Okta module

edit

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

The Okta module collects events from the Okta API. Specifically this supports reading from the Okta System Log API.

Variable settings

edit

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the okta module uses the defaults.

For advanced use cases, you can also override input settings. See Override input settings.

When you specify a setting at the command line, remember to prefix the setting with the module name, for example, okta.system.var.paths instead of system.var.paths.

system fileset settings

edit

The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. This module is implemented using the httpjson input and is configured to paginate through the logs while honoring any rate-limiting headers sent by Okta.

This module does not persist the timestamp of the last read event in order to facilitate resuming on restart. This feature will be coming in a future version. When you restart the module will read events from the beginning of the log. To minimize duplicates documents the module uses the event’s Okta UUID value as the Elasticsearch _id.

This is an example configuration for the module.

- module okta
  system:
    var.url: https://yourOktaDomain/api/v1/logs
    var.api_key: '00QCjAl4MlV-WPXM...0HmjFx-vbGua'
Configuration options
edit
var.url

Specifies the URL to the Okta System Log API. Required.

    var.url: https://mycompany.okta.com/api/v1/logs
var.api_key

Specifies the Okta API token to use in requests to the API. Required. The token is used in an HTTP Authorization header with the SSWS scheme. See Create an API token for information on how to obtain a token.

    var.api_key: '00QCjAl4MlV-WPXM...0HmjFx-vbGua'
var.http_client_timeout
Duration of the time limit on HTTP requests made by the module. Defaults to 60s.
var.interval
Duration between requests to the API. Defaults to 60s.
var.keep_original_message
Boolean flag indicating if the original JSON event string should be included in the event.original field. Defaults to true.
var.ssl

Configuration options for SSL parameters like the certificate authority to use for HTTPS-based connections. If the ssl section is missing, the host CAs are used for HTTPS connections to Okta. See SSL for more information.

    var.ssl:
      supported_protocols: [TLSv1.2]

Example dashboard

edit

This module comes with a sample dashboard:

filebeat okta dashboard

Fields

edit

For a description of each field in the module, see the exported fields section.