[Logs] Update Log fields (#28296)

This updates Log fields.

They are synced from internal `entities` repo's fields templates.

Changelog file is added manually.

Author: soheiokamoto

src/content/changelog/logs/2026-03-09-log-fields-updated.mdx

@@ -0,0 +1,27 @@
+---
+title: New MCP Portal Logs dataset and new fields across multiple Logpush datasets in Cloudflare Logs
+description: New MCP Portal Logs dataset is now available, along with new fields for multiple Logpush datasets in Cloudflare Logs.
+date: 2026-03-09
+---
+
+Cloudflare has added new fields across multiple [Logpush datasets](/logs/logpush/logpush-job/datasets/):
+
+### New dataset
+
+- **MCP Portal Logs**: A new dataset with fields including `ClientCountry`, `ClientIP`, `ColoCode`, `Datetime`, `Error`, `Method`, `PortalAUD`, `PortalID`, `PromptGetName`, `ResourceReadURI`, `ServerAUD`, `ServerID`, `ServerResponseDurationMs`, `ServerURL`, `SessionID`, `Success`, `ToolCallName`, `UserEmail`, and `UserID`.
+
+### New fields in existing datasets
+
+- **DEX Application Tests**: `HTTPRedirectEndMs`, `HTTPRedirectStartMs`, `HTTPResponseBody`, and `HTTPResponseHeaders`.
+- **DEX Device State Events**: `ExperimentalExtra`.
+- **Firewall Events**: `FraudUserID`.
+- **Gateway HTTP**: `AppControlInfo` and `ApplicationStatuses`.
+- **Gateway DNS**: `InternalDNSDurationMs`.
+- **HTTP Requests**: `FraudEmailRisk`, `FraudUserID`, and `PayPerCrawlStatus`.
+- **Network Analytics Logs**: `DNSQueryName`, `DNSQueryType`, and `PFPCustomTag`.
+- **WARP Toggle Changes**: `UserEmail`.
+- **WARP Config Changes**: `UserEmail`.
+- **Zero Trust Network Session Logs**: `SNI`.
+
+For the complete field definitions for each dataset, refer to [Logpush datasets](/logs/logpush/logpush-job/datasets/).
+

src/content/docs/logs/logpush/logpush-job/datasets/account/dex_application_tests.md

@@ -141,12 +141,30 @@ Type: `string`
 
 HTTP test method. HTTP tests only.
 
+## HTTPRedirectEndMs
+
+Type: `int`
+
+HTTP test redirect end timestamp, in milliseconds elapsed since test start. HTTP tests only. Refer to [Resource timing](https://developer.mozilla.org/en-US/docs/Web/API/Resource_Timing_API/Using_the_Resource_Timing_API) for more details.
+
+## HTTPRedirectStartMs
+
+Type: `int`
+
+HTTP test redirect start timestamp, in milliseconds elapsed since test start. HTTP tests only. Refer to [Resource timing](https://developer.mozilla.org/en-US/docs/Web/API/Resource_Timing_API/Using_the_Resource_Timing_API) for more details.
+
 ## HTTPRequestStartMs
 
 Type: `int`
 
 HTTP test result request start, in milliseconds since test start. HTTP tests only. Refer to [Resource timing](https://developer.mozilla.org/en-US/docs/Web/API/Resource_Timing_API/Using_the_Resource_Timing_API) for more details.
 
+## HTTPResponseBody
+
+Type: `string`
+
+HTTP response body. HTTP tests only.
+
 ## HTTPResponseBodyBytes
 
 Type: `int`
@@ -165,6 +183,12 @@ Type: `int`
 
 HTTP test result header bytes. HTTP tests only.
 
+## HTTPResponseHeaders
+
+Type: `array[object]`
+
+HTTP response headers, for example `[{"name": "Content-Type", "value": "text/html"}]`. HTTP tests only.
+
 ## HTTPResponseStartMs
 
 Type: `int`

src/content/docs/logs/logpush/logpush-job/datasets/account/dex_device_state_events.md

@@ -135,6 +135,12 @@ Type: `string`
 
 The WARP client's DoH subdomain.
 
+## ExperimentalExtra
+
+Type: `object`
+
+Additional unstructured data sent by the WARP client. This field may change at any time.
+
 ## FirewallEnabled
 
 Type: `bool`
@@ -271,7 +277,7 @@ The public IPv6 postal code of the device assigned by the ISP, for example `9000
 
 Type: `string`
 
-The WARP client connection mode, e.g. `warp+doh`, `proxy`.
+The WARP client connection mode, for example, `warp+doh`, `proxy`.
 
 ## NetworkReceivedBPS
 
@@ -313,7 +319,7 @@ The top applications by percentage of RAM used, for example `[{"name": "app0", "
 
 Type: `string`
 
-The WARP client connection status, e.g. `connected`, `paused`.
+The WARP client connection status, for example, `connected`, `paused`.
 
