Auth0 Log Streams Integration
<div class="condensed-table">
| | |
| --- | --- |
| Version | 1.19.0 (View all) |
| Compatible Kibana version(s) | 8.13.0 or higher |
| Supported Serverless project types
What’s this? | Security
Observability |
| Subscription level
What’s this? | Basic |
| Level of support
What’s this? | Elastic |
</div>
Auth0 offers integrations that push log events via log streams to Elasticsearch or allows an Elastic Agent to make API requests for log events. The Auth0 Log Streams integration package creates a HTTP listener that accepts incoming log events or runs periodic API requests to collect events and ingests them into Elasticsearch. This allows you to search, observe and visualize the Auth0 log events through Elasticsearch.
The package collects log events either sent via log stream webhooks, or by API request to the Auth0 v2 API.
- In Kibana go to Management > Integrations
- In "Search for integrations" search bar type Auth0
- Click on "Auth0" integration from the search results.
- Click on Add Auth0 button to add Auth0 integration.
The agent running this integration must be able to accept requests from the Internet in order for Auth0 to be able connect. Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
For more information, see Auth0’s webpage on integration to Elastic Security.
- Click on Collect Auth0 log streams events via Webhooks to enable it.
- Enter values for "Listen Address", "Listen Port" and "Webhook path" to form the endpoint URL. Make note of the Endpoint URL
https://{{AGENT_ADDRESS}}:8383/auth0/logs. - Enter value for "Secret value". This must match the "Authorization Token" value entered when configuring the "Custom Webhook" from Auth0 cloud.
- Enter values for "TLS". Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
- From the Auth0 management console, navigate to Logs > Streams and click + Create Stream.
- Choose Custom Webhook.
- Name the new Event Stream appropriately (e.g. Elastic) and click Create.
- In Payload URL, paste the Endpoint URL collected during Step 1 of Configure the Auth0 integration section.
- In Authorization Token, paste the Authorization Token. This must match the value entered in Step 2 of Configure the Auth0 integration section.
- In Content Type, choose application/json.
- In Content Format, choose JSON Lines.
- Click Save.
- From the Auth0 management console, navigate to Applications > Applications and click + Create Application.
- Choose Machine to Machine Application.
- Name the new Application appropriately (e.g. Elastic) and click Create.
- Select the Auth0 Management API option and click Authorize.
- Select the
read:logsandread:logs_userspermissions and then click Authorize. - Navigate to the Settings tab. Take note of the "Domain", "Client ID" and "Client Secret" values in the Basic Information section.
- Click Save Changes.
- In the Elastic Auth0 integration user interface click on Collect Auth0 log events via API requests to enable it.
- Enter value for "URL". This must be an https URL using the Domain value obtained from Auth cloud above.
- Enter value for "Client ID". This must match the "Client ID" value obtained from Auth0 cloud above.
- Enter value for "Client Secret". This must match the "Client Secret" value obtained from Auth0 cloud above.
Enable to collect Auth0 log events for all the applications configured for the chosen log stream.
The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log events are available in the auth0.logs field group.
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| auth0.logs.data.audience | API audience the event applies to. | keyword |
| auth0.logs.data.classification | Log stream filters | keyword |
| auth0.logs.data.client_id | ID of the client (application). | keyword |
| auth0.logs.data.client_name | Name of the client (application). | keyword |
| auth0.logs.data.connection | Name of the connection the event relates to. | keyword |
| auth0.logs.data.connection_id | ID of the connection the event relates to. | keyword |
| auth0.logs.data.date | Date when the event occurred in ISO 8601 format. | date |
| auth0.logs.data.description | Description of this event. | text |
| auth0.logs.data.details | Additional useful details about this event (values here depend upon event type). | flattened |
| auth0.logs.data.hostname | Hostname the event applies to. | keyword |
| auth0.logs.data.ip | IP address of the log event source. | ip |
| auth0.logs.data.is_mobile | Whether the client was a mobile device (true) or desktop/laptop/server (false). | boolean |
| auth0.logs.data.location_info.city_name | Full city name in English. | keyword |
| auth0.logs.data.location_info.continent_code | Continent the country is located within. Can be AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania) or SA (South America). | keyword |
| auth0.logs.data.location_info.country_code | Two-letter Alpha-2 ISO 3166-1 country code | keyword |
| auth0.logs.data.location_info.country_code3 | Three-letter Alpha-3 ISO 3166-1 country code | keyword |
| auth0.logs.data.location_info.country_name | Full country name in English. | keyword |
| auth0.logs.data.location_info.latitude | Global latitude (horizontal) position. | keyword |
| auth0.logs.data.location_info.longitude | Global longitude (vertical) position. | keyword |
