[Logs] Update Logpush dataset field definitions (2026-06-24)

[soheiokamoto]

Summary

Automated sync of Logpush dataset field definitions from data/entities.

New datasets

• Firewall events: A new dataset with fields including AISecurityInjectionScore, AISecurityPIICategories, AISecurityTokenCount, AISecurityUnsafeTopicCategories, Action, ClientASN, ClientASNDescription, ClientCountry, ClientIP, ClientIPClass, ClientRefererHost, ClientRefererPath, ClientRefererQuery, ClientRefererScheme, ClientRequestHost, ClientRequestMethod, ClientRequestPath, ClientRequestProtocol, ClientRequestQuery, ClientRequestScheme, ClientRequestUserAgent, ContentScanObjResults, ContentScanObjSizes, ContentScanObjTypes, Datetime, Description, EdgeColoCode, EdgeResponseStatus, FirewallForAIInjectionScore, FirewallForAIPIICategories, FirewallForAITokenCount, FirewallForAIUnsafeTopicCategories, FraudUserID, Kind, LeakedCredentialCheckResult, MatchIndex, Metadata, OriginResponseStatus, OriginatorRayID, RayID, Ref, RuleID, Source, and ZoneName.
• WebSocket Analytics: A new dataset with fields including BytesReceivedClient, BytesReceivedOrigin, BytesSentClient, BytesSentOrigin, ClientASN, ClientIP, ClientRequestHost, ClientRequestPath, ClientRequestUserAgent, ColoCode, ConnectionCloseReason, ConnectionCloseSource, ConnectionID, ConnectionTransportCloseCode, EdgeEndTimestamp, EdgeStartTimestamp, and RayID.
• WebSocket Analytics: A new dataset with fields including BytesReceivedClient, BytesReceivedOrigin, BytesSentClient, BytesSentOrigin, ClientASN, ClientIP, ClientRequestHost, ClientRequestPath, ClientRequestUserAgent, ColoCode, ConnectionCloseReason, ConnectionCloseSource, ConnectionID, ConnectionTransportCloseCode, EdgeEndTimestamp, EdgeStartTimestamp, and RayID.

Updated fields in existing datasets

• Email Security Alerts (added): BCC, DKIMResult, DMARCPolicy, DMARCResult, and SPFResult.
• Firewall events (added): ZoneName.

Files changed

• src/content/docs/logs/logpush/logpush-job/datasets/account/ — dataset pages
• src/content/docs/logs/logpush/logpush-job/datasets/zone/ — dataset pages
• src/content/changelog/logs/2026-06-24-log-fields-updated.mdx — changelog

Documentation checklist

• Changelog entry added
• Content generated by code generator (DO NOT EDIT manually)

[soheiokamoto]

/bonk please review this automated sync of Logpush dataset field definitions.

Focus on the following:

1. Changelog quality — is the entry clear, accurate, and useful to end users?

2. Field description quality — are the descriptions accurate, clear, and complete?

3. Manual edits at risk of being overwritten — are there any field descriptions that appear
   to have been manually edited directly in cloudflare-docs (e.g. contain context or guidance
   not present in the machine-generated description format)? If so, flag them so the author can
   preserve those edits in the internal source YAML.

[cloudflare-docs-bot]

Review

⏸️ Automatic reviews for this PR are paused.

This PR has already received 2 automatic reviews. To run another review, a codeowner can comment /review or /full-review. To permanently lift the limit for this PR, a codeowner can comment /ignore-review-limit.

Tip: Keep PRs in draft mode until they are ready for review — the bot skips draft PRs automatically.

---

⚠️ 2 warnings found in commit e6c7da8.

Code Review

This code review is in beta and may not always be helpful — use your judgment.

Warnings (2)

File	Issue
changelog/logs/2026-06-24-log-fields-updated.mdx line 13	Duplicated changelog entry — The WebSocket Analytics new dataset bullet is repeated verbatim on lines 12 and 13, listing the exact same fields twice. Fix: Remove the duplicate bullet so each new dataset is listed once.
changelog/logs/2026-06-24-log-fields-updated.mdx line 18	Contradictory dataset classification — Line 11 introduces Firewall events as a new dataset and already includes ZoneName in its field list. Line 18 then lists ZoneName as an added field in the existing Firewall events dataset, which contradicts the claim that it is new and duplicates ZoneName. Fix: Clarify whether Firewall events is new or existing, and remove the redundant ZoneName entry under updated fields.

Style Guide Review

✅ No style-guide issues found.

