Basic error reporting with SumoLogic

For those of you using SumoLogic, here’s a template for reporting errors in your Auth0 logs. I got lazy with the “Failed Exchange” types and lumped them all together. I might fix that up and repost. It’s only as long as it is because I wanted friendly names for each category instead of the log type short form.

I’m also ignoring “Failed Silent Login” events since those are a normal part of doing business.

This template gives you “failure logs by type and by day”:

Adjust aggregation and display format to suit your needs.

Log types and explanations are documented in more detail here.

| json field=_raw "type" as type
| where type matches "f*" and type != "fsa"
| if (type = "f", "Failed Login", type) as type
| if (type = "fapi", "Failed API Operation", type) as type
| if (type = "fc", "Failed By Connector", type) as type
| if (type = "fce", "Failed Change Email", type) as type
| if (type = "fco", "Failed by CORS", type) as type
| if (type = "fcoa", "Failed Cross Origin Authentication", type) as type
| if (type = "fcp", "Failed Change Password", type) as type
| if (type = "fcph", "Failed Post Change Password Hook", type) as type
| if (type = "fcpn", "Failed Change Phone Number", type) as type
| if (type = "fcpr", "Failed Change Password Request", type) as type
| if (type = "fcpro", "Failed Connector Provisioning", type) as type
| if (type = "fcu", "Failed Change Username", type) as type
| if (type = "fd", "Failed Delegation", type) as type
| if (type = "fdu", "Failed User Deletion", type) as type
| if (type matches "fe*", "Failed Exchange", type) as type
| if (type = "flo", "Failed Logout", type) as type
| if (type = "fn", "Failed Sending Notification", type) as type
| if (type = "fp", "Failed Password", type) as type
| if (type = "fs", "Failed Signup", type) as type
| if (type = "fsa", "Failed Silent Authentication", type) as ignore
| if (type = "fu", "Failed Username or Email", type) as type
| if (type = "fui", "Failed User Import", type) as type
| if (type = "fv", "Failed Verification Email", type) as type
| if (type = "fvr", "Failed Verification Email Request", type) as type
| timeslice by 1d
| count by _timeslice, type
| transpose row _timeslice column type

Also useful: For the generic “Failed Login” log type ("type": "f"), count by description to get a sense of where these generic failures are happening:

| json field=_raw "type" as type
| where type matches "f"
| json field=_raw "description" as description
| count by description
| sort by _count

Example dashboard:


Thanks a lot @markd for sharing that!

Edit: What is the point of this? Some log types represent technical debt in your Auth0 environment and applications: use of deprecated Auth0 features, entities doing non-OIDC conformant operations, entities using version 2 search syntax, etc. These issues may not be noticed elsewhere, so running a regular report on log types will help you to clean up your environment.

Made a few improvements here:

  1. I created a CSV of the log event data from,
  2. I’ve created a new query in Sumo Logic that uses the lookup operator to pull additional log event data from the CSV (greatly simplifying the query),
  3. Submitted a request for an “official” CSV maintained by Auth0:

New query:

| json field=_raw "type" as auth0_log_event_code
| lookup event_type from on auth0_log_event_code=event_code
| lookup event_description from on auth0_log_event_code=event_code
| count by auth0_log_event_code, event_type, event_description
| order by _count

Add time-slicing, charting etc. as needed.


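An offline equivalent of the "failure logs by type and by day" report from the first query, as an added example that is not part of the original posts: it applies the thread's friendly-name mapping to exported Auth0 log records, so the Sumo Logic output can be cross-checked. It assumes one JSON record per line with the `type` and `date` fields; the function names and the sample records are constructed for illustration, and `fxyz` is a made-up code used to show how an unmapped type surfaces.

```python
import json
from collections import Counter

# Friendly names copied from the first query in this thread.
FRIENDLY = {
    "f": "Failed Login", "fd": "Failed Delegation", "fp": "Failed Password",
    "fs": "Failed Signup", "flo": "Failed Logout", "fdu": "Failed User Deletion",
    "fapi": "Failed API Operation", "fc": "Failed By Connector",
    "fce": "Failed Change Email", "fco": "Failed by CORS",
    "fcoa": "Failed Cross Origin Authentication", "fcp": "Failed Change Password",
    "fcph": "Failed Post Change Password Hook", "fcpn": "Failed Change Phone Number",
    "fcpr": "Failed Change Password Request", "fcpro": "Failed Connector Provisioning",
    "fcu": "Failed Change Username", "fn": "Failed Sending Notification",
    "fu": "Failed Username or Email", "fui": "Failed User Import",
    "fv": "Failed Verification Email", "fvr": "Failed Verification Email Request",
}
IGNORED = {"fsa"}  # Failed Silent Authentication, excluded as in the thread

def friendly_name(code):
    """Map a log type code to its friendly name; unknown codes pass through."""
    if code.startswith("fe"):  # all "Failed Exchange" variants lumped together
        return "Failed Exchange"
    return FRIENDLY.get(code, code)  # unmapped codes stay visible in the report

def failures_by_day(lines):
    """Count failure events per (UTC day, friendly type) from JSON log lines."""
    counts, skipped = Counter(), 0
    for line in lines:
        try:
            event = json.loads(line)
            code, day = event["type"], event["date"][:10]
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed or incomplete record
            continue
        if not isinstance(code, str) or not code.startswith("f") or code in IGNORED:
            continue  # same filter as: type matches "f*" and type != "fsa"
        counts[(day, friendly_name(code))] += 1
    return counts, skipped

# Constructed sample records (not real tenant data).
SAMPLE = [
    '{"date": "2024-03-01T08:15:00.000Z", "type": "fp"}',
    '{"date": "2024-03-01T09:02:11.000Z", "type": "fp"}',
    '{"date": "2024-03-01T09:05:40.000Z", "type": "fsa"}',
    '{"date": "2024-03-01T10:30:00.000Z", "type": "s"}',
    '{"date": "2024-03-02T11:00:00.000Z", "type": "feacft"}',
    '{"date": "2024-03-02T11:45:00.000Z", "type": "fxyz"}',  # made-up unmapped code
    'not json',
]
```

Any raw code that appears in the output instead of a friendly name is a type missing from the mapping, which is also a row that would be missing from a lookup CSV built from it.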

Thanks a lot Mark! Let the community know if you make any other improvements in the future!