Log Streaming

This is an Early Access feature. To enable it, use the Early Access Feature Manager as described in Manage Early Access and Beta features.

Use Log Streaming to easily and efficiently manage System Log events and data.

You can:

  • Send System Log events to various targets, such as Amazon EventBridge, Splunk Cloud and more, in near real-time.

  • Monitor System Log events for suspicious activity.

  • Automate actions to mitigate risks.

  • Receive real-time alerts about issues, troubleshoot, and perform root cause analysis.

  • Extract the System Log and store it for long periods of time.

Note

Currently, only Amazon EventBridge log streams are supported.

Limitations and known issues

  • The only available integrations are created and maintained by Okta. ISV submissions are not currently accepted.

  • Okta sends all System Log events to a configured log stream target. No event filtering is supported.

  • Replay functionality (resending events from a specific point in time) is not currently supported.

  • If the log stream target stops acknowledging a log stream, Okta deactivates the log stream and no events are sent to the log stream target. You must activate the target again from the Log streams page in the Okta Admin Console.

  • Event delivery: Delivery of events is best effort. Events are delivered at least once to an active log stream. In some cases, events may arrive out of order and an event may be sent multiple times. To establish ordering, use the timestamp contained in the data.events.published property of each event. To detect duplicate event delivery, compare the eventId value of incoming events with the values of previously received events.

    If the log stream target responds to a delivery with an error, or if the delivery times out, the delivery attempt fails. Okta retries delivery as soon as either happens. Okta makes only two delivery attempts, with no additional wait time between them, before deactivating the log stream. You can view the system.log_stream.lifecycle.deactivate event in the System Log user interface or by using the System Log API. The Log Stream configuration also shows the stream state as deactivated.

  • Event latency: Okta does not guarantee a maximum duration between the occurrence of an event and the delivery to a log stream. In addition, where a third-party service is specified as the log stream, the third-party service may insert a delay which is outside of Okta’s control. If Okta hasn't reported an issue but events associated with an active stream don't appear in the specified third-party service, contact that service's support organization.
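
The following consumer-side sketch applies the ordering and duplicate-detection guidance from the Event delivery item above. It is an added example, not Okta code; the payload layout (`data.events` as a list whose items carry `eventId` and `published`), the timestamp format, and the names `LogStreamBuffer`, `parse_ts`, and `DELIVERIES` are assumptions.

```python
import heapq
import itertools
from collections import OrderedDict
from datetime import datetime, timedelta

def parse_ts(value):
    # Assumes ISO 8601 UTC timestamps ending in "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

class LogStreamBuffer:
    """Drops redelivered events and releases the rest in published order."""

    def __init__(self, hold=timedelta(seconds=30), max_seen=100_000):
        self.hold = hold            # wait this long for late arrivals
        self.max_seen = max_seen    # bound on remembered eventId values
        self.seen = OrderedDict()   # eventId -> None, oldest first
        self.pending = []           # heap of (published, seq, event)
        self.seq = itertools.count()  # tie-breaker for equal timestamps

    def ingest(self, delivery):
        """Queue unseen events from one delivery; return duplicates dropped."""
        dupes = 0
        for ev in delivery["data"]["events"]:  # assumed payload layout
            if ev["eventId"] in self.seen:
                dupes += 1
                continue
            self.seen[ev["eventId"]] = None
            if len(self.seen) > self.max_seen:
                self.seen.popitem(last=False)  # forget the oldest id
            item = (parse_ts(ev["published"]), next(self.seq), ev)
            heapq.heappush(self.pending, item)
        return dupes

    def release(self, now):
        """Return queued events published at or before now - hold, oldest first."""
        out = []
        while self.pending and self.pending[0][0] <= now - self.hold:
            out.append(heapq.heappop(self.pending)[2])
        return out

def _delivery(event_id, published):
    return {"data": {"events": [{"eventId": event_id, "published": published}]}}

# Constructed sample: out-of-order arrival plus one redelivery of evt-2.
DELIVERIES = [
    _delivery("evt-2", "2024-01-01T10:00:05.000Z"),
    _delivery("evt-1", "2024-01-01T10:00:01.000Z"),
    _delivery("evt-2", "2024-01-01T10:00:05.000Z"),
    _delivery("evt-3", "2024-01-01T10:00:20.000Z"),
]
```

Because no maximum delivery latency is guaranteed, an event that arrives after its hold window has passed is released late and out of order, so detections that depend on sequence should tolerate that. A duplicate that arrives after its eventId has been evicted from the bounded cache is also passed through.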

Note

Stream targets that receive logs are Non-Okta Applications. Non-Okta Applications include web-based, offline, mobile, or other software application functionality that is provided by you or a third party and interoperates with the Okta Service. You should only send logs to Non-Okta Applications if you are authorized on behalf of your organization to do so. Okta cannot guarantee continued partnerships or functionality with any Non-Okta Applications.

Related topics

Add an AWS EventBridge log stream