Add an AWS EventBridge log stream
To send Okta System Log events to Amazon EventBridge, you must add an AWS EventBridge log stream in Okta and configure it in the AWS console.
Prerequisites
- You’re signed in to Okta as a super admin.
- Optional (recommended). You know the AWS region of your Okta org’s deployment. You can contact Okta Support to find out your AWS region.
- You have the AWS account ID and region information for your EventBridge target.
- You have appropriate permissions to configure EventBridge to receive SaaS partner events as described in the AWS documentation.
Add an AWS EventBridge log stream
- In the Admin Console, go to the Log Streaming page. This page shows all log stream targets available in your org.
- Click Add Log Stream to start the log stream wizard.
- Select AWS EventBridge from the catalog. Click Next.
- Fill in the configuration details for your AWS EventBridge log stream:
  - Name: Provide a unique name for this log stream in Okta.
  - AWS Event Source Name: Provide a unique name without any special characters or spaces to identify this event source in Amazon EventBridge. This name becomes the last segment of the partner event source name that AWS displays.
  - AWS account ID: The 12-digit account identifier provided by AWS.
  - AWS region: Select the AWS region of your EventBridge target. The partner event source is created in that region only, and closer geographic regions mean a faster stream connection. To send the same events to multiple regions, you must create multiple log stream targets.
- Click Save. You receive a confirmation message.
The log stream that you just added appears on the Log Streaming page with its status as Active.
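The same configuration can be scripted. The following is an added example, not Okta's own code: it applies the field constraints listed above (an alphanumeric event source name, a 12-digit account ID, an AWS region code), builds the request body, and derives the partner event source name that AWS will later display. The request path `/api/v1/logStreams`, the `aws_eventbridge` type, the `settings` keys and the `SSWS` token scheme are assumptions about Okta's Log Streams API, so check them against the API reference before use; `create_log_stream` is the only function that touches the network and nothing is sent unless you call it.

```python
"""Validate and build an Okta AWS EventBridge log stream (added example)."""
import json
import re
import urllib.request

# Assumption (not stated on this page): Okta's Log Streams API takes a POST
# to /api/v1/logStreams with a type of "aws_eventbridge" and these settings.
LOG_STREAMS_PATH = "/api/v1/logStreams"

# Constraints taken from the wizard field descriptions. The event source name
# rule ("no special characters or spaces") is read conservatively as alphanumeric.
EVENT_SOURCE_NAME_RE = re.compile(r"^[A-Za-z0-9]+$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")                # 12-digit AWS account ID
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")  # e.g. us-east-1, us-gov-west-1


def validate_settings(name, event_source_name, account_id, region):
    """Return a list of problems; an empty list means the inputs look valid."""
    errors = []
    if not name or not name.strip():
        errors.append("name must not be empty")
    if not EVENT_SOURCE_NAME_RE.fullmatch(event_source_name or ""):
        errors.append("event source name must be alphanumeric with no spaces")
    if not ACCOUNT_ID_RE.fullmatch(account_id or ""):
        errors.append("account ID must be exactly 12 digits")
    if not REGION_RE.fullmatch(region or ""):
        errors.append("region must look like an AWS region code such as us-east-1")
    return errors


def build_log_stream_request(name, event_source_name, account_id, region):
    """Build the JSON body for the log stream, refusing invalid inputs."""
    errors = validate_settings(name, event_source_name, account_id, region)
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "type": "aws_eventbridge",
        "name": name,
        "settings": {
            "accountId": account_id,
            "eventSourceName": event_source_name,
            "region": region,
        },
    }


def partner_event_source_name(okta_subdomain, event_source_name):
    """Name AWS shows under Partner event sources, in the format given on this
    page: aws.partner/okta.com/<Okta subdomain>/<AWS event source name>."""
    return f"aws.partner/okta.com/{okta_subdomain}/{event_source_name}"


def create_log_stream(org_url, api_token, body):
    """POST the body to Okta (network call; not exercised offline).
    Assumes an API token presented with the SSWS scheme."""
    req = urllib.request.Request(
        org_url.rstrip("/") + LOG_STREAMS_PATH,
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Authorization": f"SSWS {api_token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed values; the account ID is the placeholder from this page's example.
    body = build_log_stream_request("EventBridge audit stream", "evershipsecuritylake",
                                    "999999999999", "us-east-1")
    print(json.dumps(body, indent=2))
    print("expect in AWS:", partner_event_source_name("evership", "evershipsecuritylake"))
```

Running the module prints the request body and the partner event source name to look for in the AWS console; the validation rejects a name with spaces or punctuation before the request leaves your machine, which is cheaper than discovering the problem as a Pending source that never appears.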
Configure the Amazon EventBridge log stream in the AWS console
Configure your Amazon EventBridge log stream to accept partner events from Okta.
- In the AWS console, go to Amazon EventBridge. Make sure the console is set to the region you selected for the log stream in Okta, because the partner event source appears only in that region.
- Select Partner event sources from the Integration section of the navigation panel.
- If you successfully activated an AWS EventBridge log stream in Okta, you should see a partner event source in the Pending status with a name following the format:
  aws.partner/okta.com/yourOktaSubdomain/yourAWSEventSourceName
- Select the partner event source and click Associate with event bus.
- On the Associate with event bus page, select the permissions that the log stream requires. Click Associate. Your partner event source becomes Active and its events are available in the corresponding event bus.
- Select Rules from the Events section of the navigation panel.
- Follow the instructions in the AWS documentation to create a rule that matches Okta events, including the following settings:
  - For Event source, select AWS events or EventBridge partner events.
  - For Creation method, select Use pattern form. You can then select Okta from the list of EventBridge partners.
- Perform an action in Okta to generate an event, such as signing in or out of the Admin Console, and confirm that the rule's target receives it. Refer to the AWS documentation to locate the corresponding event in the event bus.
Example event
The Okta System Log event is contained within the detail object. Okta doesn't control the EventBridge event structure. For more information, see Amazon EventBridge events.
{
"version": "0",
"id": "4ab6d852-09e9-1036-fc04-2e22004b3c3f",
"detail-type": "SystemLog",
"source": "aws.partner/okta.com/evership/evershipsecuritylake",
"account": "999999999999",
"time": "2023-05-30T14:17:58Z",
"region": "us-east-1",
"resources": [],
"detail": {
"actor": {
"id": "00uttidj04jqI21bA1d6",
"type": "User",
"alternateId": "user@evership.biz",
"displayName": "A User",
"detailEntry": null
},
"client": {
"userAgent": {
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"os": "Mac OS X",
"browser": "CHROME"
},
"zone": "null",
"device": "Computer",
"id": null,
"ipAddress": "127.0.0.1",
"geographicalContext": {
"city": "Fictionville",
"state": "Pennsylvania",
"country": "United States",
"postalCode": "19513",
"geolocation": {
"lat": 41.1286,
"lon": -73.4835
}
}
},
"device": null,
"authenticationContext": {
"authenticationProvider": null,
"credentialProvider": null,
"credentialType": null,
"issuer": null,
"interface": null,
"authenticationStep": 0,
"externalSessionId": "102BoThue9qT2uRBdaO_Z9msg"
},
"displayMessage": "User accessing Okta admin app",
"eventType": "user.session.access_admin_app",
"outcome": {
"result": "SUCCESS",
"reason": null
},
"published": "2023-05-30T14:17:58.126Z",
"securityContext": {
"asNumber": 6167,
"asOrg": "verizon",
"isp": "verizon",
"domain": "myvzw.com",
"isProxy": false
},
"severity": "INFO",
"debugContext": {
"debugData": {
"requestId": "ZHYFlX6QY0rHqq1oihP7CwAACSI",
"dtHash": "e463841eed07369aeb7ace43a41fcef75ccefa573ced0420039c16b0e3d7cc99",
"requestUri": "/admin/sso/callback",
"url": "/admin/sso/callback?code=******&state=vdC6CnQXeZqyxBJKBVmtej9wMnF4nM1r"
}
},
"legacyEventType": "app.admin.sso.login.success",
"transaction": {
"type": "WEB",
"id": "ZHYFlX6QY0rHqq1oihP7CwAACSI",
"detail": {}
},
"uuid": "c6ed294a-fef4-11ed-a5b1-bbb7c1de1a4b",
"version": "0",
"request": {
"ipChain": [
{
"ip": "127.0.0.1",
"geographicalContext": {
"city": "Fictionville",
"state": "Pennsylvania",
"country": "United States",
"postalCode": "19513",
"geolocation": {
"lat": 41.1286,
"lon": -73.4835
}
},
"version": "V4",
"source": null
}
]
},
"target": [
{
"id": "00uttidj04jqI21bA1d6",
"type": "AppUser",
"alternateId": "user@evership.biz",
"displayName": "A User",
"detailEntry": null
}
]
}
}
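For the rule-creation step above and the example event here, the following added example (not Okta's or AWS's code) shows the JSON that the console's pattern form produces for an Okta partner source and what such patterns match. It reimplements a subset of EventBridge's pattern semantics (exact values, `prefix`, `anything-but`, `exists`; AND across keys, OR within an array, match on any element of an event array) so that rule patterns can be tested offline against a trimmed copy of the sample event before they are deployed. The rule names and the corporate ASN allow-list are constructed for illustration, and that this matcher mirrors the service for these operators is an assumption you should confirm by sending a test event through the real bus.

```python
"""Test EventBridge rule patterns against an Okta partner event (added example)."""
import copy
import json

# Trimmed copy of the example event on this page; unused fields were dropped.
SAMPLE_EVENT = {
    "detail-type": "SystemLog",
    "source": "aws.partner/okta.com/evership/evershipsecuritylake",
    "detail": {
        "actor": {"id": "00uttidj04jqI21bA1d6", "type": "User", "alternateId": "user@evership.biz"},
        "eventType": "user.session.access_admin_app",
        "outcome": {"result": "SUCCESS", "reason": None},
        "securityContext": {"asNumber": 6167, "asOrg": "verizon", "isProxy": False},
    },
}

# Choosing Okta as the partner in the console yields this source prefix match.
OKTA_SOURCE = [{"prefix": "aws.partner/okta.com/"}]
CORPORATE_ASNS = [6167]  # constructed allow-list; 6167 is the ASN in the sample event

# Rule patterns (constructed names) in EventBridge's JSON pattern syntax.
RULES = {
    "okta-admin-app-access": {
        "source": OKTA_SOURCE,
        "detail-type": ["SystemLog"],
        "detail": {"eventType": ["user.session.access_admin_app"],
                   "outcome": {"result": ["SUCCESS"]}},
    },
    "okta-admin-access-via-proxy": {
        "source": OKTA_SOURCE,
        "detail": {"eventType": ["user.session.access_admin_app"],
                   "securityContext": {"isProxy": [True]}},
    },
    "okta-admin-access-foreign-asn": {
        "source": OKTA_SOURCE,
        "detail": {"eventType": ["user.session.access_admin_app"],
                   "securityContext": {"asNumber": [{"anything-but": CORPORATE_ASNS}]}},
    },
    "okta-failed-outcome": {
        "source": OKTA_SOURCE,
        "detail": {"outcome": {"result": [{"anything-but": "SUCCESS"}]}},
    },
}


def _match_leaf(candidates, value, present):
    """True if the value satisfies any candidate: a literal or one of the
    matcher objects supported here (prefix, anything-but, exists)."""
    for cand in candidates:
        if not isinstance(cand, dict):
            if present and value == cand:
                return True
        elif "exists" in cand:
            if cand["exists"] == present:
                return True
        elif not present:
            continue
        elif "prefix" in cand:
            if isinstance(value, str) and value.startswith(cand["prefix"]):
                return True
        elif "anything-but" in cand:
            excluded = cand["anything-but"]
            if value not in (excluded if isinstance(excluded, list) else [excluded]):
                return True
    return False


def matches(pattern, event):
    """Simplified EventBridge semantics: all pattern keys must match (AND), a
    leaf array matches if any entry does (OR), an event array matches if any
    element does, and a missing key only satisfies {"exists": false}."""
    event = event if isinstance(event, dict) else {}
    for key, sub in pattern.items():
        present = key in event
        value = event.get(key)
        values = value if isinstance(value, list) else [value]
        if isinstance(sub, dict):
            ok = any(matches(sub, v) for v in values)
        else:
            ok = any(_match_leaf(sub, v, present) for v in values)
        if not ok:
            return False
    return True


def fire_rules(rules, event):
    """Sorted names of the rules whose pattern matches the event."""
    return sorted(name for name, pattern in rules.items() if matches(pattern, event))


def with_field(event, dotted_path, value):
    """Deep-copy the event and replace one nested field, to build test variants."""
    clone = copy.deepcopy(event)
    node = clone
    *parents, last = dotted_path.split(".")
    for key in parents:
        node = node[key]
    node[last] = value
    return clone


def event_pattern_json(pattern):
    """Compact JSON for the console's JSON editor or `aws events put-rule --event-pattern`."""
    return json.dumps(pattern, separators=(",", ":"))
```

Each rule is a separate pattern because EventBridge ANDs the keys of one pattern; a single rule cannot express "proxy OR foreign ASN" without the `$or` operator, which this matcher does not implement. `event_pattern_json` exists because Python's `True`/`None` must become JSON `true`/`null` before the pattern is pasted into the console or passed to the CLI.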