Is It a Real User? Tracking Suspicious IP Patterns Over a 90-Day Window Without an Enterprise SIEM

Most attacks don’t happen in a single day.
Many of the most interesting security incidents unfold slowly over weeks or months. A scraper tests your defenses. A botnet rotates through residential IPs. An attacker probes endpoints gradually to avoid triggering rate limits.
The problem?
By the time someone asks, “Has this IP been hitting us before?”, the evidence is often gone.
The Hidden Cost of Short Log Retention
Cloudflare provides powerful traffic visibility.
But for many teams, log data exists inside a rolling retention window.
That creates a simple but expensive problem:
You can’t investigate what you can no longer see.
Three months after a suspicious traffic spike, you may discover:
- Historical requests disappeared
- Firewall events are unavailable
- Bot traffic patterns are incomplete
- Root-cause analysis becomes guesswork
The result is slower incident response and lower confidence in every security investigation.
Why 90 Days Matters More Than You Think
Most engineering teams focus on real-time alerts.
The bigger challenge is understanding behavior over time.
Imagine a suspicious IP address that:
- Appears once every few days
- Crawls different endpoints each week
- Never exceeds rate limits
- Slowly maps your application structure
No individual request looks dangerous.
The pattern only becomes obvious when you analyze activity across weeks or months.
Without long-term retention, that visibility disappears.
The Traditional Solution: Build a Logging Pipeline
When teams realize they need longer retention, they usually discover Cloudflare Logpush.
In theory, it’s a solid solution.
In practice, it often becomes another infrastructure project.
Option 1: Logpush → AWS S3 → Athena
Typical setup includes:
- Creating an S3 bucket
- Writing IAM policies
- Configuring bucket permissions
- Setting up Logpush jobs
- Creating Athena tables
- Managing query performance
- Monitoring storage growth
For experienced cloud engineers, this is manageable.
For everyone else, it’s operational overhead.
| Task | Time Required |
|---|---|
| S3 Setup | 15-30 min |
| IAM Configuration | 15-45 min |
| Athena Configuration | 30-60 min |
| Testing & Troubleshooting | Variable |
| Ongoing Maintenance | Forever |
The logs are retained.
Now you have infrastructure to maintain.
Option 2: Enterprise SIEM Platforms
The alternative is forwarding everything into platforms like Datadog or Splunk.
The setup is easier.
The invoice is not.
As traffic grows, so do:
- Ingestion costs
- Indexing fees
- Retention charges
- Query expenses
Many startups discover that storing logs becomes more expensive than generating them.
The Simpler Alternative: Retain Everything Without Managing Anything
What most teams actually want is straightforward:
- Keep Cloudflare logs forever
- Search them instantly
- Avoid infrastructure work
- Avoid surprise bills
That’s exactly what our platform does.
No buckets.
No IAM policies.
No Athena.
No SIEM deployment.
How It Works
The workflow takes less than two minutes.
Step 1: Paste Your Cloudflare API Token
Create a Cloudflare API token with the required permissions.
Paste it into the dashboard.
That’s it.
Step 2: Choose Your Domain
Select the domain you want to archive.
We automatically connect to your Cloudflare account and begin collecting logs.
No manual pipeline configuration required.
Step 3: Search Your Logs Forever
Your traffic data becomes available inside a searchable dashboard.
Investigate:
- Security incidents
- Suspicious IP addresses
- Bot activity
- Traffic spikes
- Historical outages
- API anomalies
Whether the event happened yesterday or six months ago, the data remains available.
A Real Example: Investigating a Suspicious IP
Suppose an engineer notices unusual traffic from a specific IP address.
With standard retention:
- Last week’s activity is visible
- Older requests may be gone
- Timeline reconstruction becomes impossible
With indefinite retention:
- View every request from that IP
- Track behavior across months
- Identify endpoint discovery patterns
- Correlate traffic with deployment events
- Confirm whether activity escalated over time
Instead of guessing, you have evidence.
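The pattern described under "Why 90 Days Matters" and the investigation above can be reduced to a small per-IP profile: how many distinct days an address was active, how many distinct paths it touched, the busiest 60-second window it ever produced (does it ever approach a rate limit?), its error ratio, and whether its request volume grew between the first and second half of the window. The script below is an added example, not code from the original post or from the platform it describes. It assumes Cloudflare-style NDJSON request logs with the field names `ClientIP`, `ClientRequestPath`, `EdgeResponseStatus` and an RFC 3339 `EdgeStartTimestamp` (the names used by Cloudflare's HTTP requests dataset; any export in that shape works), and the thresholds in `classify` are illustrative assumptions, not tuned values. The 90 days of sample traffic are constructed in `build_sample_log`: one address that requests a single new path every few days and never exceeds one request per minute, one ordinary user with a busy week, and one burst bot that any rate limit would already catch.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW_DAYS = 90
START = datetime(2024, 1, 1, tzinfo=timezone.utc)  # start of the constructed 90-day window


def parse_log(ndjson_text):
    """Parse NDJSON request logs into (ip, path, status, timestamp); malformed lines are skipped."""
    events = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            # Assumed field names; EdgeStartTimestamp is treated as RFC 3339 with a trailing Z.
            ts = datetime.fromisoformat(rec["EdgeStartTimestamp"].replace("Z", "+00:00"))
            events.append((rec["ClientIP"], rec["ClientRequestPath"], int(rec["EdgeResponseStatus"]), ts))
        except (ValueError, KeyError, TypeError):
            continue
    return events


def max_requests_per_minute(timestamps):
    """Largest number of requests inside any 60-second window (two-pointer sweep over sorted times)."""
    ts = sorted(timestamps)
    best, lo = 0, 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] >= timedelta(seconds=60):
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def profile_ips(events, window_end):
    """Build a behavioural profile for every IP seen in the WINDOW_DAYS before window_end."""
    window_start = window_end - timedelta(days=WINDOW_DAYS)
    midpoint = window_end - timedelta(days=WINDOW_DAYS / 2)
    by_ip = defaultdict(list)
    for ip, path, status, ts in events:
        if window_start <= ts <= window_end:
            by_ip[ip].append((path, status, ts))
    profiles = {}
    for ip, recs in by_ip.items():
        times = [r[2] for r in recs]
        first_half = sum(1 for t in times if t < midpoint)
        profiles[ip] = {
            "requests": len(recs),
            "active_days": len({t.date() for t in times}),
            "distinct_paths": len({r[0] for r in recs}),
            "span_days": (max(times) - min(times)).days,
            "max_per_minute": max_requests_per_minute(times),
            "error_ratio": round(sum(1 for r in recs if r[1] >= 400) / len(recs), 2),
            "first_half": first_half,      # requests in the older half of the window
            "second_half": len(recs) - first_half,  # requests in the newer half (escalation check)
        }
    return profiles


def classify(profile, min_days=10, min_paths=10, quiet_rpm=5, min_span=30):
    """Illustrative thresholds: a burst is loud enough for rate limits; low-and-slow never is."""
    if profile["max_per_minute"] > 60:
        return "burst"
    if (profile["active_days"] >= min_days and profile["distinct_paths"] >= min_paths
            and profile["max_per_minute"] <= quiet_rpm and profile["span_days"] >= min_span):
        return "low-and-slow"
    return "normal"


def triage(profiles):
    """Map every IP in the window to its classification."""
    return {ip: classify(p) for ip, p in profiles.items()}


def build_sample_log(start=START):
    """Constructed sample traffic (documentation-range IPs); not real log data."""
    lines = []

    def rec(ip, path, ts, status=200):
        lines.append(json.dumps({"ClientIP": ip, "ClientRequestPath": path,
                                 "EdgeStartTimestamp": ts.isoformat().replace("+00:00", "Z"),
                                 "EdgeResponseStatus": status}))

    for i in range(0, 90, 4):                      # slow scanner: a new path every 4 days, 404s,
        day = start + timedelta(days=i)            # 1 request/day early rising to 3/day late
        for j in range(1 + i // 30):
            rec("203.0.113.7", f"/api/v1/resource{i // 4}", day + timedelta(minutes=7 * j), 404)
    for i in range(7):                             # ordinary user: a busy week on two paths
        for j in range(20):
            rec("198.51.100.23", "/dashboard" if j % 2 else "/login",
                start + timedelta(days=40 + i, hours=9, seconds=20 * j))
    for j in range(300):                           # burst bot: 300 requests in 150 seconds
        rec("192.0.2.5", "/", start + timedelta(days=10, seconds=0.5 * j), 429)
    return "\n".join(lines)


if __name__ == "__main__":
    profiles = profile_ips(parse_log(build_sample_log()), START + timedelta(days=WINDOW_DAYS))
    for ip, verdict in triage(profiles).items():
        print(ip, verdict, profiles[ip])
```

With a short retention window only the burst bot and the busy user are visible at any one time; the scanner's profile (23 active days, 23 distinct paths, at most one request per minute, 16 requests in the first 45 days against 30 in the last 45) only exists because the whole 90 days can be queried at once. Against real exports, replace `build_sample_log` with the archived NDJSON for the address under investigation and tune the thresholds to the site's own baseline.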
Why Developers Prefer This Approach
Developers generally don’t wake up wanting to build another analytics pipeline.
They want answers.
Our platform focuses on removing operational complexity.
No infrastructure.
No maintenance.
No ingestion surprises.
No retention deadlines.
Just searchable Cloudflare logs that remain available when you need them.
Pro Tip: The most valuable logs are usually the ones you didn’t know you’d need until weeks later.
Stop Losing Historical Context
Every deleted log removes future debugging capability.
Every expired security event limits future investigations.
Every retention boundary creates a blind spot.
Long-term visibility shouldn’t require building a data platform or paying enterprise SIEM prices.
If Cloudflare traffic data matters to your business, retaining it indefinitely is one of the simplest ways to improve security investigations, incident response, and operational debugging.
Secure Your Logs in Under 2 Minutes
Keep Every Cloudflare Log. Forever.
Paste your API token, choose your domain, and start retaining Cloudflare logs immediately.
- No infrastructure
- No S3 buckets
- No IAM policies
- No Athena setup
- No enterprise SIEM costs
- Searchable historical logs forever
Get started now and preserve the data you’ll wish you had during your next investigation.