| auth0.logs.data.location_info.time_zone | Time zone name as found in the tz database. | keyword |
| auth0.logs.data.log_id | Unique log event identifier | keyword |
| auth0.logs.data.login.completedAt | Time at which the operation was completed | date |
| auth0.logs.data.login.elapsedTime | The total amount of time in milliseconds the operation took to complete. | long |
| auth0.logs.data.login.initiatedAt | Time at which the operation was initiated | date |
| auth0.logs.data.login.stats.loginsCount | Total number of logins performed by the user | long |
| auth0.logs.data.scope | Scope permissions applied to the event. | keyword |
| auth0.logs.data.strategy | Name of the strategy involved in the event. | keyword |
| auth0.logs.data.strategy_type | Type of strategy involved in the event. | keyword |
| auth0.logs.data.tenant_name | The name of the auth0 tenant. | keyword |
| auth0.logs.data.type | Type of event. | keyword |
| auth0.logs.data.user_agent | User agent string from the client device that caused the event. | text |
| auth0.logs.data.user_id | ID of the user involved in the event. | keyword |
| auth0.logs.data.user_name | Name of the user involved in the event. | keyword |
| auth0.logs.log_id | Unique log event identifier | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event timestamp. | constant_keyword |
| event.module | Event timestamp. | constant_keyword |
| input.type | Input type. | keyword |
**Example**
An example event for logs looks as following:
{
"@timestamp": "2021-11-03T03:06:05.696Z",
"agent": {
"ephemeral_id": "ca08f8bd-d4b8-4ea2-aefa-eb285a0b32c6",
"id": "212c7c0c-b1d6-427f-b567-7cc8887732b9",
"name": "elastic-agent-75377",
"type": "filebeat",
"version": "8.13.0"
},
"auth0": {
"logs": {
"data": {
"classification": "Login - Failure",
"date": "2021-11-03T03:06:05.696Z",
"description": "Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs",
"details": {
"error": {
"message": "Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs",
"oauthError": "Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs. Please go to 'https://manage.auth0.com/#/applications/aI61p8I8aFjmYRliLWgvM9ev97kCCNDB/settings' and make sure you are sending the same callback url from your application.",
"payload": {
"attempt": "http://localhost:3000/callback",
"client": {
"clientID": "aI61p8I8aFjmYRliLWgvM9ev97kCCNDB"
},
"code": "unauthorized_client",
"message": "Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs",
"name": "CallbackMismatchError",
"status": 403
},
"type": "callback-url-mismatch"
},
"qs": {
"client_id": "aI61p8I8aFjmYRliLWgvM9ev97kCCNDB",
"redirect_uri": "http://localhost:3000/callback",
"response_type": "code",
"scope": "openid profile",
"state": "Vz6G2zZf95/FCOQALrpvd4bS6jx5xvRos2pVldFAiw4="
}
},
"hostname": "dev-yoj8axza.au.auth0.com",
"type": "Failed login"
}
}
},
"data_stream": {
"dataset": "auth0.logs",
"namespace": "12089",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "212c7c0c-b1d6-427f-b567-7cc8887732b9",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "failed-login",
"agent_id_status": "verified",
"category": [
"authentication"
],
"dataset": "auth0.logs",
"id": "90020211103030609732115389415260839021644201259064885298",
"ingested": "2024-11-11T15:35:02Z",
"kind": "event",
"original": "{\"data\":{\"connection_id\":\"\",\"date\":\"2021-11-03T03:06:05.696Z\",\"description\":\"Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs\",\"details\":{\"body\":{},\"error\":{\"message\":\"Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs\",\"oauthError\":\"Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs. Please go to 'https://manage.auth0.com/#/applications/aI61p8I8aFjmYRliLWgvM9ev97kCCNDB/settings' and make sure you are sending the same callback url from your application.\",\"payload\":{\"attempt\":\"http://localhost:3000/callback\",\"authorized\":[],\"client\":{\"clientID\":\"aI61p8I8aFjmYRliLWgvM9ev97kCCNDB\"},\"code\":\"unauthorized_client\",\"message\":\"Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs\",\"name\":\"CallbackMismatchError\",\"status\":403},\"type\":\"callback-url-mismatch\"},\"qs\":{\"client_id\":\"aI61p8I8aFjmYRliLWgvM9ev97kCCNDB\",\"redirect_uri\":\"http://localhost:3000/callback\",\"response_type\":\"code\",\"scope\":\"openid profile\",\"state\":\"Vz6G2zZf95/FCOQALrpvd4bS6jx5xvRos2pVldFAiw4=\"}},\"hostname\":\"dev-yoj8axza.au.auth0.com\",\"ip\":\"81.2.69.143\",\"log_id\":\"90020211103030609732115389415260839021644201259064885298\",\"type\":\"f\",\"user_agent\":\"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0\"},\"log_id\":\"90020211103030609732115389415260839021644201259064885298\"}",
"outcome": "failure",
"type": [
"info"
]
},
"input": {
"type": "http_endpoint"
},
"log": {
"level": "error"
},
"network": {
"type": "ipv4"
},
"source": {
"geo": {
"city_name": "London",
"continent_name": "Europe",
"country_iso_code": "GB",
"country_name": "United Kingdom",
"location": {
"lat": 51.5142,
"lon": -0.0931
},
"region_iso_code": "GB-ENG",
"region_name": "England"
},
"ip": "81.2.69.143"
},
"tags": [
"preserve_original_event",
"forwarded",
"auth0-logstream"
],
"user_agent": {
"device": {
"name": "Other"
},
"name": "Firefox",
"original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0",
"os": {
"name": "Ubuntu"
},
"version": "93.0."
