Coralogix integrates with Okta's SAML service, and you can forward your Okta audit logs (the Okta System Log) to Coralogix through Logstash.
Prerequisites:

- Logstash installed. For installation instructions see https://www.elastic.co/guide/en/logstash/current/installing-logstash.html
- Private Key: a unique ID that represents your company. It is found under 'Settings' -> 'Send your logs', in the upper left corner. It authorizes writes into your account, so handle it as a secret.
- Application Name: the name of your main application. For example, a company named "SuperData" would usually insert the "SuperData" string, or "SuperData - Test" when debugging its test environment.
- SubSystem Name: your application probably has multiple subsystems (backend servers, middleware, frontend servers, etc.). Setting the subsystem parameter is vital for narrowing down to the data you need.

This document includes cluster-dependent URLs. Each URL has a variable part (in italics). Replace it with the entry from the row of the following table that matches the top-level domain of your Coralogix account (.com, .in, etc.), taken from the column named in the URL.
| Account TLD | Elasticsearch-API | SSL Certificate | Cluster URL |
|---|---|---|---|
| .com | https://coralogix-esapi.coralogix.com:9443 | https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-EU.crt | coralogix.com |
| .us | https://esapi.coralogix.us:9443 | https://www.amazontrust.com/repository/AmazonRootCA1.pem | coralogix.us |
| .in | https://es-api.app.coralogix.in:9443 | https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-IN.pem | app.coralogix.in |
| .eu2. | https://es-api.eu2.coralogix.com:9443 | https://www.amazontrust.com/repository/AmazonRootCA1.pem | app.eu2.coralogix.com |
| sg.com | https://es-api.coralogixsg.com:9443 | https://www.amazontrust.com/repository/AmazonRootCA1.pem | app.coralogixsg.com |
If the top-level domain of your Coralogix account is not '.com', also set these environment variables for the Logstash container, replacing *Cluster URL* with the matching entry from the table (for example, an '.in' account uses https://api.app.coralogix.in/api/v1/logs):

```
CORALOGIX_LOG_URL=https://api.*Cluster URL*/api/v1/logs
CORALOGIX_TIME_DELTA_URL=https://api.*Cluster URL*/sdk/v1/time
```
Here is the Logstash pipeline configuration, logstash.conf. The Okta API token and the Coralogix private key are read from environment variables rather than written into the file, so the file itself can be checked in:

```
input {
  # Poll the Okta System Log API every 30 seconds, up to 1000 events per poll.
  okta_system_log {
    schedule => { every => "30s" }
    limit => 1000
    auth_token_key => "${OKTA_API_KEY}"
    # OKTA_TENANT is the tenant subdomain only, e.g. "acme" for acme.okta.com.
    hostname => "${OKTA_TENANT}.okta.com"
  }
}
output {
  coralogix {
    config_params => {
      "PRIVATE_KEY" => "${CORALOGIX_PRIVATE_KEY}"
      # Defaults after the colon apply when the variable is unset.
      "APP_NAME" => "${CORALOGIX_APP_NAME:Okta}"
      "SUB_SYSTEM" => "${CORALOGIX_SUB_SYSTEM:Audit}"
    }
    # Events are already JSON; let Coralogix parse their fields.
    is_json => true
  }
}
```

Note that Okta preview organizations live under oktapreview.com rather than okta.com; adjust the hostname accordingly.
Build a Docker image with your logstash.conf. The `--no-verify` flag skips verification of the installed plugins; drop it if your build environment allows the plugins to be verified:

```dockerfile
ARG LOGSTASH_VERSION=7.4.2
FROM docker.elastic.co/logstash/logstash:${LOGSTASH_VERSION}
ENV XPACK_MONITORING_ENABLED false
RUN logstash-plugin install --no-verify \
    logstash-output-coralogix \
    logstash-input-okta_system_log
COPY logstash.conf /usr/share/logstash/pipeline/logstash.conf
```
and then create the container. OKTA_TENANT is the subdomain of your Okta org (the part before .okta.com), not the full hostname. Secrets passed with `--env` are visible to anyone who can run `docker inspect`, so prefer `--env-file` with a protected file or your orchestrator's secret store in production:

```bash
docker run \
  --detach \
  --name logstash-okta \
  --restart always \
  --env OKTA_API_KEY=YOUR_OKTA_API_KEY \
  --env OKTA_TENANT=YOUR_OKTA_TENANT \
  --env CORALOGIX_PRIVATE_KEY=YOUR_PRIVATE_KEY \
  $(docker build -q .)
```

or deploy with docker-compose:
```yaml
version: '3'
services:
  logstash-okta:
    container_name: logstash
    restart: always
    build:
      context: .
      args:
        LOGSTASH_VERSION: 7.4.2
    environment:
      OKTA_API_KEY: YOUR_OKTA_API_KEY
      OKTA_TENANT: YOUR_OKTA_TENANT
      CORALOGIX_PRIVATE_KEY: YOUR_PRIVATE_KEY
```
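To make the pipeline above concrete, here is a stand-alone Python sketch of what the two Logstash plugins do between them: build an authenticated Okta System Log request, follow Okta's Link-header pagination cursor, and wrap the events in a Coralogix bulk payload addressed to the cluster-specific log URL from the table. This is an added example written for this page, not code from Coralogix or from either Logstash plugin. It assumes the Coralogix bulk REST field names (privateKey, applicationName, subsystemName, logEntries with timestamp in milliseconds, a numeric severity and text), the severity mapping in SEVERITY, and a constructed SAMPLE_EVENT; the tenant "acme" and the token values are placeholders.

```python
import json
import re
from datetime import datetime
from typing import Optional
from urllib import request

# "Cluster URL" column of the table above, keyed by account top-level domain.
CLUSTER_URLS = {
    ".com": "coralogix.com",
    ".us": "coralogix.us",
    ".in": "app.coralogix.in",
    ".eu2.": "app.eu2.coralogix.com",
    "sg.com": "app.coralogixsg.com",
}

# Okta System Log severity -> Coralogix numeric severity (1 debug .. 6 critical).
# Assumption: the Logstash plugins may map differently; this is the example's choice.
SEVERITY = {"DEBUG": 1, "INFO": 3, "WARN": 4, "ERROR": 5}

# Constructed sample event in the shape of an Okta System Log entry (not a real event).
SAMPLE_EVENT = {
    "uuid": "00000000-0000-0000-0000-000000000000",
    "published": "2020-01-15T10:23:45.123Z",
    "eventType": "user.session.start",
    "severity": "WARN",
    "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
    "actor": {"alternateId": "alice@example.com", "type": "User"},
    "client": {"ipAddress": "203.0.113.10"},
}


def coralogix_log_url(tld: str) -> str:
    """CORALOGIX_LOG_URL for the account's TLD, built from the table above."""
    return f"https://api.{CLUSTER_URLS[tld]}/api/v1/logs"


def okta_request(tenant: str, token: str, since: str,
                 limit: int = 1000, after: Optional[str] = None) -> request.Request:
    """GET https://<tenant>.okta.com/api/v1/logs using Okta's SSWS token scheme.
    `after` is the pagination cursor Okta returns in its Link header."""
    url = f"https://{tenant}.okta.com/api/v1/logs?since={since}&limit={limit}"
    if after:
        url += f"&after={after}"
    return request.Request(url, headers={
        "Authorization": f"SSWS {token}",  # keep this header out of your own logs
        "Accept": "application/json",
    })


def next_cursor(link_header: str) -> Optional[str]:
    """Return the `after` cursor from the rel="next" link, or None on the last page."""
    for link in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>\s*;\s*rel="next"', link)
        if m:
            q = re.search(r"[?&]after=([^&]+)", m.group(1))
            return q.group(1) if q else None
    return None


def to_coralogix_payload(events, private_key, app_name="Okta", subsystem="Audit"):
    """Wrap Okta events in the Coralogix bulk envelope (field names assumed, see lead-in).
    Each event stays a JSON string in `text` so Coralogix parses its fields,
    which is what is_json => true does in the Logstash output above."""
    entries = []
    for ev in events:
        dt = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        entries.append({
            "timestamp": int(dt.timestamp()) * 1000 + dt.microsecond // 1000,
            "severity": SEVERITY.get(ev.get("severity", "INFO"), 3),
            "text": json.dumps(ev, separators=(",", ":")),
        })
    return {
        "privateKey": private_key,
        "applicationName": app_name,
        "subsystemName": subsystem,
        "logEntries": entries,
    }


def coralogix_request(payload: dict, log_url: str) -> request.Request:
    """POST the bulk payload to the cluster-specific log endpoint."""
    return request.Request(log_url, method="POST",
                           data=json.dumps(payload).encode(),
                           headers={"Content-Type": "application/json"})


if __name__ == "__main__":
    # Offline demonstration on the constructed event. A real poller would loop:
    # urlopen(okta_request(...)) -> next_cursor(resp.headers["Link"]) -> urlopen(coralogix_request(...)).
    payload = to_coralogix_payload([SAMPLE_EVENT], "YOUR_PRIVATE_KEY")
    req = coralogix_request(payload, coralogix_log_url(".com"))
    print(req.full_url)
    print(json.dumps(payload, indent=2))
```

The pagination helper matters for correctness: Okta returns at most `limit` events per call and a `rel="next"` link with an `after` cursor until the window is exhausted, so a poller that ignores the Link header silently drops audit events during bursts such as a credential-stuffing run.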