OneLogin Logs
OneLogin is a cloud-based identity and access management (IAM) provider that offers unified access management to enterprise businesses. You can push your OneLogin logs to Site24x7 AppLogs to holistically monitor them under a unified console, track errors, and receive alerts and reports.
Prerequisite: You need a OneLogin enterprise or unlimited plan subscription.
Create a log type in Site24x7 AppLogs
- Log in to your Site24x7 account > Admin > AppLogs > Add Log Type.
- Enter a Display Name.
- Choose OneLogin Logs from the Log Type drop-down.
- Enter the retention period and maximum upload limit.
- The following is the default log pattern that Site24x7 AppLogs identifies for OneLogin logs.
- Log Pattern:
json $event.imported_user_id as imported_user_id$ $event.privilege_id as privilege_id$ $event.notes as notes$ $event.note_title as note_title$ $event.proxy_agent_name as proxy_agent_name$ $event.directory_sync_run_id as directory_sync_run_id$ $event.authentication_factor_id as authentication_factor_id$ $event.solved as solved$ $event.mapping_name as mapping_name$ $event.uuid as uuid$ $event.resolution as resolution$ $event.client_id as client_id$ $event.proxy_agent_id as proxy_agent_id$ $event.otp_device_id as otp_device_id$ $event.event_type_id as event_type_id:number$ $event.resource_type_id as resource_type_id$ $event.role_id as role_id$ $event.actor_user_name as actor_user_name$ $event.error_description as error_description$ $event.create._id as create__id$ $event.directory_id as directory_id$ $event.ipaddr as ipaddr$ $event.app_id as app_id$ $event.assuming_acting_user_id as assuming_acting_user_id$ $event.authentication_factor_type as authentication_factor_type$ $event.login_id as login_id$ $event.imported_user_name as imported_user_name$ $event.group_name as group_name$ $event.certificate_name as certificate_name$ $event.otp_device_name as otp_device_name$ $event.directory_name as directory_name$ $event.object_id as object_id$ $event.adc_id as adc_id$ $event.trusted_idp_name as trusted_idp_name$ $event.role_name as role_name$ $event.policy_type as policy_type$ $event.resolved_by_user_id as resolved_by_user_id$ $event.custom_message as custom_message$ $event.user_id as user_id:number$ $event.resolved_at as resolved_at$ $event.actor_system as actor_system$ $event.privilege_name as privilege_name$ $event.task_name as task_name$ $event.radius_config_name as radius_config_name$ $event.service_directory_id as service_directory_id$ $event.policy_id as policy_id$ $event.user_name as user_name$ $event.event_timestamp as event_timestamp:date:yyyy-MM-dd HH:mm:ss$ $event.api_credential_name as api_credential_name$ $event.certificate_id as certificate_id$ 
$event.actor_user_id as actor_user_id:number$ $event.param as param$ $event.adc_name as adc_name$ $event.user_field_name as user_field_name$ $event.user_field_id as user_field_id$ $event.proxy_ip as proxy_ip$ $event.note_id as note_id$ $event.policy_name as policy_name$ $event.app_name as app_name$ $event.login_name as login_name$ $event.account_id as account_id:number$ $event.group_id as group_id$ $event.authentication_factor_description as authentication_factor_description$ $event.mapping_id as mapping_id$ $event.radius_config_id as radius_config_id$ $event.trusted_idp_id as trusted_idp_id$ $event.entity as entity$
- Sample Logs:
{"event":{"create":{"_id":"c451ec08-5e1a-4d7c-b4ff-0d61e7fa83a6"},"directory_name":null,"event_type_id":11,"role_id":null,"privilege_id":null,"group_name":null,"adc_id":null,"group_id":null,"service_directory_id":null,"radius_config_name":null,"policy_id":null,"privilege_name":null,"custom_message":null,"param":null,"client_id":null,"job_id":null,"app_id":null,"risk_cookie_id":null,"self_registration_profile_name":null,"report_id":null,"resource_type_id":null,"service_job_id":null,"login_name":null,"browser_fingerprint":null,"user_field_name":null,"uuid":"c451ec08-5e1a-4d7c-b4ff-0d61e7fa83a6","user_agent":"OneLogin Faraday Client v0.2.1","actor_system":"","ipaddr":"103.26.110.197","event_location_id":null,"directory_id":null,"authentication_factor_description":null,"proxy_agent_name":null,"directory_sync_run_id":null,"safe_to_unescape":null,"event_timestamp":"2021-08-18 05:18:29 UTC","user_name":"Dev User","role_name":null,"app_name":null,"policy_name":null,"mapping_name":null,"resolution":null,"entity":null,"authentication_factor_type":null,"authentication_factor_id":null,"service_job_name":null,"user_agent_id":null,"actor_user_id":146414317,"proxy_ip":null,"note_title":null,"certificate_id":null,"note_id":null,"account_id":195258,"actor_user_name":"Dev User","solved":null,"task_id":null,"otp_device_id":null,"resolved_by_user_id":null,"assumed_by_superadmin_or_reseller":null,"report_name":null,"user_field_id":null,"risk_score":null,"object_id":null,"self_registration_profile_id":null,"user_id":146414317,"imported_user_name":null,"mapping_id":null,"login_id":null,"radius_config_id":null,"otp_device_name":null,"adc_name":null,"task_name":null,"certificate_name":null,"proxy_agent_id":null,"notes":null,"api_credential_name":null,"assuming_acting_user_id":null,"risk_reasons":null,"policy_type":null,"job_name":null,"trusted_idp_name":null,"imported_user_id":null,"error_description":null,"resolved_at":null,"trusted_idp_id":null}}
- Copy the API endpoint URL given below as shown in the screenshot.
- Click Save.
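The sample log above carries keys such as user_agent, risk_score, risk_reasons and browser_fingerprint that the default log pattern never references. The following is an added example, not Site24x7 or OneLogin code: it applies an excerpt of the pattern to a constructed subset of the sample event and lists the unreferenced keys. It assumes each token reads `$json.path as field_name:type$`, that `number` means an integer, and that timestamps are UTC.

```python
import json
import re
from datetime import datetime, timezone

# Excerpt of the log pattern shown above; the full pattern uses the same token shape.
PATTERN = ("json $event.uuid as uuid$ $event.create._id as create__id$ "
           "$event.event_type_id as event_type_id:number$ $event.ipaddr as ipaddr$ "
           "$event.user_name as user_name$ $event.user_id as user_id:number$ "
           "$event.event_timestamp as event_timestamp:date:yyyy-MM-dd HH:mm:ss$")

# Constructed sample: a subset of the keys from the sample log above.
SAMPLE = json.loads("""{"event": {"create": {"_id": "c451ec08-5e1a-4d7c-b4ff-0d61e7fa83a6"},
  "uuid": "c451ec08-5e1a-4d7c-b4ff-0d61e7fa83a6", "event_type_id": 11,
  "ipaddr": "103.26.110.197", "user_name": "Dev User", "user_id": 146414317,
  "event_timestamp": "2021-08-18 05:18:29 UTC", "user_agent": "OneLogin Faraday Client v0.2.1",
  "risk_score": null, "risk_reasons": null, "browser_fingerprint": null}}""")

TOKEN = re.compile(r"\$(\S+) as (\w+)(?::([^$]+))?\$")

def parse_pattern(pattern):
    """Return (json_path, field_name, type_spec) for each $...$ token."""
    return [(m.group(1), m.group(2), m.group(3)) for m in TOKEN.finditer(pattern)]

def flatten(obj, prefix=""):
    """Map dotted paths to leaf values, e.g. event.create._id."""
    out = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            out.update(flatten(value, prefix + key + "."))
        else:
            out[prefix + key] = value
    return out

def extract(event, fields):
    """Apply the pattern to one event, converting typed fields."""
    flat, row = flatten(event), {}
    for path, name, spec in fields:
        value = flat.get(path)
        if value is not None and spec == "number":
            value = int(value)
        elif value is not None and spec and spec.startswith("date:"):
            # Assumption: timestamps are UTC; the trailing " UTC" is ignored.
            value = datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        row[name] = value
    return row

def uncaptured(event, fields):
    """Paths present in the event that the pattern never references."""
    return sorted(set(flatten(event)) - {path for path, _, _ in fields})
```

Running uncaptured() against a real event with the full pattern shows which attributes need their own pattern tokens if you want to search or alert on them.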
Create a webhook in OneLogin
- Log in to your OneLogin account as an administrator and navigate to Developers > Webhook > New Webhook.
- Choose Event Webhook for Log Management.
- Enter the Name in the New Broadcaster pop-up. Choose SIEM as the format.
- Paste the API endpoint URL copied from the Site24x7 console in the Listener URL field.
- Provide Custom Headers, if any.
- Click Save.
- You can also refer to this link to create webhooks.
View Data
- Log in to your Site24x7 account > AppLogs.
- Enter OneLogin as the log type in the search bar and press Enter.
- You can see the following metrics in the dashboard:
  - Unauthorized API
  - Login Failures
  - App User Limit Reached
  - Failed to Authenticate App
  - Top 10 Events
  - Events By App
  - Password Changes
  - Events Over Time
  - Successful Logins Over Time
  - Failed Logins Over Time
  - Top Active Users
  - Logins By App
  - Users Created in App
  - Top 10 Errors
  - Top 10 Users By Events