Analyze Okta events for better security and observability
Prabhat Sharma
June 21, 2024
4 min read
Don’t forget to share!
Introduction
Okta is a popular identity and access management service that provides secure access to applications and APIs. It offers a wide range of features, including single sign-on, multi-factor authentication, and user provisioning. Okta generates logs for various events, such as user logins, password changes, and application access, which can be used for monitoring, auditing, and troubleshooting purposes.
We will collect Okta logs and send them to OpenObserve for analysis. OpenObserve is a cloud-native observability platform that helps you monitor, analyze, and troubleshoot your applications and infrastructure. By sending Okta logs to OpenObserve, you can gain insights into user activities, security events, and system performance, enabling you to make informed decisions and improve your security posture.
Sending Okta Logs to OpenObserve using Amazon Eventbridge
Monitoring and analyzing logs is crucial for maintaining security, ensuring compliance, and troubleshooting issues. Okta, a leading identity and access management service, offers streaming logs that can be sent to various destinations for further analysis. This blog will guide you through the process of sending Okta logs to Amazon EventBridge, which will then send them to Kinesis Firehose, ultimately forwarding them to OpenObserve.
Prerequisites
Before we start, ensure you have the following:
- An Okta account with administrative privileges.
- An AWS account with appropriate permissions to create and manage EventBridge, Kinesis Firehose, and other related services.
- An OpenObserve instance or cloud account ready to receive logs.
Step 1: Configure Kinesis Firehose
1.1 Create a Kinesis Firehose Delivery Stream
- Open the AWS Management Console and navigate to Kinesis Firehose.
- Click Create delivery stream.
- Choose Direct PUT or other sources as the source and click Next.
- Name your delivery stream (e.g.,
OktaLogsFirehose). - In the Destination section, select your desired destination. For this, we will use HTTP.
- Configure the HTTP endpoint to forward logs to OpenObserve by getting values from OpenObserve ingestion page.
- Click Next.
Step 2: Configure Okta Streaming Logs
2.1 Enable System Log Streaming in Okta
- Log in to your Okta admin console.
- Navigate to Reports > Log Streaming.
- Click on Settings (gear icon) in the top right corner.
- In the Log Streaming section, click Add Log Stream.
- Select Amazon EventBridge as the destination and click Next.
2.2 Configure Amazon EventBridge in Okta
- Name
- AWS Event source name
- Enter your AWS account ID and region.
- Click Create IAM Role. This will take you to the AWS Management Console to create an IAM role with the necessary permissions.
- Once the role is created, go back to the Okta admin console and click Save.
Step 3: Set Up Amazon EventBridge
At this point you should have an entry in your Eventbridge that you must accept.
At this point you will have a custom event bus created in your AWS account.
You can now create a rule to capture Okta events.
3.1 Create a Rule to Capture Okta Events
- In the EventBridge console, click on Rules in the left navigation pane.
- Click Create rule.
- Enter a name for your rule (e.g.,
CaptureOktaLogs) and select your event bus. - In the Define pattern section, choose Event source and enter the source as
aws.partner/okta.com. - Click Next.
If all the configurations are correct, you should start seeing logs in OpenObserve in a few minutes.
3.2 Set Up Amazon EventBridge to Forward Logs to Kinesis Firehose
- In the EventBridge console, click on Targets in the left navigation pane.
- Click Create target.
- Select Kinesis Firehose as the target type.
- Choose the Kinesis Firehose delivery stream you created earlier.
- Click Create.
If all the configurations are correct, you should start seeing logs in OpenObserve in a few minutes.
Conclusion
By following these steps, you have successfully set up a pipeline to send Okta logs to Amazon EventBridge, which then sends them to Kinesis Firehose, and finally forwards them to OpenObserve. This setup ensures that your logs are captured, processed, and available for analysis in a centralized location, helping you maintain security and compliance in your organization.
Feel free to adjust the configuration based on your specific requirements and use cases. Happy logging!
