Okta
Step 1: Configure collection
In this step, you configure an HTTP Source to collect Okta log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to Configure an HTTP Source below. Otherwise, create a new collector as described in Configure a Hosted Collector below, and then create the HTTP Source on the collector.
Configure a Hosted Collector
- In the Sumo Logic platform, select Manage Data > Collection > Collection.
- Click Add Collector.
- Click Hosted Collector.
- The Add Hosted Collector popup appears.
- Name. Provide a name for the Collector.
- Description. (Optional)
- Category. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called
_sourceCategory
. - Fields.
- If you are planning that all the sources you add to this collector will forward log messages to CSE, click the +Add Field link, and add a field whose name is
_siemForward
and value is true. This will cause the collector to forward all of the logs collected by all of the sources on the collector to CSE. - If all sources in this collector will be Okta sources, add an additional field with key
_parser
and value /Parsers/System/Okta/Okta.
- If you are planning that all the sources you add to this collector will forward log messages to CSE, click the +Add Field link, and add a field whose name is
note
It’s also possible to configure individual sources to forward to CSE, as described in the following section.
Configure an HTTP Source
- In Sumo Logic, select Manage Data > Collection > Collection.
- Navigate to the Hosted Collector where you want to create the source.
- On the Collectors page, click Add Source next to a Hosted Collector.
- Select HTTP Logs & Metrics.
- The page refreshes.
- Name. Enter a name for the source.
- Description. (Optional)
- Source Host. (Optional) Enter a string to tag the messages collected from the source. The string that you supply will be saved in a metadata field called
_sourceHost.
- Source Category. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called
_sourceCategory
. - SIEM Processing. Click the checkbox to configure the source to forward log messages to CSE.
- Fields. If you are not parsing all sources in the hosted collector with the same parser, click the +Add Field link, and add a field whose name is
_parser
with value /Parsers/System/Okta/Okta. - Advanced Options for Logs. For information about the optional advance options you can configure, see HTTP Logs and Metrics Source.
- Click Save.
- Make a note of the HTTP Source URL that is displayed. You’ll supply it in Step 2 below.
Step 2: Configure Okta
In this step you configure Okta to send log messages to the Sumo Logic platform. For instructions, see Stream Logs to Sumo Logic in Okta help.
Step 3: Verify ingestion
In this step, you verify that your logs are successfully making it into CSE.
- Click the gear icon at the top of the CSE UI, and select Log Mappings under Incoming Data.
- On the Log Mappings page search for Okta and check under Record Volume.
- For a more granular look at the incoming records, you can also use the Sumo Logic platform to search for Okta security records.