
6e3yb (6e3yb) asked a question.
We currently leverage the /syslog endpoint for collecting the syslog from the API. We are worried that Okta may publish logs with an older "published" date. Is this possible? If we are looking at a rolling "since_time" feed, will the API ever publish an event that happened before our timebound query? For example: I am looking at logs "since" 08/29/22T00:00:00Z. Our logger is configured to look at all the new logs since that time. Okta API returns all logs published since that time successfully. Will there ever be the possibility that logs are "published" on 08/27/22T08:33:15Z and we may miss that?

Hi @6e3yb (6e3yb),
Thank you for posting on the Okta Community page!
I have done some research, and logs are being recorded in the Okta System logs as soon as the events occur; therefore, if an authentication action occurs on the 27th, it will be recorded on that date, at that same hour when the event happened, and it will not be published in the system logs two days later.
Additionally, the API will only return the logs that are recorded during the time frame mentioned by you. If you are looking at the logs "since" a certain date, only events from that time will be returned; therefore, as per your example, you will not be able to see results from the 27th if your API is configured to pull logs from the 29th.
I hope that I have understood your inquiry and that the above information is useful!

Thanks for the information, Flaviu. My concern is that an event will be published in the past, after the fact. For example, does the API ever need to catch up (due to its distributed nature) and publish a log that had happened in the past with a past Publish date? If it's currently 08/30/22T13:29:00Z, would the system ever publish a log with a "Published" time property before the current time (e.g. could a new log show up with a published time of 07:15:00Z)?
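
The scenario asked about in this thread, as an added example that is not part of the thread and is not Okta code: a simulated "since" feed in which one event becomes visible after the poll that covered its published time, collected once with a strict cursor and once with an overlapping window deduplicated by event id. The feed, the `visible_at` delay and the one-hour overlap are constructed assumptions for illustration and say nothing about how Okta actually behaves; the `uuid` and `published` field names are assumed to mirror System Log events.

```python
from datetime import datetime, timedelta, timezone

def ts(s):
    """Parse an ISO-8601 timestamp and mark it as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample feed: (visible_at, event). "visible_at" is the moment the
# simulated API starts returning the event. e3 is the hypothetical late event:
# published 07:15:00Z but only visible at 13:29:00Z.
FEED = [
    (ts("2022-08-30T07:10:05"), {"uuid": "e1", "published": ts("2022-08-30T07:10:00")}),
    (ts("2022-08-30T07:20:05"), {"uuid": "e2", "published": ts("2022-08-30T07:20:00")}),
    (ts("2022-08-30T13:29:00"), {"uuid": "e3", "published": ts("2022-08-30T07:15:00")}),
]

def query(since, now):
    """Simulated 'since' query: events visible at `now` with published >= since."""
    return [e for visible, e in FEED if visible <= now and e["published"] >= since]

def collect(poll_times, start, overlap):
    """Poll at each time, re-reading `overlap` before the cursor; dedupe on uuid."""
    seen, cursor = {}, start
    for now in poll_times:
        for event in query(cursor - overlap, now):
            seen.setdefault(event["uuid"], event)  # ignore events already stored
        if seen:
            # Advance the cursor to the newest published time collected so far.
            cursor = max(e["published"] for e in seen.values())
    return sorted(seen)

POLLS = [ts("2022-08-30T07:30:00"), ts("2022-08-30T13:30:00")]
START = ts("2022-08-30T00:00:00")

def strict():
    """Cursor-only collection: nothing before the last published time is re-read."""
    return collect(POLLS, START, timedelta(0))

def overlapped():
    """Each poll re-reads one hour before the cursor and drops duplicates."""
    return collect(POLLS, START, timedelta(hours=1))

if __name__ == "__main__":
    print("strict cursor:     ", strict())
    print("1h overlap + dedup:", overlapped())
```

With this constructed feed the strict cursor never collects `e3`, while the overlapping collector picks it up on the second poll without storing `e1` or `e2` twice.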