How to detect invalid login in a rule

Is there a way inside a rule to detect if a login was unsuccessful? Or do rules only fire on successful logins? I am looking to send logs from auth0 to another service when a invalid login happens. Hoping I can just do this via a rule.

Saw this other thread, but no solution was provided. Detect invalid login attempts and lock user in a rule

Hi @pbr0ck3r,

Welcome to the Auth0 Community!

One of the Auth0 engineering types may correct me but I believe rules only execute after successful authentication.

1 Like

Hi @pbr0ck3r,

@markd is correct, rules run after successful logins.

You could use a log stream to monitor failed logins.

Let me know if this works for you,

1 Like

Hey @markd @dan.woda ,

Thanks so much for the quick response. I will check out Log streams.

1 Like

Hi @dan.woda: Will log streams replace the various logging extensions (the HTTP based ones at least)?

@markd I think eventually. Log streams is essentially an improvement on log extensions. It was built to for better delivery time and volume. If you want to know more I can reach out to the relevant folks.

1 Like

All good, thanks. I will ping my TAM if I need more details. Good to see functionality like getting rolled in to the core product!

1 Like

@markd Log streams is a huge one for me. It is a great improvement. Sounds good!

Looking into the AWS Event Bridge stuff. My end goal is to get the logs into S3. Would be cool if I could just go straight to a bucket from Auth0.

This is a great idea for an API. Have the API offer an HTTP endpoint to point the log stream at and then write the individual logs as JSON files to a bucket. Could work with any of the object storage services out there.

Hi @dan.woda,
We want to use log streams to post to sentry, but we only want to post our failures. Is there a way to filter the events sent from the stream?



Welcome to the Community!

Not that I know right now, you would need to handle that on your side. You should be able to look for log event type ‘f’ and filter out the other noise.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.