Page Comparison

Table of Contents

maxLevel	2
type	flat

Introduction

The tags beginning with gateway.okta identify events generated by Okta Access Gateway logs.

Valid tags and data tables

The full tag must have four levels. The first three are fixed asgateway.okta.oag. The fourth level indicates the event subtype.

...

Technology

...

Brand

...

Type

...

Subtype

...

gateway

...

okta

...

oag

...

access

...

audit

...

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tag
Tags
Data
table
tables
Okta Access Gateway
gateway.okta.oag.access
gateway.okta.oag.access
gateway.okta.oag.audit
gateway.okta.oag.audit
gateway.okta.oag.monitor
gateway.okta.oag.monitor

How is the data sent to Devo?

Logs generated by okta must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:

...

For more information, read more about Devo tags.

Table structure

These are the fields displayed in these tables:

...

gateway.okta.oag.access

Relay rule 1 - OAG05 Access log

...

Source Port → Any, excluding the reserved ports.

...

Source Message → ^(\S+\s+\S+\s+\w+\s+\S+\s+\S+\s+-\s+-\s+.*)

gateway.okta.oag.audit
gateway.okta.oag.

...

Target Message → \m0

...

Select the Stop Processing checkbox.

...

monitor

Anchor
tag1
tag1
gateway.okta.oag.

...

Relay rule 1 - OAG02 Check Host Check Connection

Source Port → Any, excluding the reserved ports.
Source Message → ^(\S+\s+\S+)\s+(CHECK_HOST|CHECK_CONNECTION)\s+(\S+)\s+(\S+)\s+(.*)
Target Tag → gateway.okta.oag.audit
Target Message → \m1 ACCESS_GATEWAY \m2 \m3 - \m4 \m5
Select the Stop Processing checkbox.

...

Relay rule 2- OAG02 Check Host Check Connection

Source Port → Any, excluding the reserved ports.
Source Message → ^(\S+\s+\S+)\s+(CHECK_HOST|CHECK_CONNECTION)\s+(\S+)\s+(\S+)\s+(.*)
Target Tag → gateway.okta.oag.audit
Target Message → \m1 ACCESS_GATEWAY \m2 \m3 - \m4 \m5
Select the Stop Processing checkbox.

...

Relay rule 3- OAG03 Log Download Status/ Log Prepare Operation admin console

Source Port → Any, excluding the reserved ports.
Source Message → ^(\S+\s+\S+)\s+(LOG_DOWNLOAD_STATUS|LOG_PREPARE_OPERATION|ADMIN_CONSOLE)\s+(\S+)\s+(\S+)\s+(.*)
Target Tag → gateway.okta.oag.audit
Target Message → \m1 ACCESS_GATEWAY \m2 \m3 \m4 \m5
Select the Stop Processing checkbox.

...

Relay rule 4- OAG04 Script

Source Port → Any, excluding the reserved ports.
Source Message → ^(\S+\s+\S+)\s+(SCRIPT)\s+(\S+)\s+(.*)
Target Tag → gateway.okta.oag.audit
Target Message → \m1 ACCESS_GATEWAY \m2 - - \m3 \m4
Select the Stop Processing checkbox.

...

Rw tab

title	gateway.okta.oag.audit

Relay rule 1 - OAG00 OAG Monitor

Source Port → Any, excluding the reserved ports.
Source Message → ^(\S+\s+\S+\s+OAG_MONITOR\s+MONITOR\s+.*)
Target Tag → gateway.okta.oag.monitor
Target Message → \m0
Select the Stop Processing checkbox.

...

access

Field	Type	Extra field	Source field name
eventdate	`timestamp`
rawHostName	`str`	✓
rawHostIp	`str`	✓
rawMessage	`str`	✓	message
hostchain	`str`	✓
tag	`str`	✓
TIMESTAMP	`timestamp`	✓
HOSTNAME	`str`	✓
label	`str`	✓
App_Hostname	`str`	✓
Client_IP	`ip4`	✓
Request	`str`	✓
URL	`str`	✓
HTTP_Status_Code	`int8`	✓
Request_size	`int8`	✓
HTTP_Referrer	`str`	✓
User_Agent	`str`	✓
X_Forwarded_For	`str`	✓
Request_Time	`float8`	✓
Response_Time	`float8`	✓

