Monitor Okta

Okta offers monitoring and alerting capabilities through Okta's APIs, SDKs, and Admin Console. All supported events within your Okta organization (org) are captured in the system logs, which allow you to:

  • determine connectivity status from global internet locations to your Okta org
  • identify trends related to Users, Apps, Policies, and other Okta entities
  • detect tasks that require action, such as unlocking a User or restarting an agent
  • detect suspicious activities
  • review user-reported suspicious activities
  • detect and augment certain events
  • avoid exceeding API usage limits
  • view and block IP addresses identified by the greater Okta community as threatening
  • determine the risk of an anomalous sign-in event
  • confirm that validation is working

The Admin Console contains predefined reports, system log filters, and notification tools to achieve most of these tasks. If you have external commercial or custom monitoring tools, you can integrate them with your Okta org. Okta sends the integrated tools a continuous flow of event logs or alerts for specific configured events.

NOTE: Your Okta org maintains a 90-day sliding window of system logs. If you need to retain earlier logs, you can download system logs for external processing or archiving before they pass the 90-day window.

Use the Admin Console to monitor events

The Okta Admin Console provides a rich set of visuals and tools for you to monitor your Okta org.

Integrate with external monitoring tools

You can integrate commercial log monitoring tools, such as Splunk, Sumo Logic, or Datadog, with your Okta org to monitor and analyze all your applications and web traffic. The commercial monitoring tools are typically integrated with Okta using the Okta System Log API. At a high level, the API integration process includes:

  1. Obtaining an API token from your Okta org
  2. Creating an Okta API service account for external integration (not required for all tools)
  3. In the external monitoring tool, configuring your integration properties to Okta, along with the following information:
    • Okta org domain
    • Okta API token
    • Okta API service account username and credentials (not required for all integrated tools)

These configuration properties allow the external tool to request system logs from the Okta System Log API. See Exporting Okta Log Data for details.
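The request flow an external tool performs with these properties, as an added example (not Okta's or any vendor's code): it calls the System Log API with the `SSWS` token scheme and follows `rel="next"` pagination links, refusing to send the token to any host other than the configured org. The function names and the injectable `get` transport are assumptions made for illustration.

```python
import json
import re
import urllib.parse
import urllib.request

NEXT_LINK = re.compile(r'<([^>]+)>\s*;\s*rel="next"')

def http_get(url, token):
    """Default transport: one authenticated GET; returns (events, Link header)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"SSWS {token}",  # Okta API token scheme
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), ", ".join(resp.headers.get_all("Link") or [])

def next_url(link_header, org_domain):
    """Return the rel="next" URL, but only if it stays on the configured org."""
    m = NEXT_LINK.search(link_header or "")
    if not m:
        return None
    url = m.group(1)
    # Never forward the API token to a host other than the org it belongs to.
    if not url.startswith(f"https://{org_domain}/api/v1/logs"):
        raise ValueError(f"unexpected pagination target: {url}")
    return url

def export_logs(org_domain, token, since, get=http_get, max_pages=100):
    """Yield System Log events from `since` (ISO 8601) onward, page by page."""
    query = urllib.parse.urlencode(
        {"since": since, "sortOrder": "ASCENDING", "limit": 1000})
    url = f"https://{org_domain}/api/v1/logs?{query}"
    for _ in range(max_pages):      # hard stop so a bad link cannot loop forever
        events, link = get(url, token)
        if not events:              # a next link may be present even when empty
            return
        yield from events
        url = next_url(link, org_domain)
        if url is None:
            return
```

Running such an export on a schedule shorter than the 90-day window is one way to archive logs before they age out.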

For external integration examples, refer to:

NOTE: During the integration setup, use the Admin Console for verification or troubleshooting purposes. Compare the system logs from the Admin Console with the system logs received in your external monitoring tool.

Send alerts to an external service

Your organization may have an external web service that performs extra processing for specific Okta events, such as creating or deactivating a user lifecycle event. Okta provides a webhook feature called Event Hooks, where you can set up triggers at specific events in Okta to send event payloads to an external web service. Event Hooks are asynchronous and do not affect existing Okta workflows.

For a working example of an end-to-end Event Hook setup, see the Event Hooks guide. For a list of events that support Event Hooks, see Event Hooks eligible event types.
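A sketch of the receiving side of an Event Hook, as an added example that is not taken from the Event Hooks guide: it answers the one-time verification request by echoing the `x-okta-verification-challenge` header, authenticates deliveries against a shared secret, and skips events it has already seen. It assumes the hook is configured to send the secret in the `Authorization` header; `handle_hook`, `on_event` and the in-memory `SEEN_UUIDS` set are illustrative names.

```python
import hmac
import json

SEEN_UUIDS = set()  # in-memory for the demo; use a durable store in a real service

def handle_hook(method, headers, body, secret, on_event):
    """Framework-agnostic Event Hook endpoint; returns (status, response body)."""
    h = {k.lower(): v for k, v in headers.items()}
    if method == "GET":
        # One-time verification when the hook is registered: echo the challenge.
        challenge = h.get("x-okta-verification-challenge")
        if challenge is None:
            return 400, ""
        return 200, json.dumps({"verification": challenge})
    if method != "POST":
        return 405, ""
    # Deliveries must carry the secret configured on the hook (constant-time compare).
    if not hmac.compare_digest(h.get("authorization", "").encode(), secret.encode()):
        return 401, ""
    try:
        events = json.loads(body)["data"]["events"]
    except (ValueError, KeyError, TypeError):
        return 400, ""
    if not isinstance(events, list):
        return 400, ""
    for ev in events:
        uid = ev.get("uuid") if isinstance(ev, dict) else None
        if uid is None:
            return 400, ""
        if uid in SEEN_UUIDS:   # redelivered event: acknowledge without reprocessing
            continue
        SEEN_UUIDS.add(uid)
        on_event(ev)
    return 204, ""
```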

Monitor Okta with your custom tool

You can build custom applications to monitor and analyze events in Okta using Okta SDKs and APIs.

Refer to the supported Event Types catalog for the list of events you can use to filter for the system logs you are interested in.

See Useful System Log Queries for common system log query use cases.

NOTE: When you test your custom monitoring tool, use the Admin Console for verification or troubleshooting purposes. Compare the system logs from the Admin Console with the system logs received in your custom tool.

Download system logs for analysis

You can use the Admin Console to manually download CSV files of system log query results for analysis or to be sent to a data warehouse or lake. See System Logs.

Enable and configure Okta ThreatInsight

The Okta ThreatInsight feature aggregates data across Okta customers to detect malicious IP addresses that attempt credential-based attacks. You can enable ThreatInsight through the Okta ThreatInsight Settings in the Admin Console, or through the ThreatInsight configuration API.

After ThreatInsight is enabled, Okta captures access attempts from malicious IPs in the system logs. You can also configure it to block access from the malicious IPs to your Okta org.

Monitor rate limit warnings and violations

To mitigate denial-of-service attacks and abusive actions, Okta enforces rate limits on API requests as well as other end-user inbound and outbound operations. See Rate limit overview for details.

Monitor and review the system log events for rate limits to detect rate limit warnings or violations. Use the information in these event logs to investigate access spikes, abusive actions, or traffic trends. You can set up rate limit notification emails or rate limit notifications displayed in the Admin Console banner for admins. See Set up rate limit notifications for details.
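A small triage routine for the ThreatInsight and rate limit events described in the two sections above, as an added example rather than Okta code: it builds a System Log `filter` expression for the relevant event types and summarizes matching events by type, by source IP, and by minute. The sample events are constructed and use documentation IP ranges; the function names are illustrative.

```python
from collections import Counter

RATE_LIMIT = ("system.org.rate_limit.warning", "system.org.rate_limit.violation")
THREAT = "security.threat.detected"          # logged by ThreatInsight
WATCHED = RATE_LIMIT + (THREAT,)

def build_filter(event_types=WATCHED):
    """System Log `filter` expression matching any of the given event types."""
    return " or ".join(f'eventType eq "{t}"' for t in event_types)

def triage(events):
    """Return (count per type, threat count per IP, rate limit count per minute)."""
    by_type, threat_ips, rate_minutes = Counter(), Counter(), Counter()
    for ev in events:
        etype = ev.get("eventType")
        if etype not in WATCHED:
            continue                         # ignore everything else in the feed
        by_type[etype] += 1
        if etype == THREAT:
            ip = (ev.get("client") or {}).get("ipAddress") or "unknown"
            threat_ips[ip] += 1
        else:
            # "2024-05-01T10:00:12.000Z"[:16] -> "2024-05-01T10:00"
            rate_minutes[(ev.get("published") or "")[:16]] += 1
    return by_type, threat_ips, rate_minutes

# Constructed sample events, shaped like System Log entries.
SAMPLE = [
    {"eventType": "system.org.rate_limit.warning",
     "published": "2024-05-01T10:00:12.000Z", "client": {"ipAddress": "192.0.2.10"}},
    {"eventType": "system.org.rate_limit.violation",
     "published": "2024-05-01T10:00:48.000Z", "client": {"ipAddress": "192.0.2.10"}},
    {"eventType": "security.threat.detected",
     "published": "2024-05-01T10:02:03.000Z", "client": {"ipAddress": "203.0.113.7"}},
    {"eventType": "security.threat.detected",
     "published": "2024-05-01T10:02:09.000Z", "client": {"ipAddress": "203.0.113.7"}},
    {"eventType": "user.session.start",
     "published": "2024-05-01T10:03:00.000Z", "client": {"ipAddress": "198.51.100.4"}},
]
```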

Review Okta system status

Okta provides real-time performance updates and service availability of all Okta service features at status.okta.com. Sign in as an administrator at this site to review system status reports specific to your Okta org. Subscribe to the Okta Status RSS feed to receive the latest updates on service degradation and disruptions.