A syslog event is logged any time a user has an administrator role assigned to or revoked from them. This article includes the system log filters that can be used to see those events.

• System Logs
• Users
• Administrators

To view all administrator role assignments, the following syslog filter can be used:

eventType eq "user.account.privilege.grant"

To view all administrator role revocations, the following syslog filter can be used:

eventType eq "user.account.privilege.revoke"

NOTE: Okta has an Automatic Purging of Customer Data process in place.

• Service Backup Data
  • Complete database snapshots are taken hourly and automatically purged after six months.
• System Log
  • Application-generated system data (as presented in Okta’s System Log) and reporting based on log data older than 90 days are automatically removed. 

If it is desired to retain data for longer than 90 days, it is recommended to download the data from the System Log user interface, API, or integrate it with an external event management system (like SIEM). Please refer to Exporting Okta Log Data for more information.

Related References

• How To Assign Admin Roles To a User
• Workforce Identity Cloud Customer Data Retention Policy
• How to Export Okta Log Data