}
}
**Changelog**
| Version | Details | Kibana version(s) |
|---|---|---|
| 1.19.0 | pass:[] Enhancement (View pull request) Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". |
8.13.0 or higher |
| 1.18.1 | pass:[] Bug fix (View pull request) Fix dashboard visualisations containing empty data. |
8.13.0 or higher |
| 1.18.0 | pass:[] Enhancement (View pull request) Allow @custom pipeline access to event.original without setting preserve_original_event. |
8.13.0 or higher |
| 1.17.0 | pass:[] Enhancement (View pull request) Add pull v2/logs API input. |
8.13.0 or higher |
| 1.16.0 | pass:[] Enhancement (View pull request) Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. |
8.13.0 or higher |
| 1.15.0 | pass:[] Enhancement (View pull request) Set sensitive values as secret. |
8.12.0 or higher |
| 1.14.2 | pass:[] Enhancement (View pull request) Changed owners |
8.7.1 or higher |
| 1.14.1 | pass:[] Enhancement (View pull request) Improve wording on elapsed time in milliseconds. |
8.7.1 or higher |
| 1.14.0 | pass:[] Enhancement (View pull request) ECS version updated to 8.11.0. |
8.7.1 or higher |
| 1.13.0 | pass:[] Enhancement (View pull request) ECS version updated to 8.10.0. |
8.7.1 or higher |
| 1.12.0 | pass:[] Enhancement (View pull request) The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest. |
8.7.1 or higher |
| 1.11.0 | pass:[] Enhancement (View pull request) Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. |
8.7.1 or higher |
| 1.10.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.9.0. |
8.7.1 or higher |
| 1.9.0 | pass:[] Enhancement (View pull request) Convert visualizations to lens. |
8.7.1 or higher |
| 1.8.0 | pass:[] Enhancement (View pull request) Ensure event.kind is correctly set for pipeline errors. |
8.1.0 or higher |
| 1.7.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.8.0. |
8.1.0 or higher |
| 1.6.0 | pass:[] Enhancement (View pull request) Update package-spec version to 2.7.0. |
8.1.0 or higher |
| 1.5.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.7.0. |
8.1.0 or higher |
| 1.4.1 | pass:[] Enhancement (View pull request) Added categories and/or subcategories. |
8.1.0 or higher |
| 1.4.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.6.0. |
8.1.0 or higher |
| 1.3.1 | pass:[] Enhancement (View pull request) Migrate the visualizations to by value in dashboards to minimize the saved object clutter and reduce time to load |
8.1.0 or higher |
| 1.3.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.5.0. |
7.16.0 or higher 8.0.0 or higher |
| 1.2.2 | pass:[] Bug fix (View pull request) Remove duplicate field. |
7.16.0 or higher 8.0.0 or higher |
| 1.2.1 | pass:[] Enhancement (View pull request) Use ECS geo.location definition. |
7.16.0 or higher 8.0.0 or higher |
| 1.2.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.4.0 |
7.16.0 or higher 8.0.0 or higher |
| 1.1.1 | pass:[] Enhancement (View pull request) Update package name and description to align with standard wording |
7.16.0 or higher 8.0.0 or higher |
| 1.1.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.3.0. |
7.16.0 or higher 8.0.0 or higher |
| 1.0.0 | pass:[] Enhancement (View pull request) Make GA |
7.16.0 or higher 8.0.0 or higher |
| 0.1.4 | pass:[] Enhancement (View pull request) Update Readme |
— |
| 0.1.3 | pass:[] Enhancement (View pull request) Add documentation for multi-fields |
— |
| 0.1.2 | pass:[] Bug fix (View pull request) Fix documentation bug |
— |
| 0.1.1 | pass:[] Bug fix (View pull request) Update Auth0 logo image |
— |
| 0.1.0 | pass:[] Enhancement (View pull request) Initial commit |
— |