Export Log Events with Rules

Auth0 recommends that you try our log streaming service to send all your log data to a third-party service.

You can create an Auth0 rule to capture specific events, such as user signups, logins, and user location, then send that data to your preferred analytics service. Here are some links to services you can choose from:

Rule examples

Here are a few examples of rules. In most cases, before you run the rule, you will need to have a write key value that you obtain from the service and store it in the rule's global configuration object. The following examples require a write key value.

For more examples, see our Auth0 Rules Repository on GitHub.

Keen

Keen provides a service to capture and analyze events generated in your apps. In this example, the rule sends contextual information, such as IP address (to deduce location), user ID, and username. For this rule, we track the event type using the property user.signedUp. When the property is set to true, we assume the event is a login. Otherwise, we assume the event is a new signup, and set it to true. Thus, the next time the user logs in, the event will be recorded as a login.

function(user, context, callback) {

  var request = require('request');

  if(user.signedUp){
    return callback(null, user, context);
  }

  var writeKey = configuration.KEENIO_WRITE_KEY;
  var projectId = configuration.KEENIO_PROJECT_ID;
  var eventCollection = 'signups';

  var keenEvent = {
    userId: user.user_id,
    name: user.name,
    ip: context.request.ip //Potentially any other properties in the user profile/context
  };

  request.post({
      method: 'POST',
      url: 'https://api.keen.io/3.0/projects/' + projectId + '/events/' + eventCollection,
      headers: {
        "Authorization: " + writeKey,
        'Content-type': 'application/json'
      },
      body: JSON.stringify(keenEvent),
      }, 
      function (e, r, body) {
        if( e ) return callback(e,user,context);
        //We assume everything went well
        user.persistent.signedUp = true;
        return callback(null, user, context);
       });
}

Segment

Segment provides a large number of analytics with a single API. In this example, the rule sends signup and login events to Segment. We will use Segment's Node.js library to record the Auth0 data.

function(user, context, callback) {
  var Analytics = require('analytics-node');
  var analytics = new Analytics(configuration.WRITE_KEY, { flushAt: 1 });

  // Note: Set { flushAt: 1 } and use analytics.flush to ensure
  // the data is sent to Segment before the rule/Webtask terminates

  // Identify your user
  analytics.identify({
      userId: user.user_id,
      traits: {
      email: user.email,
      signed_up: user.created_at,
      login_count: user.logins_count
    },
    "context": {
      "userAgent": context.request.UserAgent,
      "ip": context.request.ip
    }
  });
  analytics.track({
    userId: user.user_id,
    event: 'Logged In',
    properties: {
      clientName: context.clientName,
      clientID: context.clientID,
      connection: context.connection
    },
    "context": {
      "userAgent": context.request.UserAgent,
      "ip": context.request.ip
    }
  });
  analytics.flush(function(err, batch){
    callback(null, user, context);
  });
}

Splunk

Splunk provides a web interface for searching, monitoring, and examining data. In this example, the rule sends signup and login events to Splunk. We will use Splunk's REST API to record the Auth0 data. Splunk's API supports basic and token-based auth. In this example, we use token-based auth.

For this rule, we track the event type using the property user.app_metadata.signedUp as in the Keen example above.

function (user, context, callback) {
  const request = require('request');

  user.app_metadata = user.app_metadata || {};
  const endpoint = 'https://http-inputs-mysplunkcloud.example.com:443/services/collector'; // replace with your Splunk HEC endpoint;

  //Add any interesting info to the event
  const hec_event = {
    event: {
      message: user.app_metadata.signedUp ? 'Login' : 'Signup',
      application: context.clientName,
      clientIP: context.request.ip,
      protocol: context.protocol,
      userName: user.name,
      userId: user.user_id
    },
    source: 'auth0',
    sourcetype: 'auth0_activity'
  };

  request.post({
    url: endpoint,
    headers: {
      'Authorization': 'Splunk ' + configuration.SPLUNK_HEC_TOKEN
    },
    strictSSL: true, // set to false if using a self-signed cert
    json: hec_event
  }, function(error, response, body) {
    if (error) return callback(error);
    if (response.statusCode !== 200) return callback(new Error('Invalid operation'));
    user.app_metadata.signedUp = true;
    auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
      .then(function () {
        callback(null, user, context);
      })
      .catch(function (err) {
        callback(err);
      });
  });

}

Learn more