 ## SwitchLocked
 
@@ -349,7 +355,7 @@ The tunnel type the device uses to establish a connection to the edge, if any. C
 
 Type: `string`
 
-The colo code where the client is connected to our API. e.g. `DFW` or `none`.
+The colo code where the client is connected to our API, for example, `DFW` or `none`.
 
 ## WiFiStrengthDBM
 

src/content/docs/logs/logpush/logpush-job/datasets/account/dlp_forensic_copies.md

@@ -49,7 +49,7 @@ Captured request/response data, base64-encoded.
 
 Type: `string`
 
-Phase of the HTTP request this forensic copy was captured from (i.e. "request" or "response").
+Phase of the HTTP request this forensic copy was captured from (that is, "request" or "response").
 
 ## TriggeredRuleID
 

src/content/docs/logs/logpush/logpush-job/datasets/account/email_security_alerts.md

@@ -1,7 +1,7 @@
 ---
 # Code generator. DO NOT EDIT.
 
-title: Email security Alerts
+title: Email Security Alerts
 pcx_content_type: configuration
 sidebar:
   order: 21
@@ -13,7 +13,7 @@ The descriptions below detail the fields available for `email_security_alerts`.
 
 Type: `string`
 
-The canonical ID for an Email security Alert (for example, '4WtWkr6nlBz9sNH-2024-08-28T15:32:35').
+The canonical ID for an Email Security Alert (for example, '4WtWkr6nlBz9sNH-2024-08-28T15:32:35').
 
 ## AlertReasons
 
@@ -25,7 +25,7 @@ Human-readable list of findings which contributed to this message's final dispos
 
 Type: `array[object]`
 
-List of objects containing metadata of attachments contained in this message (for example, [{"Md5": "91f073bd208689ddbd248e8989ecae90", "Sha1": "62b77e14e2c43049c45b5725018e78d0f9986930", "Sha256": "3b57505305e7162141fd898ed87d08f92fc42579b5047495859e56b3275a6c06", "Ssdeep": "McAQ8tPlH25e85Q2OiYpD08NvHmjJ97UfPMO47sekO:uN9M553OiiN/OJ9MM+e3", "Name": "attachment.gif", "ContentTypeProvided": "image/gif", "ContentTypeComputed": "application/x-msi", "Encrypted": true, "Decrypted": true]}, ...]).
+List of objects containing metadata of attachments contained in this message (for example, [{"Md5": "91f073bd208689ddbd248e8989ecae90", "Sha1": "62b77e14e2c43049c45b5725018e78d0f9986930", "Sha256": "3b57505305e7162141fd898ed87d08f92fc42579b5047495859e56b3275a6c06", "Ssdeep": "McAQ8tPlH25e85Q2OiYpD08NvHmjJ97UfPMO47sekO:uN9M553OiiN/OJ9MM+e3", "Name": "attachment.gif", "ContentTypeProvided": "image/gif", "ContentTypeComputed": "application/x-msi", "Encrypted": true, "Decrypted": true}, ...]).
 
 ## CC
 
@@ -67,7 +67,7 @@ List of links detected in this message, benign or otherwise; limited to 100 in t
 
 Type: `string`
 
-The message's mode of transport to Email security. <br />Possible values are <em>unset</em> \| <em>api</em> \| <em>direct</em> \| <em>bcc</em> \| <em>journal</em> \| <em>retroScan</em>.
+The message's mode of transport to Email Security. <br />Possible values are <em>unset</em> \| <em>api</em> \| <em>direct</em> \| <em>bcc</em> \| <em>journal</em> \| <em>retroScan</em>.
 
 ## MessageID
 
@@ -85,7 +85,7 @@ The origin of the message. <br />Possible values are <em>unset</em> \| <em>inter
 
 Type: `string`
 
-The original sender address as determined by Email security mail processing (for example, 'firstlast@cloudflare.com').
+The original sender address as determined by Email Security mail processing (for example, 'firstlast@cloudflare.com').
 
 ## ReplyTo
 
@@ -151,7 +151,7 @@ Value of the Subject header provided by the sender.
 
 Type: `array[string]`
 
-Threat categories attributed by Email security processing (for example, 'CredentialHarvester', 'Dropper').
+Threat categories attributed by Email Security processing (for example, 'CredentialHarvester', 'Dropper').
 
 ## Timestamp
 

src/content/docs/logs/logpush/logpush-job/datasets/account/gateway_dns.md

@@ -171,6 +171,12 @@ Type: `array[string]`
 
 The IPs used to correlate existing FQDN matching policy between Gateway DNS and Gateway proxy.
 
