Okta Contextual Logs
This tutorial demonstrates how to integrate Okta with Coralogix using either a pulling integration or AWS EventBridge to send your contextual data logs for analysis.
Overview
Okta generates various logs that capture user authentication and authorization events, such as login attempts, user provisioning, and access management. These logs contain valuable information about user activities, security events, and system behavior within your Okta environment.
Coralogix offers two methods to collect and analyze your Okta logs:
Pull Integration: Coralogix can ingest your Okta contextual data logs at specified intervals using our pulling integration.
AWS EventBridge Integration: Alternatively, you can use AWS EventBridge to stream Okta System Log events in real-time to Coralogix.
Both methods allow you to gain insights into system behavior within our platform and troubleshoot problems that arise, with the key difference being pull vs. push-based architecture.
Benefits include:
Security Monitoring. Coralogix enables you to monitor user authentication and access events, detect suspicious activities, and identify potential security threats. Identify patterns, anomalies, and indicators of compromise so that you can respond swiftly to security incidents.
Compliance and Auditing. By collecting and analyzing the context data logs, Coralogix helps you meet regulatory compliance requirements. It provides the ability to track and audit user activities, generate compliance reports, and ensure adherence to industry standards.
Operational Insights. Our monitoring platform allows you to identify usage patterns, troubleshoot issues, track performance metrics, and optimize your Okta environment for improved efficiency.
Using Pull Integration
Permissions
You must have Okta Admin permissions for:
Creating users (Users > Manage users > Create users).
Viewing roles, resources, and admin assignments (Identity and Access Management > View roles, resources, and admin assignments).
Create Okta API Token
Log into your Okta portal with admin credentials and navigate to Directory > People.
Select Add person and create a user to be used for this integration.
Navigate to Security > Administrators and select Add administrator.
In Select admin, select the user you created and assign it the Read-only Administrator role. Then save your changes.
Log into Okta as the new user created according to procedures detailed above.
Navigate to Security > API > Tokens tab.
Select Create token, and copy the token value.
Pull-Integration Configuration
In your Coralogix dashboard, navigate to Data Flow > Contextual Data.
In the Contextual Data section, locate Okta and click on ADD.
Enter the integration details.
- Integration Name
- Account Name (This will appear in your Coralogix UI as your subsystem name.)
- Okta Domain
- Okta API key. Enter previously-copied token value (see step 7).
Click CONNECT to trigger the integration. Your pulled Okta logs should appear in your Coralogix dashboard.
[Optional]** To minimize the Okta admin permission level, limiting it to viewing logs, follow these steps:
- Log into your Okta portal again with admin credentials.
- Navigate to Security > Administrators > Admins tab.
- Edit the new admin that you created, and change the role to Report Administrator. Then, save the changes.
[Recommended] To enhance your monitoring capabilities, select the corresponding extension and deploy it.
Learn more about our Extension Packages here.
Using AWS EventBridge
As an alternative to the pull integration described above, you can use AWS EventBridge to stream Okta System Log events to your AWS environment and then forward them to Coralogix. This push-based approach provides real-time log delivery without the need for API polling.
You'll need to set up an API Destination to Coralogix under AWS EventBridge. Follow our AWS EventBridge integration guide to create and configure the API Destination before proceeding with the Okta log streaming setup.
Prerequisites
- Super admin access to your Okta account
- AWS account with appropriate permissions to configure EventBridge
- Your AWS account ID and preferred region
- An EventBridge API destination to Coralogix already configured following this guide
Configure Okta Log Streaming
In the Okta Admin Console, navigate to Reports > Log Streaming.
Click Add Log Stream to start the wizard.
Select AWS EventBridge from the catalog and click Next.
Fill in the configuration details:
- Name: Provide a unique name for this log stream in Okta
- AWS Event Source Name: Create a unique name without special characters or spaces.
- AWS account ID: Enter your 12-digit AWS account identifier
- AWS region: Select the AWS region closest to your EventBridge target.
Click Save. The log stream should appear on the Log Streaming page with "Active" status.
Create an Event Bus
In the AWS console, go to Amazon EventBridge.
Select Partner event sources from the Integration section of the navigation panel.
Find your partner event source with the format: aws.partner/okta.com/yourOktaSubdomain/yourAWSEventSourceName.
Select the log stream and click Associate with an event bus.
Configure required permissions and click Associate.
