Okta Audit Logs

Last Updated: Sep. 01, 2022

Coralogix provides a seamless integration with Okta SAML service. You can easily send your Okta audit logs to Coralogix.

Prerequisites

Have Logstash installed, for more information on how to install: https://www.elastic.co/guide/en/logstash/current/installing-logstash.html
logstash-input-okta_system_log plugin installed
- You can use the below command to install it.

logstash-plugin install logstash-input-okta_system_log

General

Private Key – A unique ID that represents your company. The private key can be found under ‘settings’->’ send your logs’. It is located in the upper left corner.

Application Name – The name of your main application, for example, a company named “SuperData” would probably insert the “SuperData” string parameter or if they want to debug their test environment they might insert the “SuperData– Test”.

SubSystem Name – Your application probably has multiple subsystems, for example: Backend servers, Middleware, Frontend servers etc. in order to help you examine the data you need, inserting the subsystem parameter is vital.

Configuration

Here is the Logstash pipeline configuration logstash.conf:

input {
  okta_system_log {
    schedule       => { every => "30s" }
    limit          => 1000
    auth_token_key => "${OKTA_API_KEY}"
    hostname       => "${OKTA_TENANT}.okta.com"
  }
}
filter {
  ruby {code => "
                event.set('[@metadata][event]', event.to_json)
                "}
}

output {
  http {
        url => ""<your cluster singles url>"
        http_method => "post"
        headers => ["private_key", "${CORALOGIX_PRIVATE_KEY}"]
        format => "json_batch"
        codec => "json"
        mapping => {
            "applicationName" => "${CORALOGIX_APP_NAME:Okta}"
            "subsystemName" => "${CORALOGIX_SUB_SYSTEM:Audit}"
            "computerName" => "%{host}"
            "text" => "%{[@metadata][event]}" 
        }
        http_compression => true
        automatic_retries => 5
        retry_non_idempotent => true
        connect_timeout => 30
        keepalive => false
        }
}

Parameters and descriptions

Depending on your accounts geo location you will need to provide a url to the configuration above:

Cluster Name	URL
EU	https://api.coralogix.com/logs/rest/singles
EU2	https://api.eu2.coralogix.com/logs/rest/singles
US	https://api.coralogix.us/logs/rest/singles
SG	https://api.coralogixsg.com/logs/rest/singles
IN	https://api.app.coralogix.in/logs/rest/singles

Docker

Build Docker image with your logstash.conf:

ARG LOGSTASH_VERSION=7.4.2
FROM docker.elastic.co/logstash/logstash:${LOGSTASH_VERSION}
ENV XPACK_MONITORING_ENABLED false
RUN logstash-plugin install --no-verify \
    logstash-input-okta_system_log
COPY logstash.conf /usr/share/logstash/pipeline/logstash.conf

and then create the container:

docker run \
    --detach \
    --name logstash-okta \
    --restart always \
    --env OKTA_API_KEY=YOUR_OKTA_API_KEY \
    --env OKTA_TENANT=YOUR_OKTA_HOSTNAME \
    --env CORALOGIX_PRIVATE_KEY=YOUR_PRIVATE_KEY \
    $(docker build -q .)

or deploy with docker-compose:

version: '3'
services:
  logstash-okta:
    container_name: logstash
    restart: always
    build:
      context: .
      args:
        LOGSTASH_VERSION: 7.4.2
    environment:
      OKTA_API_KEY: YOUR_OKTA_API_KEY
      OKTA_TENANT: YOUR_OKTA_HOSTNAME
      CORALOGIX_PRIVATE_KEY: YOUR_PRIVATE_KEY

If you have any questions or need additional guidance, our support team is available 24/7 via our in-app chat!

Download our logo in high resolution

<img width="96" height="96" src="https://coralogix.com/wp-content/uploads/2020/01/Okta@2x.png" alt="Okta Audit Logs"> Okta Audit Logs