R2 Log Analyzer MCP Server
Analyzes HTTP request logs and WAF/Firewall event logs stored in Cloudflare R2 buckets, with automatic gzip decompression and WAF payload decryption.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@R2 Log Analyzer MCP ServerAnalyze today's WAF blocks"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
R2 Log Analyzer MCP Server
A remote MCP server that lets you analyze HTTP request logs and WAF/Firewall event logs stored in Cloudflare R2 using natural language via MCP clients such as Claude Desktop.
Runs on Cloudflare Workers with Cloudflare Access OAuth authentication, automatic gzip log decompression, and WAF Payload Logging (encrypted_matched_data) decryption.
Features
Natural language log analysis — Simply ask your MCP client something like "Analyze today's WAF blocks"
Cloudflare Access OAuth — Secure access control via OAuth 2.1 with PKCE
Automatic gzip decompression — Transparently decompresses
.log.gzfiles output by LogpushWAF payload decryption — Automatically decrypts Cloudflare WAF Payload Logging encrypted payloads (HPKE: X25519 + ChaCha20-Poly1305)
Durable Objects — Uses Cloudflare Durable Objects for MCP protocol state management
Related MCP server: mcp-server-logs-sieve
Architecture
flowchart LR
Client["🤖 MCP Client<br/>(Claude / Cursor / Windsurf)"]
Access["🔐 Cloudflare Access<br/>(OIDC IdP)"]
subgraph Worker["☁️ Cloudflare Worker — R2 Log Analyzer MCP Server"]
direction TB
DO["🧠 Durable Object (McpAgent)<br/>• Log query / analysis<br/>• Streaming aggregation<br/>• gzip decompression<br/>• WAF payload decryption"]
OAuth["🔑 OAuth Provider<br/>(state & PKCE)"]
end
HTTPLogs[("📊 R2 Bucket<br/>HTTP Request Logs")]
WAFLogs[("🛡️ R2 Bucket<br/>WAF / Firewall Logs")]
KV[("🗝️ KV Namespace<br/>OAUTH_KV")]
Logpush["📤 Cloudflare Logpush"]
Client <-->|"OAuth 2.1 + PKCE"| Access
Client <-->|"MCP Protocol (SSE)"| Worker
DO -->|"list / get (parallel x16)"| HTTPLogs
DO -->|"list / get (parallel x16)"| WAFLogs
OAuth <--> KV
Logpush -.->|"ndjson.gz"| HTTPLogs
Logpush -.->|"ndjson.gz"| WAFLogs
classDef client fill:#e0f2fe,stroke:#0284c7,color:#0c4a6e
classDef access fill:#fef3c7,stroke:#d97706,color:#78350f
classDef worker fill:#ede9fe,stroke:#7c3aed,color:#4c1d95
classDef storage fill:#dcfce7,stroke:#16a34a,color:#14532d
classDef pipeline fill:#f1f5f9,stroke:#64748b,color:#0f172a
class Client client
class Access access
class DO,OAuth worker
class HTTPLogs,WAFLogs,KV storage
class Logpush pipelineAvailable Tools
Tool | Description |
| List log files in an R2 bucket |
| Search and filter HTTP request logs |
| Search and filter WAF firewall event logs (with automatic payload decryption) |
| Top-N analysis of HTTP traffic (by IP, country, path, status code, etc.) |
| Top-N analysis of WAF events (by action, rule, source, attacker IP, etc.) |
| Retrieve details of a specific log entry by RayID |
| Read a raw log file directly from R2 |
| Decrypt an individual WAF encrypted payload ( |
Prerequisites
A Cloudflare account (Workers, R2, KV, Durable Objects, Access)
Logpush configured to output logs to R2 buckets
HTTP requests dataset
Firewall events dataset
A Cloudflare Access OIDC application
Setup
1. Clone the Repository and Install Dependencies
git clone https://github.com/takaakisuzuki/r2-log-analyzer-mcp.git
cd r2-log-analyzer-mcp
npm install2. Create a KV Namespace
npx wrangler kv:namespace create "OAUTH_KV"Set the output ID in kv_namespaces[0].id in wrangler.jsonc.
3. Configure R2 Bucket Names
Set your Logpush destination R2 bucket names in the r2_buckets section of wrangler.jsonc.
"r2_buckets": [
{
"binding": "HTTP_LOG_BUCKET",
"bucket_name": "<your-http-logs-bucket>"
},
{
"binding": "WAF_LOG_BUCKET",
"bucket_name": "<your-waf-logs-bucket>"
}
]Note: Separate buckets may be created for each Logpush dataset. Verify in Cloudflare Dashboard > Analytics & Logs > Logpush.
4. Create a Cloudflare Access OIDC Application
Go to Cloudflare Zero Trust Dashboard > Access > Applications and create a SaaS Application.
