Exporting Okta Log Data Skip to main content
https://support.okta.com/help/oktaarticledetailpage?childcateg=&id=ka02a000000bnemsay&source=documentation&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fdocumentation%2fknowledge_article%2fexporting-okta-log-data
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Average Rating:
Exporting Okta Log Data
Published: May 23, 2017   -   Updated: Mar 6, 2018

Okta generates large amounts of data that customers may find useful. This document provides information about the various methods you can use to access and ingest that data.

Notes: For information about our general data retention policy, see Okta Data Retention Policy.


Contents


Okta's System Log and Reports

Okta includes a robust System Log and also many reports you can run to collect and analyze, and also export, data.

System Log

Our System Log (Reports > System Log) displays detailed information about different types of events over a specified time range:

User-added image

In addition to customizing and filtering the system log based on your own requirements, you can also download a .csv file of events for your own use by clicking the Download CSV link above the Events table.

Note: Log data older than 3 month is not accessible in the System Log (see the Okta Data Retention Policy). If you wish to access data older than 3 months, you can download it from our deprecated System Log by pointing your browser to /report/system_log

See our online help topic about our System Log for more details.

Reports

The Reports page displays report data that details how your end users leverage their Okta accounts. Data includes information such as app usage and access, deprovisioning details, and the exposure of suspicious activity, including OpenID Connect events.

To run any report, click the report name, enter the parameters at the top of the screen, and finally click Run Report. After running a report, click the Download CSV link to obtain a csv version for your own use.

See our online help topic about Reports for more details.


SIEM Integrations

Note: All 3rd party tools utilize the Okta API to acquire and manage Okta log data. Okta supports the API but does not support 3rd party or open source tooling and integration.

We provide various ways to ingest data to Security Information and Event Management (SIEM) solutions. Here are some examples:

Splunk

Splunk customers can leverage a Splunk supported tool to query the Okta API. To obtain the tool, and for usage details, see: https://splunkbase.splunk.com/app/2806/​

QRadar

For details, see: http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.dsm.doc/r_supported_dsm_list.html?lang=en

SumoLogic

For details, see: https://github.com/SumoLogic/okta-events

ELK / ElasticSearch

For details, see:

Rapid7

For details, see: https://www.rapid7.com/docs/Okta-UserInsight-Solution-Brief.pdf

LogRythm

For details, see:


API Integrations

Note: All 3rd party tools utilize the Okta API to acquire and manage Okta log data. Okta supports the API but does not support 3rd party or open source tooling and integration.

We provide the ability to integrate with all SIEMs using our logs and events APIs. Using these APIs, you can poll for new data and continually push that data into your SIEM.

For details see:


Community Solutions

Note: We will collect and reference a few community provided options. Okta supports the API but does not support the solutions referenced below.

Bulk Export Using Powershell

The following solution will do a bulk export of data from the events API using Powershell:

https://github.com/mbegan/Okta-Scripts/blob/master/saveEventLogs.md

Post a Comment

Comments

  • Bill Blaney on August 11, 2017

    FYI, AlienVault's USM Anywhere app now includes connectivity to Okta log data:

    AlienApp for Okta: This release includes the new AlienApp for Okta which enhances the threat detection capabilities of USM Anywhere by collecting and analyzing log data from Okta. The AlienApp for Okta regularly queries the Okta API for information such as authentication events, user profile updates, user state changes, application and group assignment, and Okta platform changes. This data is parsed and displayed as Events and Alarms in the USM Anywhere interface and summarized in a new dashboard view.  

    https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/apps/alienapp-okta-config.htm