System Log

The Okta System Log records system events that are related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems.

The System Log API provides near real-time, read-only access to your organization's System Log and is the programmatic counterpart of the System Log UI.

The terms "event" and "log event" are often used interchangeably. In the context of this API, an "event" is an occurrence of interest within the system, and a "log" or "log event" is the recorded fact.

The System Log API supports these primary use cases:

  • Event data export into a security information and event management system (SIEM)
  • System monitoring
  • Development debugging
  • Event introspection and audit

Note: Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See Okta API authentication methods.

For further details and examples, see System Log query.

List all System Log events
CORS
OAuth 2.0: okta.logs.read

Lists all System Log events

See System Log query for further details and examples, and System Log filters and search for common use cases.

By default, 100 System Log events are returned. If there are more events, see the header link for the next link, or increase the number of returned objects using the limit parameter.

Request
query Parameters
since
string <ISO 8601 compliant timestamp>
Default: "7 days prior to until"

Filters the lower time bound of the log events published property for bounded queries or persistence time for polling queries

until
string <ISO 8601 compliant timestamp>
Default: "current time"

Filters the upper time bound of the log events published property for bounded queries or persistence time for polling queries.

after
string <Opaque token>

Retrieves the next page of results. Okta returns a link in the HTTP Header (rel=next) that includes the after query parameter

filter
string <SCIM Filter expression>

Filter expression that filters the results. All operators except [ ] are supported. See Filter and Operators.

q
string <URL encoded string. Max length is 40 characters per keyword, with a maximum of 10 keyword filters per query (before encoding)>

Filters log events results by one or more case insensitive keywords.

limit
integer <Integer between 0 and 1000>
Default: 100

Sets the number of results that are returned in the response

sortOrder
string
Default: "ASCENDING"

The order of the returned events that are sorted by the published property

Enum: "ASCENDING" "DESCENDING"
Responses
200

Success

400

Bad Request

403

Forbidden

429

Too Many Requests

get/api/v1/logs
Request samples 
Response samples 
application/json
[
  • {
    • "actor": {
      },
    • "client": {
      },
    • "device": {
      },
    • "authenticationContext": {
      },
    • "displayMessage": "User login to Okta",
    • "eventType": "user.session.start",
    • "outcome": {
      },
    • "published": "2024-08-13T15:58:20.353Z",
    • "securityContext": {
      },
    • "severity": "INFO",
    • "debugContext": {
      },
    • "legacyEventType": "core.user_auth.login_success",
    • "transaction": {
      },
    • "uuid": "dc9fd3c0-598c-11ef-8478-2b7584bf8d5a",
    • "version": 0,
    • "request": {
      },
    • "target": [
      ]
    }
]