
Collect Okta Logs

This page provides instructions for setting up log collection from Okta.

Requirements and process overview

Before you begin setting up log collection, review the required prerequisites and process overview described in the following sections.

Requirements

  • The integration between Sumo and Okta relies upon SumoJanus, a proprietary library used for script-based collection from applications such as Okta, Box, and Salesforce.
  • The system where you deploy SumoJanus and configure your installed collector and script source must have Java.

Process Overview

Setting up log collection from Okta for analysis in Sumo Logic includes the following tasks, which must be performed in the order in which they are presented.

  1. Generate an Authentication Token in Okta.
  2. Download the SumoJanus package necessary for authentication.
  3. Deploy the SumoJanus package on a local server running the Sumo Logic Collector.
  4. Edit the local properties file with the Okta token created in step 1. The Properties file will be generated in step 2 when you download and deploy the SumoJanus package.
  5. Configure an Installed Collector in Sumo Logic.
  6. Configure a Script Source in Sumo Logic to send the data from Okta to Sumo Logic.

Configuring Okta log collection

This section walks you through the process of setting up log collection from Okta for analysis in Sumo Logic.

Step 1: Generate the Okta API token

Create an Okta API token, following the instructions on the Create an API token page in Okta help. You will add the token to the SumoJanus properties file later in this procedure.

Step 2: Download the SumoJanus packages

The following SumoJanus files are required to collect logs from Okta.

  Package                               File (Linux and Windows)
  SumoJanus v3.0.1 package file         sumojanus-dist.3.0.1.tar.gz
  Okta bundle package for SumoJanus     sumojanus-Okta-r1.0.1.tar.gz

Step 3: Deploy the SumoJanus packages

If you have not previously set up SumoJanus, follow the steps in New SumoJanus installation. If you have previously set up SumoJanus, follow the instructions in SumoJanus installation update.

New SumoJanus installation
  1. Copy the two package files you downloaded to the same folder, then unzip them there.
    • On Linux, run the following commands:
      tar xzvf sumojanus-dist.3.0.1.tar.gz
      tar xzvf sumojanus-Okta-1.0.1.tar.gz
    • On Windows, use Windows Explorer to open the packages. Unzip the archives in the order they are listed above: first sumojanus-dist.3.0.1.tar.gz and then sumojanus-Okta-1.0.1.tar.gz. If your unzip utility prompts you with a merge option, use it to merge the two unzipped archives into the directory structure shown in Required SumoJanus installation directory structure below.
Required SumoJanus installation directory structure

Regardless of your operating system, the contents of the archives you unzipped above should have the following merged directory structure within a sumojanus directory.

The bundle, conf, sumo-bundle, and data directories come from the sumojanus-dist.3.0.1 archive.

The sumojanus-Okta-1.0.1 archive provides the bin directory and one file (OktaCollector-1.0.1.jar) that should be unpacked into the sumo-bundle directory.


SumoJanus installation update

If you have previously set up SumoJanus, be aware that you can’t mix SumoJanus v2.0 and v3.x, and we recommend that you deploy v3.x in a separate folder. If you already have a v3.x SumoJanus folder, follow these steps:

  1. Back up the conf/ and data/ folders.
  2. Copy the file sumojanus-Okta-1.0.1.tar.gz to the parent folder where SumoJanus is currently installed.
  3. From there, unzip the file using the following command: tar xzvf sumojanus-Okta-1.0.1.tar.gz
     This copies the files from the Okta package into the sumojanus folder.

Step 4: Edit the Properties file

  1. Open the file <sumojanus_foldername>/conf/ in a text editor and add the following lines. You will replace the <variables> with information you enter in the following steps.
path = .

# provide the parameters for a bundle via a unique section after this 
# required, your Okta API token 
api_token = <generated_Okta_api_token>
# required, your okta account URL, e.g: 
okta_org_url = https://<>
# required, file to keep track of the okta event stream 
stream_pos_path = <${path}/data/okta_checkpoint.dat>
# optional, maximum pagination limit is 100 
# pagination_limit = 100
# optional, start time window to query, in epoch milliseconds. Default is 7 days ago. 
# start_time = 1435709058000 
# optional, end time window to query, in epoch milliseconds. Default is 1 minute ago 
# end_time = 1436377600000

  2. api_token. Enter the Okta API token that you created in the Generate the Okta API token step.
  3. okta_org_url. Enter your Okta URL. Note that the URL starts with https, not http.
  4. stream_pos_path. Replace the ${path} variable with the actual path on the server where SumoJanus is installed, for example "/home/sumojanus".
  5. Save your changes. Your sumojanus/conf/ file should look similar to this example:

    Okta Properties File
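Because the properties file above holds a live Okta API token and drives the whole collection, it is worth auditing before the first collector run. The following is an added example, not part of SumoJanus or this page: it parses the key = value lines, flags placeholders that were never replaced, an http:// org URL, out-of-range optional values, and, on POSIX hosts, a token file readable by other local accounts. The sample contents, the org hostname and the token value are constructed.

```python
# Added example, not part of SumoJanus: audit the conf file from Step 4 before the first collector run.
import os
import re
import stat

PLACEHOLDER = re.compile(r"<[^>]*>|\$\{path\}")  # an unreplaced <...> or ${path} placeholder

def parse_properties(text):
    """Parse 'key = value' lines; comment lines and [section] headers are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#[":
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def audit_properties(text, mode=None):
    """Return a list of problems; an empty list means the file is ready for SumoJanus."""
    p, problems = parse_properties(text), []
    for key in ("api_token", "okta_org_url", "stream_pos_path"):
        value = p.get(key, "")
        if not value:
            problems.append(f"{key}: missing")
        elif PLACEHOLDER.search(value):
            problems.append(f"{key}: placeholder not replaced ({value})")
    if p.get("okta_org_url") and not p["okta_org_url"].startswith("https://"):
        problems.append("okta_org_url: must start with https://, not http://")
    limit = p.get("pagination_limit", "100")
    if not limit.isdigit() or not 1 <= int(limit) <= 100:
        problems.append("pagination_limit: must be an integer from 1 to 100")
    start, end = p.get("start_time", "0"), p.get("end_time", "1")
    if not (start.isdigit() and end.isdigit() and int(start) < int(end)):
        problems.append("start_time/end_time: must be epoch milliseconds with start before end")
    # The file holds an Okta API token, so no other local account should be able to read it.
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("permissions: file is group/world accessible, run chmod 600 on it")
    return problems

def audit_properties_file(path):
    """Audit a file on disk, including its permission bits."""
    with open(path, encoding="utf-8") as fh:
        return audit_properties(fh.read(), stat.S_IMODE(os.stat(path).st_mode))

# Constructed samples: the file as generated by Step 4, and after the placeholders are filled in.
UNEDITED = ("path = .\napi_token = <generated_Okta_api_token>\nokta_org_url = http://example.okta.com\n"
            "stream_pos_path = <${path}/data/okta_checkpoint.dat>\n")
READY = ("path = /home/sumojanus\napi_token = 00constructed-token-value\nokta_org_url = https://example.okta.com\n"
         "stream_pos_path = /home/sumojanus/data/okta_checkpoint.dat\npagination_limit = 100\n")
```

Call audit_properties_file() with the path of your own conf file; the permission check only applies on Linux, since Windows ACLs are not expressed in mode bits.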

Step 5: Configure a Collector

Configure an Installed Collector on a Linux or Windows machine. By default the Collector will come with a Java Runtime Environment. To ensure that SumoJanus can locate Java, you may need to update the .bat or .bash file, as described below.

On Windows, update SumoJanus_Okta.bat

Navigate to the folder where you installed SumoJanus, and open SumoJanus_Okta.bat in a text editor. Line 3 of the script sets JAVAPATH to C:\Program Files\Sumo Logic Collector\jre\bin as shown below:

set JAVAPATH="C:\Program Files\Sumo Logic Collector\jre\bin"

If your collector JRE is in a different location, update Line 3 accordingly.  

On Linux, update SumoJanus_Okta.bash

Navigate to the folder where you installed SumoJanus, and open SumoJanus_Okta.bash in a text editor. Update the script as follows:

  1. Add a line that sets JAVA_HOME to point to the location of your JRE, just before the last line of the script. For example, if your collector's JRE is in /opt/SumoCollector/jre/bin, insert this line:

    JAVA_HOME=/opt/SumoCollector/jre/bin

  2. The last line of the script is:

    java -jar ${SUMOJANUS_JAR_FILE} ${runMode} OktaCollector-1.0.1.jar -e 1800

    Prefix the line with $JAVA_HOME/, like this:

    $JAVA_HOME/java -jar ${SUMOJANUS_JAR_FILE} ${runMode} OktaCollector-1.0.1.jar -e 1800

Step 6: Configure a Source

For guidance creating your Source Category naming convention, see Best Practices: Good Source Category, Bad Source Category.

To configure a script source, do the following:
  1. Configure a Script Source.
  2. Configure the Source fields:
    1. Name. OktaCollector.
    2. (Optional) Description.
    3. Source Category. okta
    4. Frequency. Every 5 Minutes
    5. Specify a timeout for your command. Activate the checkbox and select 60 Minutes.
    6. Command. For Linux, use /bin/bash. For Windows, use Windows Script. (Specify the correct path on your system.)
    7. Script. Use the absolute path to sumojanus that you created in the Deploy the Packages step, such as /home/ubuntu/sumojanus/bin/SumoJanus_Okta.bash. (Do not select "Type the script to execute.")
    8. Working Directory. $path/sumojanus, where $path is the absolute path of SumoJanus that you created in the Deploy the Packages step.
  3. Click Save.

Sample log message

Excerpt of an Okta System Log event, showing the fields that the queries below extract (other fields omitted):

{
  "actor": {
    "displayName": "Kyle Diedrich"
  },
  "client": {
    "geographicalContext": {
      "city": "San Francisco",
      "country": "United States"
    }
  },
  "displayMessage": "Delete application",
  "target": [
    {
      "alternateId": "Cisco AnyConnect VPN (2)",
      "displayName": "Cisco AnyConnect VPN"
    }
  ]
}

Query samples

Details of Applications Deleted

_sourceCategory = "okta" "application.lifecycle.delete"
| json field=_raw "eventType" as event_type
| where event_type = "application.lifecycle.delete"
| json field=_raw "outcome.result" as outcome_result
| json field=_raw "displayMessage" as display_message
| json field=_raw "published" as published_time
| json field=_raw "actor.displayName" as okta_user_name
| json field=_raw "actor.alternateId" as okta_user_id
| json field=_raw "actor.type" as actor_type
| json field=_raw "severity" as severity
| json field=_raw "target[0].displayName" as app_name
| json field=_raw "target[0].type" as app_type
| json field=_raw "client.ipAddress" as client_ip
| json field=_raw "client.geographicalContext.city" as city
| json field=_raw "client.geographicalContext.state" as state
| json field=_raw "client.geographicalContext.country" as country
| json field=_raw "client.geographicalContext.postalCode" as postal_code
| count by app_name, okta_user_id, outcome_result, display_message

Details of MFA Deactivate Event

_sourceCategory = "okta" "user.mfa.factor.deactivate"
| json field=_raw "eventType" as event_type
| where event_type = "user.mfa.factor.deactivate"
| json field=_raw "outcome.result" as outcome_result
| json field=_raw "published" as published_time
| json field=_raw "actor.displayName" as actor
| json field=_raw "actor.alternateId" as actor_id
| json field=_raw "actor.type" as actor_type
| json field=_raw "severity" as severity
| json field=_raw "client.userAgent.os" as OS
| json field=_raw "client.userAgent.browser" as browser
| json field=_raw "client.device" as device
| json field=_raw "client.ipAddress" as client_ip
| json field=_raw "client.geographicalContext.country" as country
| json field=_raw "client.geographicalContext.state" as state
| json field=_raw "client.geographicalContext.city" as city
| json field=_raw "target[0].displayName" as okta_user_name
| json field=_raw "target[0].alternateId" as okta_user_id
| count by okta_user_id, actor, outcome_result, country, state
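The two queries above, re-implemented in Python as an added example (not code from the page or from Sumo Logic) so the same detections can be checked offline against exported events: get_path resolves the Sumo-style JSON paths used above, including the target[0] array index, and count_by groups by the same keys as each count by clause. The events in SAMPLE_EVENTS, including the names and addresses in them, are constructed.

```python
# Added example, not part of the page or of Sumo Logic: the two queries above run in Python.
import re
from collections import Counter

INDEX = re.compile(r"^(\w+)\[(\d+)\]$")  # a path segment with an array index, e.g. target[0]

def get_path(event, path):
    """Resolve a Sumo-style JSON path such as 'client.ipAddress' or 'target[0].displayName'."""
    node = event
    for part in path.split("."):
        m = INDEX.match(part)
        if m:
            items = node.get(m.group(1)) if isinstance(node, dict) else None
            idx = int(m.group(2))
            node = items[idx] if isinstance(items, list) and idx < len(items) else None
        else:
            node = node.get(part) if isinstance(node, dict) else None
        if node is None:  # a missing field behaves like an empty json extraction
            return None
    return node

def count_by(events, event_type, fields):
    """'where eventType = X | count by fields': returns {tuple_of_field_values: count}."""
    counts = Counter()
    for ev in events:
        if get_path(ev, "eventType") == event_type:
            counts[tuple(get_path(ev, f) for f in fields)] += 1
    return dict(counts)

def deleted_applications(events):  # mirrors 'Details of Applications Deleted'
    return count_by(events, "application.lifecycle.delete",
                    ["target[0].displayName", "actor.alternateId", "outcome.result", "displayMessage"])

def mfa_deactivations(events):  # mirrors 'Details of MFA Deactivate Event'
    return count_by(events, "user.mfa.factor.deactivate",
                    ["target[0].alternateId", "actor.displayName", "outcome.result",
                     "client.geographicalContext.country", "client.geographicalContext.state"])

# Constructed sample events (not real data), shaped like Okta System Log records.
APP_DELETE = {"eventType": "application.lifecycle.delete", "displayMessage": "Delete application",
              "actor": {"displayName": "Kyle Diedrich", "alternateId": "kyle@example.test"},
              "outcome": {"result": "SUCCESS"}, "target": [{"displayName": "Cisco AnyConnect VPN"}]}
MFA_OFF = {"eventType": "user.mfa.factor.deactivate", "outcome": {"result": "SUCCESS"},
           "actor": {"displayName": "Admin User", "alternateId": "admin@example.test"},
           "client": {"ipAddress": "203.0.113.5", "geographicalContext": {
               "city": "San Francisco", "state": "California", "country": "United States"}},
           "target": [{"displayName": "Jane Doe", "alternateId": "jane@example.test"}]}
SAMPLE_EVENTS = [APP_DELETE, MFA_OFF, {"eventType": "user.session.start"}, APP_DELETE]
```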