R2 Log Analyzer Server
БесплатноНе проверенA remote MCP server that lets you analyze HTTP request logs and WAF/Firewall event logs stored in Cloudflare R2 using natural language via MCP clients such as C
Описание
A remote MCP server that lets you analyze HTTP request logs and WAF/Firewall event logs stored in Cloudflare R2 using natural language via MCP clients such as Claude Desktop.
README
A remote MCP server that lets you analyze HTTP request logs and WAF/Firewall event logs stored in Cloudflare R2 using natural language via MCP clients such as Claude Desktop.
Runs on Cloudflare Workers with Cloudflare Access OAuth authentication, automatic gzip log decompression, and WAF Payload Logging (encrypted_matched_data) decryption.
Features
- Natural language log analysis — Simply ask your MCP client something like "Analyze today's WAF blocks"
- Cloudflare Access OAuth — Secure access control via OAuth 2.1 with PKCE
- Automatic gzip decompression — Transparently decompresses
.log.gzfiles output by Logpush - WAF payload decryption — Automatically decrypts Cloudflare WAF Payload Logging encrypted payloads (HPKE: X25519 + ChaCha20-Poly1305)
- Durable Objects — Uses Cloudflare Durable Objects for MCP protocol state management
Architecture
flowchart LR
Client["🤖 MCP Client<br/>(Claude / Cursor / Windsurf)"]
Access["🔐 Cloudflare Access<br/>(OIDC IdP)"]
subgraph Worker["☁️ Cloudflare Worker — R2 Log Analyzer MCP Server"]
direction TB
DO["🧠 Durable Object (McpAgent)<br/>• Log query / analysis<br/>• Streaming aggregation<br/>• gzip decompression<br/>• WAF payload decryption"]
OAuth["🔑 OAuth Provider<br/>(state & PKCE)"]
end
HTTPLogs[("📊 R2 Bucket<br/>HTTP Request Logs")]
WAFLogs[("🛡️ R2 Bucket<br/>WAF / Firewall Logs")]
KV[("🗝️ KV Namespace<br/>OAUTH_KV")]
Logpush["📤 Cloudflare Logpush"]
Client <-->|"OAuth 2.1 + PKCE"| Access
Client <-->|"MCP Protocol (SSE)"| Worker
DO -->|"list / get (parallel x16)"| HTTPLogs
DO -->|"list / get (parallel x16)"| WAFLogs
OAuth <--> KV
Logpush -.->|"ndjson.gz"| HTTPLogs
Logpush -.->|"ndjson.gz"| WAFLogs
classDef client fill:#e0f2fe,stroke:#0284c7,color:#0c4a6e
classDef access fill:#fef3c7,stroke:#d97706,color:#78350f
classDef worker fill:#ede9fe,stroke:#7c3aed,color:#4c1d95
classDef storage fill:#dcfce7,stroke:#16a34a,color:#14532d
classDef pipeline fill:#f1f5f9,stroke:#64748b,color:#0f172a
class Client client
class Access access
class DO,OAuth worker
class HTTPLogs,WAFLogs,KV storage
class Logpush pipeline
Available Tools
| Tool | Description |
|---|---|
list_log_files |
List log files in an R2 bucket |
query_http_logs |
Search and filter HTTP request logs |
query_firewall_logs |
Search and filter WAF firewall event logs (with automatic payload decryption) |
analyze_http_traffic |
Top-N analysis of HTTP traffic (by IP, country, path, status code, etc.) |
analyze_waf_events |
Top-N analysis of WAF events (by action, rule, source, attacker IP, etc.) |
get_log_entry |
Retrieve details of a specific log entry by RayID |
read_raw_log_file |
Read a raw log file directly from R2 |
decrypt_waf_payload |
Decrypt an individual WAF encrypted payload (encrypted_matched_data) |
Prerequisites
- A Cloudflare account (Workers, R2, KV, Durable Objects, Access)
- Logpush configured to output logs to R2 buckets
- HTTP requests dataset
- Firewall events dataset
- A Cloudflare Access OIDC application
Setup
1. Clone the Repository and Install Dependencies
git clone https://github.com/takaakisuzuki/r2-log-analyzer-mcp.git
cd r2-log-analyzer-mcp
npm install
2. Create a KV Namespace
npx wrangler kv:namespace create "OAUTH_KV"
Set the output ID in kv_namespaces[0].id in wrangler.jsonc.
3. Configure R2 Bucket Names
Set your Logpush destination R2 bucket names in the r2_buckets section of wrangler.jsonc.
"r2_buckets": [
{
"binding": "HTTP_LOG_BUCKET",
"bucket_name": "<your-http-logs-bucket>"
},
{
"binding": "WAF_LOG_BUCKET",
"bucket_name": "<your-waf-logs-bucket>"
}
]
Note: Separate buckets may be created for each Logpush dataset. Verify in Cloudflare Dashboard > Analytics & Logs > Logpush.
4. Create a Cloudflare Access OIDC Application
Go to Cloudflare Zero Trust Dashboard > Access > Applications and create a SaaS Application.
