Skip to main content
Glama
takaakisuzuki

R2 Log Analyzer MCP Server

R2 Log Analyzer MCP Server

A remote MCP server that lets you analyze HTTP request logs and WAF/Firewall event logs stored in Cloudflare R2 using natural language via MCP clients such as Claude Desktop.

Runs on Cloudflare Workers with Cloudflare Access OAuth authentication, automatic gzip log decompression, and WAF Payload Logging (encrypted_matched_data) decryption.

Features

  • Natural language log analysis — Simply ask your MCP client something like "Analyze today's WAF blocks"

  • Cloudflare Access OAuth — Secure access control via OAuth 2.1 with PKCE

  • Automatic gzip decompression — Transparently decompresses .log.gz files output by Logpush

  • WAF payload decryption — Automatically decrypts Cloudflare WAF Payload Logging encrypted payloads (HPKE: X25519 + ChaCha20-Poly1305)

  • Durable Objects — Uses Cloudflare Durable Objects for MCP protocol state management

Related MCP server: mcp-server-logs-sieve

Architecture

flowchart LR
    Client["🤖 MCP Client<br/>(Claude / Cursor / Windsurf)"]
    Access["🔐 Cloudflare Access<br/>(OIDC IdP)"]

    subgraph Worker["☁️ Cloudflare Worker — R2 Log Analyzer MCP Server"]
        direction TB
        DO["🧠 Durable Object (McpAgent)<br/>• Log query / analysis<br/>• Streaming aggregation<br/>• gzip decompression<br/>• WAF payload decryption"]
        OAuth["🔑 OAuth Provider<br/>(state & PKCE)"]
    end

    HTTPLogs[("📊 R2 Bucket<br/>HTTP Request Logs")]
    WAFLogs[("🛡️ R2 Bucket<br/>WAF / Firewall Logs")]
    KV[("🗝️ KV Namespace<br/>OAUTH_KV")]
    Logpush["📤 Cloudflare Logpush"]

    Client <-->|"OAuth 2.1 + PKCE"| Access
    Client <-->|"MCP Protocol (SSE)"| Worker

    DO -->|"list / get (parallel x16)"| HTTPLogs
    DO -->|"list / get (parallel x16)"| WAFLogs
    OAuth <--> KV

    Logpush -.->|"ndjson.gz"| HTTPLogs
    Logpush -.->|"ndjson.gz"| WAFLogs

    classDef client fill:#e0f2fe,stroke:#0284c7,color:#0c4a6e
    classDef access fill:#fef3c7,stroke:#d97706,color:#78350f
    classDef worker fill:#ede9fe,stroke:#7c3aed,color:#4c1d95
    classDef storage fill:#dcfce7,stroke:#16a34a,color:#14532d
    classDef pipeline fill:#f1f5f9,stroke:#64748b,color:#0f172a

    class Client client
    class Access access
    class DO,OAuth worker
    class HTTPLogs,WAFLogs,KV storage
    class Logpush pipeline

Available Tools

Tool

Description

list_log_files

List log files in an R2 bucket

query_http_logs

Search and filter HTTP request logs

query_firewall_logs

Search and filter WAF firewall event logs (with automatic payload decryption)

analyze_http_traffic

Top-N analysis of HTTP traffic (by IP, country, path, status code, etc.)

analyze_waf_events

Top-N analysis of WAF events (by action, rule, source, attacker IP, etc.)

get_log_entry

Retrieve details of a specific log entry by RayID

read_raw_log_file

Read a raw log file directly from R2

decrypt_waf_payload

Decrypt an individual WAF encrypted payload (encrypted_matched_data)

Prerequisites

Setup

1. Clone the Repository and Install Dependencies

git clone https://github.com/takaakisuzuki/r2-log-analyzer-mcp.git
cd r2-log-analyzer-mcp
npm install

2. Create a KV Namespace

npx wrangler kv:namespace create "OAUTH_KV"

Set the output ID in kv_namespaces[0].id in wrangler.jsonc.

3. Configure R2 Bucket Names

Set your Logpush destination R2 bucket names in the r2_buckets section of wrangler.jsonc.

"r2_buckets": [
  {
    "binding": "HTTP_LOG_BUCKET",
    "bucket_name": "<your-http-logs-bucket>"
  },
  {
    "binding": "WAF_LOG_BUCKET",
    "bucket_name": "<your-waf-logs-bucket>"
  }
]

Note: Separate buckets may be created for each Logpush dataset. Verify in Cloudflare Dashboard > Analytics & Logs > Logpush.

4. Create a Cloudflare Access OIDC Application

Go to Cloudflare Zero Trust Dashboard > Access > Applications and create a SaaS Application.