Commands

Only codeowners can run commands. Post a comment with the command to trigger it.

Command	Description
/review	Runs a review now. Incremental if a prior review exists, full if not.
/full-review	Re-reviews the entire PR diff from scratch, ignoring incremental history. Useful after a rebase, when you want a fresh review, or if the bot gets out of sync and reports issues that no longer exist.
/ignore-review-limit	Permanently lifts the 2-review automatic limit for this PR. Future pushes will trigger reviews as normal.

[github-actions]

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern	Owners
/src/content/changelog/	@cloudflare/pm-changelogs, @cloudflare/product-owners
/src/content/docs/logs/	@soheiokamoto, @angelampcosta, @rianvdm, @dcpena, @cloudflare/product-owners

[ask-bonk]

Review Summary

This PR adds two new Logpush datasets (Firewall events and WebSocket Analytics, both account- and zone-scoped), updates the Email Security Alerts dataset with five new fields, and adds a changelog entry. The changes follow the established code-generator pattern.

Issues that need attention

1. Changelog duplication — the "New datasets" section lists WebSocket Analytics twice (lines 12 and 13). This should be deduplicated; one entry is enough even though the dataset is available in both scopes.

2. Grammar issues in field descriptions — The new account/firewall_events.md contains several awkward or grammatically incorrect descriptions. Because these files are code-generated, the fixes need to be applied in the internal source YAML so they are not overwritten by future syncs. The same issues also exist in the zone-scoped file, so fixing upstream will improve both.

3. Changelog title length — The title is quite long and repeats "in Cloudflare Logs" at the end. Consider shortening it (for example, "New Logpush datasets and updated fields").

Please address the duplication in the changelog before merging.

[ask-bonk]

Duplicate entry: WebSocket Analytics is already listed on line 12. This appears to be a code-generator bug — the dataset exists in both account and zone scopes, but the changelog should only list it once under "New datasets."

[ask-bonk]

Grammar issue (fix in upstream YAML): "The ASN of the visitor as string." → should be "as a string."

[ask-bonk]

Grammar issue (fix in upstream YAML): "The referer query-string was requested by the visitor." is awkward. Suggest "The referer query string requested by the visitor."

[ask-bonk]

Grammar issue (fix in upstream YAML): "The query-string was requested by the visitor." is awkward. Suggest "The query string requested by the visitor."

[ask-bonk]

Grammar issue (fix in upstream YAML): "HTTP response status code returned to browser." → should be "returned to the browser."

[ask-bonk]

Grammar issue (fix in upstream YAML): "HTTP origin response status code returned to browser." → should be "returned to the browser."

[ask-bonk]

I've completed the review of PR #31674.

Labels applied

Added documentation (the PR already had product:logs, product:changelog, and size/l).

Summary of changes

The PR is an automated sync that introduces:

• New datasets — firewall_events and websocket_analytics for both account and zone scopes.
• Updated fields — Email Security Alerts gains BCC, DKIMResult, DMARCPolicy, DMARCResult, and SPFResult. The zone-scoped firewall_events gains ZoneName.
• Changelog entry — 2026-06-24-log-fields-updated.mdx documents the additions.

Issues flagged

I submitted a REQUEST CHANGES review with inline comments pointing out:

1. Changelog duplication — WebSocket Analytics is listed twice in the “New datasets” section (lines 12 and 13). This should be deduplicated before merging.
2. Grammar issues in generated field descriptions — Several descriptions in account/firewall_events.md need fixes in the internal source YAML so they aren’t overwritten by future syncs:
   • “The ASN of the visitor as string.” → missing article (“as a string”).
   • “The referer query-string was requested by the visitor.” and “The query-string was requested by the visitor.” → awkward passive voice.
   • “HTTP response status code returned to browser.” / “HTTP origin response status code returned to browser.” → missing “the” before “browser”.
3. Changelog title — It is very long and redundant (“in Cloudflare Logs” is unnecessary on the Logs changelog). Suggested shortening it.

These issues are minor but the duplication in the changelog is worth fixing before merge.

github run

[github-actions]

Preview URL: https://58253702.preview.developers.cloudflare.com
Preview Branch URL: https://sync-log-fields-2026-06-24.preview.developers.cloudflare.com

Files with changes (up to 15)

Original Link	Updated Link
https://developers.cloudflare.com/changelog/post/2026-06-24-log-fields-updated/	https://sync-log-fields-2026-06-24.preview.developers.cloudflare.com/changelog/post/2026-06-24-log-fields-updated/