Anchor
tag2
tag2
gateway.okta.oag.audit

Field	Type	Extra field	Source field name
eventdate	`timestamp`
rawHostName	`str`	✓
rawHostIp	`str`	✓
rawMessage	`str`	✓	message
hostchain	`str`	✓
tag	`str`	✓
TIMESTAMP	`timestamp`	✓
HOSTNAME	`str`	✓
APPLICATION	`str`	✓
SUB_PROCESS	`str`	✓
COMPONENT	`str`	✓
SUB_COMPONENT	`str`	✓
LOG_LEVEL	`str`	✓
EVENT	`str`	✓
STRUCTURED_DATA	`str`	✓
NAME	`str`	✓
DOMAIN	`str`	✓
TYPE	`str`	✓
RESULT	`str`	✓
REASON	`str`	✓
SESSION_ID	`str`	✓
RESOURCE	`str`	✓
METHOD	`str`	✓
POLICY	`str`	✓
POLICY_TYPE	`str`	✓
DURATION	`str`	✓
APP	`str`	✓
APP_TYPE	`str`	✓
APP_DOMAIN	`str`	✓
REMOTE_IP	`str`	✓
USER_AGENT	`str`	✓
USERNAME	`str`	✓
USER	`str`	✓
SOURCE	`str`	✓
ACTION	`str`	✓
REALM	`str`	✓
SUBJECT	`str`	✓
STATUS	`str`	✓
MESSAGE	`str`	✓

Anchor
tag3
tag3
gateway.okta.oag.monitor

Field	Type	Extra field	Source field name
eventdate	`timestamp`
rawHostName	`str`	✓
rawHostIp	`str`	✓
rawMessage	`str`	✓	message
hostchain	`str`	✓
tag	`str`	✓
TIMESTAMP	`timestamp`	✓
HOSTNAME	`str`	✓
APPLICATION	`str`	✓
SUB_PROCESS	`str`	✓
COMPONENT	`str`	✓
LOG_LEVEL	`str`	✓
EVENT	`str`	✓
STRUCTURED_DATA	`str`	✓
STATUS	`str`	✓
DU_HOSTNAME	`str`	✓
FILESYSTEM	`str`	✓
MOUNT	`str`	✓
USAGE	`str`	✓
CACHE_SIZE	`int8`	✓
CURRENT_USAGE	`int8`	✓
USAGE_PERCENT	`str`	✓
USER	`str`	✓
EXPIRY	`str`	✓
SERVICE	`str`	✓
NAME	`str`	✓
UUID	`str`	✓
MESSAGE	`str`	✓

Versions Compared

Old Version 1

New Version Current

Key

Introduction

Valid tags and data tables

How is the data sent to Devo?

Table structure

Relay rule 1 - OAG05 Access log

Anchor
tag1
tag1
gateway.okta.oag.

Relay rule 1 - OAG02 Check Host Check Connection

Relay rule 2- OAG02 Check Host Check Connection

Relay rule 3- OAG03 Log Download Status/ Log Prepare Operation admin console

Relay rule 4- OAG04 Script

Relay rule 1 - OAG00 OAG Monitor

access

Anchor
tag2
tag2
gateway.okta.oag.audit

Anchor
tag3
tag3
gateway.okta.oag.monitor

tables
Okta Access Gateway	`gateway.okta.oag.access`	`gateway.okta.oag.access`
	`gateway.okta.oag.audit`	`gateway.okta.oag.audit`
	`gateway.okta.oag.monitor`	`gateway.okta.oag.monitor`

Page Comparison

Versions Compared

Old Version 1

New Version Current

Key

Introduction

Valid tags and data tables

How is the data sent to Devo?

Table structure

Relay rule 1 - OAG05 Access log

Anchortag1tag1gateway.okta.oag.

Relay rule 1 - OAG02 Check Host Check Connection

Relay rule 2- OAG02 Check Host Check Connection

Relay rule 3- OAG03 Log Download Status/ Log Prepare Operation admin console

Relay rule 4- OAG04 Script

Relay rule 1 - OAG00 OAG Monitor

access

Anchortag2tag2gateway.okta.oag.audit

Anchortag3tag3gateway.okta.oag.monitor

Anchor
tag1
tag1
gateway.okta.oag.

Anchor
tag2
tag2
gateway.okta.oag.audit

Anchor
tag3
tag3
gateway.okta.oag.monitor