Auth0’s logging capabilities are surprisingly flexible, but the real magic happens when you realize you can stream all of it, not just sample it, to external systems like Splunk and Datadog for deep analysis and alerting.
Let’s see what this looks like in practice. Imagine a user logs in, and Auth0 emits a login.success event. This event, along with its associated metadata (user ID, IP address, client, etc.), is immediately forwarded to your configured destinations.
```json
{
  "type": "login.success",
  "client_id": "abc123def456ghi789",
  "client_name": "My Awesome App",
  "date": "2023-10-27T10:30:00.123Z",
  "ip": "192.0.2.1",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
  "user_id": "auth0|abcdef1234567890",
  "connection": "Username-Password-Authentication",
  "provider": "auth0",
  "strategy": "auth0",
  "connection_id": "con_xyz987zyx654wvu321",
  "tenant_id": "ten_uvw123vuw456rst789",
  "organization_id": "org_rst789tsr654qpo321",
  "organization_name": "My Organization",
  "audience": "https://api.myawesomeapp.com",
  "access_token": "ey...",
  "access_token_audience": "https://api.myawesomeapp.com",
  "access_token_scopes": {
    "openid": {},
    "profile": {},
    "email": {}
  },
  "auth0_client": {
    "name": "auth0-php",
    "version": "6.0.0"
  },
  "request_id": "req_abcdef1234567890abcdef1234567890"
}
```
This raw JSON event (the access_token value is truncated here for brevity) is what gets sent to your Splunk HTTP Event Collector or Datadog HTTP Log Intake.
The core problem Auth0 logging solves is providing a centralized, auditable record of authentication and authorization events. Without external streaming, you’re limited to Auth0’s dashboard and its retention policies. By streaming logs, you gain:
- Long-term Retention: Store logs indefinitely without incurring Auth0’s higher data egress fees.
- Advanced Analytics: Correlate Auth0 events with other application logs, infrastructure metrics, and security events in Splunk or Datadog.
- Real-time Alerting: Set up alerts for suspicious login patterns (e.g., multiple failed attempts from the same IP, logins from unusual geographic locations) that might indicate an attack.
- Compliance Audits: Easily generate reports for security and compliance audits by querying your central log store.
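The alerting patterns from that list, run over constructed events as an added example (not code from the original post or from Auth0): a sliding-window count of login.failure events per source IP, and a login.success preceded by failures against several distinct accounts from the same IP. Field names follow the sample event above; the sample data and thresholds are assumptions to tune per tenant.

```python
"""Added example, not from the original post: suspicious-login alerts over
constructed Auth0-style events (field names follow the sample event; thresholds
are assumptions). Sample: a spray from one IP, then a benign one-typo login."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
SAMPLE_NDJSON = """\
{"type": "login.failure", "ip": "198.51.100.7", "user_id": "auth0|alice", "date": "2023-10-27T10:30:00.000Z"}
{"type": "login.failure", "ip": "198.51.100.7", "user_id": "auth0|bob", "date": "2023-10-27T10:30:05.000Z"}
{"type": "login.failure", "ip": "198.51.100.7", "user_id": "auth0|carol", "date": "2023-10-27T10:30:09.000Z"}
{"type": "login.failure", "ip": "198.51.100.7", "user_id": "auth0|dave", "date": "2023-10-27T10:30:14.000Z"}
{"type": "login.failure", "ip": "198.51.100.7", "user_id": "auth0|erin", "date": "2023-10-27T10:30:20.000Z"}
{"type": "login.success", "ip": "198.51.100.7", "user_id": "auth0|erin", "date": "2023-10-27T10:30:31.000Z"}
{"type": "login.failure", "ip": "192.0.2.1", "user_id": "auth0|alice", "date": "2023-10-27T10:31:00.000Z"}
{"type": "login.success", "ip": "192.0.2.1", "user_id": "auth0|alice", "date": "2023-10-27T10:31:12.000Z"}
"""

def load_events(ndjson):
    events = [json.loads(l) for l in ndjson.splitlines() if l.strip()]
    for e in events:
        e["_ts"] = datetime.strptime(e["date"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return sorted(events, key=lambda e: e["_ts"])  # streams can deliver out of order

def failure_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """{ip: peak count} for IPs with >= threshold login.failure events in one sliding window."""
    times = defaultdict(list)
    for e in events:
        if e.get("type") == "login.failure":
            times[e["ip"]].append(e["_ts"])
    alerts = {}
    for ip, ts in times.items():
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:  # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts

def success_after_spray(events, min_users=3, window=timedelta(minutes=5)):
    """(ip, user, n) per login.success whose IP just failed against >= min_users distinct accounts."""
    hits = []
    for i, e in enumerate(events):
        if e.get("type") != "login.success":
            continue
        failed = {p["user_id"] for p in events[:i]
                  if p.get("type") == "login.failure" and p["ip"] == e["ip"]
                  and e["_ts"] - p["_ts"] <= window}
        if len(failed) >= min_users:
            hits.append((e["ip"], e["user_id"], len(failed)))
    return hits
```

The benign alice login from 192.0.2.1 (one failure, then success) triggers neither detector, which is the false-positive case you want the thresholds to tolerate.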
Auth0 offers two primary mechanisms for streaming logs:
- Log Streaming: This is the built-in feature where you configure destinations directly within the Auth0 dashboard. It’s designed for real-time, high-volume data transfer. You can select specific event types to stream, or send everything. Destinations can include HTTP endpoints (for Splunk, Datadog, or custom solutions), AWS Kinesis, Azure Event Hubs, and Google Cloud Pub/Sub.
- Export API: For ad-hoc retrieval or scenarios where streaming isn’t feasible, you can use the Auth0 Management API’s /logs endpoint to pull historical log data. This is less common for real-time monitoring but useful for batch processing or historical analysis not covered by the stream.
To set this up for Splunk, you’ll need:
- Splunk HTTP Event Collector (HEC): Enable HEC in Splunk (Settings -> Data Inputs -> HTTP Event Collector). Create a new token, assign it to an index (e.g., auth0), and note the token value and the HEC URL (e.g., https://your-splunk-instance.com:8088/services/collector).
- Auth0 Log Stream: In Auth0, navigate to Monitoring -> Log Streaming. Click "Create Log Stream." Choose "HTTP" as the destination. Paste your Splunk HEC URL into the "Endpoint URL" field. In the "Custom Headers" section, add Authorization: Splunk your_hec_token_here. Select the event types you want to stream (or leave all selected for full fidelity).
For Datadog, the process is similar:
- Datadog HTTP Log Intake: In Datadog, navigate to Logs -> Configuration -> Processing Pipelines. You’ll typically use an HTTP source. Datadog provides an intake URL for logs, often in the format https://http-intake.logs.datadoghq.com/api/v2/logs. You’ll also need an API key.
- Auth0 Log Stream: In Auth0, create another "HTTP" log stream. Use the Datadog intake URL as the "Endpoint URL." For the "Custom Headers," you’ll typically use DD-API-KEY: your_datadog_api_key and potentially DD-Source: auth0 and DD-Tags: env:production,service:auth0. Select your desired event types.
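As an added example (not from the original post, Splunk, Datadog or Auth0), here is what the two destination requests implied by the settings above look like when built from one raw event, usable as a dry run of the HEC token/index and Datadog key before enabling the stream, or as the core of a custom relay. The SAMPLE_EVENT, token and API-key values are placeholders, and because the sample event earlier in the post carries an access_token, the relay redacts it before forwarding.

```python
"""Added example, not from the original post: build the Splunk HEC and Datadog
requests implied by the configuration above from one raw Auth0 event. Sample
event, token and key are placeholders; each result is shaped for
requests.post(url, headers=..., json=...) (the HTTP call itself is not shown)."""
from datetime import datetime, timezone

SAMPLE_EVENT = {  # constructed; same shape as the event shown earlier in the post
    "type": "login.success", "ip": "192.0.2.1", "user_id": "auth0|abcdef1234567890",
    "date": "2023-10-27T10:30:00.123Z", "client_name": "My Awesome App",
    "access_token": "eyJ.placeholder.token",
}

# A bearer token copied into a SIEM is a credential leak: strip it before forwarding.
SENSITIVE_FIELDS = ("access_token",)

def redact(event):
    """Copy of the event with sensitive fields replaced by an auditable marker."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in event.items()}

def epoch_seconds(iso_z):
    """Auth0's UTC 'date' -> epoch seconds, so Splunk indexes event time, not arrival time."""
    dt = datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return dt.timestamp()

def splunk_hec_request(event, hec_url, hec_token, index="auth0", sourcetype="auth0"):
    """HEC JSON envelope; the token rides in 'Authorization: Splunk <token>' as in the stream config."""
    return {
        "url": hec_url,  # e.g. https://your-splunk-instance.com:8088/services/collector
        "headers": {"Authorization": f"Splunk {hec_token}", "Content-Type": "application/json"},
        "json": {"time": epoch_seconds(event["date"]), "sourcetype": sourcetype,
                 "index": index, "event": redact(event)},
    }

def datadog_request(event, intake_url, api_key, tags="env:production,service:auth0"):
    """Datadog v2 log intake takes a JSON array; ddsource/ddtags travel in the body
    and the event's own fields become searchable log attributes."""
    return {
        "url": intake_url,  # e.g. https://http-intake.logs.datadoghq.com/api/v2/logs
        "headers": {"DD-API-KEY": api_key, "Content-Type": "application/json"},
        "json": [{"ddsource": "auth0", "ddtags": tags, "service": "auth0",
                  "message": f"auth0 {event['type']}", **redact(event)}],
    }
```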
The most surprising thing about Auth0’s log streaming is how little configuration is actually required on the Auth0 side for basic setup. You define the endpoint and authentication, and Auth0 handles the rest, reliably pushing events as they occur. The complexity shifts entirely to the receiving system (Splunk/Datadog) for parsing, indexing, and visualization.
The real power comes in parsing those JSON logs within Splunk or Datadog. For instance, in Splunk, you’d configure the HEC input to automatically extract fields from the JSON. If it doesn’t, you can extract them in the search itself with spath (or rex/kv); the spath line below is only needed when automatic extraction has not happened:
```spl
index=auth0 sourcetype="auth0" earliest=-1h
| spath
| search type="login.failure"
| stats count by ip, user_id
```
In Datadog, you’d create a log processing pipeline to parse the incoming JSON and tag the relevant fields, making them searchable and usable in dashboards and monitors.
The next hurdle you’ll likely encounter is efficiently querying and visualizing this data, especially when correlating Auth0 events with other application or infrastructure logs.