  1. Application type: OIDC

  2. Scopes: openid, email, profile

  3. Redirect URLs:

    • Production: https://r2-log-analyzer-mcp.<your-subdomain>.workers.dev/callback

    • Local development: http://localhost:8788/callback

Note the following values after creation:

  • Client ID

  • Client Secret

  • Authorization URL

  • Token URL

  • JWKS URL (Certificate URL)

5. Set Secrets

npx wrangler secret put ACCESS_CLIENT_ID
npx wrangler secret put ACCESS_CLIENT_SECRET
npx wrangler secret put ACCESS_TOKEN_URL
npx wrangler secret put ACCESS_AUTHORIZATION_URL
npx wrangler secret put ACCESS_JWKS_URL
npx wrangler secret put COOKIE_ENCRYPTION_KEY  # Generate with: openssl rand -hex 32

6. Deploy

npm run deploy

7. Configure WAF Payload Decryption (Optional)

Enable WAF Payload Logging to encrypt and log the content of request bodies that match WAF rules.

Generate a Key Pair

Generate a key pair via Cloudflare Dashboard > Security > WAF > Managed rules > target ruleset > Configure payload logging, or use matched-data-cli:

cargo install matched-data-cli
matched-data-cli generate-key-pair

Set the Private Key

npx wrangler secret put MATCHED_PAYLOAD_PRIVATE_KEY
# Enter the generated private key (base64-encoded)

Register the public key in the Managed Ruleset payload logging settings in the Cloudflare Dashboard.

Once configured, Metadata.encrypted_matched_data will be recorded in logs when a WAF rule matches request body content, and this MCP server will automatically decrypt it.

Local Development

# Set secrets in .dev.vars
cat > .dev.vars << 'EOF'
ACCESS_CLIENT_ID=<your-client-id>
ACCESS_CLIENT_SECRET=<your-client-secret>
ACCESS_TOKEN_URL=<your-token-url>
ACCESS_AUTHORIZATION_URL=<your-authorization-url>
ACCESS_JWKS_URL=<your-jwks-url>
COOKIE_ENCRYPTION_KEY=<random-hex-string>
MATCHED_PAYLOAD_PRIVATE_KEY=<optional-private-key>
EOF

# Start the development server
npm run dev

Test the connection with MCP Inspector:

npx @modelcontextprotocol/inspector@latest
# URL: http://localhost:8788/sse

Connecting from MCP Clients

Claude Desktop

Go to Settings > Developer > Edit Config and add the following:

{
  "mcpServers": {
    "r2-log-analyzer": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://r2-log-analyzer-mcp.<your-subdomain>.workers.dev/sse"
      ]
    }
  }
}

On the first connection, a browser window will open showing the Cloudflare Access authentication screen.

Windsurf / Cursor

Type: command, Command:

npx mcp-remote https://r2-log-analyzer-mcp.<your-subdomain>.workers.dev/sse

Usage Examples

You can query your MCP client (e.g., Claude Desktop) like this:

Analyze today's WAF firewall event logs
Show me the IPs with the most 403 status codes in yesterday's HTTP traffic
Show details for RayID 9dd222669c879d35
What are the most common attack patterns in this week's WAF blocks?

Project Structure

src/
├── index.ts              # Main entry point, MCP tool definitions
├── access-handler.ts     # Cloudflare Access OAuth handler
├── matched-data.ts       # WAF payload decryption (HPKE)
└── workers-oauth-utils.ts # OAuth/CSRF/PKCE utilities

Logpush Configuration Tips

When configuring Logpush to R2, using separate prefixes makes management easier:

  • HTTP requests: http_requests/{DATE}/

  • Firewall events: firewall_events/{DATE}/

If you use WAF payload decryption, make sure to include the Metadata field in your Logpush job data fields.

Log Schema

HTTP Requests — Key Fields

Field

Description

EdgeStartTimestamp

Request received timestamp

ClientIP / ClientCountry

Client information

ClientRequestHost / ClientRequestMethod / ClientRequestPath

Request details

EdgeResponseStatus / OriginResponseStatus

Response status

CacheCacheStatus

Cache status

SecurityAction / SecurityRuleID

Security action

BotScore / BotScoreSrc

Bot detection score

WAFAttackScore / WAFSQLiAttackScore / WAFXSSAttackScore

WAF attack scores

RayID

Request ID

Firewall Events — Key Fields

Field

Description

Datetime

Event timestamp

Action

Action taken (block, challenge, log, etc.)

ClientIP / ClientCountry

Client information

ClientRequestHost / ClientRequestMethod / ClientRequestPath

Request details

Description

Rule description

RuleID

Rule ID

Source

Security product (firewallManaged, firewallCustom, etc.)

Metadata

Metadata (encrypted_matched_data, ruleset_version, etc.)

LeakedCredentialCheckResult

Leaked credential check result

RayID

Request ID

Tech Stack

License

MIT

F
license - not found
-
quality - not tested
C
maintenance

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/takaakisuzuki/r2-log-analyzer-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server