Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

R2 Log Analyzer Server

БесплатноНе проверен

A remote MCP server that lets you analyze HTTP request logs and WAF/Firewall event logs stored in Cloudflare R2 using natural language via MCP clients such as C

GitHubEmbed

Описание

A remote MCP server that lets you analyze HTTP request logs and WAF/Firewall event logs stored in Cloudflare R2 using natural language via MCP clients such as Claude Desktop.

README

A remote MCP server that lets you analyze HTTP request logs and WAF/Firewall event logs stored in Cloudflare R2 using natural language via MCP clients such as Claude Desktop.

Runs on Cloudflare Workers with Cloudflare Access OAuth authentication, automatic gzip log decompression, and WAF Payload Logging (encrypted_matched_data) decryption.

Features

  • Natural language log analysis — Simply ask your MCP client something like "Analyze today's WAF blocks"
  • Cloudflare Access OAuth — Secure access control via OAuth 2.1 with PKCE
  • Automatic gzip decompression — Transparently decompresses .log.gz files output by Logpush
  • WAF payload decryption — Automatically decrypts Cloudflare WAF Payload Logging encrypted payloads (HPKE: X25519 + ChaCha20-Poly1305)
  • Durable Objects — Uses Cloudflare Durable Objects for MCP protocol state management

Architecture

flowchart LR
    Client["🤖 MCP Client<br/>(Claude / Cursor / Windsurf)"]
    Access["🔐 Cloudflare Access<br/>(OIDC IdP)"]

    subgraph Worker["☁️ Cloudflare Worker — R2 Log Analyzer MCP Server"]
        direction TB
        DO["🧠 Durable Object (McpAgent)<br/>• Log query / analysis<br/>• Streaming aggregation<br/>• gzip decompression<br/>• WAF payload decryption"]
        OAuth["🔑 OAuth Provider<br/>(state &amp; PKCE)"]
    end

    HTTPLogs[("📊 R2 Bucket<br/>HTTP Request Logs")]
    WAFLogs[("🛡️ R2 Bucket<br/>WAF / Firewall Logs")]
    KV[("🗝️ KV Namespace<br/>OAUTH_KV")]
    Logpush["📤 Cloudflare Logpush"]

    Client <-->|"OAuth 2.1 + PKCE"| Access
    Client <-->|"MCP Protocol (SSE)"| Worker

    DO -->|"list / get (parallel x16)"| HTTPLogs
    DO -->|"list / get (parallel x16)"| WAFLogs
    OAuth <--> KV

    Logpush -.->|"ndjson.gz"| HTTPLogs
    Logpush -.->|"ndjson.gz"| WAFLogs

    classDef client fill:#e0f2fe,stroke:#0284c7,color:#0c4a6e
    classDef access fill:#fef3c7,stroke:#d97706,color:#78350f
    classDef worker fill:#ede9fe,stroke:#7c3aed,color:#4c1d95
    classDef storage fill:#dcfce7,stroke:#16a34a,color:#14532d
    classDef pipeline fill:#f1f5f9,stroke:#64748b,color:#0f172a

    class Client client
    class Access access
    class DO,OAuth worker
    class HTTPLogs,WAFLogs,KV storage
    class Logpush pipeline

Available Tools

Tool Description
list_log_files List log files in an R2 bucket
query_http_logs Search and filter HTTP request logs
query_firewall_logs Search and filter WAF firewall event logs (with automatic payload decryption)
analyze_http_traffic Top-N analysis of HTTP traffic (by IP, country, path, status code, etc.)
analyze_waf_events Top-N analysis of WAF events (by action, rule, source, attacker IP, etc.)
get_log_entry Retrieve details of a specific log entry by RayID
read_raw_log_file Read a raw log file directly from R2
decrypt_waf_payload Decrypt an individual WAF encrypted payload (encrypted_matched_data)

Prerequisites

Setup

1. Clone the Repository and Install Dependencies

git clone https://github.com/takaakisuzuki/r2-log-analyzer-mcp.git
cd r2-log-analyzer-mcp
npm install

2. Create a KV Namespace

npx wrangler kv:namespace create "OAUTH_KV"

Set the output ID in kv_namespaces[0].id in wrangler.jsonc.

3. Configure R2 Bucket Names

Set your Logpush destination R2 bucket names in the r2_buckets section of wrangler.jsonc.

"r2_buckets": [
  {
    "binding": "HTTP_LOG_BUCKET",
    "bucket_name": "<your-http-logs-bucket>"
  },
  {
    "binding": "WAF_LOG_BUCKET",
    "bucket_name": "<your-waf-logs-bucket>"
  }
]

Note: Separate buckets may be created for each Logpush dataset. Verify in Cloudflare Dashboard > Analytics & Logs > Logpush.

4. Create a Cloudflare Access OIDC Application

Go to Cloudflare Zero Trust Dashboard > Access > Applications and create a SaaS Application.

