0443 CF<\/strong> \u043f\u043e\u0441\u0438\u043b\u0430\u0454 HC<\/strong> \u043f\u0430\u043a\u0435\u0442, \u0449\u043e\u0431 \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u0438\u0442\u0438, \u0447\u0438 \u0436\u0438\u0432\u0438\u0439 DST<\/strong> \u0456 \u0446\u0435\u0439 \u043f\u0430\u043a\u0435\u0442 \u043a\u0430\u0440\u0434\u0438\u043d\u0430\u043b\u044c\u043d\u043e \u0432\u0456\u0434\u0440\u0456\u0437\u043d\u044f\u0454\u0442\u044c\u0441\u044f \u0432\u0456\u0434 \u0434\u0430\u043d\u0438\u0445: HC<\/strong> \u043d\u0435 \u0441\u0442\u0438\u0441\u043d\u0443\u0442\u0438\u0439 gzip<\/strong>, \u043d\u0430 \u0432\u0456\u0434\u043c\u0456\u043d\u0443 \u0432\u0456\u0434 data<\/strong>-\u043f\u0430\u043a\u0435\u0442\u0443 \u0456 \u0442\u043e\u043c\u0443, \u044f\u043a\u0449\u043e \u043d\u0430\u043f\u0440\u0430\u0432\u043b\u044f\u0442\u0438 \u043d\u0430\u043f\u0440\u044f\u043c\u0443 \u0432 logstash<\/strong>, \u0442\u043e \u043e\u0441\u0442\u0430\u043d\u043d\u0456\u0439 \u0431\u0443\u0434\u0435\u043c\u043e \u043c\u0430\u0442\u0438 \u043f\u043e\u043c\u0438\u043b\u043a\u0443<\/p>\n\n\n\n

#<Puma::HttpParserError: Invalid HTTP format, parsing fails.><\/code><\/pre>\n\n\n\n
\u0456 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u043d\u043e, HC<\/strong> \u043d\u0435 \u043f\u0440\u043e\u0439\u0434\u0435 \u0456 CF<\/strong> \u043f\u0440\u0438\u043f\u0438\u043d\u0438\u0442\u044c \u043f\u043e\u0441\u0438\u043b\u0430\u0442\u0438 \u043b\u043e\u0433\u0438. \u041e\u0442\u0436\u0435, \u043a\u043e\u043d\u0444\u0456\u0433 nginx’a<\/strong>:<\/p>\n\n\n\n
server {\n    listen 80 ssl;\n    server_name _;\n\n    ssl_certificate \/etc\/nginx\/ssl\/domain.com.crt;\n    ssl_certificate_key \/etc\/nginx\/ssl\/domain.com.key;\n\n    client_max_body_size 100M;\n\n    location \/ {\n        # Pass the request as plain HTTP to Logstash on localhost\n        proxy_pass http:\/\/127.0.0.1:8764;\n\n        # Ensure headers are preserved for Logstash\n        proxy_set_header Host $host;\n        proxy_set_header X-Real-IP $remote_addr;\n        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n\n        # Increase timeout for large log batches\n        proxy_read_timeout 300;\n    }\n}<\/code><\/pre>\n\n\n\n
\u0412\u0430\u0436\u043b\u0438\u0432\u0438\u0439 \u043c\u043e\u043c\u0435\u043d\u0442: \u0442\u0456\u043b\u044c\u043a\u0438 https<\/strong>. \u0421\u0445\u0435\u043c\u0443 http<\/strong> \u043d\u0435 \u043f\u0440\u043e\u043f\u0443\u0441\u0442\u0438\u0442\u044c \u043d\u0430 \u0435\u0442\u0430\u043f\u0456 \u0441\u0442\u0432\u043e\u0440\u0435\u043d\u043d\u044f \u0443 CF<\/strong>:<\/p>\n\n\n\n
Invalid destination configuration: error getting destination: unsupported scheme: http<\/code><\/pre>\n\n\n\n
\u041a\u043e\u043d\u0444\u0456\u0433 logstash<\/strong><\/p>\n\n\n\n
