OneLogin Logs

OneLogin is a cloud-based identity and access management (IAM) provider that offers unified access management to enterprise businesses. You can push your OneLogin logs to Site24x7 AppLogs to holistically monitor them under a unified console, track errors, and receive alerts and reports.

Prerequisite: You need a OneLogin enterprise or unlimited plan subscription.

Create a log type in Site24x7 AppLogs

  1. Log in to your Site24x7 account > Admin > AppLogs > Add Log Type.
  2. Enter a Display Name.
  3. Choose OneLogin Logs from the Log Type drop-down.
  4. Enter the retention period and maximum upload limit.
  5. The following is the default log pattern that Site24x7 AppLogs uses for OneLogin logs.
    • Log Pattern:
      json $event.imported_user_id as imported_user_id$ $event.privilege_id as privilege_id$ $event.notes as notes$ $event.note_title as note_title$ $event.proxy_agent_name as proxy_agent_name$ $event.directory_sync_run_id as directory_sync_run_id$ $event.authentication_factor_id as authentication_factor_id$ $event.solved as solved$ $event.mapping_name as mapping_name$ $event.uuid as uuid$ $event.resolution as resolution$ $event.client_id as client_id$ $event.proxy_agent_id as proxy_agent_id$ $event.otp_device_id as otp_device_id$ $event.event_type_id as event_type_id:number$ $event.resource_type_id as resource_type_id$ $event.role_id as role_id$ $event.actor_user_name as actor_user_name$ $event.error_description as error_description$ $event.create._id as create__id$ $event.directory_id as directory_id$ $event.ipaddr as ipaddr$ $event.app_id as app_id$ $event.assuming_acting_user_id as assuming_acting_user_id$ $event.authentication_factor_type as authentication_factor_type$ $event.login_id as login_id$ $event.imported_user_name as imported_user_name$ $event.group_name as group_name$ $event.certificate_name as certificate_name$ $event.otp_device_name as otp_device_name$ $event.directory_name as directory_name$ $event.object_id as object_id$ $event.adc_id as adc_id$ $event.trusted_idp_name as trusted_idp_name$ $event.role_name as role_name$ $event.policy_type as policy_type$ $event.resolved_by_user_id as resolved_by_user_id$ $event.custom_message as custom_message$ $event.user_id as user_id:number$ $event.resolved_at as resolved_at$ $event.actor_system as actor_system$ $event.privilege_name as privilege_name$ $event.task_name as task_name$ $event.radius_config_name as radius_config_name$ $event.service_directory_id as service_directory_id$ $event.policy_id as policy_id$ $event.user_name as user_name$ $event.event_timestamp as event_timestamp:date:yyyy-MM-dd HH:mm:ss$ $event.api_credential_name as api_credential_name$ $event.certificate_id as certificate_id$ 
$event.actor_user_id as actor_user_id:number$ $event.param as param$ $event.adc_name as adc_name$ $event.user_field_name as user_field_name$ $event.user_field_id as user_field_id$ $event.proxy_ip as proxy_ip$ $event.note_id as note_id$ $event.policy_name as policy_name$ $event.app_name as app_name$ $event.login_name as login_name$ $event.account_id as account_id:number$ $event.group_id as group_id$ $event.authentication_factor_description as authentication_factor_description$ $event.mapping_id as mapping_id$ $event.radius_config_id as radius_config_id$ $event.trusted_idp_id as trusted_idp_id$ $event.entity as entity$
    • Sample Logs:
      {"event":{"create":{"_id":"c451ec08-5e1a-4d7c-b4ff-0d61e7fa83a6"},"directory_name":null,"event_type_id":11,"role_id":null,"privilege_id":null,"group_name":null,"adc_id":null,"group_id":null,"service_directory_id":null,"radius_config_name":null,"policy_id":null,"privilege_name":null,"custom_message":null,"param":null,"client_id":null,"job_id":null,"app_id":null,"risk_cookie_id":null,"self_registration_profile_name":null,"report_id":null,"resource_type_id":null,"service_job_id":null,"login_name":null,"browser_fingerprint":null,"user_field_name":null,"uuid":"c451ec08-5e1a-4d7c-b4ff-0d61e7fa83a6","user_agent":"OneLogin Faraday Client v0.2.1","actor_system":"","ipaddr":"103.26.110.197","event_location_id":null,"directory_id":null,"authentication_factor_description":null,"proxy_agent_name":null,"directory_sync_run_id":null,"safe_to_unescape":null,"event_timestamp":"2021-08-18 05:18:29 UTC","user_name":"Dev User","role_name":null,"app_name":null,"policy_name":null,"mapping_name":null,"resolution":null,"entity":null,"authentication_factor_type":null,"authentication_factor_id":null,"service_job_name":null,"user_agent_id":null,"actor_user_id":146414317,"proxy_ip":null,"note_title":null,"certificate_id":null,"note_id":null,"account_id":195258,"actor_user_name":"Dev User","solved":null,"task_id":null,"otp_device_id":null,"resolved_by_user_id":null,"assumed_by_superadmin_or_reseller":null,"report_name":null,"user_field_id":null,"risk_score":null,"object_id":null,"self_registration_profile_id":null,"user_id":146414317,"imported_user_name":null,"mapping_id":null,"login_id":null,"radius_config_id":null,"otp_device_name":null,"adc_name":null,"task_name":null,"certificate_name":null,"proxy_agent_id":null,"notes":null,"api_credential_name":null,"assuming_acting_user_id":null,"risk_reasons":null,"policy_type":null,"job_name":null,"trusted_idp_name":null,"imported_user_id":null,"error_description":null,"resolved_at":null,"trusted_idp_id":null}}
  6. Copy the API endpoint URL given below as shown in the screenshot.
  7. Click Save.
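
The sample log above carries keys such as user_agent, risk_score and risk_reasons that the default log pattern does not name. The following is an added example, not Site24x7 code: it reads the `$path as alias:type:format$` token syntax only as it appears on this page, uses a shortened excerpt of the pattern and a constructed event, and reports which event keys a pattern leaves unnamed.

```python
import json
import re
from datetime import datetime, timezone

# Shortened excerpt of the log pattern on this page (the full pattern names more fields).
PATTERN = ("json $event.uuid as uuid$ $event.create._id as create__id$ "
           "$event.event_type_id as event_type_id:number$ $event.ipaddr as ipaddr$ "
           "$event.user_name as user_name$ $event.user_id as user_id:number$ "
           "$event.event_timestamp as event_timestamp:date:yyyy-MM-dd HH:mm:ss$")

# Constructed event in the shape of the sample log; all values are made up.
SAMPLE = json.dumps({"event": {
    "create": {"_id": "00000000-0000-4000-8000-000000000001"},
    "uuid": "00000000-0000-4000-8000-000000000001",
    "event_type_id": 11, "ipaddr": "192.0.2.10", "user_name": "Example User",
    "user_id": 1001, "event_timestamp": "2021-08-18 05:18:29 UTC",
    "user_agent": "ExampleClient/1.0", "risk_score": None, "risk_reasons": None}})

# Assumed reading of the token syntax: $<json path> as <alias>[:<type>[:<format>]]$
FIELD_RE = re.compile(r"\$(\S+) as (\w+)(?::(\w+)(?::([^$]+))?)?\$")
# Java-style date format used in the pattern and its strptime equivalent.
DATE_FORMATS = {"yyyy-MM-dd HH:mm:ss": "%Y-%m-%d %H:%M:%S"}

def parse_pattern(pattern):
    """Map alias -> (json path, type, format) for every token in the pattern."""
    return {alias: (path, typ or "string", fmt)
            for path, alias, typ, fmt in FIELD_RE.findall(pattern)}

def leaves(node, prefix=""):
    """Yield (dotted path, value) for every leaf of a nested JSON object."""
    for key, value in node.items():
        if isinstance(value, dict):
            yield from leaves(value, f"{prefix}{key}.")
        else:
            yield f"{prefix}{key}", value

def extract(fields, raw):
    """Return (typed record, event paths that the pattern does not name)."""
    flat = dict(leaves(json.loads(raw)))
    record = {}
    for alias, (path, typ, fmt) in fields.items():
        value = flat.get(path)
        if value is not None and typ == "number":
            value = int(value)
        elif value is not None and typ == "date":
            # The sample timestamp has a trailing " UTC" beyond the format's length.
            parsed = datetime.strptime(value[:len(fmt)], DATE_FORMATS[fmt])
            value = parsed.replace(tzinfo=timezone.utc)
        record[alias] = value
    return record, sorted(set(flat) - {path for path, _, _ in fields.values()})
```

Calling `extract(parse_pattern(PATTERN), SAMPLE)` returns the typed record and the list of unnamed paths; passing the full pattern and a real event in place of the excerpt shows the complete gap.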

Create a webhook in OneLogin

  1. Log in to your OneLogin account as an administrator and navigate to Developers > Webhook > New Webhook.
  2. Choose Event Webhook for Log Management.
  3. Enter the Name in the New Broadcaster pop-up. Choose SIEM as the format.
  4. Paste the API endpoint URL copied from the Site24x7 console in the Listener URL field.
  5. Provide Custom Headers, if any.
  6. Click Save.
  7. You can also refer to this link to create webhooks.

View Data

  1. Log in to your Site24x7 account > AppLogs.
  2. Enter OneLogin as the log type in the search bar and press Enter.
  3. You can see the following metrics in the dashboard:
    • Unauthorized API
    • Login Failures
    • App User Limit Reached
    • Failed to Authenticate App
    • Top 10 Events
    • Events By App
    • Password Changes
    • Events Over Time
    • Successful Logins Over Time
    • Failed Logins Over Time
    • Top Active Users
    • Logins By App
    • Users Created in App
    • Top 10 Errors
    • Top 10 Users By Events  
