Send Auth0 Events to Splunk

Splunk provides a platform that allows you to easily get insights into all the information generated by your IT infrastructure.

In this example, you will learn how to connect Auth0 to Splunk and stream signup and login events with user contextual information. To implement this with Auth0, you just need to create one Rule in your pipeline.

Record sign-up or log-in event in Splunk

Create a rule that will record user signup and login events for your apps using the Splunk REST API. When enabled, this rule will send events that will then show on Splunk's dashboard:

Please note:

  • Splunk's REST API supports basic and token-based authentication. This rule uses an HTTP Event Collector (HEC) token and reads it from the rule's configuration object as SPLUNK_HEC_TOKEN. Add the token there before enabling the rule: the configuration object lets you reuse the token across rules and keeps it out of the rule source (and out of version control).

  • For this rule, we send contextual information such as the client IP address (which can be used to derive an approximate location), the application name, and the username. You can send any number of additional properties.

  • For this rule, we track the event type with a property called user.app_metadata.signedUp. When the property is already true, the event is recorded as a login. Otherwise it is recorded as a signup and, once Splunk has accepted the event, the rule sets the property to true, so the next login is recorded as a login. Note that the flag is only written after a successful post: if the HEC request fails, the rule returns an error, which fails the login, and the user's next attempt is recorded as a signup again. Decide whether a Splunk outage should block logins; if not, log the error and call callback(null, user, context) instead of callback(error).

function (user, context, callback) {
  const request = require('request');

  user.app_metadata = user.app_metadata || {};
  const endpoint = 'https://http-inputs-mysplunkcloud.example.com:443/services/collector'; // replace with your Splunk HEC endpoint
  const isSignup = !user.app_metadata.signedUp;

  // Add any interesting info to the event
  const hec_event = {
    event: {
      message: isSignup ? 'Signup' : 'Login',
      application: context.clientName,
      clientIP: context.request.ip,
      protocol: context.protocol,
      userName: user.name,
      userId: user.user_id
    },
    source: 'auth0',
    sourcetype: 'auth0_activity'
  };

  request.post({
    url: endpoint,
    headers: {
      'Authorization': 'Splunk ' + configuration.SPLUNK_HEC_TOKEN
    },
    // Keep certificate verification on: with strictSSL false the HEC token is sent to
    // whoever answers for the endpoint. For a self-signed cert, trust the CA instead.
    strictSSL: true,
    json: hec_event
  }, function(error, response, body) {
    if (error) return callback(error);
    if (response.statusCode !== 200) {
      // HEC replies to rejected events with a JSON body carrying "text" and "code";
      // include it so the rule log says why the event was refused
      return callback(new Error('Splunk HEC returned ' + response.statusCode + ': ' + JSON.stringify(body)));
    }

    // Returning users already carry the flag; skip the Management API write
    if (!isSignup) return callback(null, user, context);

    user.app_metadata.signedUp = true;
    auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
      .then(function () {
        callback(null, user, context);
      })
      .catch(function (err) {
        callback(err);
      });
  });

}
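The signup/login transition and the HEC error path described in the notes are easier to reason about when the rule's decision logic is separated from the HTTP call. The following is an added example, not code from the Auth0 Rules repository: it factors the rule into functions that run offline, with a synchronous `post(payload)` function standing in for `request.post` and constructed fixtures (the user, the context, and the HEC replies, modelled on HEC's `{"text":..., "code":...}` response shape) in place of a real tenant and collector. It traces two consecutive logins and a rejected event to show which call flips the flag and what happens when Splunk refuses the event.

```javascript
// Added example (not from the Auth0 Rules repository): the rule's decision logic
// factored into offline-testable functions. Transport and fixtures are constructed.

// Build the HEC payload the rule posts. `user` and `context` follow the shape the
// rule receives; only the fields the rule reads are required.
function buildHecEvent(user, context) {
  const appMetadata = user.app_metadata || {};
  return {
    source: 'auth0',
    sourcetype: 'auth0_activity',
    event: {
      message: appMetadata.signedUp ? 'Login' : 'Signup',
      application: context.clientName,
      clientIP: context.request.ip,
      protocol: context.protocol,
      userName: user.name,
      userId: user.user_id
    }
  };
}

// HEC answers 200 with {"text":"Success","code":0} when the event is accepted.
// Anything else is returned as a message that names the HTTP status and the HEC
// code/text, which is more useful in the rule log than a generic error.
function checkHecResponse(statusCode, body) {
  const parsed = typeof body === 'string' ? JSON.parse(body) : (body || {});
  if (statusCode === 200 && parsed.code === 0) return null;
  return `HEC rejected event: HTTP ${statusCode}, code ${parsed.code}, ${parsed.text}`;
}

// Model of one rule execution. `post(payload)` stands in for request.post and
// returns {statusCode, body} synchronously. Throws when HEC rejects the event;
// the signedUp flag is only set after a successful post, as in the rule.
function processLogin(user, context, post) {
  user.app_metadata = user.app_metadata || {};
  const firstTime = user.app_metadata.signedUp !== true;
  const payload = buildHecEvent(user, context);
  const res = post(payload);
  const problem = checkHecResponse(res.statusCode, res.body);
  if (problem) throw new Error(problem);
  if (firstTime) user.app_metadata.signedUp = true; // the rule persists this via updateAppMetadata
  return { recorded: payload.event.message, metadataUpdated: firstTime };
}

// Constructed fixtures: a user with no app_metadata yet and a context shaped like
// the one Auth0 passes to a rule. All values are made up.
function sampleUser() {
  return { user_id: 'auth0|000example', name: 'jane@example.com' };
}
const SAMPLE_CONTEXT = {
  clientName: 'My App',
  protocol: 'oidc-basic-profile',
  request: { ip: '203.0.113.7' }
};

// Fake HEC transports (constructed replies): one accepts everything, one refuses
// the token the way a misconfigured SPLUNK_HEC_TOKEN would.
const hecAccepts = () => ({ statusCode: 200, body: '{"text":"Success","code":0}' });
const hecRejectsToken = () => ({ statusCode: 403, body: '{"text":"Invalid token","code":4}' });

// Walk the state machine: the first call is a Signup that flips the flag, the
// second is a Login that needs no metadata write.
function traceTwoLogins(post) {
  const user = sampleUser();
  const first = processLogin(user, SAMPLE_CONTEXT, post);
  const second = processLogin(user, SAMPLE_CONTEXT, post);
  return [first, second];
}

// Failure path: HEC rejects the event, the rule errors (which fails the login),
// the flag stays unset, so the next accepted attempt is still recorded as a Signup.
function traceRejectedThenAccepted() {
  const user = sampleUser();
  let error = null;
  try { processLogin(user, SAMPLE_CONTEXT, hecRejectsToken); } catch (e) { error = e.message; }
  const flagAfterFailure = user.app_metadata.signedUp;
  const afterRetry = processLogin(user, SAMPLE_CONTEXT, hecAccepts);
  return { error, flagAfterFailure, afterRetry };
}

console.log(traceTwoLogins(hecAccepts));
console.log(traceRejectedThenAccepted());
```

The second trace is the one to keep in mind when deploying: with the rule as written, a bad token or an unreachable collector turns every login into an error, and the `signedUp` flag never advances, so the same user can show up as a signup several times once Splunk is reachable again. If you choose to fail open, catch the error in the rule and still call `callback(null, user, context)`, accepting that the event is lost.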

Keep reading

Check out our repository of Auth0 Rules for more great examples: