Cloudflare Logs (ELS) and Rate Limiting

* Please note the this applies to the deprecated "/requests" endpoint (documented here)Please use the new "/received" endpoint (documented here) instead.


How do rate limit events appear in ELS?

Limit events appear in a rateLimit object under edge:

  "edge": {
    "bbResult": "0",
    "cacheResponseTime": 0,
    "colo": 0,
    "enabledFlags": 8,
    "endTimestamp": 1484845387517000000,
    "flServerIp": “xxxxxxxxxxxxx”,
    "flServerName": "0f2",
    "flServerPort": 80,
    "pathingOp": "ban",
    "pathingSrc": "user",
    "pathingStatus": "rateLimit",
    "startTimestamp": 1484845387503000000,
    "usedFlags": 0,
    "rateLimit": {
      "ruleId": 10637,
      "mitigationId": "AHCsTutjRY2ddEuJUg3Wrw==",
      "sourceId": "fe80::8286:f2ff:fe07:4c66/64",
      "processedRules": [
          "ruleId": 10637,
          "ruleSrc": "user",
          "status": "ban"

The rateLimit section is populated on any request that matches a rule. Whether that request is actually blocked is indicated by the op field.

What fields are populated in ELS by Rate Limited requests?

The pathing will be as follows for requests that have been blocked by the rate limiter:

  • op: ban
  • src: user
  • status: rateLimit

For requests the have been blocked by the rate limited, the following will be populated:

  • ruleId: this is for now an internal ID (see below)
  • mitigationId: 16 bytes long – identifies the mitigation created by the rate limiter mitigating this request
  • sourceId: This user-visible string is the correlation signature for all requests that are part of this mitigation. Can be an IP address, Oauth token, cookie header, etc. For now, it will only be the IP address for the source that was mitigated.
  • processedRules: This is an array of the rules that were processed a request. Multiple rules can process a request if some of the rules don’t block it. The array has elements, each with three keys:
    • ruleId: an integer which is an internal ID and will not match your API generated ID (for now)
    • ruleSrc: for most users, should be “user”; “protect” means that a Cloudflare system rate limited the request instead of a user-created rule.
    • status: error, allow, simulate, ban (more will come in the future)

Why don’t the ruleId’s match between ELS and the API?

Currently, the ruleID’s that show up in ELS will not match any of the rule ID’s generated by the API. You cannot use those ruleID’s in the API to delete or edit existing rules.

This will change in the near future.

However, the rule ID’s in ELS do have a 1-to-1 correlation with a rule ID from the API.

What do the following values mean?

  • status
    • error: it means the request was allowed, but our system wants to identify it as a potential error for debugging purposes to tune the rate limiter. Customers should treat as “allowed”
Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk