This is a Graylog Operations feature and is available in Graylog v3.3 and later. A valid Graylog Operations license is required.

Okta System Log records events related to your organization and provides an audit trail of platform activity. This input pulls Okta Log Event objects into Graylog so you can perform further data analysis on the activity occurring in your organization.

For this input plugin to function as expected, the following items must be supplied in the input configuration:

  1. Domain name
    Your Okta Domain (also known as Okta URL). Copy your domain from the Okta Developer Console. For information on finding your domain, see: https://developer.okta.com/docs/guides/find-your-domain/overview/

  2. API key
    The token used to authenticate Graylog’s requests to Okta. Create an API token on the Okta Developer Console. For information on creating an Okta API token, see: https://developer.okta.com/docs/guides/create-an-api-token/overview/

  3. Pull log events since
    The lower time bound of the Okta log events. Determines how much historical data Graylog pulls from Okta when the input starts. If not provided, one polling interval of historical data is pulled. The timestamp must be in ISO-8601 format.

  4. Polling interval
    Determines how often Graylog will poll for new data stored in Okta. Cannot be smaller than 5 seconds.

  5. Keyword filter (optional)
    The keyword filter is optional and filters log event results. Keyword filters cannot have more than 10 keywords (space-separated) and keywords cannot have more than 40 characters.

Hint: Okta System Log records are related to your organization, so run the input on one designated node. Select global to run the input on the master node.
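
The limits listed above can be checked before the input is saved. The following Python is an added example, not Graylog's code: it validates the five settings and builds the equivalent Okta System Log API request (`/api/v1/logs` with an `SSWS` token) so the token and filter can be tested outside Graylog. The function name, the sample domain and token, and the mapping of the keyword filter to Okta's `q` parameter are assumptions.

```python
import re
from datetime import datetime
from urllib.parse import quote, urlencode

def validate_okta_input(domain, api_key, since=None, polling_interval_s=5, keyword_filter=""):
    """Check the input settings; return (errors, request). request is None on error."""
    errors = []
    # Assumed domain form: a bare host name such as example.okta.com.
    host = re.sub(r"^https://", "", domain.strip()).rstrip("/")
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", host):
        errors.append("domain must be a host name")
    if not api_key:
        errors.append("API key is required")
    if since is not None:
        try:
            datetime.fromisoformat(since.replace("Z", "+00:00"))
        except ValueError:
            errors.append("'pull log events since' must be an ISO-8601 timestamp")
    if polling_interval_s < 5:
        errors.append("polling interval cannot be smaller than 5 seconds")
    keywords = keyword_filter.split()
    if len(keywords) > 10:
        errors.append("keyword filter cannot have more than 10 keywords")
    for kw in keywords:
        if len(kw) > 40:
            errors.append(f"keyword longer than 40 characters: {kw[:12]}...")
    if errors:
        return errors, None
    params = {}
    if since:
        params["since"] = since
    if keywords:
        params["q"] = " ".join(keywords)  # assumption: filter maps to Okta's q parameter
    url = f"https://{host}/api/v1/logs"
    if params:
        url += "?" + urlencode(params, quote_via=quote)
    # Okta API tokens use the SSWS scheme; keep the header value out of logs.
    return [], {"url": url, "headers": {"Authorization": f"SSWS {api_key}"}}

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    errs, req = validate_okta_input("example.okta.com", "CONSTRUCTED_TOKEN",
                                    "2024-01-01T00:00:00Z", 30, "user.session.start failure")
    print(errs or req["url"])
```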