NXLog Legacy Documentation

Okta

This add-on is available for purchase. For more information, please contact us.

The NXLog Okta add-on can be used to collect logs from Okta using their REST API. Events will be passed to NXLog in Syslog format with the JSON event in the message field.

To set up the add-on, follow these steps.

  1. Install the Okta add-on.

  2. Edit the configuration entries in the nxlog-okta.cfg file (in /opt/nxlog-okta/conf/) as necessary.

  3. Configure NXLog to collect events with the im_exec module.

The script saves the current timestamp to a state file in order to properly resume when it is terminated. If the state file does not exist, the script will collect logs beginning with the current time. To manually specify a starting timestamp, pass it as an argument: ./okta-pull.pl --startdate="2014-10-29T17:13:24.000Z".

Example 1. Collecting Okta logs

This configuration uses the im_exec module to run the script, which connects to Okta and returns Syslog-encapsulated JSON. The xm_syslog parse_syslog() and xm_json parse_json() procedures are used to parse each event into internal NXLog fields. Additional modification to the fieldset can be added, as required, in the Input instance Exec block.

For the purpose of demonstration, all internal fields are then converted back to JSON and written to file.

nxlog.conf
<Extension _json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input okta>
    Module  im_exec
    Command /opt/nxlog-okta/bin/okta-pull.pl
    <Exec>
        parse_syslog();
        parse_json($Message);
    </Exec>
</Input>

<Output file>
    Module  om_file
    File    '/tmp/output'
    Exec    to_json();
</Output>