Configure log forwarders

Before you begin

Before you configure a log forwarder you need:

  • A syslog server that can receive syslog events, configured and available.
  • Connection information for the remote logging consumer. For example:

    Parameter                                                    Example
    Fully qualified IP address or DNS resolvable name of logger  192.168.1.1 or my.graylog.server
    Logger protocol                                              TCP or UDP
    Logger listen port                                           An appropriate port such as 5514

    Important: The port used to communicate between Access Gateway and the logging server must be open. Access Gateway validates the logging server connection.

Creating a log forwarder receiver

Important: This example uses Graylog and is purely instructional. For configuration of systems designed to receive the logging input, see their appropriate documentation.

To create a log forwarder in Graylog:

  1. Sign in to the Graylog console as admin.
  2. Select System > Inputs.
  3. In the Select Input drop-down, search for Syslog UDP.
  4. Click Launch new input.
  5. In the Launch New Syslog UDP Input dialog enter the following:

    Global: checked.
    Title: An appropriate title.
    Port: An appropriate port. Reminder: this port must be accessible from the Access Gateway Admin instance. When configuring syslog input receivers, to avoid operating system restrictions, Okta recommends using port numbers of 2048 or higher.

    Leave all other fields unchanged.
  6. Click Save.
  7. Return to the Access Gateway Admin UI console.

Add a log forwarder

To add a remote logger:

  1. Navigate to your Access Gateway Instance.
  2. Select the Logs and Backups tab.
  3. Select the Log Forwarder pane.
  4. Select (+) > Syslog remote.
  5. In the Add Forwarder: Syslog pane enter the following:

    Name: The name of the forwarder.
    Feed: One of AUDIT, ACCESS or MONITOR. See Feed Examples for details of each feed.
    Protocol: Select either UDP or TCP. Ensure this protocol matches the log listener.
    Host: The DNS resolvable name or IP address of the remote syslog listener.
    Port: The port of the remote syslog listener.

  6. Click Validate Forwarder.
    Access Gateway then attempts to validate the remote logger connection information.
    Correct any input errors if required.
    On success the Validate Forwarder button turns green and changes to Forwarder Validated.
  7. Click Okay.
  8. The log forwarder definition then appears in the list of log forwarders.

    Note: The syslog definition is briefly shown as testing and then moves to valid on success.

Test log forwarders

To test log forwarding you need:

  • A configured log receiver. Follow the steps outlined in Creating a log forwarder receiver.
  • A log forwarder defined in your Access Gateway node. ACCESS loggers are the simplest to test, as they generate events on every sign in to the Access Gateway Admin UI console.
  • A way to generate one or more events.

Then:

  1. Configure a system logger in your log server.
  2. Configure a log forwarder in Access Gateway, preferably an ACCESS logger.
  3. Ensure your system logger is started and ready to receive events.
  4. Sign out and then back into the Access Gateway Admin Console.
  5. Examine the log server. Multiple events should be generated resembling:

Feed Examples

For examples of log file formats see About Access Gateway logs. The feeds are:

AUDIT
Audit log events include log entries representing user authentication.
For details and examples of audit events see Access Gateway Audit log.

Sample events:
2020-06-24T10:05:56.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE - - INFO SYSTEM_STARTUP [] Startup complete, system ready.

2020-06-24T04:00:01.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS [NAME="MyIDP" DOMAIN="someorg.oktapreview.com" TYPE="IDP_OKTA" RESULT="PASS" REASON="VALID"] Success confirming IDP status with: someorg.oktapreview.com.

ACCESS
Access log events include log entries representing user authorization and application accesses. For example, a particular user accessed a particular application from a given IP address.
For details and examples of access events see Access Gateway Access log.

Sample event:
2020-06-24T09:41:08.000-05:00 example.myaccessgateway.com auth header.myexample.com 10.0.0.110 - - "GET /assets/images/image.png HTTP/2.0" 200 1229 "https://gw-admin.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" "-" 0.029 0.028 .

MONITOR
Monitor log events include log entries representing application configuration (add, delete, modify), certificate configuration and auth module configuration.
For details and examples of monitor events see Access Gateway Monitor log.

Sample event:
2020-06-25T07:00:02.119-05:00 example.myaccessgateway.com OAG_MONITOR MONITOR DISK_USAGE INFO DISK_USAGE [FILESYSTEM="/dev/mapper/centos-root" MOUNT="/" USAGE="12%"] Mount / is 12% full
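The following is an added example and is not part of Okta's documentation or of Access Gateway itself: a minimal Python UDP syslog listener plus a parser for the AUDIT and MONITOR event shapes shown above, useful for checking that the listen port is open and that the events produced by the Test log forwarders steps arrive and parse. It assumes the forwarded payload is the event line as printed on this page, optionally prefixed by a syslog priority such as <14>; the sample lines are copied from this page and the function names are the example's own.

```python
import re
import socket

# Constructed sample payloads, copied from this page's AUDIT and MONITOR sample events.
AUDIT_LINE = ('2020-06-24T04:00:01.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY '
              'WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS [NAME="MyIDP" '
              'DOMAIN="someorg.oktapreview.com" TYPE="IDP_OKTA" RESULT="PASS" '
              'REASON="VALID"] Success confirming IDP status with: someorg.oktapreview.com.')
MONITOR_LINE = ('2020-06-25T07:00:02.119-05:00 example.myaccessgateway.com OAG_MONITOR '
                'MONITOR DISK_USAGE INFO DISK_USAGE [FILESYSTEM="/dev/mapper/centos-root" '
                'MOUNT="/" USAGE="12%"] Mount / is 12% full')
ATTR = re.compile(r'(\w+)="([^"]*)"')   # KEY="value" pairs inside the [...] block
PRI = re.compile(r'^<\d{1,3}>')          # optional syslog <PRI> prefix (assumed, may be absent)

def parse_structured(line):
    """Parse 'ts host <source...> LEVEL EVENT [k="v" ...] message'. AUDIT has four
    source tokens and MONITOR three, so they are kept as a list; no [...] -> None."""
    line = PRI.sub('', line.strip())
    head, sep, rest = line.partition('[')
    attrs, sep2, msg = rest.partition(']')
    tokens = head.split()
    if not (sep and sep2) or len(tokens) < 4:
        return None
    return {'timestamp': tokens[0], 'host': tokens[1], 'source': tokens[2:-2],
            'level': tokens[-2], 'event': tokens[-1],
            'attrs': dict(ATTR.findall(attrs)), 'message': msg.strip()}

def open_listener(bind_addr='0.0.0.0', port=5514):
    """Bind a UDP socket the way the Syslog UDP input on port 5514 from the page would."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    return sock

def send_event(host, port, line):
    """Send one event datagram, e.g. to confirm the listen port is open before validating."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(line.encode('utf-8'), (host, port))

def collect(sock, max_events=5, timeout=30.0):
    """Receive up to max_events datagrams (or stop at timeout) and return parsed records."""
    sock.settimeout(timeout)
    records = []
    while len(records) < max_events:
        try:
            data, _peer = sock.recvfrom(65535)
        except socket.timeout:
            break
        rec = parse_structured(data.decode('utf-8', 'replace'))
        if rec is not None:
            records.append(rec)
    return records
```

Run `collect(open_listener())` on the log server host, then sign out of and back into the Access Gateway Admin UI console; ACCESS feed lines use the web-server access format instead and will be skipped by this parser.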