Okta's Enhanced System Log Report - Part I

Jul 21, 2016 | by Eric Karlinsky in Security
For years, Okta has provided over a dozen reports that allow admins to view usage and other events in the system in a convenient and performant way. These reports were widely used by customers, especially the System Log report. Of course, things can always be better and Okta customers have provided great feedback about our reporting capabilities over time. The most popular request - by far - was the ability to customize reports. This month, Okta released its enhanced system log, powered by Okta’s new platform-level big data analytics service.

Here is the original problem: custom reports - at least most implementations thereof (that we’ve seen) - suck! They’re slow, they can be confusing, and some even require that admins learn a new skill set, like SQL. Put bluntly, it’s a poor admin experience, and that’s not the Okta way.

Reporting is just a manifestation of logging – that is, reports can only be as good as the information that's gathered and organized in the system. We knew this endeavor had to be more than a facelift of our existing reports to satisfy the needs of Okta admins. And of course, we've got plans: we want to be the secure connection between people and technology. To that end, the more visibility we have and the more actionable intelligence we are able to leverage, the stronger the Okta product is going to be across the board.

That’s why, over a year ago, Okta went back to the drawing board. We completely overhauled our logging infrastructure so that event data could be fetched in real time and with low latency (and I mean real time: events show up in the log in under 10 milliseconds). On top of that, we built a brand new presentation layer, dubbed the System Log, to allow admins to interact with the data and use filters to customize what’s displayed - all while surfacing even more data about each specific event.

I'm excited to introduce the new System Log to you in a two-part blog series. Today, we'll cover the basics, and later we'll up the ante and cover some other cool features that may not be readily apparent. Let's get started!

First things first, here's the System Log of old:
[Screenshot: Old System Log]

And here’s what the System Log looks like now:

[Screenshot: New System Log]

You'll immediately notice that the UI has completely changed. Let's talk about the latest enhancements (we'll get into all the details later in the post): 
  • Events are logged in real time. Seriously. Event-to-log times average less than 10 milliseconds.
  • You can now change the time zone of all System Log events.
  • You can filter the System Log using either Basic partial string queries or Advanced Filtering.
  • You can view events in a list view or map view.
  • Dozens of metadata attributes are now stored and presented for each event, so you can drill down to your heart's content.
Remember how I mentioned the platform-level big data analytics service? This truly covers it all!
Less talking; more doing? Well then, let’s get all Hands-On with it.

Time Zone Selection

Events display in the time zone of your choice. For example, if you choose Eastern Daylight Time (EDT) in the drop-down, your events will display with that adjustment. And if you change to Pacific Daylight Time (PDT) in the drop-down, the same events will be adjusted to match the chosen time zone.

This makes it a lot easier for admins all over the globe to triage events and investigate any incidents. Pretty cool, huh? We're just getting started...

Simple Search

The new features of System Logs allow admins to search the logs and/or apply filters in real time. Try it: Search for all or part of a user's name and click the magnifying glass.

Notice that the events in the System Log are filtered to include only events where an attribute matches that string. In this case, it's all of the events that were done to or by "Eric".

This is called partial string search and it's a quick and dirty way to filter down the thousands of events in the System Log report to a more manageable set.

Map View

Those of you with a keen eye will have noticed that there is another button at the top-left part of the events pane.

When you click on that you’ll notice something pretty cool:

[Screenshot: map view of System Log events]
A map view!

All applicable events in the System Log are tagged with geolocation data, which means they can be plotted on a map. The screenshot above shows a density diagram for where events in this org have occurred over the given timeframe. You can see a lot of activity around the United States, some in the EU, and a little bit more down in Australia. You can always flip back and forth from the map to the list view in the report. And yes, the data set is the same in both views, so the map shows only the results from your current search filters (in this case “Eric”).

Feel free to zoom in and out and drag the map around - you’ll get even more detail:


Now you can see at-a-glance where authentication activity in your organization is happening and find suspicious locations with ease.
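
The search, time zone and map behaviour described above can be reproduced offline on exported events when triaging. This is an added example, not Okta's code; the event records and their field names, the fixed EDT/PDT offsets and the case-insensitive matching are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events; field names are illustrative, not Okta's schema.
EVENTS = [
    {"when_utc": "2016-07-21T02:30:00", "actor": "Eric Karlinsky",
     "target": "Salesforce", "event": "User single sign on to app", "country": "US"},
    {"when_utc": "2016-07-21T03:10:00", "actor": "Admin User",
     "target": "eric.karlinsky@example.com", "event": "Reset password", "country": "DE"},
    {"when_utc": "2016-07-21T04:00:00", "actor": "Dana Lee",
     "target": "Box", "event": "User single sign on to app", "country": "AU"},
    {"when_utc": "2016-07-21T05:45:00", "actor": "Eric Karlinsky",
     "target": "Admin Console", "event": "User login", "country": "US"},
]

# Fixed offsets for the two zones named in the post (assumption: no DST lookup).
ZONES = {"EDT": timezone(timedelta(hours=-4), "EDT"),
         "PDT": timezone(timedelta(hours=-7), "PDT")}

def _strings(value):
    """Yield every scalar in a (possibly nested) event record as a string."""
    if isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _strings(v)
    elif value is not None:
        yield str(value)

def simple_search(events, needle):
    """Partial string search: keep events where any attribute contains needle."""
    n = needle.casefold()
    return [e for e in events if any(n in s.casefold() for s in _strings(e))]

def display_time(event, zone):
    """Render the stored UTC instant in the chosen zone; the instant is unchanged."""
    utc = datetime.fromisoformat(event["when_utc"]).replace(tzinfo=timezone.utc)
    return utc.astimezone(ZONES[zone]).strftime("%Y-%m-%d %H:%M %Z")

def map_counts(events):
    """Per-country counts, the aggregate a density map plots."""
    return Counter(e["country"] for e in events if e.get("country"))

if __name__ == "__main__":
    hits = simple_search(EVENTS, "eric")          # events done to or by "Eric"
    for e in hits:
        print(display_time(e, "EDT"), "|", display_time(e, "PDT"), "|", e["event"])
    print(map_counts(hits))                       # map reflects the same filter
```

Note that the first event falls on 2016-07-20 in both EDT and PDT although it is stored as 2016-07-21 UTC, which matters when correlating against other log sources by date.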

Simple Search and a Map View are handy and quick ways to visualize Okta event data. In the second part of this blog series, I will up the ante with Advanced Search, which lets you filter data more precisely. If you have questions about the System Log enhancements, submit a question on the community, tweet at us @Okta or send an email to community@okta.com.