Log streaming
Use log streaming to easily export Okta System Log events to supported external platforms, either Amazon EventBridge or Splunk Cloud, in near real time. You can use these platforms to:
-
Monitor Okta for suspicious activity.
-
Automate actions to mitigate risks in response to specific event types.
-
Raise alerts, troubleshoot issues, and perform root cause analysis.
-
Retain events for extended periods of time to meet compliance requirements.
Log streaming events, such as stream activation or deletion, are eligible for event hooks. For a list of those events, see the events catalog.
Limitations and known issues
-
Only Okta creates and maintains available integrations. ISV submissions aren't currently accepted.
-
Okta sends all System Log events to a configured log stream target. No event filtering is supported.
-
Replay functionality (resend events during a specific point in time) isn't currently supported.
-
If the log stream target stops acknowledging a log stream, Okta deactivates the log stream and no events are sent to the log stream target. When the target is healthy again, you must activate the log stream from the log streaming page in the Okta Admin Console.
-
Event delivery: Delivery of events is best effort. Events are delivered at least once to an active log stream. Sometimes events may arrive out of order and an event may be sent multiple times. To establish ordering, you can use the time stamp contained in the data.events.published property of each event. To detect duplicate event delivery, compare the eventId value of incoming events with the values of previously received events.
If the log stream responds to a delivery event with an error or if it times out, the delivery attempt fails. Okta retries delivery when either happens. Only two delivery attempts are made without any additional wait time between retries before deactivating the log stream. You can view the system.log_stream.lifecycle.deactivate event in the System Log user interface or using the System Log API. The stream state indicates that it's deactivated in the log stream configuration.
-
Event latency: Okta doesn't guarantee a maximum duration between the occurrence of an event and the delivery to a log stream. In addition, where a third-party service is specified as the log stream, the third-party service may insert a delay that is outside of Okta's control. If Okta hasn't reported an issue but events associated with an active stream don't appear in the specified third-party service, contact that service's support organization.
-
Stream targets that receive logs are Non- Okta Applications. Non-Okta Applications include web-based, offline, mobile, or other applications that are provided by you or a third party and interoperate with the Okta Service.
Send logs to Non-Okta Applications only if you're authorized on behalf of your organization to do so. Okta can't guarantee continued partnerships or functionality with any Non-Okta Applications.