Export Logs to Logstash

The Auth0 Logs to Logstash extension consists of a scheduled job that exports your Auth0 logs to Logstash, an open source log management tool that is most often used as part of the ELK stack along with ElasticSearch and Kibana. This document will guide you through the process of setting up this integration.

To learn more, read Getting Started with Logstash in Elastic.

Configure the extension

To install and configure this extension:

  1. Navigate to Auth0 Dashboard > Extensions, and select Auth0 Logs to Logstash. The Install Extension window opens.

  2. Set the following configuration parameters, and select Install:

  • Schedule: The frequency with which logs should be exported. The schedule can be customized even further after creation.

  • BATCH_SIZE: The number of logs to be sent per batch. Maximum is 100. Logs are batched before sending, and multiple batches are sent each time the extension runs.

  • LOGSTASH_URL: Your Logstash URL as defined for use with the logstash-input-http plugin.

  • LOGSTASH_INDEX: Your Logstash Index to which the logs will be routed.

  • LOGSTASH_TOKEN: The token required for your Logstash deployments; this will be included in the query string.

  • LOGSTASH_USER: Your Logstash user.

  • LOGSTASH_PASSWORD: The password associated with your Logstash user.

  • START_FROM: The checkpoint ID of the log from which you want to start sending.

  • SLACK_INCOMING_WEBHOOK_URL: The specific Slack webhook to which you want to send reports from the extension.

  • SLACK_SEND_SUCCESS: Choose whether to send verbose notifications to Slack. Useful for troubleshooting.

  • LOG_LEVEL: The minimum log level of events that you would like sent to Logstash.

  • LOG_TYPES: The events for which logs should be exported.

The integration between Auth0 and Logstash is now in place!

Batch size

When setting your BATCH_SIZE, please keep the following information in mind.

During each time frame/window (defined by your chosen Schedule), outstanding logs will be batched into groups and sent. The size of each group is determined by the BATCH_SIZE value.

In other words, during each window, NUM_BATCHES batches of logs will be sent based on the following logic:

    IF (NUM_LOGS modulo 100 == 0):
        NUM_BATCHES = (NUM_LOGS / BATCH_SIZE)
    ELSE:
        NUM_BATCHES = (NUM_LOGS / BATCH_SIZE) + 1

In the ELSE case, the last batch will have fewer than 100 logs.

Use the extension with ElasticSearch

The extension sends logs to the Logstash instance as they are, including the _id field, which ElasticSearch does not accept. To fix this, rename _id to something else by adding a pipeline with filter { mutate { rename => { "_id" => "log_id" } } }.
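
A fuller pipeline built around that filter, as an added example that is not taken from Auth0's documentation. The port, environment variable names, cluster address and index name are assumptions, as is reusing log_id as the document ID so that replayed logs overwrite existing documents instead of duplicating them.

```logstash
# Constructed example pipeline (all values marked "assumed" are placeholders).
input {
  http {
    port     => 8080    # assumed; must match the port in LOGSTASH_URL
    # Assumed to be the credentials configured as LOGSTASH_USER and
    # LOGSTASH_PASSWORD in the extension. ${...} is resolved from the
    # environment or the Logstash keystore, so no secret sits in this file.
    user     => "${AUTH0_HTTP_USER}"
    password => "${AUTH0_HTTP_PASSWORD}"
    # LOGSTASH_TOKEN travels in the query string, so serve this input over
    # HTTPS (TLS options depend on the plugin version and are omitted here).
  }
}

filter {
  # Auth0 log entries arrive with "_id", which ElasticSearch rejects.
  mutate {
    rename => { "_id" => "log_id" }
  }
}

output {
  elasticsearch {
    hosts       => ["https://localhost:9200"]    # assumed cluster address
    index       => "auth0-logs-%{+YYYY.MM.dd}"   # assumed index naming
    # Assumption: keying documents on the Auth0 log ID makes a replay from
    # START_FROM idempotent. Cluster authentication settings are omitted.
    document_id => "%{log_id}"
  }
}
```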

View results

The integration you just set up created a scheduled job that is responsible for exporting the logs. To view this scheduled job:

  1. Navigate to Auth0 Dashboard > Extensions, and select Installed Extensions.

  2. Select Auth0 Logs to Logstash. The job you just created appears. You can modify its state by toggling the State switch, see when the next run is due, and see the result of the last execution.

You can view more details by clicking on the job you created. On this page, you can view details for each execution, reschedule the job, access realtime logs, and more.

Replay logs

In the event of a Logstash failure or service interruption, you can replay the logs starting from the failed log.

To replay logs:

  1. Get the checkpoint ID of the failed log.

  2. Navigate to Auth0 Dashboard > Extensions, and select Installed Extensions.

  3. Select the gear icon to view Auth0 Logs to Logstash extension settings.

  4. Enter the checkpoint ID in the START_FROM field.

  5. Select Save.

Integrate with Slack

This extension can send failed transaction notifications to Slack with the checkpoint code displayed in the message. To set up the integration:

  1. Get the Slack Incoming Webhook URL.

  2. Navigate to Auth0 Dashboard > Extensions, and select Installed Extensions.

  3. Select the gear icon to view Auth0 Logs to Logstash extension settings.

  4. Enter the Slack Incoming Webhook URL in the SLACK_INCOMING_WEBHOOK_URL field.

  5. Select Save.

You can also enable verbose notifications by enabling the SLACK_SEND_SUCCESS setting.
