cloudflare: don't update fleet health status to degraded pagination completes

Earlier, we were using `.last_response.page` to get the last page index. Since `.last_response.page` starts with the value 0 at every interval, this resulted in collecting the first page 2 times. To prevent this, we've used `.last_response.url.params.Get "page"`. This change bumps minimum Kibana version to ^8.19.4 || ~9.0.7 || ^9.1.4 and adds `do_not_log_failure: true` in set transforms to avoid updating fleet health status to degraded.

Author: brijesh-elastic

packages/cloudflare/_dev/deploy/docker/files/config.yml

@@ -88,3 +88,20 @@ rules:
  "errors": [],
  "messages": []
  }
+ - path: /client/v4/accounts/aaabbbccc/audit_logs
+ methods: ["GET"]
+ request_headers:
+ x-auth-email: user@example.com
+ x-auth-key: xxxxxxxxxx
+ query_params:
+ since: "{since:.*}"
+ page: "4"
+ responses:
+ - status_code: 200
+ body: |-
+ {
+ "result": [],
+ "success": true,
+ "errors": [],
+ "messages": []
+ }

packages/cloudflare/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.32.0"
+ changes:
+ - description: Prevent updating fleet health status to degraded when pagination completes.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16664
 - version: "2.31.1"
  changes:
  - description: Change default start time to 'now - 167h59m' to fix 'logs older than 168h0m0s are not available' error.

packages/cloudflare/data_stream/audit/_dev/test/system/test-default-config.yml

@@ -11,3 +11,5 @@ data_stream:
  auth_email: user@example.com
  auth_key: xxxxxxxxxx
  account: aaabbbccc
+assert:
+ hit_count: 5

packages/cloudflare/data_stream/audit/agent/stream/httpjson.yml.hbs

@@ -38,9 +38,10 @@ response.split:
 response.pagination:
 - set:
  target: url.params.page
- value: '[[if (ne (len .last_response.body.result) 0)]][[add .last_response.page 1]][[end]]'
+ value: '[[if (ne (len .last_response.body.result) 0)]][[add (toInt (.last_response.url.params.Get "page")) 1]][[end]]'
  fail_on_template_error: true
- 
+ do_not_log_failure: true
+
 cursor:
  last_timestamp:
  value: "[[.first_event.when]]"

packages/cloudflare/data_stream/audit/sample_event.json

@@ -1,11 +1,11 @@
 {
  "@timestamp": "2021-11-30T13:42:04.000Z",
  "agent": {
- "ephemeral_id": "c428c629-cf48-43b5-a87e-93c5add0d235",
- "id": "33a24c77-05cc-4158-8802-466fcef333da",
- "name": "elastic-agent-14587",
+ "ephemeral_id": "3c1b2b42-0ed4-4e3d-a006-3fdced104a81",
+ "id": "0392f7e6-a4ab-4de6-b9ef-514d77323416",
+ "name": "elastic-agent-20026",
  "type": "filebeat",
- "version": "8.16.0"
+ "version": "8.19.4"
  },
  "cloud": {
  "account": {
@@ -29,26 +29,27 @@
  },
  "data_stream": {
  "dataset": "cloudflare.audit",
- "namespace": "23666",
+ "namespace": "68685",
  "type": "logs"
  },
  "ecs": {
  "version": "8.11.0"
  },
  "elastic_agent": {
- "id": "33a24c77-05cc-4158-8802-466fcef333da",
+ "id": "0392f7e6-a4ab-4de6-b9ef-514d77323416",
  "snapshot": false,
- "version": "8.16.0"
+ "version": "8.19.4"
  },
  "event": {
  "action": "rotate_api_key",
  "agent_id_status": "verified",
  "category": [
  "iam"
  ],
+ "created": "2025-12-22T12:51:07.996Z",
  "dataset": "cloudflare.audit",
  "id": "8d3396e8-c903-5a66-9421-00fc34570550",
- "ingested": "2025-10-21T11:10:42Z",
+ "ingested": "2025-12-22T12:51:09Z",
  "kind": "event",
  "original": "{\"action\":{\"info\":\"key digest: c6b5d100d7ce492d24c5b13160fce1cc0092ce7e8d8430e9f5cf5468868be6f6\",\"result\":true,\"type\":\"rotate_API_key\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"52.91.36.10\",\"type\":\"user\"},\"id\":\"8d3396e8-c903-5a66-9421-00fc34570550\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T13:42:04Z\"}",
  "outcome": "success",
@@ -57,7 +58,7 @@
  ]
  },
  "input": {
- "type": "cel"
+ "type": "httpjson"
  },
  "related": {
  "ip": [

packages/cloudflare/docs/README.md

@@ -121,11 +121,11 @@ An example event for `audit` looks as following:
 {
  "@timestamp": "2021-11-30T13:42:04.000Z",
  "agent": {
- "ephemeral_id": "c428c629-cf48-43b5-a87e-93c5add0d235",
- "id": "33a24c77-05cc-4158-8802-466fcef333da",
- "name": "elastic-agent-14587",
+ "ephemeral_id": "3c1b2b42-0ed4-4e3d-a006-3fdced104a81",
+ "id": "0392f7e6-a4ab-4de6-b9ef-514d77323416",
+ "name": "elastic-agent-20026",
  "type": "filebeat",
- "version": "8.16.0"
+ "version": "8.19.4"
  },
  "cloud": {
  "account": {
@@ -149,26 +149,27 @@ An example event for `audit` looks as following:
  },
  "data_stream": {
  "dataset": "cloudflare.audit",
- "namespace": "23666",
+ "namespace": "68685",
  "type": "logs"
  },
  "ecs": {
  "version": "8.11.0"
  },
  "elastic_agent": {
- "id": "33a24c77-05cc-4158-8802-466fcef333da",
+ "id": "0392f7e6-a4ab-4de6-b9ef-514d77323416",
  "snapshot": false,
- "version": "8.16.0"
+ "version": "8.19.4"
  },
  "event": {
  "action": "rotate_api_key",
  "agent_id_status": "verified",
  "category": [
  "iam"
  ],
+ "created": "2025-12-22T12:51:07.996Z",
  "dataset": "cloudflare.audit",
  "id": "8d3396e8-c903-5a66-9421-00fc34570550",
- "ingested": "2025-10-21T11:10:42Z",
+ "ingested": "2025-12-22T12:51:09Z",
  "kind": "event",
  "original": "{\"action\":{\"info\":\"key digest: c6b5d100d7ce492d24c5b13160fce1cc0092ce7e8d8430e9f5cf5468868be6f6\",\"result\":true,\"type\":\"rotate_API_key\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"52.91.36.10\",\"type\":\"user\"},\"id\":\"8d3396e8-c903-5a66-9421-00fc34570550\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T13:42:04Z\"}",
  "outcome": "success",
@@ -177,7 +178,7 @@ An example event for `audit` looks as following:
  ]
  },
  "input": {
- "type": "cel"
+ "type": "httpjson"
  },
  "related": {
  "ip": [

packages/cloudflare/manifest.yml

@@ -1,13 +1,13 @@
 name: cloudflare
 title: Cloudflare
-version: "2.31.1"
+version: "2.32.0"
 description: Collect logs from Cloudflare with Elastic Agent.
 type: integration
 format_version: "3.0.2"
 categories: [security, network, cdn_security]
 conditions:
  kibana:
- version: "^8.16.0 || ^9.0.0"
+ version: "^8.19.4 || ~9.0.7 || ^9.1.4"
 icons:
  - src: /img/cf-logo-v.svg
  title: Cloudflare