What is "hostname" in logs and what does affect it?

Ready tI’m investigating why some users can’t log in. I’ve dumped logs to find anything suspicious. There is no correlation with the environment, be it the user browser, OS or platform. What I’ve found is an absolute correlation with “hostname”:

D SELECT
    type, COALESCE(hostname, 'null') AS hn, COUNT(*)
  FROM auth0_logs
  WHERE type='s' OR type='fu' OR type='fp'
  GROUP BY type, hn
  ;
┌─────────┬─────────────────────────────┬──────────────┐
│  type   │             hn              │ count_star() │
│ varchar │           varchar           │    int64     │
├─────────┼─────────────────────────────┼──────────────┤
│ s       │ my.custom.domain.de         │        53160 │
│ fp      │                             │         4073 │
│ fu      │                             │         4155 │
└─────────┴─────────────────────────────┴──────────────┘

(“s”: successful login, “fu”: failed login - wrong email/pass, “fp”: failed login - wrong password)

Now I’m stuck, I can’t backtrack from the missing “hostname” to its root cause. The package “auth0-spa-js” doesn’t contain such substring at all.

Please suggest where to look next.

Hi @olpa

The hostname parameter is null whenever there is a failed login attempt due to a wrong password or other similar causes which would not redirect the user to the next screen.

From what I can see, it appears that the failed login attempts could either be normal users failing to use the correct password (caused by a wrong pw autofill or something similar) or could also indicate some brute-force attempts on these user accounts.

I would suggest to investigate the origin of these login attempts(location and/or IP address used). Could you also let me know if you have undergone a recent user migration or if these failed logins were reported my legitimate users?

Kind Regards,
Nik