Introduction
The tags beginning with gateway.okta identify events generated by Okta Access Gateway logs.
Valid tags and data tables
The full tag must have four levels. The first three are fixed as gateway.okta.oag. The fourth level indicates the event subtype.

Technology | Brand | Type | Subtype |
---|---|---|---|
gateway | okta | oag | access, audit |
These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service | Tags | Data tables |
---|---|---|
Okta Access Gateway | gateway.okta.oag.access, gateway.okta.oag.audit, gateway.okta.oag.monitor | gateway.okta.oag.access, gateway.okta.oag.audit, gateway.okta.oag.monitor |
How is the data sent to Devo?

Logs generated by Okta Access Gateway must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below.

For more information, read more about Devo tags.
Relay rule 1 - OAG05 Access log

Source Port → Any, excluding the reserved ports.
Source Message → ^(\S+\s+\S+\s+\w+\s+\S+\s+\S+\s+-\s+-\s+.*)
Target Message → \m0
Select the Stop Processing checkbox.
Relay rule 1 - OAG02 Check Host / Check Connection

Source Port → Any, excluding the reserved ports.
Source Message → ^(\S+\s+\S+)\s+(CHECK_HOST|CHECK_CONNECTION)\s+(\S+)\s+(\S+)\s+(.*)
Target Tag → gateway.okta.oag.audit
Target Message → \m1 ACCESS_GATEWAY \m2 \m3 - \m4 \m5
Select the Stop Processing checkbox.

Relay rule 2 - OAG02 Check Host / Check Connection

Source Port → Any, excluding the reserved ports.
Source Message → ^(\S+\s+\S+)\s+(CHECK_HOST|CHECK_CONNECTION)\s+(\S+)\s+(\S+)\s+(.*)
Target Tag → gateway.okta.oag.audit
Target Message → \m1 ACCESS_GATEWAY \m2 \m3 - \m4 \m5
Select the Stop Processing checkbox.

Relay rule 3 - OAG03 Log Download Status / Log Prepare Operation / Admin console

Source Port → Any, excluding the reserved ports.
Source Message → ^(\S+\s+\S+)\s+(LOG_DOWNLOAD_STATUS|LOG_PREPARE_OPERATION|ADMIN_CONSOLE)\s+(\S+)\s+(\S+)\s+(.*)
Target Tag → gateway.okta.oag.audit
Target Message → \m1 ACCESS_GATEWAY \m2 \m3 \m4 \m5
Select the Stop Processing checkbox.

Relay rule 4 - OAG04 Script

Source Port → Any, excluding the reserved ports.
Source Message → ^(\S+\s+\S+)\s+(SCRIPT)\s+(\S+)\s+(.*)
Target Tag → gateway.okta.oag.audit
Target Message → \m1 ACCESS_GATEWAY \m2 - - \m3 \m4
Select the Stop Processing checkbox.

Relay rule 1 - OAG00 OAG Monitor

Source Port → Any, excluding the reserved ports.
Source Message → ^(\S+\s+\S+\s+OAG_MONITOR\s+MONITOR\s+.*)
Target Tag → gateway.okta.oag.monitor
Target Message → \m0
Select the Stop Processing checkbox.
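To show what the relay rules above do to a raw line before it reaches a Devo table, here is an added Python script that is not part of this page, of the Devo Relay, or of Okta Access Gateway. It transcribes the rules as listed (the identical OAG02 rule is kept once), applies them in order with first-match-wins semantics, since every rule selects Stop Processing, and substitutes the `\mN` placeholders with the regex capture groups. Two things are assumed and marked in the code: `\m0` is treated as the whole regex match, and the OAG05 access rule, for which the page gives no Target Tag, is routed to gateway.okta.oag.access. The sample log lines are constructed to fit the page's regexes and are not real OAG output. The `validate_rule` check catches the common misconfiguration of a target message referencing a capture group the source regex does not have.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RelayRule:
    """One Devo Relay rule as listed on the page: a source regex, the tag the
    rewritten event is sent to, and a target template that uses \\mN placeholders."""
    name: str
    source_message: str
    target_tag: str
    target_message: str


# Rules transcribed from the page, in the order they are listed. The OAG02 rule
# appears twice on the page with identical content and is kept once here.
# ASSUMPTION: the page gives no Target Tag for the OAG05 access rule; the
# access tag from the page's tag table (gateway.okta.oag.access) is used.
RULES = [
    RelayRule("OAG05 Access log",
              r"^(\S+\s+\S+\s+\w+\s+\S+\s+\S+\s+-\s+-\s+.*)",
              "gateway.okta.oag.access", r"\m0"),
    RelayRule("OAG02 Check Host / Check Connection",
              r"^(\S+\s+\S+)\s+(CHECK_HOST|CHECK_CONNECTION)\s+(\S+)\s+(\S+)\s+(.*)",
              "gateway.okta.oag.audit", r"\m1 ACCESS_GATEWAY \m2 \m3 - \m4 \m5"),
    RelayRule("OAG03 Log Download Status / Log Prepare Operation / Admin console",
              r"^(\S+\s+\S+)\s+(LOG_DOWNLOAD_STATUS|LOG_PREPARE_OPERATION|ADMIN_CONSOLE)\s+(\S+)\s+(\S+)\s+(.*)",
              "gateway.okta.oag.audit", r"\m1 ACCESS_GATEWAY \m2 \m3 \m4 \m5"),
    RelayRule("OAG04 Script",
              r"^(\S+\s+\S+)\s+(SCRIPT)\s+(\S+)\s+(.*)",
              "gateway.okta.oag.audit", r"\m1 ACCESS_GATEWAY \m2 - - \m3 \m4"),
    RelayRule("OAG00 OAG Monitor",
              r"^(\S+\s+\S+\s+OAG_MONITOR\s+MONITOR\s+.*)",
              "gateway.okta.oag.monitor", r"\m0"),
]

# \mN placeholders in a target message. ASSUMPTION: \m0 is the whole regex
# match; for the two rules that use it the regex spans the entire line anyway.
_PLACEHOLDER = re.compile(r"\\m(\d+)")


def validate_rule(rule: RelayRule) -> List[str]:
    """Return the problems a relay would hit with this rule: a source regex that
    does not compile, or a target message referencing a capture group the regex lacks."""
    try:
        compiled = re.compile(rule.source_message)
    except re.error as exc:
        return [f"{rule.name}: source message does not compile: {exc}"]
    problems = []
    for ref in _PLACEHOLDER.findall(rule.target_message):
        if int(ref) > compiled.groups:
            problems.append(f"{rule.name}: target message uses \\m{ref} but the "
                            f"source message has only {compiled.groups} capture groups")
    return problems


def render_target(template: str, match: "re.Match") -> str:
    """Substitute every \\mN in the template with the corresponding capture group."""
    return _PLACEHOLDER.sub(lambda p: match.group(int(p.group(1))) or "", template)


def apply_relay_rules(line: str, rules=RULES) -> Optional[Tuple[str, str, str]]:
    """Run one raw syslog line through the rules in order. Every rule on the page
    selects Stop Processing, so the first matching rule wins. Returns
    (target_tag, rewritten_message, rule_name), or None when no rule matches."""
    for rule in rules:
        match = re.match(rule.source_message, line)
        if match:
            return rule.target_tag, render_target(rule.target_message, match), rule.name
    return None


# Constructed sample lines shaped to the page's regexes (not real OAG output).
SAMPLE_LINES = {
    "access": "2024-01-15T10:23:00Z oag01 access app.example.com 10.0.0.5 - - GET /index.html 200",
    "check_host": "2024-01-15T10:20:30Z oag01 CHECK_HOST backend-app.example.internal SUCCESS Host is reachable",
    "script": "2024-01-15T10:21:00Z oag01 SCRIPT backup.sh completed with status 0",
    "monitor": "2024-01-15T10:22:00Z oag01 OAG_MONITOR MONITOR disk usage 42 percent",
    "unmatched": "2024-01-15T10:24:00Z oag01 SOMETHING_ELSE no rule covers this",
}


if __name__ == "__main__":
    for rule in RULES:
        for problem in validate_rule(rule):
            print("rule problem:", problem)
    for label, line in SAMPLE_LINES.items():
        print(f"{label}: {apply_relay_rules(line)}")
```

The audit rules do not merely re-tag: they insert the literal ACCESS_GATEWAY token and pad with `-` so that every audit subtype arrives in gateway.okta.oag.audit with the same column layout, which is what lets one parser serve CHECK_HOST, SCRIPT and the admin-console events alike. A line that no rule matches (the `unmatched` sample) is returned as None here; on a real relay it would be left on its original tag, so an unexpected OAG event type shows up as data missing from the audit table rather than as an error.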
Table structure

These are the fields displayed in these tables:

access

Field | Type | Extra field | Source field name |
---|---|---|---|
eventdate | | | |
rawHostName | | ✓ | |
rawHostIp | | ✓ | |
rawMessage | | ✓ | message |
hostchain | | ✓ | |
tag | | ✓ | |
TIMESTAMP | | ✓ | |
HOSTNAME | | ✓ | |
label | | ✓ | |
App_Hostname | | ✓ | |
Client_IP | | ✓ | |
Request | | ✓ | |
URL | | ✓ | |
HTTP_Status_Code | | ✓ | |
Request_size | | ✓ | |
HTTP_Referrer | | ✓ | |
User_Agent | | ✓ | |
X_Forwarded_For | | ✓ | |
Request_Time | | ✓ | |
Response_Time | | ✓ | |
audit

Field | Type | Extra field | Source field name |
---|---|---|---|
eventdate | | | |
rawHostName | | ✓ | |
rawHostIp | | ✓ | |
rawMessage | | ✓ | message |
hostchain | | ✓ | |
tag | | ✓ | |
TIMESTAMP | | ✓ | |
HOSTNAME | | ✓ | |
APPLICATION | | ✓ | |
SUB_PROCESS | | ✓ | |
COMPONENT | | ✓ | |
SUB_COMPONENT | | ✓ | |
LOG_LEVEL | | ✓ | |
EVENT | | ✓ | |
STRUCTURED_DATA | | ✓ | |
NAME | | ✓ | |
DOMAIN | | ✓ | |
TYPE | | ✓ | |
RESULT | | ✓ | |
REASON | | ✓ | |
SESSION_ID | | ✓ | |
RESOURCE | | ✓ | |
METHOD | | ✓ | |
POLICY | | ✓ | |
POLICY_TYPE | | ✓ | |
DURATION | | ✓ | |
APP | | ✓ | |
APP_TYPE | | ✓ | |
APP_DOMAIN | | ✓ | |
REMOTE_IP | | ✓ | |
USER_AGENT | | ✓ | |
USERNAME | | ✓ | |
USER | | ✓ | |
SOURCE | | ✓ | |
ACTION | | ✓ | |
REALM | | ✓ | |
SUBJECT | | ✓ | |
STATUS | | ✓ | |
MESSAGE | | ✓ | |
monitor

Field | Type | Extra field | Source field name |
---|---|---|---|
eventdate | | | |
rawHostName | | ✓ | |
rawHostIp | | ✓ | |
rawMessage | | ✓ | message |
hostchain | | ✓ | |
tag | | ✓ | |
TIMESTAMP | | ✓ | |
HOSTNAME | | ✓ | |
APPLICATION | | ✓ | |
SUB_PROCESS | | ✓ | |
COMPONENT | | ✓ | |
LOG_LEVEL | | ✓ | |
EVENT | | ✓ | |
STRUCTURED_DATA | | ✓ | |
STATUS | | ✓ | |
DU_HOSTNAME | | ✓ | |
FILESYSTEM | | ✓ | |
MOUNT | | ✓ | |
USAGE | | ✓ | |
CACHE_SIZE | | ✓ | |
CURRENT_USAGE | | ✓ | |
USAGE_PERCENT | | ✓ | |
USER | | ✓ | |
EXPIRY | | ✓ | |
SERVICE | | ✓ | |
NAME | | ✓ | |
UUID | | ✓ | |
MESSAGE | | ✓ | |