Application type: OIDC
Scopes:
openid,email,profileRedirect URLs:
Production:
https://r2-log-analyzer-mcp.<your-subdomain>.workers.dev/callbackLocal development:
http://localhost:8788/callback
Note the following values after creation:
Client ID
Client Secret
Authorization URL
Token URL
JWKS URL (Certificate URL)
5. Set Secrets
npx wrangler secret put ACCESS_CLIENT_ID
npx wrangler secret put ACCESS_CLIENT_SECRET
npx wrangler secret put ACCESS_TOKEN_URL
npx wrangler secret put ACCESS_AUTHORIZATION_URL
npx wrangler secret put ACCESS_JWKS_URL
npx wrangler secret put COOKIE_ENCRYPTION_KEY # Generate with: openssl rand -hex 326. Deploy
npm run deploy7. Configure WAF Payload Decryption (Optional)
Enable WAF Payload Logging to encrypt and log the content of request bodies that match WAF rules.
Generate a Key Pair
Generate a key pair via Cloudflare Dashboard > Security > WAF > Managed rules > target ruleset > Configure payload logging, or use matched-data-cli:
cargo install matched-data-cli
matched-data-cli generate-key-pairSet the Private Key
npx wrangler secret put MATCHED_PAYLOAD_PRIVATE_KEY
# Enter the generated private key (base64-encoded)Register the public key in the Managed Ruleset payload logging settings in the Cloudflare Dashboard.
Once configured, Metadata.encrypted_matched_data will be recorded in logs when a WAF rule matches request body content, and this MCP server will automatically decrypt it.
Local Development
# Set secrets in .dev.vars
cat > .dev.vars << 'EOF'
ACCESS_CLIENT_ID=<your-client-id>
ACCESS_CLIENT_SECRET=<your-client-secret>
ACCESS_TOKEN_URL=<your-token-url>
ACCESS_AUTHORIZATION_URL=<your-authorization-url>
ACCESS_JWKS_URL=<your-jwks-url>
COOKIE_ENCRYPTION_KEY=<random-hex-string>
MATCHED_PAYLOAD_PRIVATE_KEY=<optional-private-key>
EOF
# Start the development server
npm run devTest the connection with MCP Inspector:
npx @modelcontextprotocol/inspector@latest
# URL: http://localhost:8788/sseConnecting from MCP Clients
Claude Desktop
Go to Settings > Developer > Edit Config and add the following:
{
"mcpServers": {
"r2-log-analyzer": {
"command": "npx",
"args": [
"mcp-remote",
"https://r2-log-analyzer-mcp.<your-subdomain>.workers.dev/sse"
]
}
}
}On the first connection, a browser window will open showing the Cloudflare Access authentication screen.
Windsurf / Cursor
Type: command, Command:
npx mcp-remote https://r2-log-analyzer-mcp.<your-subdomain>.workers.dev/sseUsage Examples
You can query your MCP client (e.g., Claude Desktop) like this:
Analyze today's WAF firewall event logsShow me the IPs with the most 403 status codes in yesterday's HTTP trafficShow details for RayID 9dd222669c879d35What are the most common attack patterns in this week's WAF blocks?Project Structure
src/
├── index.ts # Main entry point, MCP tool definitions
├── access-handler.ts # Cloudflare Access OAuth handler
├── matched-data.ts # WAF payload decryption (HPKE)
└── workers-oauth-utils.ts # OAuth/CSRF/PKCE utilitiesLogpush Configuration Tips
When configuring Logpush to R2, using separate prefixes makes management easier:
HTTP requests:
http_requests/{DATE}/Firewall events:
firewall_events/{DATE}/
If you use WAF payload decryption, make sure to include the Metadata field in your Logpush job data fields.
Log Schema
HTTP Requests — Key Fields
Field | Description |
| Request received timestamp |
| Client information |
| Request details |
| Response status |
| Cache status |
| Security action |
| Bot detection score |
| WAF attack scores |
| Request ID |
Firewall Events — Key Fields
Field | Description |
| Event timestamp |
| Action taken (block, challenge, log, etc.) |
| Client information |
| Request details |
| Rule description |
| Rule ID |
| Security product (firewallManaged, firewallCustom, etc.) |
| Metadata ( |
| Leaked credential check result |
| Request ID |
Tech Stack
Cloudflare Workers — Serverless runtime
Cloudflare Durable Objects — MCP session management
Cloudflare R2 — Log storage
Cloudflare KV — OAuth state management
Cloudflare Access — Authentication
MCP SDK — Model Context Protocol
agents — Cloudflare Agents framework
@hpke/core — WAF payload decryption (HPKE)
License
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/takaakisuzuki/r2-log-analyzer-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server