Skip to main content
Sumo Logic

Collect Logs for Auth0

This procedure explains how to collect error logs from Auth0. 

Log Types

Sumo Logic collects the following log types:

  • Logins, both successes and failures
  • Token exchanges, both successes and failures
  • Warnings during logins
  • User deletion
  • Login failure reasons
  • Connection errors
  • User signup events
  • Verification email events
  • Password changes
  • Rate limiting events
  • Other operational events and errors

For more information about Auth0 logs, see https://auth0.com/docs/api/managemen.../Logs/get_logs

Prerequisites

Use the Auth0 Management Portal to configure the extension.  For more information, see https://auth0.com/docs/extensions/sumologic.

Configure a Collector

Use the Sumo Logic Setup Wizard to configure a Custom App.

Configure a Source

Source type is HTTP.

Source Configuration

  • Name: Required
  • Category:
  • Timestamp Parsing Settings:
    • Enable Timestamp Parsing: True
    • Timezone:  Logs are sent in UTC by default and can be auto detected
    • Timestamp Format: Auto Detect
  • Multi-line Parsing Settings:
    • Detect Messages Spanning Multiple Lines: True
    • Multi Line Boundary: Infer Boundaries

Field Extraction Rules

Parse Expression: json "date", "type", "client_id", "client_name", "ip", "user_id"

Sample Log Messages

Example 1:

{
   "date": "2016-02-23T19:57:29.532Z",
   "type": "sapi",
   "client_id": "AaiyAPdpYdesoKnqjj8HJqRn4T5titww",
   "client_name": "My application Name",
   "ip": "190.257.209.19",
   "location_info": {},
   "details": {},
   "user_id": "auth0|56c75c4e42b6359e98374bc2"
}

Example 2:

{
   "date": "2016-11-14T21:50:33.473Z",
   "type": "fp",
   "description": "Wrong email or password.",
   "connection": "Username-Password-Authentication",
   "connection_id": "con_ABCDEF",
   "client_id": "123987LKJsdfmnb",
   "client_name": "www.sumologic.com",
   "ip": "198.0.217.157",
   "user_agent": "Other 0.0.0 / Other 0.0.0",
   "details": {
      "error": {
         "message": "Wrong email or password."
      }
   },
   "user_id": "auth0|123ASD987",
   "user_name": "noone@sumologic.com",
   "strategy": "auth0",
   "strategy_type": "database",
   "_id": "321654987654321654987654321",
   "isMobile": false
}

Query Samples

Logins by Client per Day

_collector="productionappauth0Logs_Collector" 
| json "client_name" 
| where client_name != ""
| timeslice by 1d 
| count by _timeslice, client_name 
| transpose row _timeslice column client_name

Client Version Usage

_collector="productionappauth0Logs_Collector" 
| json "auth0_client.name", "auth0_client.version" 
| concat(%auth0_client.name, " ", %auth0_client.version) as auth0_client_version 
| timeslice 1h 
| count by _timeslice, auth0_client_version 
| transpose row _timeslice column auth0_client_version

Top 10 Recent Errors

_collector="productionappauth0Logs_Collector" 
| json "type", "connection", "description", "client_name" 
| where type != "slo" 
| count client_name, connection, description 
| top 10 client_name, connection, description by _count