For those of you using SumoLogic, here’s a template for reporting errors in your Auth0 logs. I got lazy with the “Failed Exchange” types and lumped them all together. I might fix that up and repost. It’s only as long as it is because I wanted friendly names for each category instead of the log type short form.
I’m also ignoring “Failed Silent Login” events since those are a normal part of doing business.
This template gives you “failure logs by type and by day”:
Adjust aggregation and display format to suit your needs.
Log types and explanations are documented in more detail here.
```
_sourceCategory=[YOUR AUTH0 LOGS SOURCE CATEGORY]
| json field=_raw "type" as type
// keep only failure types, excluding failed silent authentication
| where type matches "f*" and type != "fsa"
| if (type = "f", "Failed Login", type) as type
| if (type = "fapi", "Failed API Operation", type) as type
| if (type = "fc", "Failed By Connector", type) as type
| if (type = "fce", "Failed Change Email", type) as type
| if (type = "fco", "Failed by CORS", type) as type
| if (type = "fcoa", "Failed Cross Origin Authentication", type) as type
| if (type = "fcp", "Failed Change Password", type) as type
| if (type = "fcph", "Failed Post Change Password Hook", type) as type
| if (type = "fcpn", "Failed Change Phone Number", type) as type
| if (type = "fcpr", "Failed Change Password Request", type) as type
| if (type = "fcpro", "Failed Connector Provisioning", type) as type
| if (type = "fcu", "Failed Change Username", type) as type
| if (type = "fd", "Failed Delegation", type) as type
| if (type = "fdu", "Failed User Deletion", type) as type
| if (type matches "fe*", "Failed Exchange", type) as type
| if (type = "flo", "Failed Logout", type) as type
| if (type = "fn", "Failed Sending Notification", type) as type
| if (type = "fp", "Failed Password", type) as type
| if (type = "fs", "Failed Signup", type) as type
// "fsa" is already excluded by the where clause above; this line only writes an unused "ignore" field
| if (type = "fsa", "Failed Silent Authentication", type) as ignore
| if (type = "fu", "Failed Username or Email", type) as type
| if (type = "fui", "Failed User Import", type) as type
| if (type = "fv", "Failed Verification Email", type) as type
| if (type = "fvr", "Failed Verification Email Request", type) as type
| timeslice by 1d
| count by _timeslice, type
| transpose row _timeslice column type
```
Also useful: For the generic “Failed Login” log type (`"type": "f"`), count by description to get a sense of where these generic failures are happening:
```
_sourceCategory=auth0/prod
| json field=_raw "type" as type
| where type matches "f"
| json field=_raw "description" as description
| count by description
| sort by _count
```
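
An offline cross-check for the first template, as an added example that is not part of the original post: it applies the same filter, friendly-name mapping and per-day pivot to exported Auth0 events so the dashboard numbers can be compared against a known sample. It assumes one JSON object per line with a `type` field and a UTC ISO 8601 `date` field; bucketing on `date` is an assumption and can differ from Sumo's `_timeslice` when the search timezone is not UTC. The sample lines and the names `label` and `failures_by_day` are constructed for illustration.

```python
import json
from collections import Counter, defaultdict

# Friendly names copied from the Sumo Logic query in the post.
FRIENDLY = {
    "f": "Failed Login", "fapi": "Failed API Operation", "fc": "Failed By Connector",
    "fce": "Failed Change Email", "fco": "Failed by CORS",
    "fcoa": "Failed Cross Origin Authentication", "fcp": "Failed Change Password",
    "fcph": "Failed Post Change Password Hook", "fcpn": "Failed Change Phone Number",
    "fcpr": "Failed Change Password Request", "fcpro": "Failed Connector Provisioning",
    "fcu": "Failed Change Username", "fd": "Failed Delegation",
    "fdu": "Failed User Deletion", "flo": "Failed Logout",
    "fn": "Failed Sending Notification", "fp": "Failed Password", "fs": "Failed Signup",
    "fu": "Failed Username or Email", "fui": "Failed User Import",
    "fv": "Failed Verification Email", "fvr": "Failed Verification Email Request",
}

def label(log_type):
    """Return the report category for a log type, or None if the query drops it."""
    if not log_type.startswith("f") or log_type == "fsa":
        return None                      # where type matches "f*" and type != "fsa"
    if log_type in FRIENDLY:
        return FRIENDLY[log_type]
    if log_type.startswith("fe"):
        return "Failed Exchange"         # all fe* types lumped together, as in the post
    return log_type                      # unmapped failure types keep their short code

def failures_by_day(lines):
    """Pivot failure counts as {day: {category: count}}, like timeslice + transpose."""
    table = defaultdict(Counter)
    for line in lines:
        try:
            event = json.loads(line)
            name = label(str(event.get("type", "")))
        except (ValueError, AttributeError):
            continue                     # skip non-JSON lines and non-object values
        if name is not None:
            table[str(event.get("date", ""))[:10]][name] += 1  # assumed UTC `date` field
    return {day: dict(counts) for day, counts in sorted(table.items())}

# Constructed sample events (not real tenant data).
SAMPLE = [
    '{"date":"2024-05-01T08:15:00.000Z","type":"f","description":"Invalid state"}',
    '{"date":"2024-05-01T09:00:00.000Z","type":"fp"}',
    '{"date":"2024-05-01T09:05:00.000Z","type":"fsa"}',
    '{"date":"2024-05-01T10:00:00.000Z","type":"s"}',
    '{"date":"2024-05-02T11:00:00.000Z","type":"feacft"}',
    '{"date":"2024-05-02T11:30:00.000Z","type":"fertft"}',
    '{"date":"2024-05-02T12:00:00.000Z","type":"fp"}',
    "not json",
]
```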