The partner event source is now associated with an event bus of the same name.
Create a Rule
Create a EventBridge Rule to route events into a API Destination configured to Coralogix.
The API Destination to Coralogix should appear under EventBridge > Integration > API destinations.
If you have not already created an EventBridge API destination to Coralogix follow our AWS EventBridge Integration Guide
Under Buses > Rules, select the newly created event bus and click Create rule.
Set the Name and the Event bus as your partner event source.
Set the Rule type as Rule with an event pattern.
Select AWS events or EventBridge partner events option.
Configure the Event pattern:
Select Use pattern form as the Creation method.
Select EventBridge partners as the Event source.
Select Okta as the Partner.
Select All Events as the Event type or any specific event type.
Click Next.
Create a target for this rule and configure the API destination to Coralogix:
Select EventBridge API destination as the Target type.
Select Use an exisiting API destination and select the Coralogix API destination created.
Create or Assign an IAM role for execution.
Review & Create the EventBridge Rule.
Check your Coralogix dashboard to see the incoming Okta logs.
The logs will have a similar structure as the following example:
{
"version": "0",
"id": "4ab6d852-09e9-1036-fc04-2e22004b3c3f",
"detail-type": "SystemLog",
"source": "aws.partner/okta.com/coralogix/okta-events",
"account": "999999999999",
"time": "2023-05-30T14:17:58Z",
"region": "us-east-1",
"resources": [],
"detail": {
"actor": {
"id": "00uttidj04jqI21bA1d6",
"type": "User",
"alternateId": "user@customer.biz",
"displayName": "A User",
"detailEntry": null
},
"client": {
"userAgent": {
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"os": "Mac OS X",
"browser": "CHROME"
},
"zone": "null",
"device": "Computer",
"id": null,
"ipAddress": "127.0.0.1",
"geographicalContext": {
"city": "Fictionville",
"state": "Pennsylvania",
"country": "United States",
"postalCode": "19513",
"geolocation": {
"lat": 41.1286,
"lon": -73.4835
}
}
},
"device": null,
"authenticationContext": {
"authenticationProvider": null,
"credentialProvider": null,
"credentialType": null,
"issuer": null,
"interface": null,
"authenticationStep": 0,
"externalSessionId": "102BoThue9qT2uRBdaO_Z9msg"
},
"displayMessage": "User accessing Okta admin app",
"eventType": "user.session.access_admin_app",
"outcome": {
"result": "SUCCESS",
"reason": null
},
"published": "2023-05-30T14:17:58.126Z",
"securityContext": {
"asNumber": 6167,
"asOrg": "verizon",
"isp": "verizon",
"domain": "myvzw.com",
"isProxy": false
},
"severity": "INFO",
"debugContext": {
"debugData": {
"requestId": "ZHYFlX6QY0rHqq1oihP7CwAACSI",
"dtHash": "e463841eed07369aeb7ace43a41fcef75ccefa573ced0420039c16b0e3d7cc99",
"requestUri": "/admin/sso/callback",
"url": "/admin/sso/callback?code=******&state=vdC6CnQXeZqyxBJKBVmtej9wMnF4nM1r"
}
},
"legacyEventType": "app.admin.sso.login.success",
"transaction": {
"type": "WEB",
"id": "ZHYFlX6QY0rHqq1oihP7CwAACSI",
"detail": {}
},
"uuid": "c6ed294a-fef4-11ed-a5b1-bbb7c1de1a4b",
"version": "0",
"request": {
"ipChain": [
{
"ip": "127.0.0.1",
"geographicalContext": {
"city": "Fictionville",
"state": "Pennsylvania",
"country": "United States",
"postalCode": "19513",
"geolocation": {
"lat": 41.1286,
"lon": -73.4835
}
},
"version": "V4",
"source": null
}
]
},
"target": [
{
"id": "00uttidj04jqI21bA1d6",
"type": "AppUser",
"alternateId": "user@evership.biz",
"displayName": "A User",
"detailEntry": null
}
]
}
}
Additional Resources
| Documentation | Okta Audit Logs |
| Blog | Okta Log Insights with Coralogix |
Support
Need help?
Our world-class customer success team is available 24/7 to walk you through your setup and answer any questions that may come up.
Feel free to reach out to us via our in-app chat or by sending us an email at support@coralogix.com.
Light
light
dark
User Guides
DataPrime
Integrations
OpenTelemetry
Developer Portal