Auth0 Log Event Type Lookup Table

Might be of interest to some of you: I export my logs to Sumologic. To help with reporting I created a lookup table (CSV file) so I could translate log event type codes to something user friendly. I should automate this with a script but for now the table is maintained manually, and I just recently updated it.

I also submitted a feature request to Auth0 asking them to provide & maintain something equivalent.

2 Likes

Thanks for sharing this @markd!

Hello there ic my version formatted as a PHP array :

private $log_codes = [

        "api_limit" => [
            "event" => "Rate Limit on the Authentication or Management APIs",
            "description" => "The maximum number of requests to the Authentication or Management APIs in given time has reached."
        ], "cls" => [
            "event" => "Code/Link Sent",
            "description" => "Passwordless login code/link has been sent"
        ], "cs" => [
            "event" => "Code Sent",
            "description" => "Passwordless login code has been sent"
        ], "depnote" => [
            "event" => "Deprecation Notice",
        ], "f" => [
            "event" => "Failed Login",
        ], "fapi" => [
            "event" => "Operation on API failed",
        ], "fc" => [
            "event" => "Failed by Connector",
        ], "fce" => [
            "event" => "Failed Change Email",
            "description" => "Failed to change user email"
        ], "fco" => [
            "event" => "Failed by CORS",
            "description" => "Origin is not in the Allowed Origins list for the specified application"
        ], "fcoa" => [
            "event" => "Failed cross-origin authentication",
        ], "fcp" => [
            "event" => "Failed Change Password",
        ], "fcph" => [
            "event" => "Failed Post Change Password Hook",
        ], "fcpn" => [
            "event" => "Failed Change Phone Number",
        ], "fcpr" => [
            "event" => "Failed Change Password Request",
        ], "fcpro" => [
            "event" => "Failed Connector Provisioning",
            "description" => "Failed to provision a AD/LDAP connector"
        ], "fcu" => [
            "event" => "Failed Change Username",
            "description" => "Failed to change username"
        ], "fd" => [
            "event" => "Failed Delegation",
            "description" => "Failed to generate delegation token"
        ], "fdeac" => [
            "event" => "Failed Device Activation",
            "description" => "Failed to activate device."
        ], "fdeaz" => [
            "event" => "Failed Device Authorization Request",
            "description" => "Device authorization request failed."
        ], "fdecc" => [
            "event" => "User Canceled Device Confirmation",
            "description" => "User did not confirm device."
        ], "fdu" => [
            "event" => "Failed User Deletion",
        ], "feacft" => [
            "event" => "Failed Exchange",
            "description" => "Failed to exchange authorization code for Access Token"
        ], "feccft" => [
            "event" => "Failed Exchange",
            "description" => "Failed exchange of Access Token for a Client Credentials Grant"
        ], "fede" => [
            "event" => "Failed Exchange",
            "description" => "Failed to exchange Device Code for Access Token"
        ], "fens" => [
            "event" => "Failed Exchange",
            "description" => "Failed exchange for Native Social Login"
        ], "feoobft" => [
            "event" => "Failed Exchange",
            "description" => "Failed exchange of Password and OOB Challenge for Access Token"
        ], "feotpft" => [
            "event" => "Failed Exchange",
            "description" => "Failed exchange of Password and OTP Challenge for Access Token"
        ], "fepft" => [
            "event" => "Failed Exchange",
            "description" => "Failed exchange of Password for Access Token"
        ], "fepotpft" => [
            "event" => "Failed Exchange",
            "description" => "Failed exchange of Passwordless OTP for Access Token"
        ], "fercft" => [
            "event" => "Failed Exchange",
            "description" => "Failed Exchange of Password and MFA Recovery code for Access Token"
        ], "fertft" => [
            "event" => "Failed Exchange",
            "description" => "Failed Exchange of Refresh Token for Access Token. This could occur if the refresh token is revoked or expired."
        ], "ferrt" => [
            "event" => "Failed Exchange",
            "description" => "Failed Exchange of Rotating Refresh Token. This could occur when reuse is detected."
        ], "fi" => [
            "event" => "Failed invite accept",
            "description" => "Failed to accept a user invitation. This could happen if the user accepts an invitation using a different email address than provided in the "
        ], "invitation" => [
            "event" => ", or due to a system failure while provisioning the invitation",
        ], "flo" => [
            "event" => "Failed Logout",
            "description" => "User logout failed"
        ], "fn" => [
            "event" => "Failed Sending Notification",
            "description" => "Failed to send email notification"
        ], "fp" => [
            "event" => "Failed Login (Incorrect Password",
        ], "fs" => [
            "event" => "Failed Signup",
        ], "fsa" => [
            "event" => "Failed Silent Auth",
        ], "fu" => [
            "event" => "Failed Login (Invalid Email/Username",
        ], "fui" => [
            "event" => "Failed users import",
            "description" => "Failed to import users"
        ], "fv" => [
            "event" => "Failed Verification Email",
            "description" => "Failed to send verification email"
        ], "fvr" => [
            "event" => "Failed Verification Email Request",
            "description" => "Failed to process verification email request"
        ], "gd_auth_failed" => [
            "event" => "MFA Auth failed",
            "description" => "Multi-factor authentication failed. This could happen due to a wrong code entered for SMS/Voice/Email/TOTP factors, or a system failure."
        ], "gd_auth_rejected" => [
            "event" => "MFA Auth rejected",
            "description" => "A user rejected a Multi-factor authentication request via push-notification."
        ], "gd_auth_succeed" => [
            "event" => "MFA Auth success",
            "description" => "Multi-factor authentication success."
        ], "gd_enrollment_complete" => [
            "event" => "MFA enrollment complete",
            "description" => "A first time MFA user has successfully enrolled using one of the factors."
        ], "gd_otp_rate_limit_exceed" => [
            "event" => "Too many failures",
            "description" => "A user, during enrollment or authentication, enters an incorrect code more than the maximum allowed number of times. Ex=> A user enrolling in SMS enters the 6-digit code wrong more than 10 times in a row."
        ], "gd_recovery_failed" => [
            "event" => "Recovery failed",
            "description" => "A user enters a wrong recovery code when attempting to authenticate."
        ], "gd_recovery_rate_limit_exceed" => [
            "event" => "Too many failures",
            "description" => "A user enters a wrong recovery code too many times."
        ], "gd_recovery_succeed" => [
            "event" => "Recovery success",
            "description" => "A user successfully authenticates with a recovery code."
        ], "gd_send_email" => [
            "event" => "Email Sent",
            "description" => "Email for MFA successfully sent."
        ], "gd_send_pn" => [
            "event" => "Push notification sent",
            "description" => "Push notification for MFA sent successfully sent."
        ], "gd_send_pn_failure" => [
            "event" => "Push notification sent",
            "description" => "Push notification for MFA failed."
        ], "gd_send_sms" => [
            "event" => "SMS sent",
            "description" => "SMS for MFA successfully sent."
        ], "gd_send_sms_failure" => [
            "event" => "SMS sent failures",
            "description" => "Attempt to send SMS for MFA failed."
        ], "gd_send_voice" => [
            "event" => "Voice call made",
            "description" => "Voice call for MFA successfully made."
        ], "gd_send_voice_failure" => [
            "event" => "Voice call failure",
            "description" => "Attempt to make Voice call for MFA failed."
        ], "gd_start_auth" => [
            "event" => "Second factor started",
            "description" => "Second factor authentication event started for MFA."
        ], "gd_start_enroll" => [
            "event" => "Enroll started",
            "description" => "Multi-factor authentication enroll has started."
        ], "gd_start_enroll_failed" => [
            "event" => "Enrollment failed",
            "description" => "Push to start enrollement failed."
        ], "gd_tenant_update" => [
            "event" => "Guardian tenant update",
        ], "gd_unenroll" => [
            "event" => "Unenroll device account",
            "description" => "Device used for second factor authentication has been unenrolled."
        ], "gd_update_device_account" => [
            "event" => "Update device account",
            "description" => "Device used for second factor authentication has been updated."
        ], "gd_webauthn_challenge_failed" => [
            "event" => "Enrollment challenge issued",
            "description" => "User failed to verify Webauthn factor."
        ], "gd_webauthn_enrollment_failed" => [
            "event" => "Enroll failed",
            "description" => "WebAuthn factor enrollment failed."
        ], "limit_delegation" => [
            "event" => "Too Many Calls to /delegation",
            "description" => "Rate limit exceeded to /delegation endpoint"
        ], "limit_mu" => [
            "event" => "Blocked IP Address",
            "description" => "An IP address is blocked because it attempted too many failed logins without a successful login. Or an IP address is blocked because it attempted too many sign-ups, whether successful or failed. For more information, see Attack Protection"
        ], "limit_wc" => [
            "event" => "Blocked Account",
            "description" => "An IP address is blocked because it reached the maximum failed login attempts into a single account."
        ], "limit_sul" => [
            "event" => "Blocked Account",