input {\n\nhttp {\n    port => \"8764\"\n    codec => \"json_lines\"\n    additional_codecs => { \"application\/gzip\" => \"gzip_lines\" } # Handles CF compression\n#    ssl => true\n#    keystore => \"\/etc\/nginx\/ssl\/keystore\"\n#    keystore_password => \"XXX\"\n  }\n\n}\n\nfilter {\n\nif [JA4] {\n     mutate { add_tag => [ \"has_fingerprint\" ] }\n  }\n\n}\n\noutput {\n\n  else if [http_host] == \"cflog.domain.com\" {\n\n   elasticsearch {\n      hosts => \"elk.domain.net\"\n      index => \"cf-%{+YYYY-MM}\"\n      sniffing => false\n    }\n\n  }\n\n}<\/code><\/pre>\n\n\n\n
\u0414\u0435\u044f\u043a\u0456 \u043d\u044e\u0430\u043d\u0441\u0438 \u0432 \u043a\u043e\u043d\u0444\u0456\u0433\u0443. \u042f \u043d\u0430\u0432\u043c\u0438\u0441\u043d\u0435 \u0437\u0430\u043b\u0438\u0448\u0438\u0432 \u0441\u0435\u043a\u0446\u0456\u044e ssl<\/strong>, \u0440\u0430\u043f\u0442\u043e\u043c \u0432\u0430\u043c \u0442\u0440\u0435\u0431\u0430 \u0431\u0443\u0434\u0435 \u043d\u0430\u043b\u0430\u0448\u0442\u0443\u0432\u0430\u0442\u0438 security<\/strong> connection<\/strong> \u043c\u0456\u0436 nginx<\/strong> \u0456 logstash<\/strong>. \u0406 \u0434\u043b\u044f logstash<\/strong> 6.2<\/strong> \u0442\u0440\u0435\u0431\u0430 \u0441\u0430\u043c\u0435 \u0442\u0430\u043a\u0456 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0438, \u0456\u043d\u0430\u043a\u0448\u0435 \u0432 \u043f\u0440\u0438 \u0437\u0430\u043f\u0443\u0441\u043a\u0443 \u0431\u0443\u0434\u0443\u0442\u044c \u043f\u043e\u043c\u0438\u043b\u043a\u0438<\/p>\n\n\n\n
[2026-02-17T16:05:14,497][ERROR][logstash.inputs.http\u00a0 \u00a0 \u00a0] Unknown setting 'ssl_certificate' for http\n[2026-02-17T16:05:14,498][ERROR][logstash.inputs.http\u00a0 \u00a0 \u00a0] Unknown setting 'ssl_key' for http<\/code><\/pre>\n\n\n\n
CloudFlare<\/mark><\/strong><\/h2>\n\n\n\n
\u0412\u0438\u0431\u0438\u0440\u0430\u0454\u043c\u043e \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u043d\u0438\u0439 \u0434\u043e\u043c\u0435\u043d -> Analytics & logs -> Logpush<\/strong>. \u0412\u0438\u0431\u0438\u0440\u0430\u0454\u043c\u043e Create a Logpush job -> HTTP destination<\/strong> \u0456 \u0437\u0430\u043f\u043e\u0432\u043d\u044e\u0454\u043c\u043e:<\/p>\n\n\n\n
Http destination: cflog.domain.com<\/mark><\/em><\/p>\n\n\n\n
Send fields:<\/mark><\/em> \u0442\u0443\u0442 \u0442\u0440\u0435\u0431\u0430 \u0432\u0438\u0431\u0440\u0430\u0442\u0438 \u0437 \u0440\u043e\u0437\u0443\u043c\u043e\u043c, \u044f\u043a\u0456 \u043f\u043e\u043b\u044f \u043f\u0435\u0440\u0435\u0434\u0430\u0432\u0430\u0442\u0438.<\/p>\n\n\n\n
Timestamp format: rfc3339<\/mark><\/em><\/p>\n\n\n\n
\u0412\u0441\u0435 \u0456\u043d\u0448\u0435 – \u043f\u043e \u0431\u0430\u0436\u0430\u043d\u043d\u044e.<\/p>\n\n\n\n
