Coralogix provides a seamless integration with the Okta SAML service. You can easily send your Okta audit logs to Coralogix.
Logstash installed. For more information on how to install, see https://www.elastic.co/guide/en/logstash/current/installing-logstash.html

```bash
logstash-plugin install logstash-input-okta_system_log
```
Private Key – Your Coralogix private key
Application Name – The name of your main application. For example, a company named “SuperData” would probably insert the “SuperData” string parameter, or, if they want to debug their test environment, they might insert “SuperData – Test”.
SubSystem Name – Your application probably has multiple subsystems, for example: backend servers, middleware, frontend servers, etc. Inserting the subsystem parameter is vital to help you examine the data you need.
Here is the Logstash pipeline configuration logstash.conf:
```
input {
  # Poll the Okta System Log API every 30 seconds
  okta_system_log {
    schedule       => { every => "30s" }
    limit          => 1000
    auth_token_key => "${OKTA_API_KEY}"
    hostname       => "${OKTA_TENANT}.okta.com"
  }
}

filter {
  # Serialize the whole event to JSON so it can be sent as the log text
  ruby {code => "
    event.set('[@metadata][event]', event.to_json)
  "}
}

output {
  http {
    # Replace with the singles URL for your cluster
    url         => "<your cluster singles url>"
    http_method => "post"
    headers     => ["private_key", "${CORALOGIX_PRIVATE_KEY}"]
    format      => "json_batch"
    codec       => "json"
    mapping     => {
      "applicationName" => "${CORALOGIX_APP_NAME:Okta}"
      "subsystemName"   => "${CORALOGIX_SUB_SYSTEM:Audit}"
      "computerName"    => "%{host}"
      "text"            => "%{[@metadata][event]}"
    }
    http_compression     => true
    automatic_retries    => 5
    retry_non_idempotent => true
    connect_timeout      => 30
    keepalive            => false
  }
}
```
Depending on your account's geographic location, you will need to provide the matching URL in the configuration above:
Cluster Name | URL |
---|---|
EU | https://api.coralogix.com/logs/rest/singles |
EU2 | https://api.eu2.coralogix.com/logs/rest/singles |
US | https://api.coralogix.us/logs/rest/singles |
SG | https://api.coralogixsg.com/logs/rest/singles |
IN | https://api.app.coralogix.in/logs/rest/singles |
Build a Docker image with your logstash.conf:

```dockerfile
ARG LOGSTASH_VERSION=7.4.2
FROM docker.elastic.co/logstash/logstash:${LOGSTASH_VERSION}
ENV XPACK_MONITORING_ENABLED false
RUN logstash-plugin install --no-verify \
    logstash-input-okta_system_log
COPY logstash.conf /usr/share/logstash/pipeline/logstash.conf
```
and then create the container:

```bash
docker run \
  --detach \
  --name logstash-okta \
  --restart always \
  --env OKTA_API_KEY=YOUR_OKTA_API_KEY \
  --env OKTA_TENANT=YOUR_OKTA_HOSTNAME \
  --env CORALOGIX_PRIVATE_KEY=YOUR_PRIVATE_KEY \
  $(docker build -q .)
```
or deploy with docker-compose:

```yaml
version: '3'
services:
  logstash-okta:
    container_name: logstash
    restart: always
    build:
      context: .
      args:
        LOGSTASH_VERSION: 7.4.2
    environment:
      OKTA_API_KEY: YOUR_OKTA_API_KEY
      OKTA_TENANT: YOUR_OKTA_HOSTNAME
      CORALOGIX_PRIVATE_KEY: YOUR_PRIVATE_KEY
```
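Both deployment options above take the Okta API token and the Coralogix private key as literal values, and logstash.conf appends `.okta.com` to `OKTA_TENANT`. The following pre-flight check for an env file passed with `docker run --env-file` is an added example, not part of the original Coralogix instructions; the file name `okta.env` and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: validate an env file before handing it to `docker run --env-file`.
# The file name okta.env and the function names below are assumptions.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the env file is usable; otherwise print a reason and return non-zero.
check_env_file() {
  local file="$1" key value mode
  [ -f "$file" ] || { echo "missing env file: $file" >&2; return 1; }

  # The file holds two secrets, so only its owner should be able to read it.
  mode="$(file_mode "$file")"
  case "$mode" in
    600|400) ;;
    *) echo "$file has mode $mode, expected 600 or 400" >&2; return 2 ;;
  esac

  # Every variable that logstash.conf reads without a default must be set
  # and must not be one of the YOUR_... placeholders from the instructions.
  for key in OKTA_API_KEY OKTA_TENANT CORALOGIX_PRIVATE_KEY; do
    value="$(sed -n "s/^${key}=//p" "$file" | tail -n 1)"
    case "$value" in
      ''|YOUR_*) echo "$key is unset or still a placeholder" >&2; return 3 ;;
    esac
  done

  # logstash.conf builds "${OKTA_TENANT}.okta.com", so a full hostname or URL
  # here would point the input plugin at the wrong host.
  value="$(sed -n 's/^OKTA_TENANT=//p' "$file" | tail -n 1)"
  case "$value" in
    *[!A-Za-z0-9-]*) echo "OKTA_TENANT must be the bare subdomain, got: $value" >&2; return 4 ;;
  esac
  return 0
}

# Usage, from the directory holding the Dockerfile and logstash.conf:
#   check_env_file okta.env && docker run --detach --name logstash-okta \
#     --restart always --env-file okta.env "$(docker build -q .)"
```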
If you have any questions or need additional guidance, our support team is available 24/7 via our in-app chat!