Okta Log Events Input

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

Okta System Log records events related to your organization and provides an audit trail of platform activity. This input pulls Okta Log Event objects into Graylog so you can perform further analysis of the activity occurring in your organization.

Required Third-Party Setup

To enable integration, complete the following required setup with your third-party service:

In your third-party configuration, set the following values to integrate with Graylog:

  • In order for Graylog to pull system logs from an Okta tenant, an API key must be generated with the appropriate level of access. Please follow this guide to create an API key.

Required Configuration Values

In your third-party configuration, make note of the following values that are required when configuring the input in Graylog:

  • API key

Input Type

This input is a pull input type. See Inputs to learn about input types.

Associated Illuminate Content Pack

This log source has associated Illuminate content:

Hint: If an Illuminate pack is available for your log source, enable it before configuring an input to avoid creating duplicate entities.

Input Configuration

Follow the input setup instructions. During setup of this input, you can configure the following options:

Configuration Option Description

Global

Select this check box to enable the input on all Graylog nodes, or keep it unchecked to enable the input on a specific node.

Node

Select the Graylog node this input will be associated with.

Title

Assign a unique title to the input. Example: Okta Input for XYZ Source.

Domain name

Your Okta Domain (also known as Okta URL). Copy your domain from the Okta Developer Console. For information on finding your domain, see: https://developer.okta.com/docs/guides/find-your-domain/overview/

API key

The token used to authenticate Graylog’s requests to Okta. Create an API token on the Okta Developer Console. For information on creating an Okta API token, see: https://developer.okta.com/docs/guides/create-an-api-token/overview/

Pull Log Events Since

The lower time bound of the Okta log events. Determines how much historical data Graylog pulls from Okta when the input starts. If not provided, one polling interval of historical data is pulled. The timestamp must be in ISO-8601 format.

Polling interval

Determines how often the input will check for new log data stored in Okta. The default is 30 seconds and the lowest allowable value is 5 seconds.

Polling interval time unit

Choose the interval time unit for polling (Hours, Seconds or Minutes).

Allow throttling this input (Checkbox)

Enables Graylog to stop reading new data for this input whenever the system falls behind on message processing and needs to catch up.

Store Full Message? (Checkbox)

Permits Graylog to store the raw log data in the full_message field for each log message. Selecting this option can result in a significant increase in the amount of data stored.

Keyword filter (optional)

The keyword filter is optional and filters log event results. Keyword filters cannot have more than 10 keywords (space-separated) and keywords cannot have more than 40 characters.
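
A pre-flight check for the values in the table above, as an added example (not Graylog's code): it applies the documented limits and builds the Okta System Log API URL (`/api/v1/logs` with `since` and `q`) for a manual test. The config key names, the placeholder domain, and the mapping of Keyword filter to Okta's `q` parameter are assumptions; this page does not describe how Graylog forms its requests.

```python
from datetime import datetime
from urllib.parse import urlencode, urlsplit

UNIT_SECONDS = {"Seconds": 1, "Minutes": 60, "Hours": 3600}

def validate_input(cfg):
    """Return a list of problems found in the planned input values (empty = OK)."""
    errors = []
    # Polling interval: the lowest allowable value is 5 seconds.
    seconds = cfg["polling_interval"] * UNIT_SECONDS[cfg["polling_unit"]]
    if seconds < 5:
        errors.append("polling interval below 5 seconds")
    # Pull Log Events Since: optional, must be ISO-8601 when given.
    since = cfg.get("since")
    if since:
        try:
            datetime.fromisoformat(since.replace("Z", "+00:00"))
        except ValueError:
            errors.append("since is not an ISO-8601 timestamp")
    # Keyword filter: optional, space-separated, max 10 keywords of max 40 chars.
    keywords = cfg.get("keyword_filter", "").split()
    if len(keywords) > 10:
        errors.append("more than 10 keywords")
    errors += [f"keyword too long: {k[:12]}..." for k in keywords if len(k) > 40]
    return errors

def logs_url(cfg):
    """Build the System Log URL for a manual check (assumed mapping, see lead-in)."""
    domain = cfg["domain"]
    # Accept either a bare domain or a full URL and always emit https.
    host = urlsplit(domain if "//" in domain else "//" + domain).hostname
    params = {}
    if cfg.get("since"):
        params["since"] = cfg["since"]
    if cfg.get("keyword_filter"):
        params["q"] = cfg["keyword_filter"]
    return f"https://{host}/api/v1/logs" + ("?" + urlencode(params) if params else "")

# Constructed sample values; the domain is a placeholder, not a real tenant.
SAMPLE = {
    "domain": "tenant.okta.example",
    "polling_interval": 30, "polling_unit": "Seconds",
    "since": "2024-01-01T00:00:00Z",
    "keyword_filter": "user.session.start FAILURE",
}

if __name__ == "__main__":
    print(validate_input(SAMPLE) or "values OK")
    print(logs_url(SAMPLE))
```

Requesting the resulting URL with the API key in Okta's `Authorization: SSWS <token>` header confirms that the token can read the System Log before the input is started.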

Next Steps

After you complete input setup, visit Input Diagnosis for testing and validation of the new input. Use this functionality to help troubleshoot any connection issues.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: