Administrators access and export Okta System Log events through the Okta Admin Console, the System Log Application Programming Interface (API), Log Streaming, and third-party integrations. The Okta System Log records organizational events for audit, troubleshooting, and security analysis purposes. Okta retains System Log events for 90 days. Review the Customer Data Retention Policy for more information.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- System Log
How are System Log events accessed and exported in the Okta Admin Console?
Navigate to the System Log in the Okta Admin Console, modify the search parameters, and download the results as a Comma-Separated Values (CSV) file.
- Navigate to Reports > System Log.
- Modify the time and date range using the provided controls.
- Construct a System Log query manually using the search input, or use the Advanced Filters dialog to help build a query.
- Review the summary of event counts for the selected range.
- Choose the Download CSV option at the top of the events table to export the data.
The CSV file contains the events that match the provided query, up to the limit specified in "What is the Maximum Number of Rows Allowed for a CSV Export of Okta System Logs".
NOTE: Okta retains System Log events for 90 days per the Customer Data Retention Policy. If events require a longer retention period, utilize the automated interfaces for exporting System Log events detailed in the subsequent sections.
How does the System Log API automate access to events?
Okta provides System Log events through the System Log API. The API automates access to System Log events for application development, automation, and continuous export. Develop a custom integration or automation to interact with the System Log API, or utilize a third-party provider that offers pre-built connectors.
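The following is an added example, not Okta's code or any vendor's connector. It shows the polling pattern a custom integration can use against the System Log API: follow the `rel="next"` Link header until a page comes back empty, keep the last link as the checkpoint for the next poll, and refuse any link that leaves the org host so the API token is never sent elsewhere. The org URL `https://org.example`, the cursors, the sample events, and the function names are constructed for illustration.

```python
# Added example: System Log API polling loop; names and sample data are illustrative.
import json
import re
import urllib.request
from urllib.parse import urlencode, urlsplit

NEXT = re.compile(r'<([^>]+)>;\s*rel="next"')

def start_url(org_url, since):
    # Oldest-first from `since` (ISO 8601) with no `until`, so the query can be polled.
    query = urlencode({"since": since, "sortOrder": "ASCENDING", "limit": 1000})
    return f"{org_url}/api/v1/logs?{query}"

def http_fetch(url, token):
    """Real transport: GET one page, return (events, Link header values)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"SSWS {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), resp.headers.get_all("Link") or []

def next_link(link_headers):
    match = NEXT.search(", ".join(link_headers))
    return match.group(1) if match else None

def poll(url, fetch, sink, max_pages=50):
    """Drain pages from `url`; return the checkpoint URL to persist for the next poll."""
    host = urlsplit(url).netloc
    for _ in range(max_pages):
        events, links = fetch(url)
        for event in events:
            sink(event)
        nxt = next_link(links)
        if nxt and urlsplit(nxt).netloc != host:
            raise ValueError(f"next link leaves {host}: {nxt}")  # keep the token on one host
        if not nxt or not events:
            return nxt or url  # caught up: resume from here later
        url = nxt
    return url

ORG = "https://org.example"  # constructed placeholder org, cursors and events
P1 = start_url(ORG, "2024-01-01T00:00:00Z")
P2, P3 = f"{ORG}/api/v1/logs?after=c1", f"{ORG}/api/v1/logs?after=c2"
PAGES = {P1: ([{"uuid": "a"}, {"uuid": "b"}], [f'<{P2}>; rel="next"']),
         P2: ([{"uuid": "c"}], [f'<{P2}>; rel="self", <{P3}>; rel="next"']),
         P3: ([], [f'<{P3}>; rel="next"'])}

def demo():
    seen = []
    return poll(P1, PAGES.__getitem__, seen.append), [e["uuid"] for e in seen]
```

Against a real org, pass `lambda u: http_fetch(u, token)` as `fetch` and store the returned checkpoint URL between runs; events older than the 90-day retention window cannot be recovered by a later poll.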
How does Log Streaming send events to third-party platforms?
Okta Log Streaming configures Okta to automatically send System Log events to supported third-party platforms, such as a Splunk Cloud instance or an Amazon Web Services (AWS) account. Log Streaming obtains all System Log events for the organization at low latency. Configure Log Streaming in the Okta Admin Console or by using a configuration API.
Refer to the provided documentation to configure log streams via the API.
Which third-party integrations ingest Okta System Log events?
Organizations ingest System Log events into third-party platforms for security and incident detection, application monitoring, and custom application logic. Many third-party providers develop connectors to ingest Okta System Log events into their platforms. Administrators configure and authorize these connectors. The connectors utilize the System Log API and implement polling requests to retrieve new System Log events on a regular basis.
Okta supports the System Log API but does not support third-party System Log integrations or connectors. Contact the third-party provider for assistance with connector issues or questions.
Access the provided links to review information about commonly used third-party System Log connectors.
- Splunk
- AWS EventBridge
  - NOTE: AWS EventBridge utilizes Log Streaming to obtain System Log events from Okta. Some third-party providers, such as Oort, utilize EventBridge to collect System Log events. Review the Okta AWS EventBridge Streaming Integration for more details.
- Google Chronicle
- SumoLogic
- Elasticsearch / ELK Stack
- DataDog
- Rapid7
- LogRhythm Okta Beat
How do Okta Workflows interact with System Log events?
Okta Workflows provides a platform for identity process automation and integration. Okta Workflows is not a recommended option for the ongoing export of all System Log events, but it facilitates selective automation or integrations.