+## InternalDNSDurationMs
+
+Type: `int`
+
+The time it took for the internal DNS to respond.
+
 ## InternalDNSFallbackStrategy
 
 Type: `string`

src/content/docs/logs/logpush/logpush-job/datasets/account/gateway_http.md

@@ -21,6 +21,12 @@ Type: `string`
 
 Action performed by gateway on the HTTP request.
 
+## AppControlInfo
+
+Type: `object`
+
+Information about application control operations, APIs, and groups that matched the HTTP request.
+
 ## ApplicationIDs
 
 Type: `array[int]`
@@ -33,6 +39,12 @@ Type: `array[string]`
 
 Names of the applications that matched the HTTP request parameters.
 
+## ApplicationStatuses
+
+Type: `array[string]`
+
+Statuses of the applications that matched the HTTP request parameters.
+
 ## BlockedFileHash
 
 Type: `string`
@@ -203,9 +215,9 @@ The private app AUD, if any.
 
 ## ProxyEndpoint
 
-Type: ``
-
+Type: `string`
 
+The proxy endpoint used on the HTTP request, if any.
 
 ## Quarantined
 

src/content/docs/logs/logpush/logpush-job/datasets/account/mcp_portal_logs.md

@@ -0,0 +1,124 @@
+---
+# Code generator. DO NOT EDIT.
+
+title: MCP Portal Logs
+pcx_content_type: configuration
+sidebar:
+  order: 21
+---
+
+The descriptions below detail the fields available for `mcp_portal_logs`.
+
+## ClientCountry
+
+Type: `string`
+
+Country code of the client IP address.
+
+## ClientIP
+
+Type: `string`
+
+IP address of the client that initiated the request.
+
+## ColoCode
+
+Type: `string`
+
+Colo code of the data center that processed the request (for example, 'DFW').
+
+## Datetime
+
+Type: `int or string`
+
+The date and time the request was made.
+
+## Error
+
+Type: `string`
+
+The error message if the request failed and there is additional information.
+
+## Method
+
+Type: `string`
+
+The JSON-RPC method of the request (for example, 'tools/call', 'prompts/get', 'resources/read').
+
+## PortalAUD
+
+Type: `string`
+
+Audience tag of the MCP Portal.
+
+## PortalID
+
+Type: `string`
+
+Unique identifier of the MCP Portal.
+
+## PromptGetName
+
+Type: `string`
+
+For prompts/get requests, the name of the prompt being fetched.
+
+## ResourceReadURI
+
+Type: `string`
+
+For resources/read requests, the URI of the resource being fetched.
+
+## ServerAUD
+
+Type: `string`
+
+Audience tag of the upstream MCP Server.
+
+## ServerID
+
+Type: `string`
+
+Unique identifier of the upstream MCP Server.
+
+## ServerResponseDurationMs
+
+Type: `int`
+
+The time in milliseconds it took for the upstream MCP server to respond.
+
+## ServerURL
+
+Type: `string`
+
+URL of the upstream MCP Server.
+
+## SessionID
+
+Type: `string`
+
+Unique identifier of the stateful MCP session associated with the request.
+
+## Success
+
+Type: `bool`
+
+If the request succeeded.
+
+## ToolCallName
+
+Type: `string`
+
+For tools/call requests, the name of the tool being called.
+
+## UserEmail
+
+Type: `string`
+
+Email address of the authenticated user who performed the request.
+
+## UserID
+
+Type: `string`
+
+Unique identifier of the authenticated user who performed the request.

src/content/docs/logs/logpush/logpush-job/datasets/account/network_analytics_logs.md

@@ -57,6 +57,18 @@ Type: `string`
 
 The unique site identifier of the Cloudflare data center that received the packet (for example, 'ams01', 'sjc01', 'lhr01').
 
+## DNSQueryName
+
+Type: `string`
+
+The DNS query name (domain) that was queried, if the packet is a DNS query.
+
+## DNSQueryType
+
+Type: `string`
+
+The DNS query type (for example, A, AAAA, MX, TXT), if the packet is a DNS query.
+
 ## Datetime
 
 Type: `int or string`
@@ -321,6 +333,12 @@ Type: `string`
 
 The action that Cloudflare systems took on the packet. <br />Possible values are <em>pass</em> \| <em>drop</em>.
 
+## PFPCustomTag
+
+Type: `int`
+
+The custom network analytics tag set by Programmable Flow Protection program, if any.
+
 ## ProtocolState
 
 Type: `string`

src/content/docs/logs/logpush/logpush-job/datasets/account/warp_config_changes.md

@@ -74,3 +74,9 @@ The device serial number.
 Type: `int or string`
 
 Time the event was ingested.
+
+## UserEmail
+
+Type: `string`
+
+The Access user email.