A simple Prometheus exporter for Auth0 log events, which allows you to collect metrics from Auth0 and expose them in a format that can be consumed by Prometheus.
It can be difficult to monitor Auth0 tenant events on a Prometheus stack, especially compared to other monitoring systems such as Datadog. This Prometheus exporter aims to simplify this, making it easier to expose tenant events.
- Auth0 account.
- Auth0 tenant management API client credentials.
  - Required Grants: read:users or read:user_idp_tokens, read:clients or read:client_keys, read:logs
- (Optional) Auth0 tenant management API static token.
If you just want to try the exporter locally without installation, you can do so by using Nix.
nix run github:tfadeyi/auth0-simple-exporter export -- --tls.disabled
The quickest way to install the exporter is through Helm. Make sure you have your Auth0 credentials at hand.
export TOKEN="< auth0 management API static token >"
export DOMAIN="< auth0 tenant domain >"
# Installing by passing in secret directly
helm repo add auth0-exporter https://tfadeyi.github.io/auth0-simple-exporter
helm upgrade prod auth0-exporter/auth0-exporter --install --create-namespace -n auth0-exporter \
--set auth0.domain="$DOMAIN" --set auth0.token="$TOKEN" --set exporter.tls.disabled=true
This installs the exporter with TLS disabled, so the metrics endpoint is served over plain HTTP. TLS is enabled by default (see the --tls.* flags below).
Binaries can be downloaded from the Releases page.
Download and run the exporter's binary with TLS disabled.
export TOKEN="< auth0 management API static token >"
export DOMAIN="< auth0 tenant domain >"
curl -LJO https://github.com/tfadeyi/auth0-simple-exporter/releases/download/v0.0.2/auth0-simple-exporter-linux-amd64.tar.gz && \
tar -xzvf auth0-simple-exporter-linux-amd64.tar.gz && \
cd auth0-simple-exporter-linux-amd64
./auth0-simple-exporter export --tls.disabled
The recommended way to get the Docker image is to pull the prebuilt image from the project's GitHub Container Registry.
$ docker pull ghcr.io/tfadeyi/auth0-simple-exporter:latest
To use a specific version, you can pull a versioned tag.
$ docker pull ghcr.io/tfadeyi/auth0-simple-exporter:[TAG]
To integrate the exporter with Docker Compose, follow these steps:
- Create a .env file (ideally named to match the tenant, e.g., .env.tenant1) and define the following variables:
TOKEN=< auth0 management API static token >
DOMAIN=< auth0 tenant domain >
CLIENT_SECRET=<auth0 management API client-secret>
CLIENT_ID=<auth0 management API client-id>
- Update your docker-compose.yaml file to include the exporter as a service. Below is an example configuration for a single exporter setup:
services:
  metric-exporter:
    image: ghcr.io/tfadeyi/auth0-simple-exporter:latest
    container_name: metric-exporter
    env_file:
      - .env.tenant1
    command: export --tls.disabled
    ports:
      - "9301:9301"
- For a multi-tenant setup, you can configure multiple exporter services pointing to different .env files:
services:
  metric-exporter:
    image: ghcr.io/tfadeyi/auth0-simple-exporter:latest
    container_name: metric-exporter
    env_file:
      - .env
    command: export --tls.disabled
    ports:
      - "9301:9301"
  metric-exporter2:
    image: ghcr.io/tfadeyi/auth0-simple-exporter:latest
    container_name: metric-exporter2
    env_file:
      - .env.tenant1
    command: export --tls.disabled
    ports:
      - "9302:9301"
- Configure Prometheus to scrape metrics from the exporters. Below is an example prometheus.yaml configuration (this assumes you are running Prometheus in the same docker network as the exporter):
scrape_configs:
  - job_name: auth0_exporter1
    metrics_path: /metrics
    static_configs:
      - targets: ['metric-exporter:9301']
    relabel_configs:
      - source_labels: [ __address__ ]
        target_label: __param_target
      - source_labels: [ __param_target ]
        target_label: instance
      - target_label: __address__
        replacement: metric-exporter:9301
  - job_name: auth0_exporter2
    metrics_path: /metrics
    static_configs:
      # Inside the docker network the container port (9301) is used;
      # 9302 is only the port published on the host.
      - targets: ['metric-exporter2:9301']
    relabel_configs:
      - source_labels: [ __address__ ]
        target_label: __param_target
      - source_labels: [ __param_target ]
        target_label: instance
      - target_label: __address__
        replacement: metric-exporter2:9301
This shows a simple installation of the exporter Helm chart, running with TLS disabled.
export TOKEN="< auth0 management API static token >"
export DOMAIN="< auth0 tenant domain >"
# Installing by passing in secret directly
helm repo add auth0-exporter https://tfadeyi.github.io/auth0-simple-exporter
# "prod" is the release name, as in the quick-start command above
helm upgrade prod auth0-exporter/auth0-exporter --install --create-namespace -n auth0-exporter \
--set auth0.domain="$DOMAIN" --set auth0.token="$TOKEN" \
--set exporter.tls.disabled=true
More info on the helm deployment can be found here.
From the repository root directory run:
make build
# or for multiple systems
make build-all-platforms
The exporter can be used via Nix.
nix run github:tfadeyi/auth0-simple-exporter export -- --tls.disabled
You can use Octopus Deploy to deploy the exporter to your cluster. Simply add the following as the Feed URL:
https://tfadeyi.github.io/auth0-simple-exporter
Usage:
exporter export [flags]
Flags:
--auth0.client-id string Auth0 management api client-id.
--auth0.client-secret string Auth0 management api client-secret.
--auth0.domain string Auth0 tenant's domain. (i.e: <tenant_name>.eu.auth0.com).
--auth0.from string Point in time from were to start fetching auth0 logs. (format: RFC3339) (default Now)
--auth0.token string Auth0 management api static token. (the token can be used instead of client credentials).
-h, --help help for export
--log.level string Exporter log level (debug, info, warn, error). (default "warn")
--namespace string Exporter's namespace.
--pprof.enabled Enabled pprof profiling on the exporter on port :6060. (help: https://jvns.ca/blog/2017/09/24/profiling-go-with-pprof/).
--pprof.listen-address int Port where the pprof webserver will listen on. (default 6060)
--probe.listen-address int Port where the probe webserver will listen on. (default 8081)
--probe.path string URL Path under which to expose the probe metrics. (default "probe")
--subsystem string Exporter's subsystem.
--tls.auto Allow the exporter to use autocert to renew its certificates with letsencrypt.
(Can only be used if the exporter is publicly accessible by the internet)
--tls.cert-file string Path to the PEM encoded certificate for the auth0-exporter metrics to serve.
--tls.disabled Run exporter without TLS. TLS is enabled by default.
--tls.hosts strings The different allowed hosts for the exporter. Only works when --tls.auto has been enabled.
--tls.key-file string Path to the PEM encoded key for the auth0-exporter metrics server.
--web.listen-address int Port where the exporter webserver will listen on. (default 8080)
--web.path string URL Path under which to expose the collected auth0 metrics. (default "metrics")
- TOKEN, Auth0 management API static token.
- DOMAIN, Auth0 tenant domain.
- CLIENT_SECRET, Auth0 management API client-secret, (not required if setting the token).
- CLIENT_ID, Auth0 management API client-id, (not required if setting the token).
Monitor the percentage of failed logins in the Auth0 tenant:
(tenant_failed_login_operations_total / tenant_login_operations_total) * 100
Monitor the number of currently logged-in users for a client application in the Auth0 tenant:
(tenant_login_operations_total{client="ChatGPT"} - tenant_failed_login_operations_total{client="ChatGPT"}) - (tenant_logout_operations_total{client="ChatGPT"} - tenant_failed_logout_operations_total{client="ChatGPT"})
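The queries above can be turned into alerts. The following Prometheus rule file is an added example, not part of the exporter project: the thresholds, time windows and rule names are assumptions, while the metric names, the client label and the auth0_exporter job name are the ones used on this page.

```yaml
# Added example, not from the exporter project. Thresholds, windows and the
# group/alert names are assumptions; metric names, the client label and the
# auth0_exporter job name come from this page.
groups:
  - name: auth0-exporter-alerts
    rules:
      # Failure ratio over a window, per client. Dividing the raw counters
      # gives the ratio since the exporter started, which hides recent spikes.
      - record: auth0:failed_login_ratio:15m
        expr: |
          sum by (client) (increase(tenant_failed_login_operations_total[15m]))
          /
          (sum by (client) (increase(tenant_login_operations_total[15m])) > 0)

      - alert: Auth0HighFailedLoginRatio
        # The volume guard keeps one failed login on a quiet client from firing.
        expr: |
          auth0:failed_login_ratio:15m > 0.10
          and on (client)
          sum by (client) (increase(tenant_login_operations_total[15m])) >= 20
        for: 10m
        labels:
          severity: warning
        annotations:
          summary: "Failed logins above 10% for client {{ $labels.client }}"
          description: "Failure ratio over the last 15m: {{ $value | humanizePercentage }}"

      - alert: Auth0FailedSignupBurst
        expr: sum by (client) (increase(tenant_failed_sign_up_operations_total[15m])) > 50
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "More than 50 failed signups in 15m for client {{ $labels.client }}"

      # If the exporter is down, the alerts above go silent instead of firing,
      # so alert on the scrape itself.
      - alert: Auth0ExporterDown
        expr: up{job="auth0_exporter"} == 0
        for: 10m
        labels:
          severity: critical
        annotations:
          summary: "Auth0 exporter target {{ $labels.instance }} is not being scraped"
```

Keep the 15m window at several times the scrape interval, otherwise increase() has too few samples to work with.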
Metric | Meaning | Labels |
---|---|---|
tenant_sign_up_operations_total | The total number of signup operations. | client |
tenant_failed_sign_up_operations_total | The number of failed signup operations. (codes: fs) | client |

Metric | Meaning | Labels |
---|---|---|
tenant_login_operations_total | The total number of login operations. | client |
tenant_failed_login_operations_total | The number of failed login operations. (codes: f,fp,fu) | client |

Metric | Meaning | Labels |
---|---|---|
tenant_logout_operations_total | The total number of logout operations. | client |
tenant_failed_logout_operations_total | The number of failed logout operations. (codes: flo) | client |
The other exposed metrics can be found here.
When the Prometheus scrape interval for the job is too short, the exporter might hit the Auth0 API rate limit. To mitigate this, try increasing the scrape interval for the job.
Currently, not all logs/events from Auth0 are exposed. If a metric is not exposed, feel free to open a feature request.
Example Prometheus configuration for the exporter. Replace AUTH0-EXPORTER-HOSTNAME with your instance's hostname.
scrape_configs:
  - job_name: auth0_exporter
    metrics_path: /metrics
    static_configs:
      - targets: ['<<AUTH0-EXPORTER-HOSTNAME>>:9301']
    relabel_configs:
      - source_labels: [ __address__ ]
        target_label: __param_target
      - source_labels: [ __param_target ]
        target_label: instance
      - target_label: __address__
        replacement: <<AUTH0-EXPORTER-HOSTNAME>>:9301
Similar to other Golang projects, this project uses make for building and testing the source code.
Before starting development, add your tenant's Auth0 credentials to env-dev.sh. This helps when developing using Nix.
Once the credentials are added, you can start the development environment with:
$ source env-dev.sh
$ develop
This will boot up a Nix devshell with the needed tools and information.
Everyone is welcome to contribute to the project.
Please see CONTRIBUTING.md for information on how to get started.
Feedback is always appreciated. Whether it's a bug report or a feature request, feel free to open an issue using one of the templates.
Apache 2.0, see LICENSE.md.