Splunk

Splunk is a data platform that allows companies to analyze any structure data, from any source, across any timescale. Splunk not only makes it easy for companies to understand the health of their system in terms of performance and traffic. It also offers robust SIEM and SOAR (Security Orchestration, Automation, and Response) capabilities via Splunk Enterprise Security and Splunk Phantom, covering monitoring, detection, investigation of security threats, and automation of workflows.

You can create monitoring, alerting, and analysis dashboards in Splunk for Auth0 tenants.

Retrieve Splunk domain, token, and port

To send Auth0 events to Splunk, you will need to know your:

• Splunk instance domain name
• Splunk event collector token
• Port

To get these values:

1. Navigate to your Splunk instance.
2. Copy the domain part of the URL, this is your Splunk Domain. (You may have received this information via email upon Splunk signup as well).
3. From the system menu select Settings > Data Inputs. Select the Add New link under Local Inputs > HTTP Event Collector.
4. Next you'll see a token configuration wizard. Name this new token, we recommend naming it auth0, and click Next.
5. Select a Source type and an Index. Create a new Source type, named auth0, and use main as our Index.
6. Click Review.
7. Review the information displayed and click Submit. Your new token should be created successfully.
8. Copy the value, this is your Token. The default Port is 8088.

Verify TLS Certificate

The default Splunk Cloud instance uses a self-signed certificate. Auth0 recommends using a certificate from a trusted authority. If you are using the default self-signed certificate, the Verify TLS toggle should be turned off.

Set up log event stream in Auth0

1. Log in to the Auth0 Dashboard and go to Logs > Streams (or click Add Integration above)
2. Click + Create Stream.
3. Select Splunk, and enter a unique name for your new Splunk Event Stream.
4. On the next screen, provide the following settings for your Splunk Event Stream:

• Domain - This is the domain URL you copied from Splunk
• Token - This is the token your created in the Splunk dashboard
• Port - By default the port of set to 8088 but can be changed to match you Splunk configuration
• Verify TLS - This toggle should be turned off when using self-signed certificates

1. Click Save. When Auth0 writes the next log event, you'll receive a copy of that log event in Splunk with the source and service set to auth0.

View logs in Splunk

1. Log into your Splunk instance (in this case, Cloud).
2. In the menu bar, select App: Cloud Monitoring...
3. Click Search & Reporting in the sub-menu.
4. In search bar, enter wildcard * and adjust time drop down to the desired window.

Delivery attempts and retries

Auth0 events are delivered to your server via a streaming mechanism that sends each event as it is triggered. If your server is unable to receive the event, Auth0 will try to redeliver it up to three times. If still unsuccessful, Auth0 will log the failure to deliver, and you will be able see these failures in the Health tab for your log stream.