
API - Okta Event

Okta is an integrated identity management and mobility management service that securely connects people to their applications from any device, anywhere, at any time. The System Monitor Agent can import Okta logs into LogRhythm for analysis. This document explains how to configure the collection of Okta logs via the LogRhythm System Monitor Agent.

Prerequisites

Before attempting these instructions, have the following available:

  • Access to the LogRhythm System Monitor Agent collecting Okta log files.
  • A security token obtained from Okta. Tokens that grant access to the API are generated in the Security > API section of the admin application.

Configure the okta.ini File

The Okta configuration file must be located on the host of the Agent collecting logs. A sample file is installed in the LogRhythm System Monitor's config directory, typically C:\Program Files\LogRhythm\LogRhythm System Monitor\config. Use this file to create the okta.ini file to be used on the Agent host that will be collecting logs.

The table below contains the contents of the okta.ini file. The okta.ini file is used to create a secure connection between the LogRhythm System Monitor and the Okta log collection device.

| Setting | Default Value | Description |
| --- | --- | --- |
| OktaEndpoint | https://dev-123.oktapreview.com | The Okta Uniform Resource Identifier. The URI should always follow this format: https://[companyname].okta.com. Ensure this line includes https:// |
| SecurityToken | CHANGE_THIS | This is the API security token obtained from Okta. The security token must be encrypted using the lrcrypt command line utility. Usage: lrcrypt [-e passwordtoencrypt]. You must manually paste the encrypted value into the configuration file. See LogRhythm Password Encryption for more information on how to use the LogRhythm Encryption Utility. |
| Timeout | 300 | The timeout (in seconds) to use when requesting data from the Okta server. The valid range for this value is 0-300 (0=infinite). |
| RateLimitThreshold | 16 | Throttling. Number of requests left for the current rate-limit window. Range 1-50 (Default: 16). |
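
A pre-deployment check for the settings in the table above, added here as an example and not LogRhythm's own tooling. It assumes okta.ini uses plain key=value lines (the file layout is not shown on this page); the function names and the sample file are constructed for illustration.

```python
# Documented ranges from the settings table: (min, max), inclusive.
RANGES = {"Timeout": (0, 300), "RateLimitThreshold": (1, 50)}
REQUIRED = ("OktaEndpoint", "SecurityToken", "Timeout", "RateLimitThreshold")


def parse_ini(text):
    """Parse key=value lines; skip blanks, comments and [section] headers (assumed layout)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def check_okta_ini(text):
    """Return a list of findings; an empty list means the documented constraints hold."""
    cfg, findings = parse_ini(text), []
    findings += [f"{key}: missing" for key in REQUIRED if key not in cfg]
    if "OktaEndpoint" in cfg and not cfg["OktaEndpoint"].lower().startswith("https://"):
        findings.append("OktaEndpoint: must include https://")
    if cfg.get("SecurityToken") in ("", "CHANGE_THIS"):
        findings.append("SecurityToken: placeholder or empty; paste the lrcrypt-encrypted value")
    for key, (low, high) in RANGES.items():
        if key not in cfg:
            continue
        try:
            value = int(cfg[key])
        except ValueError:
            findings.append(f"{key}: not an integer")
            continue
        if not low <= value <= high:
            findings.append(f"{key}: {value} outside {low}-{high}")
    if cfg.get("Timeout") == "0":
        findings.append("Timeout: 0 disables the timeout (infinite wait)")
    return findings


# Constructed sample: sample defaults left in place, plus an out-of-range throttle value.
SAMPLE = """\
OktaEndpoint=http://dev-123.oktapreview.com
SecurityToken=CHANGE_THIS
Timeout=0
RateLimitThreshold=75
"""

if __name__ == "__main__":
    print("\n".join(check_okta_ini(SAMPLE)))
```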

After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

The name of the log message source is API - Okta Event. In addition, when configuring this log source:

  • For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
  • For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
  • On the Flat File Settings tab, enter the following:
      • File Path. <path to log file, including the file name and extension>

        For multiple users, you can create multiple configuration files and multiple Okta log sources.