\u041b\u043e\u0433\u0438 \u043f\u043e\u0447\u043d\u0443\u0442\u044c \u043f\u0438\u0441\u0430\u0442\u0438\u0441\u044f \u043d\u0435 \u043e\u0434\u0440\u0430\u0437\u0443, \u0430 \u0437 \u0434\u0435\u044f\u043a\u043e\u044e \u0437\u0430\u0442\u0440\u0438\u043c\u043a\u043e\u044e, \u0446\u0435 \u0442\u0440\u0435\u0431\u0430 \u0432\u0440\u0430\u0445\u043e\u0432\u0443\u0432\u0430\u0442\u0438. \u042f\u043a\u0449\u043e \u0432 \u043b\u043e\u0433\u0430\u0445 nginx’a<\/strong> \u043f\u043e\u0431\u0430\u0447\u0438\u0442\u0435<\/p>\n\n\n\n
\"POST \/ HTTP\/2.0\" 200 2 \"-\" \"Go-http-client\/2.0\"<\/code><\/pre>\n\n\n\n
\u0437\u043d\u0430\u0447\u0438\u0442\u044c \u0432\u0441\u0435 \u043f\u0440\u043e\u0439\u0448\u043b\u043e \u0443\u0441\u043f\u0456\u0448\u043d\u043e.<\/p>\n","protected":false},"excerpt":{"rendered":"
\u042f\u043a \u0432\u0456\u0434\u043e\u043c\u043e, \u043b\u043e\u0433\u0438 \u0443 CloudFlare (CF) \u0434\u0438\u0432\u0438\u0442\u0438\u0441\u044f \u0434\u0443\u0436\u0435 \u043d\u0435\u0437\u0440\u0443\u0447\u043d\u043e. \u0410 \u043e\u0442 \u0432 kibana – \u0437\u043e\u0432\u0441\u0456\u043c \u0456\u043d\u0448\u0430 \u0440\u0456\u0447. \u041d\u0430\u0448\u0435 \u0437\u0430\u0432\u0434\u0430\u043d\u043d\u044f \u0437\u0440\u043e\u0431\u0438\u0442\u0438 \u043f\u0435\u0440\u0435\u0441\u0438\u043b\u043a\u0443 log’\u0456\u0432 \u0443 logstash. \u0414\u0430\u043d\u0430 \u0441\u0442\u0430\u0442\u0442\u044f \u043f\u0440\u0438\u043f\u0443\u0441\u043a\u0430\u0454, \u0449\u043e \u0443 \u0432\u0430\u0441 \u0432\u0436\u0435 \u0454 \u043d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u0438\u0439 ELK \u0441\u0442\u0435\u043a \u0456 \u0440\u043e\u0437\u043a\u0430\u0436\u0435, \u044f\u043a \u0434\u043e\u0434\u0430\u0442\u0438 \u0432 \u0456\u0441\u043d\u0443\u044e\u0447\u0438\u0439 \u0441\u0442\u0435\u043a \u043d\u043e\u0432\u0438\u0439 source, \u0442\u043e\u0431\u0442\u043e CF. \u0421\u0442\u0430\u0442\u0442\u044f \u0431\u0443\u0434\u0435 \u0440\u043e\u0437\u0431\u0438\u0442\u0430 \u043d\u0430 2 \u0447\u0430\u0441\u0442\u0438\u043d\u0438: Logstash \u0456 CF<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,15],"tags":[],"class_list":["post-6729","post","type-post","status-publish","format-standard","hentry","category-others","category-www"],"_links":{"self":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts\/6729","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6729"}],"version-history":[{"count":1,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts\/6729\/revisions"}],"predecessor-version":[{"id":6730,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts\/6729\/revisions\/6730"}],"wp:attachment":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6729"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6729"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6729"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}