Basic error reporting with SumoLogic

markd · 2018-12-09 17:08:27 UTC

For those of you using SumoLogic, here’s a template for reporting errors in your Auth0 logs. I got lazy with the “Failed Exchange” types and lumped them altogether. I might fix that up and repost. It’s only as long as it is because I wanted friendly names for each category instead of the log type short form.

I’m also ignoring “Failed Silent Login” events since those are a normal part of doing business.

This template gives you “failure logs by type and by day”:

Adjust aggregation and display format to suit your needs.

Log types and explanations are documented in more detail here.

_sourceCategory=[YOUR AUTH0 LOGS SOURCE CATEGORY]
| json field=_raw "type" as type
| where type matches "f*" and type != "fsa"
| if (type = "f", "Failed Login", type) as type
| if (type = "fapi", "Failed API Operation", type) as type
| if (type = "fc", "Failed By Connector", type) as type
| if (type = "fce", "Failed Change Email", type) as type
| if (type = "fco", "Failed by CORS", type) as type
| if (type = "fcoa", "Failed Cross Origin Authentication", type) as type
| if (type = "fcp", "Failed Change Password", type) as type
| if (type = "fcph", "Failed Post Change Password Hook", type) as type
| if (type = "fcpn", "Failed Change Phone Number", type) as type
| if (type = "fcpr", "Failed Change Password Request", type) as type
| if (type = "fcpro", "Failed Connector Provisioning", type) as type
| if (type = "fcu", "Failed Change Username", type) as type
| if (type = "fd", "Failed Delegation", type) as type
| if (type = "fdu", "Failed User Deletion", type) as type
| if (type matches "fe*", "Failed Exchange", type) as type
| if (type = "flo", "Failed Logout", type) as type
| if (type = "fn", "Failed Sending Notification", type) as type
| if (type = "fp", "Failed Password", type) as type
| if (type = "fs", "Failed Signup", type) as type
| if (type = "fsa", "Failed Silent Authentication", type) as ignore
| if (type = "fu", "Failed Username or Email", type) as type
| if (type = "fui", "Failed User Import", type) as type
| if (type = "fv", "Failed Verification Email", type) as type
| if (type = "fvr", "Failed Verification Email Request", type) as type
| timeslice by 1d
| count by _timeslice, type
| transpose row _timeslice column type

Also useful: For the generic “Failed Login” log type ("type": "f"), count by description to get a sense of where these generic failures are happening:

_sourceCategory=auth0/prod
| json field=_raw "type" as type
| where type matches "f"
| json field=_raw "description" as description
| count by description
| sort by _count

markd · 2018-12-09 17:14:29 UTC

Example dashboard:

konrad.sopala · 2018-12-10 11:44:40 UTC

Thanks a lot @markd for sharing that!

markd · 2018-12-21 16:48:34 UTC

Edit: What is the point of this? Some log types represent technical debt in your Auth0 environment and applications: use of deprecated Auth0 features, entities doing non-OIDC conformant operations, entities using version 2 search syntax, etc. These issues may not be noticed elsewhere, so running a regular report on log types will help you to clean up your environment.

Made a few improvements here:

I created a CSV of the log event data from https://auth0.com/docs/logs#log-data-event-listing,
I’ve created a new query in Sumo Logic that uses the lookup operator to pull additional log event data from the CSV (greatly simplifying the query),
Submitted a request for an “official” CSV maintained by Auth0: https://github.com/auth0/docs/issues/7075

New query:

_sourceCategory=auth0
| json field=_raw "type" as auth0_log_event_code
| lookup event_type from https://raw.githubusercontent.com/dmark/auth0-cli-utilities/master/auth0_log_event_table.csv on auth0_log_event_code=event_code
| lookup event_description from https://raw.githubusercontent.com/dmark/auth0-cli-utilities/master/auth0_log_event_table.csv on auth0_log_event_code=event_code
| count by auth0_log_event_code, event_type, event_description
| order by _count

Add time-slicing, charting etc. as needed.

Results:

konrad.sopala · 2018-12-27 16:05:13 UTC

Thanks a lot Mark! Let the community know if you make any other improvements in the future!