<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Getting Started with the Okta System Log
May 1, 2026
Administration
Okta Classic Engine
Okta Identity Engine
Overview

The Okta System Log contains details of all logged events for an organization, including user authentication, password resets, rate limit errors, user lifecycle information, and other activity. Use the System Log as the primary tool for troubleshooting Okta issues or reviewing environment activity.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Monitoring and Reports
  • System Log
Solution

Review the following topics covered in this guide.

 

 

How is the Okta System Log accessed?

Navigate to the System Log within the Okta Admin Console by following these steps.

  1. Navigate to the Okta Admin Console.
  2. Go to Reports > System Log.

Reports > System Log

 

What are the basic functions of the Okta System Log?

Review the following primary methods for viewing and monitoring events in an organization.

Graphs

Events table

The events table lists all events and includes information about time, actor, target, and more. The events table can be used to perform the following actions:

    • View more data about an event by clicking the right arrow on the corresponding row.
    • Filter events by time, event info, actor, or targets in the table by clicking the column header.
    • Download the entire table by clicking the Download CSV file link.
    • Toggle between the table view and a geolocation view, which displays events on a map.

Clicking the map pin displays events on the map and tracks whether a specific event occurred from a blocked geographic location. 

MAP

Events can be filtered in the System Log using various parameters and operators. By default, the filters display all events for the last seven days.

Clicking Show event trends by category will sort all events matching the System Log search query into the following categories:

    • Count of events per target.
    • Count of events per actor.
    • Count of events per event type.

System Log

Hovering the mouse pointer over a chart column to display the events and the corresponding counts triggered by the search query (for example, IP address eq <value>). 

The default limit for the Okta System Log is 20 events. To display more than 20 events and avoid repeatedly clicking Show more, follow the steps below:

    1. Navigate to the URL and locate limit=20 after the timezone.
    2. Increase this number up to 1000.
      • For example, changing the limit from 20 to 100 displays 100 events for the System Log search query when clicking Show more.

URL

 

How is a basic search performed?

Specify a time range and enter a search string to perform a basic search in the System Log.

  1. Specify a time range using the From, To, and Time Zone fields.
    NOTE: Okta retains events for 90 days. Specifying a longer range results in an error.
  2. Enter a string to search all events.
  3. Press the Enter key or click the Search icon.

Review the following table for a list of commonly used custom queries.

Use caseQuery
Password resets for userseventType eq "user.account.reset_password"
Find Rate Limit errorsdisplayMessage eq "Rate limit violation"
Application Assignmentapplication.user_membership.add
Application AccesseventType eq "user.authentication.sso"
User Creationuser.lifecycle.create
User Locked Outuser.account.lock
Self Service Unlockself_service.account_unlock

Sign-in Success

user.authentication.sso

Suspicious Activity

outcome.reason eq "Authentication failed: bad username or password"

How is an advanced search performed?

Apply advanced filters and selection criteria to perform an advanced search.

  1. Click Advanced Filters.
  2. Enter the selection criteria.

Advanced Filters

  1. Click Apply Filter.

Review the Operators documentation for more details.

 

How are events filtered by a specific IP address?

Filter the System Log to view all events associated with a specific IP address by following these steps.

  1. In the Events table, click the right arrow for the event to view the Actor, Client, Event, Request, and Target info about that event.
  2. Expand Client or Request > IPChain.
  3. Hover over the IP address to display the Filter icon.
  4. Click the Filter icon to sort the event list.
  5. Click Reset Filters to clear any custom filters and return to the default filters.

Click hyperlinked values in other fields in the System Log to filter by them.

 

How are searches saved?

Save searches to reuse, modify, or delete them later by following these steps.

  1. After performing a System Log search, click Save.
  2. Enter a name for the customized search.
  3. Click Save as new. The customized search appears on the Reports page.

 

Related References

Recommended content

Still looking for help?
Loading
Getting Started with the Okta System Log