This article presents how to get started with the Okta System Log. The System Log contains details of all logged events for an organization, including user authentication, password resets, rate limit errors, user lifecycle information, and any other activity that takes place within the Okta Organization.
The System Log should be the first stop for troubleshooting any Okta issue or learning more about an environment.
- Monitoring and Reports
- System Log
This knowledge article covers the following topics:
- How to Find the Okta System Log
- Basic functions of the System Log
- Basic Search
- Advanced Search
- Tips & Tricks
- Save Searches
Follow the steps or video below.
Finding the Okta System Log
- Navigate to the Okta Admin Console.
- In the Admin Console, go to Reports > System Log.
Basic functions of the System Log
There are three ways that Admins can view and monitor various events in an organization:
The events table lists all events and includes information about time, actor, target, and more.
Using the events table, Admins can:
- View more data about an event by clicking the right arrow on the corresponding row.
- Filter events by time, event info, actor, or targets in the table by clicking the column header.
- Download the entire table by clicking the Download CSV file link.
- Toggle between the table view and a geolocation view, which displays events on a map.
Admins can filter events by various parameters and operators in the System Log. By default, the filters display all events for the last seven days.
Basic Search
- Specify a time range using the From, To, and Time Zone fields.
  - NOTE: Events are retained by Okta for 90 days. Specifying a longer range will result in an error.
- Enter a string to search all events.
- Press the Enter key or click the Search icon.
The following table lists some commonly used custom queries:
| Use case | Query |
|---|---|
| Password resets for users | eventType eq "user.account.reset_password" |
| Find Rate Limit errors | displayMessage eq "Rate limit violation" |
| Application Assignment | application.user_membership.add |
| Application Access | eventType eq "user.authentication.sso" |
| User Creation | user.lifecycle.create |
| User Locked Out | user.account.lock |
| Self Service Unlock | self_service.account_unlock |
| Sign-in Success | user.authentication.sso |
| Suspicious Activity | outcome.reason eq "Authentication failed: bad username or password" |
Advanced Search
- Click Advanced Filters.
- Enter the selection criteria.
- Click Apply Filter.
See Operators for more details about the operators.
Tips & Tricks
While viewing System Log events, Super Admins or Org Admins may want to view all events by a specific IP address.
- In the Events table, click the right arrow for the event to view the actor, client, event, request, and target info about that event.
- Expand one of the following:
- Client
- Request > IPChain
- Hover over the IP address to display the Filter icon.
- Click the Filter icon to sort the event list.
- To clear any custom filters and return to the default filters, click Reset Filters.
Admins can also click hyperlinked values in other fields in the System Log to filter by those values.
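As an added example (not Okta's code and not part of the original article), the Python below applies the "Suspicious Activity" reason string to exported System Log events, groups the failures by client IP, and builds the search expression for pivoting to one IP as described in this section. The event layout (`actor.alternateId`, `client.ipAddress`, `outcome.reason`), the helper names, the `min_users` threshold, and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Reason string from the "Suspicious Activity" query in the table above.
BAD_CREDS = "Authentication failed: bad username or password"

def ev(ip, user, reason=BAD_CREDS):
    """Constructed event holding only the fields this example reads (assumed layout)."""
    return {"actor": {"alternateId": user},
            "client": {"ipAddress": ip} if ip else None,
            "outcome": {"reason": reason}}

# Constructed sample data; addresses come from documentation-only ranges.
SAMPLE_EVENTS = [
    ev("203.0.113.10", "alice@example.com"),
    ev("203.0.113.10", "bob@example.com"),
    ev("203.0.113.10", "carol@example.com"),
    ev("203.0.113.10", "alice@example.com"),       # repeat user, counted once
    ev("198.51.100.7", "dave@example.com"),
    ev("198.51.100.7", "dave@example.com"),        # one user mistyping a password
    ev("203.0.113.10", "erin@example.com", None),  # no failure reason: ignored
    ev(None, "frank@example.com"),                 # no client block: skipped
]

def flag_sources(events, min_users=3):
    """Map each client IP to the distinct accounts it failed against,
    keeping IPs that reach min_users accounts (hypothetical threshold)."""
    users_by_ip = defaultdict(set)
    for event in events:
        if (event.get("outcome") or {}).get("reason") != BAD_CREDS:
            continue
        ip = (event.get("client") or {}).get("ipAddress")
        user = (event.get("actor") or {}).get("alternateId")
        if ip and user:
            users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_users}

def pivot_filter(ip):
    """Build the search expression for one IP. Parsing the address first
    rejects anything that could break out of the quoted value."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on non-IP input
    return f'outcome.reason eq "{BAD_CREDS}" and client.ipAddress eq "{addr}"'

if __name__ == "__main__":
    for ip, users in flag_sources(SAMPLE_EVENTS).items():
        print(ip, len(users), "accounts:", ", ".join(users))
        print("  search:", pivot_filter(ip))
```

Counting distinct accounts per IP, rather than raw failures, separates one source trying many usernames from a single user repeatedly mistyping a password.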
Save Searches
Admins can save a search so that it can be reused, modified, or deleted later.
- After performing a System Log search, click Save.
- Enter a name for the customized search.
- Click Save as new. The customized search appears on the Reports page.
