Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
67 lines (45 sloc) 2.96 KB

Setup

Just install the package from Splunk Apps.

  • You must use a platform that supports Nodejs (which ships in the box for Splunk).
  • Make sure the SPLUNK_HOME environment variable is pointing to the root directory of your Splunk instance.
  • If your Splunk Web is located behind a proxy server, please configure the HTTP(S)_PROXY environment variable.

Usage

  1. Open the Splunk web interface and go to Settings -> Data -> Data inputs
  2. Add new data input for Auth0 app specifying name, domain, global client ID, global client secret and interval (under "More settings" section)

Global client ID and secret can be found from https://docs.auth0.com/api

Troubleshooting

  • File location for latest log checkpoint: $SPLUNK_HOME/var/lib/splunk/modinputs/auth0/{AUTH0_DOMAIN}-log-checkpoint.txt
  • Log files:
    • $SPLUNK_HOME/var/log/splunk/audit.log
    • $SPLUNK_HOME/var/log/splunk/splunkd.log

Erase data

  1. Open the Splunk web interface, go to Settings -> Data -> Data inputs -> Auth0 and delete the data input
  2. Delete log checkpoint file: $SPLUNK_HOME/var/lib/splunk/modinputs/auth0/{AUTH0_DOMAIN}-log-checkpoint.txt
  3. Perform one of the following searches:
    • Remove all Auth0 events: sourcetype="auth0_logs" | delete
    • Remove specific data input events: source=auth0://{DATA_INPUT_NAME} | delete

If you have insufficient privileges to delete events (and presuming you are admin), go to Settings -> Users and authentication -> Access controls -> Roles -> admin and add the delete_by_keyword capability under Capabilities section.

Generate and publish new package

  1. Make sure to update version number from default/app.conf file.
  2. Install gnutar | instructions
  3. npm install -g flatten-packages
  4. Execute the following:
# include dependencies
cd bin/app/ && rm -rf ./node_modules && npm install --production
flatten-packages

# generate spl package
alias tar='gnutar'
cd ../../..
tar cv splunk-auth0/ -X splunk-auth0/.tarignore > splunk-auth0.tar
gzip splunk-auth0.tar
mv splunk-auth0.tar.gz splunk-auth0.spl

You are ready to upload the new splunk-auth0.spl package to https://apps.splunk.com/app/1884/edit/#/hosting/new

More info see Splunk Documentation - Package your app or add-on

Issue Reporting

If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

Author

Auth0

License

This project is licensed under the MIT license. See the LICENSE file for more info.