            "description" => "A user is temporarily prevented from logging in because they reached the maximum logins per time period from the same IP address. For more information, see Attack Protection."
        ], "mfar" => [
            "event" => "MFA Required",
            "description" => "A user has been prompted for multi-factor authentication (MFA). When using Adaptive MFA, Auth0 includes details about the risk assessment."
        ], "mgmt_api_read" => [
            "event" => "Management API read Operation",
            "description" => "API GET operation returning secrets completed successfully"
        ], "oidc_backchannel_logout_failed" => [
            "event" => "Failed OIDC Back-Channel Logout request",
            "description" => "Failed OIDC Back-Channel Logout request"
        ], "oidc_backchannel_logout_succeeded" => [
            "event" => "Successful OIDC Back-Channel Logout request",
            "description" => "Successful OIDC Back-Channel Logout request"
        ], "pla" => [
            "event" => "Pre-login assessment",
            "description" => "This log is generated before a login and helps in monitoring the behavior of bot detection without having to enable it."
        ], "pwd_leak" => [
            "event" => "Breached password",
            "description" => "Someone behind the IP address ip attempted to login with a leaked password."
        ], "resource_cleanup" => [
            "event" => "Refresh token excess warning",
            "description" => "Emitted when resources exceeding defined limits were removed."
        ], "s" => [
            "event" => "Success Login",
            "description" => "Successful login event."
        ], "sapi" => [
            "event" => "Success API Operation",
            "description" => "Successful management API write event."
        ], "sce" => [
            "event" => "Success Change Email",
        ], "scoa" => [
            "event" => "Success cross-origin authentication",
        ], "scp" => [
            "event" => "Success Change Password",
        ], "scpn" => [
            "event" => "Success Change Phone Number",
        ], "scpr" => [
            "event" => "Success Change Password Request",
        ], "scu" => [
            "event" => "Success Change Username",
        ], "sd" => [
            "event" => "Success Delegation",
        ], "sdu" => [
            "event" => "Success User Deletion",
            "description" => "User successfully deleted"
        ], "seacft" => [
            "event" => "Success Exchange",
            "description" => "Successful exchange of authorization code for Access Token"
        ], "seccft" => [
            "event" => "Success Exchange",
            "description" => "Successful exchange of Access Token for a Client Credentials Grant"
        ], "sede" => [
            "event" => "Success Exchange",
            "description" => "Successful exchange of device code for Access Token"
        ], "sens" => [
            "event" => "Success Exchange",
            "description" => "Native Social Login"
        ], "seoobft" => [
            "event" => "Success Exchange",
            "description" => "Successful exchange of Password and OOB Challenge for Access Token"
        ], "seotpft" => [
            "event" => "Success Exchange",
            "description" => "Successful exchange of Password and OTP Challenge for Access Token"
        ], "sepft" => [
            "event" => "Success Exchange",
            "description" => "Successful exchange of Password for Access Token"
        ], "sercft" => [
            "event" => "Success Exchange",
            "description" => "Successful exchange of Password and MFA Recovery code for Access Token"
        ], "sertft" => [
            "event" => "Success Exchange",
            "description" => "Successful exchange of Refresh Token for Access Token"
        ], "si" => [
            "event" => "Successful invite accept",
            "description" => "Successfully accepted a user invitation"
        ], "signup_pwd_leak" => [
            "event" => "Breached password",
            "description" => "Someone behind the IP address ip attempted to signup with a leaked password."
        ], "srrt" => [
            "event" => "Success Revocation",
            "description" => "Successfully revoked a Refresh Token"
        ], "slo" => [
            "event" => "Success Logout",
            "description" => "User successfully logged out"
        ], "ss" => [
            "event" => "Success Signup",
        ], "ssa" => [
            "event" => "Success Silent Auth",
        ], "sui" => [
            "event" => "Success users import",
            "description" => "Successfully imported users"
        ], "sv" => [
            "event" => "Success Verification Email",
            "description" => "Successfully consumed email verification link"
        ], "svr" => [
            "event" => "Success Verification Email Request",
            "description" => "Successfully called verification email endpoint. Verification email in queue to send."
        ], "ublkdu" => [
            "event" => "User login block released",
            "description" => "User block setup by anomaly detection has been released"
        ], "w" => [
            "event" => "Warnings During Login",
            "description" => "Filters for logs of type warning during login"
        ]
    ];
1 Like

Thanks for sharing @laurent.payet!