We're launching a new cybersecurity venture! Learn more about Snowbit >

Create an Account Request Demo

Okta Audit Logs Okta Audit Logs

Last Updated: Mar. 30, 2022

Coralogix provides a seamless integration with Okta SAML service. You can easily send your Okta audit logs to Coralogix.

Prerequisites

General

Private Key – A unique ID that represents your company. The private key can be found under ‘settings’->’ send your logs’. It is located in the upper left corner.

Application Name – The name of your main application, for example, a company named “SuperData” would probably insert the “SuperData” string parameter or if they want to debug their test environment they might insert the “SuperData– Test”.

SubSystem Name – Your application probably has multiple subsystems, for example: Backend servers, Middleware, Frontend servers etc. in order to help you examine the data you need, inserting the subsystem parameter is vital.

Configuration

This document includes cluster dependent URL’s. Each URL has a variable part (in Italic). Please match this part with a row entry within the following table. Copy the table row entry located under the column that matches the top level domain of your Coralogix account (.com, .in etc.). Replace the variable part of the URL with this entry.

 Elasticsearch-APISSL CertificatesCluster URL
.comhttps://coralogix-esapi.coralogix.com:9443https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-EU.crtcoralogix.com
.ushttps://esapi.coralogix.us:9443https://www.amazontrust.com/repository/AmazonRootCA1.pemcoralogix.us
.inhttps://es-api.app.coralogix.in:9443https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-IN.pemapp.coralogix.in
.eu2.https://es-api.eu2.coralogix.com:9443https://www.amazontrust.com/repository/AmazonRootCA1.pemapp.eu2.coralogix.com
sg.comhttps://es-api.coralogixsg.com:9443https://www.amazontrust.com/repository/AmazonRootCA1.pemapp.coralogixsg.com

On host machine

If your Coralogix account top level domain is different than ‘.com’ add these environment variables:

CORALOGIX_LOG_URL=https://api.Cluster URL/api/v1/logs

CORALOGIX_TIME_DELTA_URL=https://api.Cluster URL/sdk/v1/time

Here is the Logstash pipeline configuration logstash.conf:

input {
  okta_system_log {
    schedule       => { every => "30s" }
    limit          => 1000
    auth_token_key => "${OKTA_API_KEY}"
    hostname       => "${OKTA_TENANT}.okta.com"
  }
}
output {
  coralogix {
    config_params => {
      "PRIVATE_KEY" => "${CORALOGIX_PRIVATE_KEY}"
      "APP_NAME"    => "${CORALOGIX_APP_NAME:Okta}"
      "SUB_SYSTEM"  => "${CORALOGIX_SUB_SYSTEM:Audit}"
    }
    is_json => true
  }
}

Docker

Build Docker image with your logstash.conf:

ARG LOGSTASH_VERSION=7.4.2
FROM docker.elastic.co/logstash/logstash:${LOGSTASH_VERSION}
ENV XPACK_MONITORING_ENABLED false
RUN logstash-plugin install --no-verify \
    logstash-output-coralogix \
    logstash-input-okta_system_log
COPY logstash.conf /usr/share/logstash/pipeline/logstash.conf

and then create the container:

docker run \
    --detach \
    --name logstash-okta \
    --restart always \
    --env OKTA_API_KEY=YOUR_OKTA_API_KEY \
    --env OKTA_TENANT=YOUR_OKTA_HOSTNAME \
    --env CORALOGIX_PRIVATE_KEY=YOUR_PRIVATE_KEY \
    $(docker build -q .)

or deploy with docker-compose:

version: '3'
services:
  logstash-okta:
    container_name: logstash
    restart: always
    build:
      context: .
      args:
        LOGSTASH_VERSION: 7.4.2
    environment:
      OKTA_API_KEY: YOUR_OKTA_API_KEY
      OKTA_TENANT: YOUR_OKTA_HOSTNAME
      CORALOGIX_PRIVATE_KEY: YOUR_PRIVATE_KEY

On this page