Okta Log Collection with AWS
Last updated on 24 June, 2025You can integrate AWS with LM Logs to collect, process, and forward Okta logs for centralized log analysis and monitoring. This integration uses an AWS CloudFormation stack that includes a Lambda function written in Python. For more information, see Managing AWS resources as a single unit with AWS CloudFormation stacks in the AWS documentation. You can view the integration components in the LogicMonitor GitHub repository. For more information, see LogicMonitor GitHub repository.
You can use the integration between LM Logs and AWS to give you a unified view of identity and activity across your environment. Combining the data and capabilities of Okta and AWS enables streamlined alerting, correlation between authentication events and infrastructure performance, and stronger security and compliance visibility.
Parameters for Okta Log Collection with AWS
The following table describes the parameters required to configure the AWS CloudFormation stack.
| Parameter | Description | Default |
| FunctionMemorySize | The memory size for the OKTA Log Collector Lambda function in MBs | 2048 |
| FunctionName | The name for Lambda function. | LM-Okta-Log-Collector |
| FunctionTimeoutInSeconds | The timeout for the OKTA Log Collector lambda function in seconds | 110 |
| IncludeMetadataKeys | Comma separated keys to add as event metadata in a lm-log event. for nested json specify the ‘.’ (For example, actor.displayname,actor.type) | ‘severity,actor.displayname,actor.type,actor.alternateId,client.geographicalContext.city,displayMessage,eventType’ |
| LMAccessId | The LM API tokens access ID | |
| LMAccessKey | The LM API tokens access key | |
| LMBearerToken | LogicMonitor API bearer token. Used if LMAccessId and LMAccessKey are not provided | |
| LMCompanyName | The LogicMonitor account name. Note: By default, it is set to “logicmonitor.com”. The supported domains for this variable are as follows: | |
| LMDomainName | The LogicMonitor domain name. | |
| LMLogsServiceName | Service name used in LM Logs for anomaly detection | okta-system-logs |
| LMResourceId | Ignored when LMLogsServiceName is specified. Is a json for resource mapping. if specified as {“system.hostname” : “prod-node-us-west-1”} all logs will be mapped against the device with property system.hostname = prod-node-us-west-1 | |
| OktaAPIKey | Okta API key to fetch logs from Okta | |
| OktaDomain | Okta domain (for example, “company.okta.com“) | |
| ScheduleExpression | Cron expression for this Lambda function. For example, “rate(2 minutes)” means that the function will be triggered every two minutes. For more information, see Creating a rule that runs on a schedule in Amazon Eventbridge from Amazon. | “rate(2 minutes)” |
Requirements for Okta Log Collection with AWS
- LogicMonitor API token — Used to authenticate all requests to the log ingestion API. For more information, see API Tokens.
- Okta API access key — Used to connect to your Okta account and access its data. To generate an Okta API access key, see Create the Token in the Okta documentation.
- An AWS account – Used to create and deploy the CloudFormation stack that includes a Lambda function. You must have IAM permissions.
Collecting Okta Logs with AWS
- Navigate to the Okta Log Collector for LM Logs GitHub repository.
- In the repository README, select Launch Stack to initiate the stack creation.
- Log into AWS. To create and deploy the CloudFormation stack, see Create a stack from the CloudFormation console in the AWS documentation.
Once you have created the CloudFormation stack, Okta logs are collected and forwarded based on the configured time range.