Sending Okta Logs
Last updated on 27 March, 2023Okta is a commonly used identity management service for adding authentication and authorization functionality to applications. The following describes how to set up the collection and forwarding of Okta system logs to LM Logs for further ingestion and processing.
Requirements
- LogicMonitor API tokens to authenticate all requests to the log ingestion API.
- Okta API access key, see how to generate one in the Okta documentation.
Deploying the AWS CloudFormation Stack
The integration uses an AWS CloudFormation stack including a Lambda function written in Python. The integration components are available in this LogicMonitor GitHub repository.
Do the following to create and deploy the integration components.
- Navigate to the Okta Log Collector for LM Logs GitHub repository.
- In the repository, select Launch Stack to initiate the stack creation.
- Log into AWS and select the create stack option in CloudFormation.
- Enter a name for the stack, for example “lm-okta-log-collector”.
- Enter parameter values as applicable, for parameter descriptions see Configuration Options.
- Select Create Stack to deploy the Lambda function.
When you have created the stack, Okta system logs will be collected and forwarded periodically based on the configured time range.
Configuration Options
| Parameter | Description |
| FunctionName | (Required) The name of the log forwarding Lambda function. Default value: LM-Okta-Log-Collector |
| LMCompanyName | (Required) Your LogicMonitor account (portal) name. |
| LMAccessId | (Required) The LogicMonitor API tokens access ID. |
| LMAccessKey | (Required) The LogicMonitor API tokens access key. |
| OktaDomain | (Required) Your Okta domain, for example “company.okta.com”. |
| OktaAPIKey | (Required) Your Okta API key used to fetch logs from Okta, see Requirements. |
| LMLogsServiceName | Used for anomaly detection if no resource mapping exists. Default value: okta-system-logs |
| LMResourceId | Resource mapping in JSON format, ignored when LMLogsServiceName is specified. For example, if specified as {"system.hostname" : "prod-node-us-west-1"} all logs are mapped against the device with property “system.hostname = prod-node-us-west-1”. |
| IncludeMetadataKeys | Comma-separated keys to add as event metadata fields in an lm-log event. For nested JSON specify ‘.’ Example: actor.displayname,actor.type. Default values: severity,actor.displayName,actor.type,actor.alternateId,client.geographicalContext.city,displayMessage,eventType,target |
| ScheduleExpression | Cron expression for triggering the Lambda function. For example when set to “rate(2 minutes)”, the function runs every 2 minutes. See the AWS documentation. Default value: rate(2 minutes) |
| FunctionMemorySize | Memory size in MBs for the Okta Log Collector Lambda function. Default value: 2048 |
| FunctionTimeoutInSeconds | Timeout in seconds for the Okta Log Collector Lambda function. Default value: 110 |
Troubleshooting
See the following if you are experiencing issues after setting up the collection and forwarding of Okta logs to LM Logs.
No Logs Appear in LM Logs Page
If you don’t see any logs in the LM Logs page, check the following:
- Ensure that the credentials used and parameter configurations are valid.
- Investigate the CloudWatch logs to get more information.
Lambda Function Timeouts
In case of frequent Lambda function timeouts, try the following:
- Increase the memory size (FunctionMemorySize), this results in faster CPU assignment.
- Increase the trigger time rate (ScheduleExpression) to for example 5 minutes.