Secure authentication allows people to buy products from e-commerce sites, log into social media and email, protect their private information, and much more. Most user-facing web applications include authentication so users can log in securely. If your users have issues logging in to your application, you need to find and fix them as quickly as possible.

There are serious potential issues you can run into regarding authentication. For instance, malicious users may be looking for ways to compromise your application, and security breaches can cost a company millions of dollars.

That’s why it’s important to monitor and log user authentication flows: to proactively detect authentication issues as they happen, to watch your server for changes that do not reflect your usage, and to provide a record that you can audit later if your application is compromised.

But how do you log and monitor authentication flows? In this article, you’ll learn:

  • Why login monitoring and authentication logs are important
  • How to log authentication flows and what information you need to include in your authentication logs
  • Which issues authentication logs can help you find and resolve

The next image shows how an observability platform like New Relic allows you to review your log messages. With New Relic, you can observe patterns in your logs, whether that's issues with billing, recurring errors, or login attempts.

The value of login monitoring using authentication logs

As an observability platform, the New Relic stance on monitoring is simple: you should monitor all the services in your application if possible. That includes logging all the events in your application, including authentication flows. With New Relic, that is as easy as instrumenting your application with an agent and turning on logs in context to automatically start logging all of your application events, including those related to authentication.

Login flows are a very common part of the user experience in many applications. In fact, for applications that rely on user authentication, many of the most important interactions can only happen after a user has logged in. This is true for both user-facing and internal applications. In the case of internal applications, issues with logging in can compromise worker productivity and security.

To make matters more complicated, many companies use multiple authentication systems, such as OAuth and SAML, for different groups of users. Third-party authentication services include Okta, Auth0, and Google, and many companies even create custom authentication solutions, for example using Rails or .NET libraries for authentication. On top of that, authentication flows often depend on other pages, navigation bars, and components, which can also lead to issues that make it difficult to log in.

If you’re dealing with multiple authentication flows and systems, problems with any of them can lead to cascading downstream effects. So how do you ensure you’re properly logging and monitoring these flows?

Take these approaches to monitor authentication:

  • Set up log management if you haven’t already. If you are new to log management, see How to manage an application log. Log management involves instrumenting your services and setting up log forwarding as needed. Once again, you should be logging all events in your application, regardless of whether they are related to authentication. The exception is sensitive data that you don’t want to log, though you have the option to hide or mask sensitive data.
  • Make sure that your authentication logs include attributes that allow you to identify the authentication service where the logs originated. New Relic will handle this for you automatically, but if you are using a custom solution or a platform that doesn’t automatically add identifying data, you should use a standardized format such as JSON and, if needed, customize your authentication logs to ensure they provide useful data you can visualize and analyze. With New Relic, you can also use tags to better organize your data. 
  • Logs are more useful in the context of other relevant telemetry data. If you’re using an observability platform like New Relic, use automatic pattern finding to detect unusual patterns in your logs.

What to include in your auth logs

The New Relic observability platform uses agents that automatically log events for you without the need to install or maintain third-party software. However, if you’re writing your own authentication logs from scratch, they should include the following data:

  • Who: If a user logs into your application, the log should identify that user.
  • What: What action the user took, such as a successful or failed login attempt.
  • When: All logs should include a timestamp, including authentication logs.
  • How: Which login service was used? This information is particularly important if your application uses multiple login services.
  • Where: The log should include the IP address of the user. This can help you pinpoint issues that are specific to certain regions.

You’ll also want your log data to be structured as opposed to unstructured. You can parse structured logs, making it easier to filter and search your logs.

Here’s a basic example of an unstructured log:

6/15/2022 15:34:03: Log in user ‘Albert Einstein’ success

While this includes a timestamp and basic login information about a user, it doesn’t include important information such as the IP address or the service being used. Also, it doesn’t use a format like JSON to make the data easily parseable. That would make it tough to actually analyze authentication log flows if a problem comes up.

Here’s an example of a structured log that’s easier to parse and includes more data:

6/15/2022 15:34:03: { "actionType": "logIn", "service": "rails bcrypt", "user": "Albert Einstein", "ip": "1.1.1.1", "result": "success" }

As you can see, the data is now organized into key-value pairs like actionType and service. This makes it easier to filter and search your log data by specific keys. You could filter by specific services to see how each service is performing, filter by actionType to specifically look at the latency or error rate of ‘logIn’ actions, and so on.
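The following is an added example, not code from New Relic or from the original article: a small emitter that writes the who/what/when/how/where fields as one JSON object per line, masks sensitive values, and filters the result by key. The key names follow the sample log above; the function names, `SENSITIVE_KEYS`, and the `[REDACTED]` marker are assumptions made for this example.

```python
import json
from datetime import datetime, timezone

# Assumed for this example: keys whose values must never be written to a log.
SENSITIVE_KEYS = {"password", "token", "secret", "otp"}
# who, what (action and outcome), how, where; "when" is stamped automatically.
REQUIRED = ("user", "actionType", "result", "service", "ip")


def auth_event(now=None, **fields):
    """Return one JSON log line for an authentication event."""
    missing = [k for k in REQUIRED if not fields.get(k)]
    if missing:
        raise ValueError(f"auth event is missing required fields: {missing}")
    when = now or datetime.now(timezone.utc)
    record = {"timestamp": when.isoformat()}  # ISO 8601 with UTC offset
    for key, value in fields.items():
        # Mask sensitive values instead of logging them.
        record[key] = "[REDACTED]" if key.lower() in SENSITIVE_KEYS else value
    # json.dumps escapes quotes and newlines, so a user-supplied value
    # cannot break the record or start a forged second log line.
    return json.dumps(record, sort_keys=True)


def filter_events(lines, **criteria):
    """Parse JSON log lines; keep events matching every key=value given."""
    events = (json.loads(line) for line in lines)
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    # Constructed sample events.
    log = [
        auth_event(user="Albert Einstein", actionType="logIn", result="success",
                   service="rails bcrypt", ip="1.1.1.1"),
        auth_event(user="Albert Einstein", actionType="logIn", result="failure",
                   service="saml", ip="203.0.113.7", password="not-logged"),
    ]
    for event in filter_events(log, service="saml"):
        print(event)
```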

What if you don’t want to go to the trouble of formatting, creating, and outputting custom logs? With New Relic, you can automatically instrument all the services in your environment and set up logs in context.

Get started with Log Management using New Relic.

What you can potentially find using standardized auth log reports

Monitoring your authentication flows can help you detect these issues:

  • Security threats: For instance, you might see a spike in login attempts or failed login attempts, or in the case of a DoS attack, you might see fewer login attempts.
  • Login errors: A spike in errors or an increase in failed login attempts might indicate that there’s an error in the login process. By ensuring there are logs at each step of the process, including visits to the sign-in page and redirects to success or error pages, you can pinpoint exactly where issues are happening in the process.
  • Login trends: Analyze trends in your login data, ranging from page latency to total sign-ins over time.
  • Manage data for compliance: For data compliance purposes, you may be required to store log data such as security data for an extended period of time. Often security incidents don’t come to light until months or even years later, and you can review archived log data as needed.
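To illustrate the first item in the list above, here is an added example (not from the original article and not New Relic functionality) that scans structured authentication logs for a spike in failed logins from one source. The log lines are constructed, the key names follow the article's sample log, and the threshold and window values are assumptions to tune for your own traffic.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _line(ts, ip, result, service="rails bcrypt", user="Albert Einstein"):
    """Build one constructed JSON log line in the article's key layout."""
    return json.dumps({"timestamp": ts, "actionType": "logIn", "service": service,
                       "user": user, "ip": ip, "result": result})


# Constructed sample data: one noisy source, one normal login, one slow source.
SAMPLE = (
    [_line(f"2022-06-15T15:34:{s:02d}+00:00", "203.0.113.7", "failure")
     for s in range(0, 60, 10)]                      # 6 failures in 50 seconds
    + [_line("2022-06-15T15:34:03+00:00", "1.1.1.1", "success")]
    + [_line(f"2022-06-15T15:{m:02d}:00+00:00", "198.51.100.9", "failure")
       for m in range(30, 36)]                       # 6 failures, one per minute
)


def failed_login_spikes(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {(service, ip): peak} for sources that reach `threshold`
    failed logins inside any sliding `window`."""
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["timestamp"])
    events.sort(key=lambda e: e["ts"])               # logs may arrive out of order

    recent = defaultdict(deque)                      # per-source failure times
    peaks = {}
    for e in events:
        if e.get("actionType") != "logIn" or e.get("result") != "failure":
            continue
        key = (e["service"], e["ip"])
        times = recent[key]
        times.append(e["ts"])
        while e["ts"] - times[0] > window:           # drop failures outside window
            times.popleft()
        if len(times) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(times))
    return peaks


if __name__ == "__main__":
    for (service, ip), peak in failed_login_spikes(SAMPLE).items():
        print(f"spike: {peak} failed logins within 1 minute from {ip} via {service}")
```

Keying on the service as well as the IP address keeps a problem in one login service from being hidden by normal traffic on another.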

With New Relic, you can automatically start monitoring your entire application in minutes, including your login flows, and then visualize and analyze your data using prebuilt dashboards.

Get started with monitoring authentication logs.

Sign up for a free account to start monitoring your authentication logs today.