This section provides instructions to initialize the Okta beat after configuration. It focuses primarily on pulling the system log from Okta cloud.
Prerequisites
- Open Collector is installed. If you have not already installed it, follow the instructions in the Open Collector Installation and User Guide, and then return to this topic.
- Okta Cloud domain name. You can get this from the Okta Developer Console. Follow the instructions here https://developer.okta.com/docs/guides/find-your-domain/findorg/ for more information.
- Okta Cloud API Token. If you don't have one, follow the instructions here https://developer.okta.com/docs/guides/create-an-api-token/create-the-token/, and then return to this topic.
- The following port is open:

| Direction | Port | Protocol | Source |
|---|---|---|---|
| Outbound | 443 | HTTPS | oktabeat |

Initialize the Beat via the Web Console (Recommended)
- Ensure that the Open Collector Connection to the SIEM (WebUI) setup has been completed.
- Ensure that the System Monitor Agent to which you intend to send these logs has been Configured for JSON Parsing.
  Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent sections at the above link to configure the System Monitor Agent for JSON Parsing.
- Follow the steps outlined in Add a Beat in the Web Console to create the Beat via the Web UI.
Initialize the Beat via Command Line (Legacy)
- Start the beat:
    ./lrctl oktabeat start
- Use the Up and Down Arrow keys to select New oktabeat instance from the list, and then press Enter.
- Enter the unique identifier for this oktabeat instance, and then press Enter.
- Enter the Okta Domain that this beat is collecting from, and then press Enter.
  For more information on your Okta Domain, go to Find your Okta Domain.
- Enter the Okta API Key, and then press Enter.
  For security purposes, the API Key is stored in encrypted format.
- Enter the hostname or IP address of the System Monitor Agent that has been Configured for JSON Parsing, and then press Enter.
  Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent sections at the above link to configure the System Monitor Agent for JSON Parsing.
- Enter the port on which the System Monitor Agent is configured to listen for JSON data (the default is 5044), and then press Enter.
  The Oktabeat service started message appears.
- Check the status of the service to confirm that it’s running:
    ./lrctl oktabeat status
- (Optional) Edit the oktabeat configuration to update the values set in Step 2 if needed. Ensure that you have all the needed information for each step above available as you will need to re-enter it:
    ./lrctl oktabeat config edit
Default Config Values for Okta Beat:
| S.No | Field Name | Default Values |
|---|---|---|
| 1. | heartbeatinterval | 60s |
| 2. | heartbeatdisabled | false |
| 3. | period | 2s |
| 4. | throttlingIntervalSecs | 60 (Should always be greater than 0.) |
| 5. | numbackdaysData | 7 (Number of back days should be a non-negative number. oktabeat supports only 180 days back log data. Therefore the range for this value is 1-180 days.) |
| 6. | apiKey | User Provided (API token provided by the user.) |
| 7. | oktaURL | User Provided (Okta cloud domain provided by the user.) |
| 8. | limit | 1000 (Supported limit range is 1-1000.) |

For commands to inspect or edit a configuration, see the configuration information in Open Collector Installation Tips.
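
A pre-flight check for the prerequisites and the ranges in the Default Config Values table, as an added example that is not LogRhythm's or Okta's code. The function names are hypothetical, and it assumes that `oktaURL` takes either the bare Okta domain or an `https://` URL to it; the live check uses Okta's public System Log endpoint (`/api/v1/logs`) with the `SSWS` authorization scheme.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

HOST_RE = re.compile(r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def okta_host(value):
    """Return the hostname for a bare domain or https:// URL (assumed forms), else None."""
    try:
        u = urlsplit(value if "://" in value else "https://" + value)
        # The API token is sent to this host: reject http, userinfo, paths, other ports.
        if (u.scheme != "https" or u.username or u.path.strip("/")
                or u.query or u.port not in (None, 443)):
            return None
        return u.hostname if HOST_RE.match(u.hostname or "") else None
    except ValueError:  # malformed port or bracketed host
        return None


def validate_settings(cfg):
    """Check integer settings against the ranges in the table; return a list of problems."""
    problems = []
    if okta_host(cfg.get("oktaURL", "")) is None:
        problems.append("oktaURL is not an HTTPS Okta domain")
    if not 1 <= cfg.get("limit", 1000) <= 1000:
        problems.append("limit must be 1-1000")
    if not 1 <= cfg.get("numbackdaysData", 7) <= 180:
        problems.append("numbackdaysData must be 1-180")
    if cfg.get("throttlingIntervalSecs", 60) <= 0:
        problems.append("throttlingIntervalSecs must be greater than 0")
    return problems


def check_token(domain, token, timeout=10):
    """Live check: one System Log request over HTTPS/443. Returns (ok, detail)."""
    host = okta_host(domain)
    if host is None:
        return False, "invalid domain"
    req = urllib.request.Request(f"https://{host}/api/v1/logs?limit=1",
                                 headers={"Authorization": f"SSWS {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return True, f"HTTP {resp.status}"
    except urllib.error.HTTPError as e:
        return False, f"HTTP {e.code}"  # e.g. 401 when the token is rejected
    except (OSError, ValueError) as e:  # DNS, TLS or blocked outbound port
        return False, f"{type(e).__name__}: {e}"
```

Run `check_token` from the Open Collector host so that it also exercises the outbound 443 rule, and read the token with `getpass.getpass()` rather than passing it on the command line.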