Configure log forwarders

Access Gateway enables you to use log forwarders to store your log files in third-party log products.

Before you begin

  • Verify that a third-party log product has already been set up and can receive events from Access Gateway.
  • Use this connection information for the third-party log product:

    Parameter

    Example

    A fully qualified IP address or DNS-resolvable name of the third-party log product

    192.168.1.1

    my.logproduct.server

    ProtocolTCP or UDP

    Listen port

    Access Gateway validates the logging server connection. Verify that this port is open before you forward logs from Access Gateway to the third-party log product.

    		5514
  • In high availability clusters, when you add a log forwarder definition to the main admin node, the definition propagates to all worker nodes. Worker nodes then send log events directly to the third-party log product server.

Create a log forwarder receiver

You must create a location that receives log data from Access Gateway. This might be called a receiver, an input, a listener, a remote listener, or a log forwarder receiver in your third-party log product.

See that product's documentation for instructions.

Add a log forwarder in Access Gateway

  1. In your Access Gateway instance, select Backups and Logs and Backups.
  2. Select Log Forwarder.
  3. Click (+)Syslog remote.
  4. Configure the following options:
    • Name: Enter a name for the forwarder.
    • Feed: Select one of these options:
      • AUDIT: Log entries representing user authentication.
      • ACCESS: Log entries for user authorization and application accesses.
      • MONITOR: Log entries for application configuration (add, delete, modify), certificate configuration, and Auth Module configuration.
    • Protocol: Select UDP or TCP. This protocol must be the same as the protocol you selected for communication with your third-party logging product.
    • Host: The DNS-resolvable hostname or IP address of the of the third-party log product.
    • Port: The port that you're using to communicate with the third-party log product.
  5. Click Validate Forwarder. Access Gateway attempts to validate the remote third-party log product connection information. Correct any input errors if they appear. When the connection has been validated, the Validate Forwarder button changes to Forwarder Validated.
  6. Click Okay.
  7. The log forwarder definition appears in the list of log forwarders. Its initial status is Testing, which changes to Valid when it passes testing.

Test log forwarders

After you've configured a receiver for your log events and created a log forwarder in Access Gateway, you can test that everything works as expected.

  1. Configure a system logger in your log server.
  2. Configure a log forwarder in Access Gateway. For testing purposes, Okta recommends that you use ACCESS mode. This mode records sign-in events to the Access Gateway Admin UI console.
  3. Verify that your third-party log product is started and is ready to receive events.
  4. Sign out of and then back into the Access Gateway Admin Console.
  5. Verify that these events appear in the third-party log product feed. See the Feed examples section for examples.

Feed examples

Type Description
AUDIT Audit log events include log entries representing user authentication.

See Access Gateway audit log for details and examples of audit events.

Sample events:

2020-06-24T10:05:56.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE - - INFO SYSTEM_STARTUP [] Startup complete, system ready.2020-06-24T04:00:01.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS [NAME="MyIDP" DOMAIN="someorg.oktapreview.com" TYPE="IDP_OKTA" RESULT="PASS" REASON="VALID"] Success confirming IDP status with: someorg.oktapreview.com.
ACCESS Access log events include log entries representing user authorization and application accesses. For example, a particular user accessed a particular application from a given IP address. See Access Gateway access log for details and examples of access events.

Sample event:

2020-06-24T09:41:08.000-05:00 example.myaccessgateway.com auth header.myexample.com 10.0.0.110 - - "GET /assets/images/image.png HTTP/2.0" 200 1229 "https://gw-admin.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" "-" 0.029 0.028 .
MONITOR Monitor log events include log entries representing application configuration (add, delete, modify), certificate configuration and Auth Module configuration. See Access Gateway monitor log

Sample event:

2020-06-25T07:00:02.119-05:00 example.myaccessgateway.com OAG_MONITOR MONITOR DISK_USAGE INFO DISK_USAGE [FILESYSTEM="/dev/mapper/centos-root" MOUNT="/" USAGE="12%"] Mount / is 12% full