SystemLogs
System log events.
View Specific Information
Required Scopes
To query this view, Scope must include okta.logs.read.
Select
The add-in uses the Okta API to process WHERE clause conditions built with the following columns and operators.Note that the LIKE operator is case-sensitive.
- Uuid supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- Version supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- Severity supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- EventType supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- LegacyEventType supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- DisplayMessage supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- ActorId supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- ActorType supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- ActorAlternateId supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- ClientId supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- ClientDevice supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- ClientIpAddress supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- ClientZone supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- OutcomeResult supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- TransactionId supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- TransactionType supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- AuthenticationProvider supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- AuthenticationStep supports the '>', '>=', '=', '<=', '<', and '!=' operators
- AuthCredentialProvider supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- AuthCredentialType supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- AuthExternalSessionId supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- AuthInterface supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- DebugRequestUri supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- SecurityAsNumber supports the '>', '>=', '=', '<=', '<', and '!=' operators
- SecurityAsOrg supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- SecurityISP supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- SecurityDomain supports the '>', '>=', '=', '<=', '<', '!=', and 'LIKE' operators
- SecurityIsProxy supports the '>', '>=', '=', '<=', '<', and '!=' operators
- Since supports the '=' operator
- Until supports the '=' operator
All other filters are processed client-side within the add-in.
For example, the following query is processed server-side:
SELECT * FROM SystemLogs WHERE Since='08-05-2024' AND Until = '08-06-2024' AND ClientId='0oaip3enwg675lSno5d7'
Columns
| Name | Type | Description |
| Uuid [KEY] | String | Identifier for an individual event |
| Version | String | Versioning indicator |
| Severity | String | How severe the event is |
| Published | Datetime | When the event was published. |
| EventType | String | Type of event |
| LegacyEventType | String | Associated Events action object type |
| DisplayMessage | String | Display message of an event |
| ActorId | String | Id of the entity that performs an action |
| ActorType | String | Type of actor |
| ActorName | String | Display name of the actor |
| ActorAlternateId | String | Alternate Id of the actor |
| ClientId | String | Id of the request that initiates an action |
| ClientDevice | String | Type of device from which the client operates. For example, Computer. |
| ClientIpAddress | String | IP address from which the client makes a request. |
| ClientZone | String | The name of the zone to which the client's location is mapped. |
| OutcomeResult | String | Outcome of an action |
| TransactionId | String | Id of the transaction of an action |
| TransactionType | String | Type of transaction |
| AuthenticationProvider | String | System that proves the identity of an actor using the credentials provided to it |
| AuthenticationStep | Integer | Zero-based step number in the authentication pipeline. Currently unused and always 0. |
| AuthCredentialProvider | String | Software service that manages identities and their associated credentials. |
| AuthCredentialType | String | The underlying technology or scheme used in the credential. |
| AuthExternalSessionId | String | Proxy for the actor's session id. |
| AuthInterface | String | The third-party user interface through which the actor authenticates. |
| DebugRequestUri | String | Request Uri of the debug context. |
| SecurityAsNumber | Integer | Autonomous system number associated with the system the event request was sourced to. |
| SecurityAsOrg | String | Organization associated with the system the event request was sourced to. |
| SecurityISP | String | Internet service provider used to send the event's request. |
| SecurityDomain | String | The domain name associated with the IP address of the inbound event request. |
| SecurityIsProxy | Boolean | Whether the event's request is from a known proxy. |
Pseudo-Columns
Pseudo column fields are used in the WHERE clause of SELECT statements, and offer a more granular control over the tuples that are returned from the data source.
| Name | Type | Description |
| Since | Datetime | Lower limit for the published date. Defaults to 7 days before the until parameter. |
| Until | Datetime | Upper limit for the published date. Defaults to the current time. |