132. Okta
The Okta add-on can be used to pull events from Okta using their REST API. Events will be passed to NXLog in Syslog format with the JSON event in the message field.
To set up the add-on, follow these steps.
- Install the add-on.
- Edit the configuration entries in the nxlog-okta.cfg file (in /opt/nxlog-okta/conf/) as necessary.
- Configure NXLog to collect events with the im_exec module.
The script saves the current timestamp to a state file in order to properly resume when it is terminated. If the state file does not exist, the script will collect logs beginning with the current time. To manually specify a starting timestamp, pass it as an argument:
./okta-pull.pl --startdate="2014-10-29T17:13:24.000Z"
This configuration uses the im_exec module to run the script, which connects to Okta and returns Syslog-encapsulated JSON. The xm_syslog parse_syslog() and xm_json parse_json() procedures are used to parse each event into internal NXLog fields. Additional modifications to the field set can be made, as required, in the Exec block of the Input instance.
For the sake of demonstration, all internal fields are then converted back to JSON and written to file.
# Extensions providing parse_json()/to_json() and parse_syslog()
<Extension _json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

# Run the pull script; each line it prints is one Syslog-wrapped JSON event
<Input okta>
    Module  im_exec
    Command /opt/nxlog-okta/bin/okta-pull.pl
    <Exec>
        # Split off the Syslog header, then promote the JSON fields from $Message
        parse_syslog();
        parse_json($Message);
    </Exec>
</Input>

# Demonstration only: re-serialize all fields to JSON and write them to a file
<Output file>
    Module  om_file
    File    '/tmp/output'
    Exec    to_json();
</Output>
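The following Python example is added here to illustrate the two behaviours described above: the pull script's state-file resume (saved timestamp, then explicit --startdate, then "now") and the Syslog-in-JSON framing that NXLog later undoes with parse_syslog() and parse_json(). It is not the add-on's okta-pull.pl, and it does not call the Okta REST API: a constructed list of sample events stands in for the API response, the events are assumed to carry a published timestamp field, and the state-file path is an assumed location under the system temp directory.

```python
"""Illustration of the Okta add-on's resume and Syslog-wrapping behaviour (added example, not the add-on's code)."""
import json
import os
import tempfile
from datetime import datetime, timezone

FACILITY_USER, SEVERITY_INFO = 1, 6       # PRI = facility * 8 + severity = 14
STATE_PATH = os.path.join(tempfile.gettempdir(), "okta-pull-example.state")  # assumed location


def load_start_time(state_path, override=None):
    """Timestamp to resume from: explicit --startdate, then the state file, otherwise 'now'."""
    if override:
        return override
    if os.path.exists(state_path):
        with open(state_path) as fh:
            saved = fh.read().strip()
            if saved:
                return saved
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def save_state(state_path, timestamp):
    """Persist the last processed timestamp atomically so a kill mid-write cannot truncate it."""
    tmp = state_path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(timestamp)
    os.replace(tmp, state_path)


def to_syslog_line(event, hostname="okta-pull", tag="okta"):
    """Wrap one JSON event as a BSD-style Syslog line: <PRI>Mon DD HH:MM:SS HOST TAG: JSON."""
    pri = FACILITY_USER * 8 + SEVERITY_INFO
    ts = datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
    stamp = ts.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {hostname} {tag}: " + json.dumps(event, separators=(",", ":"))


def parse_syslog_json(line):
    """Mirror of parse_syslog() followed by parse_json($Message): split the header,
    keep the raw message, then promote the JSON fields into the record."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing Syslog PRI")
    pri_end = line.index(">")
    pri = int(line[1:pri_end])
    month, day, clock, host, rest = line[pri_end + 1:].split(" ", 4)
    tag, message = rest.split(": ", 1)
    record = {"SyslogFacility": pri // 8, "SyslogSeverity": pri % 8,
              "Hostname": host, "SourceName": tag, "Message": message}
    record.update(json.loads(message))   # fields from the JSON event itself
    return record


def pull_once(fetch_events, state_path, startdate=None):
    """One poll cycle: resume from the saved timestamp, emit Syslog lines,
    then advance the state file to the newest event's 'published' time."""
    since = load_start_time(state_path, startdate)
    events = [e for e in fetch_events(since) if e["published"] > since]
    lines = [to_syslog_line(e) for e in events]
    if events:
        save_state(state_path, max(e["published"] for e in events))
    return lines


# Constructed sample events standing in for the Okta REST API response.
SAMPLE_EVENTS = [
    {"published": "2014-10-29T17:13:24.000Z", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"}},
    {"published": "2014-10-29T17:15:02.000Z", "eventType": "user.session.start", "outcome": {"result": "FAILURE"}},
    {"published": "2014-10-29T17:20:45.000Z", "eventType": "user.account.lock", "outcome": {"result": "SUCCESS"}},
]


def fake_fetch(since):
    """Stand-in for the REST call: return constructed events published after 'since'."""
    return [e for e in SAMPLE_EVENTS if e["published"] > since]


def demo(state_path=STATE_PATH):
    """Two poll cycles against the constructed feed: the second resumes from the state file."""
    if os.path.exists(state_path):
        os.remove(state_path)
    first = pull_once(fake_fetch, state_path, startdate="2014-10-29T17:00:00.000Z")
    second = pull_once(fake_fetch, state_path)
    with open(state_path) as fh:
        saved = fh.read()
    return first, second, saved


if __name__ == "__main__":
    first, second, saved = demo()
    for line in first:
        print(line)
    print("second cycle:", len(second), "new events; state now", saved)
```

The first cycle emits all three constructed events and records the newest published timestamp; the second cycle finds nothing newer and emits nothing, which is the property that matters for a collector that is restarted: no replayed events, no gap. Comparing the ISO 8601 strings lexicographically is valid only because every timestamp uses the same fixed-width UTC format.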