Learn step by step how to export and import Okta SIEM logs into your open source Graylog!
After many failed attempts to import Okta SIEM logs into Graylog (using the Okta documentation and some PowerShell scripts I found online) I decided to take a different approach. Here is what my final dashboard and view ended up looking like:
Prerequisites
To ingest Okta logs in to Graylog you will need the following:
You don't need to have a Sumo Logic instance or subscription to use SumoJanus. We will just use it to download the Okta logs.
Installation
I am using CentOS 7.x, but this should work with other Linux distributions.
This installation assumes the following:
# Logs stored here for okta
/opt/okta-logs
# SumoJanus installation directory
/opt/sumojanus-okta
Create path to store Okta logs
mkdir -p /opt/okta-logs
Install Java
cd /tmp
curl -L -O https://corretto.aws/downloads/latest/amazon-corretto-8-x64-linux-jdk.rpm
yum localinstall amazon-corretto-8-x64-linux-jdk.rpm
rm amazon-corretto-8-x64-linux-jdk.rpm
SumoJanus Install
mkdir -p /opt && cd /opt
curl -O https://script-collection.s3.amazonaws.com/okta/r1.0.1/sumojanus-okta-dist.1.0.1.tar.gz
tar xzvf sumojanus-okta-dist.1.0.1.tar.gz
rm sumojanus-okta-dist.1.0.1.tar.gz
Modify the sumologic.properties file to match your Okta environment:
# /opt/sumojanus-okta/conf/sumologic.properties
# replace REPLACE_WITH_YOUR_API_KEY and COMPANY_PREFIX
[generic]
path = .
[oktacollector]
api_token = REPLACE_WITH_YOUR_API_KEY
okta_org_url = https://COMPANY_PREFIX.okta.com
stream_pos_path = /opt/sumojanus-okta/conf/okta_checkpoint.dat
pagination_limit = 1000
Modify /opt/sumojanus-okta/bin/SumoJanus_Okta.bash to look like this:
#!/bin/bash
# If you run this script manually to test, call it from the main sumojanus folder: cd to "sumojanus", then call "bin/SumoJanus_Okta.bash"
if [ "$1" = "-s" ]; then
echo "Setup mode"
runMode="-s"
else
runMode="-r"
fi
JAVA_HOME=/usr/lib/jvm/java-1.8.0-amazon-corretto/jre
# Make sure JAVAPATH below is set to the JRE folder under the SumoCollector directory, default is set to the environment variable JAVA_HOME
export JAVAPATH="${JAVA_HOME}"
SUMOJANUS_JAR_FILE=`cd /opt/sumojanus-okta && ls januscore*.jar`
echo "Found SumoJanus core jar file: ${SUMOJANUS_JAR_FILE}, current path: ${PWD}, whoami: $(whoami), javapath: ${JAVAPATH}, runmode: ${runMode}"
cd /opt/sumojanus-okta && ${JAVAPATH}/bin/java -jar ${SUMOJANUS_JAR_FILE} ${runMode} OktaCollector-1.0.1.jar -e 1800
Create a script to run SumoJanus at /opt/okta-logs/getOktaLogs.sh
#!/bin/bash
# Runs the SumoJanus ingestion script
if pgrep -f "januscore-1.0.1.jar" ; then
    echo "SumoJanus is already running"
    exit 0
else
    echo "SumoJanus was not running.. attempting to start"
    # append stderr as well, so errors from earlier restarts are not overwritten
    cd /opt/sumojanus-okta && nohup ./bin/SumoJanus_Okta.bash >> /opt/okta-logs/okta.log 2>> /opt/okta-logs/okta.error
fi
Modify Crontab to keep SumoJanus Always Running
Make sure you update the PATH in the crontab and add /opt/sumojanus-okta to it:
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/opt/sumojanus-okta
* * * * * /usr/bin/flock -n /tmp/getOktaLogs.lockfile /opt/okta-logs/getOktaLogs.sh
Graylog Setup
I will only partially cover how to set up a Graylog Sidecar on the machine.
Configure a Beats Listener
Follow the instructions here to create a Beats listener.
Install Sidecar on your Linux box
Install Sidecar on the same machine where you installed SumoJanus:
mkdir -p /tmp/sidecar && cd /tmp/sidecar
curl -L -O https://github.com/Graylog2/collector-sidecar/releases/download/1.0.2/graylog-sidecar-1.0.2-1.x86_64.rpm
rpm -i graylog-sidecar-1.0.2-1.x86_64.rpm
Modify the sidecar config file to point to your environment:
/etc/graylog/sidecar/sidecar.yml
Set Sidecar to Start at Boot
sudo graylog-sidecar -service install
sudo systemctl start graylog-sidecar
Install Filebeat on the same machine where you installed SumoJanus
# set up the yum repo
sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
# use tee so the write to /etc happens under sudo (a plain "sudo cat > file" redirects as the calling user)
sudo tee /etc/yum.repos.d/elastic.repo > /dev/null <<'EOF'
[elastic-7.x]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
# install
sudo yum install -y filebeat
# run at boot
sudo systemctl enable filebeat
Step by Step Guide to Creating First Sidecar
Follow this guide to complete your sidecar setup.
Your collector will look something like this:
Set up your extractors in Graylog
I am using the following for my extractors:
{
  "extractors": [
    {
      "title": "Okta",
      "extractor_type": "json",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "",
      "extractor_config": {
        "list_separator": ", ",
        "kv_separator": "=",
        "key_prefix": "",
        "key_separator": "_",
        "replace_key_whitespace": false,
        "key_whitespace_replacement": "_"
      },
      "condition_type": "string",
      "condition_value": "{\"actor\":{\"id\""
    },
    {
      "title": "Okta2",
      "extractor_type": "json",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "",
      "extractor_config": {
        "list_separator": ", ",
        "kv_separator": "=",
        "key_prefix": "",
        "key_separator": "_",
        "replace_key_whitespace": false,
        "key_whitespace_replacement": "_"
      },
      "condition_type": "string",
      "condition_value": "{\"actor\":{\"id\""
    },
    {
      "title": "Okta - VPN Parse",
      "extractor_type": "grok",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "target",
      "target_field": "",
      "extractor_config": {
        "grok_pattern": "id=%{DATA:actor_id2}, type=%{DATA:transaction_type2}, alternateId=%{DATA:actor_alternateId}, displayName=%{DATA:actor_displayName}, detailEntry=%{DATA:detail_entry}, \\{id=%{DATA:actor_id3}, type=%{DATA:transaction_type3}, alternateId=%{DATA:transaction_type}, displayName=%{DATA:transaction_type4}, detailEntry=%{GREEDYDATA:detail_entry2}\\}"
      },
      "condition_type": "string",
      "condition_value": "displayName=Cisco ASA VPN (RADIUS)"
    }
  ],
  "version": "3.1.4"
}
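To see what these extractors do to a real event, here is an added Python simulation (not from the original post and not Graylog's code): it flattens a constructed Okta System Log event the way the JSON extractor does with key_separator "_" and list_separator ", ", then applies the VPN grok pattern above as a Python regex. That list elements are rendered as {k=v, ...} is an assumption inferred from the shape of the grok pattern.

```python
import json
import re
# Constructed Okta System Log event (compact JSON, as Okta emits it), trimmed to what the demo needs.
SAMPLE_EVENT = json.dumps({
    "actor": {"id": "00u1abc", "type": "User", "alternateId": "jane@example.com",
              "displayName": "Jane Doe", "detailEntry": None},
    "eventType": "user.authentication.auth_via_radius",
    "target": [{"id": "0oa9xyz", "type": "AppInstance", "alternateId": "Cisco ASA VPN",
                "displayName": "Cisco ASA VPN (RADIUS)", "detailEntry": None},
               {"id": "00u1abc", "type": "User", "alternateId": "jane@example.com",
                "displayName": "Jane Doe", "detailEntry": None}],
}, separators=(",", ":"))

# The grok pattern from the "Okta - VPN Parse" extractor; %{DATA} becomes (.*?), %{GREEDYDATA} (.*).
GROK = ("id=%{DATA:actor_id2}, type=%{DATA:transaction_type2}, alternateId=%{DATA:actor_alternateId}, "
        "displayName=%{DATA:actor_displayName}, detailEntry=%{DATA:detail_entry}, \\{id=%{DATA:actor_id3}, "
        "type=%{DATA:transaction_type3}, alternateId=%{DATA:transaction_type}, "
        "displayName=%{DATA:transaction_type4}, detailEntry=%{GREEDYDATA:detail_entry2}\\}")
TARGET_RE = re.compile(re.sub(r"%\{(DATA|GREEDYDATA):(\w+)\}",
                              lambda m: f"(?P<{m[2]}>.*{'?' if m[1] == 'DATA' else ''})", GROK))

def _java_str(value):  # how a list element looks once Graylog joins the list (Java toString; assumption)
    if isinstance(value, dict):
        return "{" + ", ".join(f"{k}={_java_str(v)}" for k, v in value.items()) + "}"
    return "null" if value is None else str(value)

def flatten(message, key_separator="_", list_separator=", "):
    """Mimic the JSON extractor: nested keys joined with key_separator, lists with list_separator."""
    fields = {}
    def walk(obj, prefix):
        for key, value in obj.items():
            name = f"{prefix}{key_separator}{key}" if prefix else key
            if isinstance(value, dict):
                walk(value, name)
            elif isinstance(value, list):
                fields[name] = list_separator.join(_java_str(item) for item in value)
            else:
                fields[name] = value
    walk(json.loads(message), "")
    return fields

def extract(message):
    """Apply both extractors as configured above: substring condition first, then parse."""
    if '{"actor":{"id"' not in message:            # condition_value of the "Okta" JSON extractor
        return {}
    fields = flatten(message)
    target = fields.get("target", "")
    if "displayName=Cisco ASA VPN (RADIUS)" in target:   # condition_value of "Okta - VPN Parse"
        match = TARGET_RE.search(target)
        if match:  # grok's actor_alternateId/actor_displayName overwrite the flattened actor_* keys
            fields.update(match.groupdict())
    return fields
```

Note that detail_entry comes out as "null}" because the first %{DATA} stops only at ", {id=", so the closing brace of the first target is swallowed; that is a property of the pattern, not of this simulation.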
I followed this guide, and almost every link is sending me to a “PAGE NO FOUND ERROR 404” of Graylog. I tried to finish everything and eventually I did not receive any messages from the input.
Graylog must have changed their website; you could try the Wayback Machine to load the old page.