  1. Application type: OIDC
  2. Scopes: openid, email, profile
  3. Redirect URLs:
    • Production: https://r2-log-analyzer-mcp.<your-subdomain>.workers.dev/callback
    • Local development: http://localhost:8788/callback

Note the following values after creation:

  • Client ID
  • Client Secret
  • Authorization URL
  • Token URL
  • JWKS URL (Certificate URL)

5. Set Secrets

npx wrangler secret put ACCESS_CLIENT_ID
npx wrangler secret put ACCESS_CLIENT_SECRET
npx wrangler secret put ACCESS_TOKEN_URL
npx wrangler secret put ACCESS_AUTHORIZATION_URL
npx wrangler secret put ACCESS_JWKS_URL
npx wrangler secret put COOKIE_ENCRYPTION_KEY  # Generate with: openssl rand -hex 32

6. Deploy

npm run deploy

7. Configure WAF Payload Decryption (Optional)

Enable WAF Payload Logging to encrypt and log the content of request bodies that match WAF rules.

Generate a Key Pair

Generate a key pair via Cloudflare Dashboard > Security > WAF > Managed rules > target ruleset > Configure payload logging, or use matched-data-cli:

cargo install matched-data-cli
matched-data-cli generate-key-pair

Set the Private Key

npx wrangler secret put MATCHED_PAYLOAD_PRIVATE_KEY
# Enter the generated private key (base64-encoded)

Register the public key in the Managed Ruleset payload logging settings in the Cloudflare Dashboard.

Once configured, Metadata.encrypted_matched_data will be recorded in logs when a WAF rule matches request body content, and this MCP server will automatically decrypt it.

Local Development

# Set secrets in .dev.vars
cat > .dev.vars << 'EOF'
ACCESS_CLIENT_ID=<your-client-id>
ACCESS_CLIENT_SECRET=<your-client-secret>
ACCESS_TOKEN_URL=<your-token-url>
ACCESS_AUTHORIZATION_URL=<your-authorization-url>
ACCESS_JWKS_URL=<your-jwks-url>
COOKIE_ENCRYPTION_KEY=<random-hex-string>
MATCHED_PAYLOAD_PRIVATE_KEY=<optional-private-key>
EOF

# Start the development server
npm run dev

Test the connection with MCP Inspector:

npx @modelcontextprotocol/inspector@latest
# URL: http://localhost:8788/sse

Connecting from MCP Clients

Claude Desktop

Go to Settings > Developer > Edit Config and add the following:

{
  "mcpServers": {
    "r2-log-analyzer": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://r2-log-analyzer-mcp.<your-subdomain>.workers.dev/sse"
      ]
    }
  }
}

On the first connection, a browser window will open showing the Cloudflare Access authentication screen.

Windsurf / Cursor

Type: command, Command:

npx mcp-remote https://r2-log-analyzer-mcp.<your-subdomain>.workers.dev/sse

Usage Examples

You can query your MCP client (e.g., Claude Desktop) like this:

Analyze today's WAF firewall event logs
Show me the IPs with the most 403 status codes in yesterday's HTTP traffic
Show details for RayID 9dd222669c879d35
What are the most common attack patterns in this week's WAF blocks?

Project Structure

src/
├── index.ts              # Main entry point, MCP tool definitions
├── access-handler.ts     # Cloudflare Access OAuth handler
├── matched-data.ts       # WAF payload decryption (HPKE)
└── workers-oauth-utils.ts # OAuth/CSRF/PKCE utilities

Logpush Configuration Tips

When configuring Logpush to R2, using separate prefixes makes management easier:

  • HTTP requests: http_requests/{DATE}/
  • Firewall events: firewall_events/{DATE}/

If you use WAF payload decryption, make sure to include the Metadata field in your Logpush job data fields.

Log Schema

HTTP Requests — Key Fields

Field Description
EdgeStartTimestamp Request received timestamp
ClientIP / ClientCountry Client information
ClientRequestHost / ClientRequestMethod / ClientRequestPath Request details
EdgeResponseStatus / OriginResponseStatus Response status
CacheCacheStatus Cache status
SecurityAction / SecurityRuleID Security action
BotScore / BotScoreSrc Bot detection score
WAFAttackScore / WAFSQLiAttackScore / WAFXSSAttackScore WAF attack scores
RayID Request ID

Firewall Events — Key Fields

Field Description
Datetime Event timestamp
Action Action taken (block, challenge, log, etc.)
ClientIP / ClientCountry Client information
ClientRequestHost / ClientRequestMethod / ClientRequestPath Request details
Description Rule description
RuleID Rule ID
Source Security product (firewallManaged, firewallCustom, etc.)
Metadata Metadata (encrypted_matched_data, ruleset_version, etc.)
LeakedCredentialCheckResult Leaked credential check result
RayID Request ID

Tech Stack

License

MIT

from github.com/takaakisuzuki/r2-log-analyzer-mcp

Установка R2 Log Analyzer Server

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/takaakisuzuki/r2-log-analyzer-mcp

FAQ

R2 Log Analyzer Server MCP бесплатный?

Да, R2 Log Analyzer Server MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для R2 Log Analyzer Server?

Нет, R2 Log Analyzer Server работает без API-ключей и переменных окружения.

R2 Log Analyzer Server — hosted или self-hosted?

Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.

Как установить R2 Log Analyzer Server в Claude Desktop, Claude Code или Cursor?

Открой R2 Log Analyzer Server на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare R2 Log Analyzer Server with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории ai