Administer log forwarding - Frequently asked questions and best practices
Okta recommends using a port number greater then 2048. Many operating systems have access restrictions on ports with values less then 2048. While port numbers lower then 2048 may work, the should be avoided when possible.
Frequently Asked Questions
Question: What is the frequency of log events?
Answer: Frequency of log events is dependent on activity in the Access Gateway in one of the covered areas.
For example, AUDIT events occur only when an application is accessed. If there are no current application accesses, then no events will occur. Similarly, MONITOR events occur when a change is made to an Access Gateway configration. For example application updates, configuration of data stores, or similar changes. . If no changes are being made, then no monitor events will occur.
Question: Does Access Gateway need to be restarted after configuring log forwarders?
Answer: No, once configured Access Gateway immediately begins to send out events, as the occur.
Question: I'm running GrayLog and my instance when down. Are events during that period lost?
Answer: From a log forwarding perspective, yes, Access Gateway does not cache events. When there is no recipient for the event stream, in this case Gray Log, the events are dropped. However, you can still download the logs for the time period where events were missing. See Download logs for complete details.