- Application type: OIDC
- Scopes:
openid,email,profile - Redirect URLs:
- Production:
https://r2-log-analyzer-mcp.<your-subdomain>.workers.dev/callback - Local development:
http://localhost:8788/callback
- Production:
Note the following values after creation:
- Client ID
- Client Secret
- Authorization URL
- Token URL
- JWKS URL (Certificate URL)
5. Set Secrets
npx wrangler secret put ACCESS_CLIENT_ID
npx wrangler secret put ACCESS_CLIENT_SECRET
npx wrangler secret put ACCESS_TOKEN_URL
npx wrangler secret put ACCESS_AUTHORIZATION_URL
npx wrangler secret put ACCESS_JWKS_URL
npx wrangler secret put COOKIE_ENCRYPTION_KEY # Generate with: openssl rand -hex 32
6. Deploy
npm run deploy
7. Configure WAF Payload Decryption (Optional)
Enable WAF Payload Logging to encrypt and log the content of request bodies that match WAF rules.
Generate a Key Pair
Generate a key pair via Cloudflare Dashboard > Security > WAF > Managed rules > target ruleset > Configure payload logging, or use matched-data-cli:
cargo install matched-data-cli
matched-data-cli generate-key-pair
Set the Private Key
npx wrangler secret put MATCHED_PAYLOAD_PRIVATE_KEY
# Enter the generated private key (base64-encoded)
Register the public key in the Managed Ruleset payload logging settings in the Cloudflare Dashboard.
Once configured, Metadata.encrypted_matched_data will be recorded in logs when a WAF rule matches request body content, and this MCP server will automatically decrypt it.
Local Development
# Set secrets in .dev.vars
cat > .dev.vars << 'EOF'
ACCESS_CLIENT_ID=<your-client-id>
ACCESS_CLIENT_SECRET=<your-client-secret>
ACCESS_TOKEN_URL=<your-token-url>
ACCESS_AUTHORIZATION_URL=<your-authorization-url>
ACCESS_JWKS_URL=<your-jwks-url>
COOKIE_ENCRYPTION_KEY=<random-hex-string>
MATCHED_PAYLOAD_PRIVATE_KEY=<optional-private-key>
EOF
# Start the development server
npm run dev
Test the connection with MCP Inspector:
npx @modelcontextprotocol/inspector@latest
# URL: http://localhost:8788/sse
Connecting from MCP Clients
Claude Desktop
Go to Settings > Developer > Edit Config and add the following:
{
"mcpServers": {
"r2-log-analyzer": {
"command": "npx",
"args": [
"mcp-remote",
"https://r2-log-analyzer-mcp.<your-subdomain>.workers.dev/sse"
]
}
}
}
On the first connection, a browser window will open showing the Cloudflare Access authentication screen.
Windsurf / Cursor
Type: command, Command:
npx mcp-remote https://r2-log-analyzer-mcp.<your-subdomain>.workers.dev/sse
Usage Examples
You can query your MCP client (e.g., Claude Desktop) like this:
Analyze today's WAF firewall event logs
Show me the IPs with the most 403 status codes in yesterday's HTTP traffic
Show details for RayID 9dd222669c879d35
What are the most common attack patterns in this week's WAF blocks?
Project Structure
src/
├── index.ts # Main entry point, MCP tool definitions
├── access-handler.ts # Cloudflare Access OAuth handler
├── matched-data.ts # WAF payload decryption (HPKE)
└── workers-oauth-utils.ts # OAuth/CSRF/PKCE utilities
Logpush Configuration Tips
When configuring Logpush to R2, using separate prefixes makes management easier:
- HTTP requests:
http_requests/{DATE}/ - Firewall events:
firewall_events/{DATE}/
If you use WAF payload decryption, make sure to include the Metadata field in your Logpush job data fields.
Log Schema
HTTP Requests — Key Fields
| Field | Description |
|---|---|
EdgeStartTimestamp |
Request received timestamp |
ClientIP / ClientCountry |
Client information |
ClientRequestHost / ClientRequestMethod / ClientRequestPath |
Request details |
EdgeResponseStatus / OriginResponseStatus |
Response status |
CacheCacheStatus |
Cache status |
SecurityAction / SecurityRuleID |
Security action |
BotScore / BotScoreSrc |
Bot detection score |
WAFAttackScore / WAFSQLiAttackScore / WAFXSSAttackScore |
WAF attack scores |
RayID |
Request ID |
Firewall Events — Key Fields
| Field | Description |
|---|---|
Datetime |
Event timestamp |
Action |
Action taken (block, challenge, log, etc.) |
ClientIP / ClientCountry |
Client information |
ClientRequestHost / ClientRequestMethod / ClientRequestPath |
Request details |
Description |
Rule description |
RuleID |
Rule ID |
Source |
Security product (firewallManaged, firewallCustom, etc.) |
Metadata |
Metadata (encrypted_matched_data, ruleset_version, etc.) |
LeakedCredentialCheckResult |
Leaked credential check result |
RayID |
Request ID |
Tech Stack
- Cloudflare Workers — Serverless runtime
- Cloudflare Durable Objects — MCP session management
- Cloudflare R2 — Log storage
- Cloudflare KV — OAuth state management
- Cloudflare Access — Authentication
- MCP SDK — Model Context Protocol
- agents — Cloudflare Agents framework
- @hpke/core — WAF payload decryption (HPKE)
License
MIT
Установка R2 Log Analyzer Server
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/takaakisuzuki/r2-log-analyzer-mcpFAQ
R2 Log Analyzer Server MCP бесплатный?
Да, R2 Log Analyzer Server MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для R2 Log Analyzer Server?
Нет, R2 Log Analyzer Server работает без API-ключей и переменных окружения.
R2 Log Analyzer Server — hosted или self-hosted?
Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.
Как установить R2 Log Analyzer Server в Claude Desktop, Claude Code или Cursor?
Открой R2 Log Analyzer Server на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
автор: modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
автор: xuzexin-hzCompare R2 Log Analyzer Server with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории ai
