
MatthewH.10249 (State of Iowa) asked a question.
We would like to get our ASA Audit logs into our Sumo Logic dataset. We were told that ASA Audit logs, in Q3, will be part of Okta's System Logs. Okta System Logs are currently being synced with our Sumo Logic instance, but until then, what options do we have to get ASA logs into Sumo Logic?
We did find an ASA API that allowed us to fetch the Audit Logs from ASA, and we can then use Okta Workflows to make that call and then push into Sumo Logic on a scheduled basis. However, there do not seem to be any query or filtering values where we can limit records by date/time so we only fetch new records, since we only want to push an Audit record once to Sumo Logic.
https://developer.okta.com/docs/reference/api/asa/audits/*audit-events-api-operation
Looking for ideas. Thanks for your time!

Hi @MatthewH.10249 (State of Iowa),
Thank you for posting on the Okta community page!
I have done some research on my end and it seems that your inquiry could be doable if Sumo Logic would implement a collector functionality for the ASA logs (i.e. built into the product).
I hope the above information is helpful.

Thanks for your time and feedback! We have a Sumo collector as an endpoint and can push logs to Sumo with it, but the issue is with how to query/filter the Okta ASA logs via the Okta ASA API. Okta's ASA API only allows 100 audit records at a time, and while I can add looping/pagination logic to continue getting more and more logs, we need a process that keeps logs pushed to Sumo that avoids audit record duplication and does not miss any. I can evaluate each audit record in the workflow before I pass it to Sumo. However, I'm hoping there is a cleaner approach, as I'll have to keep track of the last record processed in a Workflow table and then look it up each time and keep looping ASA API calls until I get back far enough from the previous run to stop. It would be nice if the ASA API had a way to pass a date/time range, but I just don't see anything like that in the documentation.
https://developer.okta.com/docs/reference/api/asa/audits/
I would appreciate it if you have a link to any documentation that might help with how to get and keep ASA audit logs into Sumo Logic. I have a proof of concept Workflow writing ASA logs to Sumo Logic now if you would like to get on an online conference call and take a look. I've not opened a support ticket about this because I don't think there is anything wrong; it just does not meet my needs, so I'm asking the Okta Community for other suggestions.
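
The checkpoint-and-walk-back approach described in the post above, as an added Python example that is not code from the thread, Okta or Sumo Logic. It assumes pages come back newest-first and each record carries a unique `id`; `fetch_page`, `push`, `state` and `make_feed` are hypothetical stand-ins for the ASA API call, the Sumo collector push, the Workflows table row and a constructed feed.

```python
from typing import Callable, Dict, List, Optional, Tuple

PAGE_SIZE = 100  # per the thread, one call returns at most 100 audit records
Event = Dict[str, str]  # assumed shape: each record carries a unique "id"
FetchPage = Callable[[int], List[Event]]  # hypothetical: offset -> newest-first page

def collect_new_events(fetch_page: FetchPage, checkpoint_id: Optional[str],
                       max_pages: int = 50) -> Tuple[List[Event], bool]:
    """Walk newest-first pages back to the checkpoint.

    Returns (unseen events oldest-first, gap). gap is True when a checkpoint was
    given but never reached, so records may have been missed.
    """
    seen, fresh, found = set(), [], False
    for page_no in range(max_pages):
        page = fetch_page(page_no * PAGE_SIZE)
        for ev in page:
            if ev["id"] == checkpoint_id:
                found = True
                break
            if ev["id"] not in seen:  # pages overlap when events arrive mid-run
                seen.add(ev["id"])
                fresh.append(ev)
        if found or len(page) < PAGE_SIZE:
            break
    fresh.reverse()
    return fresh, (checkpoint_id is not None and not found)

def run_once(fetch_page: FetchPage, push: Callable[[List[Event]], None],
             state: dict) -> int:
    """One scheduled run; state stands in for the Workflows table row."""
    fresh, gap = collect_new_events(fetch_page, state.get("last_id"))
    if gap:
        state["gap_detected"] = True  # flag for review rather than hide it
    if fresh:
        push(fresh)  # raises on failure, so the checkpoint below is not advanced
        state["last_id"] = fresh[-1]["id"]
    return len(fresh)

def make_feed(log: List[Event]) -> FetchPage:
    """Constructed stand-in for the audit endpoint; log is oldest-first."""
    def fetch_page(offset: int) -> List[Event]:
        return log[::-1][offset:offset + PAGE_SIZE]
    return fetch_page

if __name__ == "__main__":
    log = [{"id": f"evt-{i:04d}"} for i in range(250)]  # constructed sample
    sent, state = [], {}
    print(run_once(make_feed(log), sent.extend, state), state)
```

Because the checkpoint moves only after `push` returns, a failed push is retried on the next run instead of leaving a hole in the audit trail.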