Setting up Okta System Log Streaming in Splunk

Configure Splunk Cloud to collect data via Okta Log Streaming

To stream Okta System Log events in Splunk Cloud, Configure Splunk's HTTP Event Collector (HEC) endpoint to accept HTTPS connections and collect data. For more information, see Set up and use HTTP Event Collector in Splunk Web in the Splunk documentation.

When you create the HTTP Event Collector, make sure to set the sourcetype as OktaIM2:log so that the extractions of the sourcetype work in the events collected via Log Streaming

Steps to configure Okta Log Streaming to send data via Splunk HEC

1. Sign in to your okta org as a super admin.
2. In the Admin Console, navigate to Reports > Log Streaming.
3. Click Add Log Stream to start the log stream wizard.
4. Select "Splunk Cloud" from the catalog and click Next.
5. Fill in the configuration details of your Splunk Cloud Log Stream:.
• * Name: Unique name of the log stream in Okta.
• * Splunk Edition: Select the edition.
• * Host: Enter the domain for your Splunk Cloud Instance. For example:- abc.splunkcloud.com.
• * HEC Token: The Token from your Splunk Cloud HTTP Event Collector(HEC).
6. Click Save. You will receive a confirmation message.

For more details regarding Okta Log Streaming, see "Add a Splunk Cloud Log Stream"

Important points to consider when using Okta System Log Streaming

• Okta Log Streaming is supported only on Splunk Cloud instances
• Okta Log Streaming is able to collect the live data streaming into the Okta Identity Cloud. To collect historical data, the user must configure and utilize the modular inputs provided by the add-on
• In any case if the Okta System Log Streaming faces an error such that it stops sending the data into Splunk, then that data is lost and the same data cannot be retrieved using Log Streaming.

For limitations and other known issue of Okta Log Streaming, please refer to "Limitations and known issues" in Okta Identity Cloud Help Center