The Okta System Log records events in the organization that may be of interest for purposes such as audit, troubleshooting, and security analysis. These events are made available in the org through several interfaces, including the Okta Admin Console, the System Log API, Log Streaming, and third-party integrations from cloud services providers such as Splunk and LogRhythm.
This article describes the various interfaces that can be used to access and export System Log events and provides references to commonly used integrations.
System Log events are retained in Okta for a period of 90 days. For more information about Okta’s data retention policy, refer to our Customer Data Retention Policy.
For information about how to access and export System Log in the Okta admin console, check out this video:
- System Log
Access the System Log in the Okta Admin Console
The System Log is found in the navigation sidebar of the admin console at the path Reports > System Log. The System Log interface in the Admin Console provides a detailed view of events as well as:
- Controls to modify the time and date range
- A search input that can be used to manually construct a System Log query, and an Advanced Filters dialog to assist in building a query
- A summary of event counts for the range selected
- A capability to download the results of a query as a CSV
In order to export System Log events, use the Download CSV option, which is found at the top of the table of events. The CSV file contains the events that match the query provided up to the limit specified in What is the Maximum Number of Rows Allowed for a CSV Export of Okta System Logs.
NOTE: System Log events are retained for 90 days per Okta’s Customer Data Retention Policy. If events need to be retained for a longer period, refer to subsequent sections of this document, which explain the automated interfaces for exporting System Log events.
System Log API
Okta provides System Log events through an API. The API is a powerful way to automate access to System Log events for application development, automation, and continuous export.
Either develop a custom integration or automation that interacts with the System Log API, or use a third-party provider that has developed such a connector. More information about third-party connectors is available in the Integrations section later in this document.
Log Streaming
Okta Log Streaming provides a way to configure Okta to automatically send System Log events to supported third-party platforms, such as a Splunk Cloud instance or an Amazon AWS Account. Log Streaming is a good choice to obtain all System Log events for the org at low latency. Configure Log Streaming in the Admin Console or using a configuration API. See the documentation below to learn more:
Integrations
Many customers wish to ingest System Log events into third-party platforms for use cases such as:
- Security and incident detection and response with a platform like Splunk
- Application monitoring with a platform like SumoLogic or DataDog
- Custom application logic with a platform like Amazon Web Services
Many third-party providers have developed connectors that ingest Okta System Log events into their platforms; these connectors can be configured and authorized in the org. The connectors use the System Log API (see the System Log API section) and are typically implemented as polling requests that fetch new System Log events on a regular basis for ingestion into the target platform.
Okta supports the System Log API but does not support third-party System Log integrations or connectors. If you plan to use one of these connectors and experience issues or have questions, contact the third-party provider first.
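The polling pattern described above, and the custom integration mentioned in the System Log API section, as an added example that is not Okta's or any vendor's connector code: it follows the `rel="next"` Link header of `/api/v1/logs` until an empty page, de-duplicates on event `uuid`, and returns the cursor URL to persist for the next poll. The org URL, cursor values, sample events and function names are constructed for illustration; `http_fetch` shows the real request shape (SSWS token header) but is not called by the offline demo.

```python
import json
import re
import urllib.request

BASE = "https://example.okta.com/api/v1/logs"  # placeholder org URL (assumption)
START = BASE + "?since=2024-01-01T00:00:00Z&sortOrder=ASCENDING&limit=2"
NEXT_LINK = re.compile(r'<([^>]+)>;\s*rel="next"')

def http_fetch(url, api_token):
    """GET one page; returns (events, combined Link header)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"SSWS {api_token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), ", ".join(resp.headers.get_all("Link") or [])

def poll_once(start_url, fetch, seen_uuids, max_pages=50):
    """Drain new events from start_url; returns (new_events, checkpoint_url).

    Persist checkpoint_url and pass it as start_url on the next poll.
    """
    url, new_events = start_url, []
    for _ in range(max_pages):
        events, link_header = fetch(url)
        for ev in events:
            if ev["uuid"] not in seen_uuids:  # drop replayed events
                seen_uuids.add(ev["uuid"])
                new_events.append(ev)
        match = NEXT_LINK.search(link_header or "")
        if match:
            url = match.group(1)  # advance the cursor
        if not events or not match:
            break  # caught up; resume from url on the next poll
    return new_events, url

# Constructed responses (not real log data); "a2" is replayed on purpose.
SAMPLE_PAGES = {
    START: ([{"uuid": "a1", "eventType": "user.session.start"},
             {"uuid": "a2", "eventType": "user.authentication.auth_via_mfa"}],
            f'<{START}>; rel="self", <{BASE}?after=c1&limit=2>; rel="next"'),
    BASE + "?after=c1&limit=2": (
        [{"uuid": "a2", "eventType": "user.authentication.auth_via_mfa"},
         {"uuid": "a3", "eventType": "user.session.end"}],
        f'<{BASE}?after=c2&limit=2>; rel="next"'),
    BASE + "?after=c2&limit=2": ([], f'<{BASE}?after=c2&limit=2>; rel="next"'),
}

if __name__ == "__main__":
    events, checkpoint = poll_once(START, SAMPLE_PAGES.__getitem__, set())
    print([e["uuid"] for e in events], checkpoint)
```

Against a live org, pass `lambda u: http_fetch(u, token)` as `fetch` and store the returned checkpoint durably, since events older than the 90-day retention window cannot be re-read.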
Refer to the following links for information about commonly used third-party System Log connectors:
- Splunk
- AWS EventBridge
- NOTE: AWS EventBridge utilizes Log Streaming to obtain System Log Events from Okta. However, some third-party providers, such as Oort, utilize EventBridge to collect System Log events, which is why EventBridge is included in this section. See Okta AWS EventBridge Streaming Integration for more details.
- Google Chronicle
- SumoLogic
- Elasticsearch / ELK Stack
- DataDog
- Rapid7
- LogRhythm Okta Beat
Okta Workflows
Okta Workflows is a powerful platform for identity process automation and integration. While Workflows is not a recommended option for ongoing export of all System Log events, it may be useful for more selective automation or integrations.
