Log Streaming

This is an Early Access feature. To enable it, use the Early Access Feature Manager as described in Manage Early Access and Beta features.

Use Log Streaming to easily export Okta System Log events to supported external platforms, either Amazon EventBridge or Splunk Cloud, in near real-time. You can use these platforms to:

  • Monitor Okta for suspicious activity.

  • Automate actions to mitigate risks in response to specific event types.

  • Raise alerts, troubleshoot issues, and perform root cause analysis.

  • Retain events for extended periods of time to meet compliance requirements.

Log streaming events, such as stream activation or deletion, are eligible for event hooks. For a list of those events, see the events catalog.

Limitations and known issues

  • The only available integrations are created and maintained by Okta. ISV submissions are not currently accepted.

  • Okta sends all System Log events to a configured log stream target. No event filtering is supported.

  • Replay functionality (resending events for a specific point in time) is not currently supported.

  • If the log stream target stops acknowledging a log stream, Okta deactivates the log stream and no events are sent to the log stream target. When the target is healthy again, you must activate the log stream from the Log Streaming page in the Okta Admin Console.

  • Event delivery: Delivery of events is best effort. Events are delivered at least once to an active log stream. In some cases events may arrive out of order and an event may be sent multiple times. To establish ordering, you can use the time stamp contained in the data.events.published property of each event. To detect duplicate event delivery, compare the eventId value of incoming events with the values of previously received events.

    If the log stream responds to a delivery event with an error or if it times out, the delivery attempt fails, and Okta retries delivery as soon as either happens. Okta makes only two delivery attempts, with no additional wait time between them, before it deactivates the log stream. You can view the system.log_stream.lifecycle.deactivate event in the System Log user interface or by using the System Log API. In the Log Stream configuration, the stream state indicates that the stream is deactivated.

  • Event latency: Okta does not guarantee a maximum duration between the occurrence of an event and the delivery to a log stream. In addition, where a third-party service is specified as the log stream, the third-party service may insert a delay which is outside of Okta’s control. If Okta hasn't reported an issue but events associated with an active stream don't appear in the specified third-party service, contact that service's support organization.
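
The ordering and duplicate handling described under Event delivery, shown as an added example (not Okta's code): a consumer-side buffer that drops repeated eventId values and releases events in published order. The payload shape (data.events as a list whose items carry eventId and published), the class and function names, and the sample deliveries are assumptions constructed for illustration.

```python
from collections import OrderedDict
from datetime import datetime, timezone

class LogStreamBuffer:
    """Drops redelivered events and releases the rest in `published` order."""

    def __init__(self, max_seen=100_000):
        self.seen = OrderedDict()  # eventId -> None, oldest first (bounded memory)
        self.max_seen = max_seen
        self.pending = []          # (published, eventId, event) awaiting release

    @staticmethod
    def _published(event):
        # Assumed ISO 8601 with a trailing "Z"; normalise for fromisoformat().
        return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

    def ingest(self, delivery):
        """Buffer one delivery; return the number of duplicates it contained."""
        dupes = 0
        for event in delivery["data"]["events"]:  # assumed payload shape
            eid = event["eventId"]
            if eid in self.seen:
                dupes += 1
                continue
            self.seen[eid] = None
            if len(self.seen) > self.max_seen:
                self.seen.popitem(last=False)     # forget the oldest eventId
            self.pending.append((self._published(event), eid, event))
        return dupes

    def release(self, up_to):
        """Return buffered events published at or before `up_to`, oldest first."""
        self.pending.sort(key=lambda item: item[:2])
        ready = [event for ts, _, event in self.pending if ts <= up_to]
        self.pending = self.pending[len(ready):]
        return ready

def demo():
    # Constructed sample deliveries: out of order, with evt-2 delivered twice.
    def delivery(eid, ts):
        return {"data": {"events": [{"eventId": eid, "published": ts}]}}
    stream = [delivery("evt-2", "2024-01-01T10:00:02.000Z"),
              delivery("evt-1", "2024-01-01T10:00:01.000Z"),
              delivery("evt-2", "2024-01-01T10:00:02.000Z"),
              delivery("evt-3", "2024-01-01T10:00:09.000Z")]
    buf = LogStreamBuffer()
    dupes = sum(buf.ingest(d) for d in stream)
    watermark = datetime(2024, 1, 1, 10, 0, 5, tzinfo=timezone.utc)
    return dupes, [e["eventId"] for e in buf.release(watermark)], len(buf.pending)
```

Choose the release watermark as the current time minus a grace window. Because no maximum latency is guaranteed, an event older than the watermark can still arrive afterwards and needs separate handling, and a max_seen value that is too small lets an old duplicate through.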

Stream targets that receive logs are Non-Okta Applications. Non-Okta Applications include web-based, offline, mobile, or other software application functionality that is provided by you or a third party and interoperates with the Okta Service. You should only send logs to Non-Okta Applications if you are authorized on behalf of your organization to do so. Okta cannot guarantee continued partnerships or functionality with any Non-Okta Applications.

Related topics

Add an AWS EventBridge log stream

Add a Splunk Cloud log stream

Edit the status of your log stream