// Security & Observability 2026-06-05 7 min read

The Day After a DDoS Attack: How to Audit Cloudflare Traffic When Your Logs Already Expired


You survived the attack. Origin held, WAF rules fired, traffic normalized around 4AM.

Now it’s the next morning. Your CTO wants a full incident report. Your security team needs attacker fingerprints. Your insurance provider wants documented proof of origin bypass attempts.

You open Cloudflare. Navigate to Analytics → Logs.

The data is gone.


Cloudflare’s Dirty Secret: Your Logs Have an Expiry Date

Cloudflare doesn’t advertise this prominently, but here’s the cold truth by plan:

Plan        | Raw Log Access          | Retention Window
------------|-------------------------|--------------------------------------
Free        | ❌ None                 | N/A
Pro         | ❌ None                 | N/A
Business    | ✅ Logpush only         | 72 hours (push destination required)
Enterprise  | ✅ Logs API + Logpush   | 72 hours max

Seventy-two hours. That’s the ceiling — even on Enterprise.

A slow-burn DDoS campaign that ran Thursday through Sunday? A credential-stuffing wave you noticed Monday morning? A four-day bot scraping campaign?

All of it. Gone.


What You’re Left With After the Window Closes

Without retained logs, your post-incident toolkit shrinks to near-zero:

  • 🔴 No raw request data — only aggregated charts you can’t drill into
  • 🔴 No attacker fingerprints — User-Agent strings, ASNs, JA3 TLS hashes, all purged
  • 🔴 No origin bypass evidence — nothing to show your legal team or insurer
  • 🔴 No baseline for WAF tuning — you’re writing rules based on intuition, not data
  • 🔴 No slow-threat visibility — low-and-slow attacks designed to outlast your retention window now have a reliable evasion strategy

You’re doing digital forensics in a room where someone vacuumed up all the fingerprints.


Why “Just Use Logpush to S3” Is Bad Advice for a Busy Team

Every senior DevOps engineer on your Slack will say the same thing within five minutes:

“Just configure Logpush to an S3 bucket. Then query it with Athena. It’s straightforward.”

Here’s what “straightforward” actually looks like on a three-person startup team:

Task                                      | Time Cost       | Ongoing Maintenance
------------------------------------------|-----------------|------------------------------------------
Create S3 bucket + lifecycle rules        | ~45 min         | Forgotten costs, bucket sprawl
Write IAM policy scoped to Logpush        | ~1–2 hrs        | Token rotation, permission drift
Configure Logpush destination + verify    | ~1 hr           | Breaks silently on API changes
Set up Glue Data Catalog schema           | ~2 hrs          | Schema drift when Cloudflare adds fields
Write + test Athena queries               | ~3–4 hrs        | SQL-only, no visual interface
Build alerting for ingestion failures     | ~2–3 hrs        | Yet another thing to get paged about
Total before you see a single log         | ~Half a sprint  | 💸 + 📟 forever

And that’s before you consider the alternatives:

  • Datadog Logs: Ingestion billed per GB. One bad traffic spike = a $3,000 invoice you didn’t model.
  • Splunk Cloud: Per-GB indexing at enterprise pricing. Routinely the second-biggest line item in an infra budget.
  • Elastic/self-hosted: You’ve now traded one operational burden for a bigger one.

None of these are designed for the specific problem of “I just need my Cloudflare request logs to not disappear.”


There’s a Third Option: Retain Everything, Touch Nothing

This is the exact gap [Your Product] was built to close.

No S3 buckets. No IAM rabbit holes. No ingestion bills. No dashboards you have to build yourself.

Paste your Cloudflare API token → Select your domain → Your logs are retained indefinitely in a searchable dashboard.

That’s the entire setup. Under two minutes. No infrastructure to provision, maintain, or monitor.


The 3-Step Workflow (Seriously, That’s It)

Step 1 — Generate a Scoped Cloudflare API Token

In your Cloudflare dashboard, create a token with two permissions only:

  • Zone → Zone → Read
  • Zone → Logs → Read

Read-only. No write access, ever. Takes 60 seconds.

Step 2 — Paste the Token and Select Your Zone

Drop the token into [Your Product]. Select which Cloudflare zone to monitor. If you’re running multiple domains, add them all — each gets an independent log stream.

Step 3 — View Your Logs. Forever.

From this moment forward, every request hitting your zone is captured, indexed, and stored with no retention limit. The dashboard is live immediately.

💡 Pro tip: Set this up before the next incident, not after. Cloudflare cannot retroactively recover logs that have already been purged from their systems. The two minutes you spend today are the two minutes that make your next 3AM post-mortem survivable.


What a Real Post-DDoS Audit Looks Like With Retained Logs

Once your full request history is preserved, a proper forensic investigation becomes straightforward:

Pin the Exact Attack Window

Isolate requests to the precise hours of the incident — not a 24-hour aggregate, but minute-by-minute granularity. See exactly when the first probe fired and when the last request resolved.

Extract Attacker Fingerprints

  • IP clustering: Surface the /24 CIDR blocks and ASNs responsible for volume
  • User-Agent analysis: Identify botnet strings, headless browser signatures, and spoofed crawlers
  • Path targeting: See which endpoints absorbed the most load — login endpoints? API routes? Checkout?
  • HTTP method ratios: Layer 7 floods almost always show anomalous POST/GET distributions

Prove Origin Bypass Attempts

Filter for requests where cf-connecting-ip behavior suggests direct-to-origin probing. Generate a timestamped export for your legal team, insurance claim, or security audit — with the raw log records as evidence, not screenshots.

Tune WAF Rules With Actual Evidence

Stop guessing. Query historical logs for shared headers, URI patterns, and request cadence from the attack window. Write surgical firewall rules from real data, then validate them against the historical traffic before deploying to production.

💡 Pro tip: After every incident, export your top attacking ASNs and load them into Cloudflare IP Access Rules as proactive blocks. Botnets reuse infrastructure. The ASN that hit you last Tuesday will hit someone else tomorrow — and probably come back for you next month.
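As an added example (not code from the product or from Cloudflare), here is the fingerprint extraction and ASN export described above, run over retained request records. Field names follow Cloudflare's HTTP request log schema (EdgeStartTimestamp in epoch nanoseconds); the NDJSON records themselves are constructed sample data, and the AS-number formatting for the block list is an assumption.

```python
import json
from collections import Counter
from datetime import datetime
from ipaddress import ip_network

def _ns(iso):
    """RFC 3339 UTC string -> epoch nanoseconds (EdgeStartTimestamp default)."""
    return int(datetime.fromisoformat(iso).timestamp()) * 1_000_000_000

def _rec(ts, ip, asn, ua, method, path):
    return {"EdgeStartTimestamp": _ns(ts), "ClientIP": ip, "ClientASN": asn,
            "ClientRequestUserAgent": ua, "ClientRequestMethod": method,
            "ClientRequestPath": path}

# Constructed NDJSON sample (not real traffic): a POST flood on /login from one /24
# and one ASN around 03:00 UTC, surrounded by ordinary browsing traffic.
BOT = "python-requests/2.31"
SAMPLE_NDJSON = "\n".join(json.dumps(r) for r in [
    _rec("2026-06-04T02:50:00+00:00", "198.51.100.7", 64500, "Mozilla/5.0", "GET", "/"),
    *[_rec("2026-06-04T03:0%d:00+00:00" % i, "203.0.113.%d" % (10 + i), 64496, BOT,
           "POST", "/login") for i in range(6)],
    _rec("2026-06-04T03:04:30+00:00", "203.0.113.99", 64496, BOT, "POST", "/login"),
    _rec("2026-06-04T03:05:00+00:00", "192.0.2.5", 64501, "Mozilla/5.0", "GET", "/checkout"),
    _rec("2026-06-04T04:10:00+00:00", "198.51.100.8", 64500, "Mozilla/5.0", "GET", "/api/status"),
])

def parse_ndjson(text):
    """One JSON object per line, as Logpush/Logpull deliver them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def attack_window(records, start_iso, end_iso):
    """Pin the incident: keep only requests in the half-open interval [start, end)."""
    lo, hi = _ns(start_iso), _ns(end_iso)
    return [r for r in records if lo <= r["EdgeStartTimestamp"] < hi]

def fingerprints(records, top=3):
    """/24 clustering, ASN volume, User-Agent strings, hottest paths, POST/GET ratio."""
    cidr = Counter(str(ip_network(r["ClientIP"] + "/24", strict=False)) for r in records)
    asn = Counter(r["ClientASN"] for r in records)
    ua = Counter(r["ClientRequestUserAgent"] for r in records)
    path = Counter(r["ClientRequestPath"] for r in records)
    method = Counter(r["ClientRequestMethod"] for r in records)
    return {"cidr24": cidr.most_common(top), "asn": asn.most_common(top),
            "user_agent": ua.most_common(top), "path": path.most_common(top),
            "post_to_get": round(method["POST"] / max(method["GET"], 1), 2)}

def block_list(fp):
    """Top ASNs from a fingerprint summary as AS-number strings (assumed format)."""
    return ["AS%d" % a for a, _ in fp["asn"]]

if __name__ == "__main__":
    fp = fingerprints(attack_window(parse_ndjson(SAMPLE_NDJSON),
                                    "2026-06-04T03:00:00+00:00", "2026-06-04T03:06:00+00:00"))
    print(json.dumps(fp, indent=2), block_list(fp))
```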


Common Questions, Answered Directly

“Doesn’t Cloudflare offer a native log retention add-on?” Yes — as part of an Enterprise contract, starting around $200+/month per zone. If that’s already in your budget, great. If you’re a startup or mid-market team, you’re paying Enterprise pricing to solve a problem that shouldn’t cost that much.

“Where is my log data stored? What’s the compliance posture?” Data is encrypted at rest, stored on SOC 2-compliant infrastructure, and never shared or sold. You can export your full dataset in standard formats at any time.

“How does pricing compare to Datadog/Splunk ingestion?” Flat-rate, not per-GB. Your bill doesn’t change when you get attacked. No ingestion surprises the month after a traffic spike.

“Does this work on Cloudflare Free or Pro plans?” Yes. The product pulls logs directly via the Cloudflare API on your behalf. Your Cloudflare plan tier doesn’t gate what we capture going forward.

“What about multi-domain setups?” Add as many zones as you need. Each one gets a dedicated log stream and its own searchable view.


The Real Cost of Not Having This Set Up

The average DDoS post-mortem takes 8–12 hours of engineering time. The average post-mortem without logs takes longer, produces weaker output, and usually ends with “we’re not entirely sure what happened.”

That uncertainty is what gets you hit the same way again.

One incident with no retained logs costs more in wasted engineering hours, missed WAF tuning, and repeat exposure than a year of log retention ever would.


Retain Your Cloudflare Logs — Setup in Under 2 Minutes

✓  No infrastructure to provision or maintain
✓  No per-GB ingestion fees
✓  No retention limits — logs stored indefinitely
✓  Searchable dashboard, live immediately
✓  Read-only API access — we never touch your config

Start Free — Secure Your Logs Now

Paste your token. Pick your domain. Done. Your next post-mortem will have the receipts.