Auth0 Logs to Splunk

The Auth0 Logs to Splunk extension is a scheduled job that reads all of your Auth0 logs and exports them to Splunk.

Configuring the Extension

To install and configure this extension, click on the Auth0 Logs to Splunk box in the list of provided extensions on the Extensions page of the Management Portal. The Install Extension window pops open.

At this point you should set the following configuration variables:

  • Schedule: How often the job will run. The schedule can be customized even further after creation.
  • START_FROM: The checkpoint ID of the log from where you want to start. The value will be the log id (GUID).
  • SPLUNK_URL: Your Splunk Cloud URL.
  • SPLUNK_TOKEN: Your Splunk Token.
  • SPLUNK_COLLECTOR_PORT: The Port of your HTTP Collector Endpoint.
  • SPLUNK_COLLECTOR_PATH: The HTTP Collector Endpoint to be used. If you use the /raw endpoint, make sure to append a channel as a querystring parameter, like this: /services/collector/raw?channel=FE0ECFAD-13D5-401B-847D-77833BD77131. More information can be found in the Splunk documentation.
  • BATCH_SIZE: The number of log entries to read on each execution. The maximum is 100.
  • LOG_LEVEL: The minimal log level of events that you would like sent to Splunk.
  • LOG_TYPES: The events for which logs should be exported.

Once you have provided this information, click the Install button to finish installing the extension.

Retrieve the required information from Splunk

The HTTP Event Collector (HEC) is an endpoint that lets you send application events into Splunk Enterprise over HTTP or Secure HTTP (HTTPS). To configure a new HTTP Event Collector for Auth0 logs and obtain the URL, Token and Port information, follow these steps:

This tutorial follows the steps for Splunk Cloud. If this is the first HEC you configure for your account, make sure that the Event Collector is enabled. You can find details on how to do this here.

  1. Navigate to your Splunk Cloud URL. You received this information via email upon signup. From the system menu select Settings > Data Inputs.

  2. Select the Add New link under Local Inputs > HTTP Event Collector.

  3. A wizard that configures a new token for receiving data over HTTP is displayed. Set a name for this new token and click Next. We recommend naming it auth0.

  4. Select a Source type and an Index. We will create a new Source type, named auth0, and use main as our Index. Click Review.

  5. Review the information displayed and click Submit.

  6. Your new token should be created successfully. Copy the value; this is your SPLUNK_TOKEN.

  7. Let's run a quick test to ensure the HEC is properly configured. Open a command prompt window or terminal. Type the following cURL statement to test your token. Be sure to replace <host> with your Splunk Enterprise or Splunk Cloud server's hostname, and <token> with the token you just copied to the clipboard:

URL prefixes

The <host> value is based on your Splunk Cloud URL. When creating requests to Splunk Cloud, you must add a prefix to the hostname in the URI according to your subscription. For self-service Splunk Cloud plans, prepend the hostname with input-. For all other Splunk Cloud plans, prepend the hostname with http-inputs-. For this example we have subscribed to a self-service Splunk Cloud plan, so we will use the input- prefix. You can find more details here.

As a response you should receive the following JSON:

Navigate to your Splunk Cloud URL. Click on Search & Reporting. Click on Data Summary and select your host at the popup window.

Splunk uses the Splunk Search Processing Language (SPL). For the search executed above, the search value is host="input-<host>:8088", where the <host> value is your Splunk Cloud URL. Click here for more info.

When the results of the search are displayed you should see at least one entry: the event from our Hello World test.

Now that we have confirmed our Splunk setup we can finish the Auth0 side configuration and start pushing logs.

  1. Head back to the Auth0 Dashboard and go to the Settings of the Splunk Extension. Set the following values:
  • SPLUNK_TOKEN: the value of the Splunk Token you created, the same one you used for our Hello World test.
  • SPLUNK_URL: Your Splunk HTTP Collector Endpoint. It should look like the following: https://<prefix><host>:8088/services/collector. The <host> is your Splunk Cloud URL. The <prefix> is either input- or http-inputs- (see the note at the previous step).
  • SPLUNK_COLLECTOR_PORT: The Port of your HTTP Collector Endpoint. The default is 8088.

  2. Save your changes. A new CRON job is created and will be executed according to the Schedule value you selected for the extension.
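The following script ties together the cURL test of the HEC token, the URL-prefix rule and the SPLUNK_URL format described above. It is an added example, not a command from the Auth0 extension or the Splunk documentation: the function names are hypothetical, example.splunkcloud.com is a constructed hostname, and the only Splunk-specific facts it relies on are the input-/http-inputs- prefixes, the /raw channel requirement from the configuration list, the Authorization: Splunk <token> header, and HEC's documented success reply {"text":"Success","code":0}.

```shell
#!/bin/sh
# Added example (not the Auth0 extension's or Splunk's own code): build and
# validate the HEC endpoint URL, send a "hello world" test event the way the
# tutorial's cURL test does, and check the collector's reply.
# Function names are hypothetical; example.splunkcloud.com is a constructed host.

# hec_url PLAN HOST [PORT] [PATH]
# PLAN "self-service" selects the input- prefix; any other plan gets http-inputs-.
# A /raw path without the channel query parameter is rejected, since HEC
# requires a channel on that endpoint.
hec_url() {
  plan="$1"
  host="$2"
  port="${3:-8088}"
  path="${4:-/services/collector}"

  case "$plan" in
    self-service) prefix="input-" ;;
    *)            prefix="http-inputs-" ;;
  esac

  case "$path" in
    /services/collector/raw*)
      case "$path" in
        *channel=*) ;;
        *) echo "hec_url: the /raw endpoint needs ?channel=<GUID>" >&2; return 1 ;;
      esac
      ;;
  esac

  printf 'https://%s%s:%s%s\n' "$prefix" "$host" "$port" "$path"
}

# hec_payload MESSAGE: JSON body for the /services/collector endpoint.
# sourcetype matches the "auth0" Source type created in the wizard above.
# MESSAGE must not contain double quotes (no escaping is done here).
hec_payload() {
  printf '{"event": "%s", "sourcetype": "auth0"}' "$1"
}

# hec_response_ok RESPONSE: HEC answers {"text":"Success","code":0} on success;
# a bad token, disabled collector or unknown index comes back with a non-zero code.
hec_response_ok() {
  printf '%s' "$1" | grep -q '"code":0'
}

# hec_send URL TOKEN BODY: the actual test request. TLS verification stays on;
# for a Splunk Enterprise host with a private CA, pass its bundle via --cacert
# rather than disabling verification with -k.
hec_send() {
  curl -sS "$1" -H "Authorization: Splunk $2" -d "$3"
}

# Only touch the network when the operator has supplied real values.
if [ -n "${SPLUNK_HOST:-}" ] && [ -n "${SPLUNK_TOKEN:-}" ]; then
  url=$(hec_url "${SPLUNK_PLAN:-self-service}" "$SPLUNK_HOST") || exit 1
  reply=$(hec_send "$url" "$SPLUNK_TOKEN" "$(hec_payload 'hello world')")
  if hec_response_ok "$reply"; then
    echo "HEC accepted the event: $reply"
  else
    echo "HEC rejected the event: $reply" >&2
    exit 1
  fi
fi
```

Run it as SPLUNK_HOST=<host> SPLUNK_TOKEN=<token> sh hec-test.sh (add SPLUNK_PLAN=enterprise for a non-self-service plan); the URL it prints for a successful request is the value to enter as SPLUNK_URL, and a non-zero code in the reply means the token, index or collector state should be checked before installing the extension.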

Using Your Installed Extension

To view all scheduled jobs, navigate to the Extensions page of the Management Portal, click on the Installed Extensions link, and select the Auth0 Logs to Splunk line. There you can see the job you just created, modify its state by toggling the State switch, see when the next run is due and check the result of the last execution.

You can view more details by clicking on the job you created. In this page you can view details for each execution, reschedule, access realtime logs, and more.

That's it, you are done! Once the CRON job has executed at least once, you can navigate to your Splunk Cloud URL and view your Auth0 Logs. Follow the same steps as before to search for the data associated with your host (Search & Reporting > Data Summary > select host).