system_log_events
Creates, updates, deletes, gets or lists a system_log_events resource.
Overview
Property | Value |
---|---|
Name | system_log_events |
Type | Resource |
Id | okta.logs.system_log_events |
Fields
The following fields are returned by SELECT queries:
- list_log_events
Name | Datatype | Description |
---|---|---|
actor | object | Describes the user, app, client, or other entity (actor) who performs an action on a target. The actor is dependent on the action that is performed. All events have actors. |
authenticationContext | object | All authentication relies on validating one or more credentials that prove the authenticity of the actor's identity. Credentials are sometimes provided by the actor, as is the case with passwords, and at other times provided by a third party and validated by the authentication provider. The authenticationContext contains metadata about how the actor is authenticated. For example, an authenticationContext for an event where a user authenticates with Integrated Windows Authentication (IWA) looks like the following: `{ "authenticationProvider": "ACTIVE_DIRECTORY", "authenticationStep": 0, "credentialProvider": null, "credentialType": "IWA", "externalSessionId": "102N1EKyPFERROGvK9wizMAPQ", "interface": null, "issuer": null }` In this case, the user enters an IWA credential to authenticate against an Active Directory instance. All of the user's future-generated events in this sign-in session share the same `externalSessionId`. Among other operations, this response object can be used to scan for suspicious sign-in activity or perform analytics on user authentication habits (for example, how often authentication scheme X is used versus authentication scheme Y). |
client | object | When an event is triggered by an HTTP request, the client object describes the client that issues the HTTP request. For instance, the web browser is the client when a user accesses Okta. When this request is received and processed, a sign-in event is fired. When the event isn't sourced to an HTTP request, such as an automatic update, the client object field is blank. |
debugContext | object | For some kinds of events (for example, OLM provisioning, sign-in request, second factor SMS, and so on), the fields that are provided in other response objects aren't sufficient to adequately describe the operations that the event has performed. In such cases, the debugContext object provides a way to store additional information. For example, an event where a second factor SMS token is sent to a user may have a debugContext that looks like the following: `{ "debugData": { "requestUri": "/api/v1/users/00u3gjksoiRGRAZHLSYV/factors/smsf8luacpZJAva10x45/verify", "smsProvider": "TELESIGN", "transactionId": "268632458E3C100F5F5F594C6DC689D4" } }` By inspecting the debugData field, you can find the URI that is used to trigger the second factor SMS (`/api/v1/users/00u3gjksoiRGRAZHLSYV/factors/smsf8luacpZJAva10x45/verify`), the SMS provider (`TELESIGN`), and the ID used by Telesign to identify this transaction (`268632458E3C100F5F5F594C6DC689D4`). If for some reason the information that is needed to implement a feature isn't provided in other response objects, you should scan the `debugContext.debugData` field for potentially useful fields. **Important:** The information contained in `debugContext.debugData` is intended to add context when troubleshooting customer platform issues. Both key names and values may change from release to release and aren't guaranteed to be stable. Therefore, they shouldn't be viewed as a data contract but as a debugging aid instead. |
displayMessage | string | The display message for an event |
eventType | string | The published event type. Event instances are categorized by action in the event type attribute. This attribute is key to navigating the System Log through expression filters. See Event Types catalog for a complete list of System Log event types. |
legacyEventType | string | Associated Events API Action objectType attribute value |
outcome | object | |
published | string (date-time) | Timestamp when the event is published |
request | object | The Request object describes details that are related to the HTTP request that triggers this event, if available. When the event isn't sourced to an HTTP request, such as an automatic update on the Okta servers, the Request object still exists, but the ipChain field is empty. |
securityContext | object | The securityContext object provides security information that is directly related to the evaluation of the event's IP reputation. IP reputation is a trustworthiness rating that evaluates how likely a sender is to be malicious and is based on the sender's IP address. As the name implies, the securityContext object is useful for security applications: flagging and inspecting suspicious events. |
severity | string | Indicates how severe the event is |
target | array | The entity that an actor performs an action on. Targets can be anything, such as an app user, a sign-in token, or anything else. **Note:** When searching the target array, search for a given type rather than the array location. Target types, such as `User` and `AppInstance`, for a given eventType are not always in the same array location. |
transaction | object | A transaction object comprises contextual information associated with its respective event. This information is useful for understanding sequences of correlated events. For example, a transaction object such as the following: `{ "id": "Wn4f-0RQ8D8lTSLkAmkKdQAADqo", "type": "WEB", "detail": null }` indicates that a WEB request with id `Wn4f-0RQ8D8lTSLkAmkKdQAADqo` has created this event. A transaction object with a `requestApiTokenId` in the detail object, for example: `{ "id": "YjSlblAAqnKY7CdyCkXNBgAAAIU", "type": "WEB", "detail": { "requestApiTokenId": "00T94e3cn9kSEO3c51s5" } }` indicates that this event was the result of an action performed through an API using the token identified by `00T94e3cn9kSEO3c51s5`. The token ID is visible in the Admin Console, Security > API. See API token management. For more information on API tokens, see Create an API token. |
uuid | string | Unique identifier for an individual event |
version | string | Versioning indicator |
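The field descriptions above make three points a consumer of these events has to get right: events of one sign-in session share `authenticationContext.externalSessionId`, `transaction.detail.requestApiTokenId` marks actions performed through an API token, and targets must be looked up by `type` rather than array position. The following Python is an added example (not part of this page or of Okta's or StackQL's code) that applies those three rules to constructed sample events; the event contents, IDs and field subsets are made up for illustration.

```python
import json
from collections import defaultdict

# Constructed sample System Log events (not real Okta output). Only the
# fields this page discusses are populated; all other fields are omitted.
SAMPLE_EVENTS = json.loads(r'''[
 {"uuid": "e1", "eventType": "user.session.start",
  "published": "2024-01-01T10:00:00.000Z",
  "actor": {"id": "00u1", "type": "User", "alternateId": "alice@example.com"},
  "authenticationContext": {"externalSessionId": "sessA", "credentialType": "IWA"},
  "transaction": {"id": "t1", "type": "WEB", "detail": null},
  "target": [{"id": "0oa1", "type": "AppInstance", "displayName": "Payroll"},
             {"id": "00u1", "type": "User", "alternateId": "alice@example.com"}]},
 {"uuid": "e2", "eventType": "user.lifecycle.create",
  "published": "2024-01-01T10:05:00.000Z",
  "actor": {"id": "00u2", "type": "User", "alternateId": "svc@example.com"},
  "authenticationContext": {"externalSessionId": null, "credentialType": null},
  "transaction": {"id": "t2", "type": "WEB", "detail": {"requestApiTokenId": "00Tabc"}},
  "target": [{"id": "00u9", "type": "User", "alternateId": "new.user@example.com"}]}
]''')

def targets_of_type(event, target_type):
    """Return every target entry of the given type. The page notes that a
    type is not always at the same array index, so never rely on target[0]."""
    return [t for t in event.get("target") or [] if t.get("type") == target_type]

def api_token_id(event):
    """Token ID when the event was produced through an API token, else None.
    transaction.detail may be null, so treat a missing detail as empty."""
    detail = (event.get("transaction") or {}).get("detail") or {}
    return detail.get("requestApiTokenId")

def group_by_session(events):
    """Group event UUIDs by authenticationContext.externalSessionId, which the
    page says is shared by all events of one sign-in session. Events with no
    session (for example API-token actions) land under the None key."""
    sessions = defaultdict(list)
    for ev in events:
        sid = (ev.get("authenticationContext") or {}).get("externalSessionId")
        sessions[sid].append(ev["uuid"])
    return dict(sessions)
```

Feeding the rows returned by the `list_log_events` query below into these helpers gives per-session timelines and a list of token-driven changes to review against the tokens shown under Security > API.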
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
list_log_events | select | subdomain | since, until, after, filter, q, limit, sortOrder | Lists all System Log events. See System Log query for further details and examples, and System Log filters and search for common use cases. By default, 100 System Log events are returned. If there are more events, see the header link for the next link, or increase the number of returned objects using the limit parameter. Note: The value of the `clientSecret` property in the System Log is secured by a hashing function, and isn't the value used during authentication. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
subdomain | string | The domain of your organization. This can be a provided subdomain of an official okta domain (okta.com, oktapreview.com, etc) or one of your configured custom domains. (default: my-org) |
after | string (Opaque token) | Retrieves the next page of results. Okta returns a link in the HTTP Header (`rel=next`) that includes the after query parameter. |
filter | string (SCIM Filter expression) | Filter expression that filters the results. All operators except `[ ]` are supported. See Filter and Operators. |
limit | integer (Integer between 0 and 1000) | Sets the number of results that are returned in the response |
q | string (URL encoded string. Max length is 40 characters per keyword, with a maximum of 10 keyword filters per query (before encoding)) | Filters log events results by one or more case insensitive keywords. |
since | string (ISO 8601 compliant timestamp) | Filters the lower time bound of the log events published property for bounded queries or persistence time for polling queries |
sortOrder | string | The order of the returned events that are sorted by the published property |
until | string (ISO 8601 compliant timestamp) | Filters the upper time bound of the log events published property for bounded queries or persistence time for polling queries. |
SELECT examples
- list_log_events
Lists all System Log events.
See System Log query for further details and examples, and System Log filters and search for common use cases.
By default, 100 System Log events are returned. If there are more events, see the header link for the next link, or increase the number of returned objects using the limit parameter.
> Note: The value of the `clientSecret` property in the System Log is secured by a hashing function, and isn't the value used during authentication.
```sql
SELECT
actor,
authenticationContext,
client,
debugContext,
displayMessage,
eventType,
legacyEventType,
outcome,
published,
request,
securityContext,
severity,
target,
transaction,
uuid,
version
FROM okta.logs.system_log_events
WHERE subdomain = '{{ subdomain }}' -- required
AND since = '{{ since }}'
AND until = '{{ until }}'
AND after = '{{ after }}'
AND filter = '{{ filter }}'
AND q = '{{ q }}'
AND limit = '{{ limit }}'
AND sortOrder = '{{ sortOrder }}';
```