Stream Logs to Splunk

You can create monitoring, alerting, and analysis dashboards in Splunk for Auth0 tenants. Auth0 provides a dashboard that you can use to visualize the data from your Auth0 tenant. The app allows you to use recommended aggregations from Auth0, or to use them as a starting point to create your own custom visualizations. To learn more, read Use Auth0 App for Splunk.

To send Auth0 events to Splunk, you will need to:

  1. Create a Splunk token and copy the domain and port information.

  2. Configure the Auth0 event stream.

  3. Test configuration.

Create Splunk token

  1. Go to your Splunk instance. Copy the domain name part of the URL; this is your Splunk Domain. (You may have received this information via email upon Splunk signup.)

  2. Go to Systems > Settings > Data Inputs and select Add New under Local Inputs > HTTP Event Collector.

  3. Use the wizard to name this new token. We recommend naming it auth0.

  4. Click Next.

  5. Create a new Source type named auth0, and use main as the Index.

  6. Click Review. Review the information displayed and click Submit.

  7. Copy the value displayed. This is your Token. The default Port is 8088.

Configure the Auth0 event stream

  1. Go to Dashboard > Monitoring > Streams and click Create Stream.

  2. Select Splunk and enter a unique name for your new stream.

  3. Click Create.

  4. Configure the event source by providing your Domain, Token, and Port. By default, the port is set to 8088, but it can be changed to match your Splunk configuration. The Verify TLS toggle should be disabled when using self-signed certificates.

  5. Click Save.

Test configuration

When Auth0 writes the next log event, you'll receive a copy of that log event in Splunk with the source and service set to auth0.

  1. Log in to your Splunk instance (in this case, Cloud).

  2. In the menu bar, select App: Cloud Monitoring...

  3. Click Search & Reporting in the sub-menu.

  4. In the search bar, enter the wildcard * and adjust the time drop-down to the desired window.
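
To check the Domain, Token, and Port independently of Auth0, you can post a test event straight to the HTTP Event Collector. The following is an added example, not part of the original page or Auth0's tooling: the function names and environment variable names are assumptions, and the `/services/collector/event` path and `Authorization: Splunk <token>` header are Splunk's HEC interface rather than values given on this page.

```python
import json
import os
import ssl
import urllib.request
from urllib.parse import urlsplit


def normalize_domain(value):
    """Reduce a pasted Splunk URL (scheme, port, path) to the bare host name."""
    value = value.strip()
    parts = urlsplit(value if "://" in value else "//" + value)
    if not parts.hostname:
        raise ValueError(f"no host name found in {value!r}")
    return parts.hostname


def build_hec_request(domain, token, port=8088):
    """Build a test event for the HEC token created above (sourcetype auth0, index main)."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    url = f"https://{normalize_domain(domain)}:{port}/services/collector/event"
    body = {"event": {"message": "HEC pre-flight check"},
            "sourcetype": "auth0", "index": "main"}
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})


def send_test_event(request, ca_file=None, timeout=10):
    """POST the event with certificate verification on.

    For a self-signed Splunk certificate, pass its PEM file as ca_file so the
    check still authenticates the server.
    """
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, timeout=timeout, context=context) as resp:
        return json.loads(resp.read())  # on success: {"text": "Success", "code": 0}


if __name__ == "__main__":
    # Assumed environment variable names; set them to the values copied above.
    req = build_hec_request(os.environ["SPLUNK_DOMAIN"],
                            os.environ["SPLUNK_HEC_TOKEN"],
                            os.environ.get("SPLUNK_PORT", 8088))
    print(send_test_event(req, ca_file=os.environ.get("SPLUNK_CA_FILE")))
```

If the token, port, or certificate is rejected, `send_test_event` raises an exception instead of returning a result, which separates a Splunk-side problem from an Auth0 stream problem.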

Delivery attempts and retries

Auth0 events are delivered to your server via a streaming mechanism that sends each event as it is triggered. If your server is unable to receive the event, Auth0 will try to redeliver it up to three times. If still unsuccessful, Auth0 will log the failure to deliver, and you will be able to see these failures in the Health tab for your log stream.
