Create monitoring, alerting, and analysis dashboards with Splunk
Splunk is a data platform that lets companies analyze any structured data, from any source, across any timescale. Beyond making it easy to understand the health of a system in terms of performance and traffic, Splunk also offers robust SIEM and SOAR (Security Orchestration, Automation, and Response) capabilities via Splunk Enterprise Security and Splunk Phantom, covering monitoring, detection, and investigation of security threats, and automation of response workflows.
Out of the box security monitoring
Use the custom Splunk dashboard to automatically visualize critical security signals coming from Auth0. Security teams can monitor authorization traffic, analyze anomalies, and set up alerts for high-risk actions with higher confidence.
Visual insights and faster response time
Collect and visualize data to identify trends without any development effort, allowing faster discovery of potential problems or risks. Configure thresholds and alerts for when suspicious events take place, so you can respond faster.
Better decision making
Auth0's event data provides rich contextual information that helps customers make informed decisions about their future system architecture and development.
You can create monitoring, alerting, and analysis dashboards in Splunk for Auth0 tenants.
Retrieve Splunk domain, token, and port
To send Auth0 events to Splunk, you will need to know your:
- Splunk instance domain name
- Splunk event collector token
To get these values:
- Navigate to your Splunk instance.
- Copy the domain part of the URL; this is your Splunk Domain. (You may also have received this information via email when you signed up for Splunk.)
- From the system menu, select Settings > Data Inputs. Under Local Inputs > HTTP Event Collector, select the Add New link.
- Next, you'll see a token configuration wizard. Name the new token (we recommend auth0) and click Next.
- Select a Source type and an Index. Create a new Source type named auth0, and use main as your Index.
- Click Review.
- Review the information displayed and click Submit. Your new token should be created successfully.
- Copy the value; this is your Token. The default Port is
Verify TLS Certificate
The default Splunk Cloud instance uses a self-signed certificate. Auth0 recommends using a certificate from a trusted authority. If you are using the default self-signed certificate, the Verify TLS toggle should be turned off.
Set up log event stream in Auth0
- Log in to the Auth0 Dashboard and go to Logs > Streams (or click Add Integration above)
- Click + Create Stream.
- Select Splunk, and enter a unique name for your new Splunk Event Stream.
- On the next screen, provide the following settings for your Splunk Event Stream:
- Domain - the domain you copied from Splunk
- Token - the token you created in the Splunk dashboard
- Port - by default the port is set to 8088, but it can be changed to match your Splunk configuration
- Verify TLS - This toggle should be turned off when using self-signed certificates
- Click Save. When Auth0 writes the next log event, you'll receive a copy of that log event in Splunk with the
View logs in Splunk
- Log into your Splunk instance (in this case, Cloud).
- In the menu bar, select App: Cloud Monitoring...
- Click Search & Reporting in the sub-menu.
- In the search bar, enter the wildcard * and adjust the time drop-down to the desired window.
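As an added example (not code from the Auth0 or Splunk documentation), the kind of threshold alert described under "Visual insights and faster response time", written in Python over constructed Auth0 log events shaped like those the stream delivers. The event type codes f, fp and fu (failed logins) and s (successful login) are Auth0's; the placement of the fields under data, and the threshold of 20 failures from one IP within 10 minutes, are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Auth0 log event type codes: f/fp/fu are failed logins, s is a successful login.
FAILED_LOGIN_TYPES = {"f", "fp", "fu"}


def parse_ts(value):
    """Parse the ISO-8601 'date' field Auth0 puts on each log event."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def failed_login_bursts(events, threshold=20, window=timedelta(minutes=10)):
    """Return one alert per source IP that produced >= threshold failed logins
    inside any sliding window. This mirrors a scheduled Splunk search over the
    auth0 sourcetype; the event['data'][...] field layout is an assumption."""
    by_ip = defaultdict(list)
    for ev in events:
        data = ev.get("data", {})
        if data.get("type") in FAILED_LOGIN_TYPES and data.get("ip"):
            by_ip[data["ip"]].append((parse_ts(data["date"]), data.get("user_name")))
    alerts = []
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a[0])
        start = 0
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:  # drop attempts older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {u for _, u in attempts[start:end + 1] if u}
                alerts.append({"ip": ip, "failures": count,
                               "distinct_users": len(users),
                               "window_end": ts.isoformat()})
                break  # one alert per IP; a Splunk alert would throttle the same way
    return alerts


def sample_events():
    """Constructed sample events shaped like Auth0 log stream payloads."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    events = []
    for i in range(25):  # 25 wrong-password failures from one IP within 5 minutes
        events.append({"log_id": f"c{i}", "data": {
            "date": (base + timedelta(seconds=12 * i)).isoformat(), "type": "fp",
            "ip": "203.0.113.7", "user_name": f"user{i % 5}@example.com"}})
    events.append({"log_id": "ok", "data": {"date": base.isoformat(), "type": "s",
                   "ip": "198.51.100.2", "user_name": "alice@example.com"}})
    events.append({"log_id": "one", "data": {"date": base.isoformat(), "type": "fu",
                   "ip": "198.51.100.2", "user_name": "bob@example.com"}})
    return events
```

Running failed_login_bursts(sample_events()) flags only 203.0.113.7, with 20 failures across 5 distinct user names; the single failure from 198.51.100.2 stays below the threshold.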
Delivery attempts and retries
Auth0 events are delivered to your server via a streaming mechanism that sends each event as it is triggered. If your server is unable to receive an event, Auth0 will try to redeliver it up to three times. If delivery still fails, Auth0 will log the failure, and you will be able to see these failures in the Health tab for your log stream.