Description: Step-by-step instructions for creating a custom Windows event log that records the state of Okta agents on an hourly schedule, so the events can be forwarded to a SIEM.
I recently embarked on a journey to find a solution for creating custom logging for Okta's agents, which typically run on a Windows Server platform. The goal is to give the business hourly, or near real-time, notification of whether its Okta agent processes are running. In this post I will show how to use PowerShell to create the log and write this data to the Windows Event Log, where Event Viewer and a SIEM forwarder can pick it up.
Overview:
Step 1: Create Windows Event Log
Before we can start writing log events for our services we need to create the log and register an event source within Event Viewer. We will use PowerShell's New-EventLog cmdlet, which requires an elevated (Administrator) session and only needs to run once per host; running it a second time fails because the source already exists. The LogName is the name of the log the events will be written to, while the Source identifies which app or script generated the event. We can register additional sources on the same log if we write separate scripts for other Okta agents.
Leave out the -MessageResourceFile parameter unless you actually ship a message DLL. When it is omitted, New-EventLog registers the default .NET message file and the text passed to Write-EventLog is displayed as-is; if it points at a DLL that does not exist, Event Viewer prefixes every event with "The description for Event ID ... cannot be found", which breaks any JSON parsing downstream.
New-EventLog -Source OktaAgent -LogName OktaAgentLog
Step 2: Create a Conditional IF Statement to detect if the Okta agent is running
To start, a simple IF statement tells the script to write one event if the process is running and a different event if it is not. Note that Get-Process matches on the process image name (the executable name without .exe), not on the Windows service name. In this example I use OktaAgentService, the process behind the Okta AD agent. The Okta RADIUS agent process is called okta-radius. The script can check any process on the system; you just need to supply the correct -Name value for the process you want to log. With -ErrorAction SilentlyContinue the cmdlet returns nothing instead of throwing when no matching process exists, so the IF condition evaluates to false.
if (Get-Process -Name OktaAgentService -ErrorAction SilentlyContinue) {
    # Step 3: process is running
}
else {
    # Step 4: process is not running
}
Step 3: Create an Event ID Message for when the process is running
Within the true branch we declare the success event ID to be 101 and build $message from the output of Get-Process. The properties we put on the $message object are the process name and ID, uptime in seconds, working set and private memory in MB, and the thread count. I did try to gather CPU utilization for the Okta agents, but the CPU property that Get-Process reports is cumulative processor time, and for these mostly idle services it stayed too low to be useful from a single sample, so I settled on thread count as a rough activity indicator instead. Bear in mind that thread count is not a CPU measurement; a real utilization figure needs two samples of the CPU property taken a known interval apart. Uptime is emitted as an integer number of seconds rather than a TimeSpan, because ConvertTo-Json would otherwise expand a TimeSpan into a nested object of Ticks, Days, Hours and so on. Reading StartTime of a service process that runs as SYSTEM requires an elevated session.
Next, we use ConvertTo-Json -Compress to turn the object into single-line JSON that SIEMs such as Splunk can parse directly from the event message.
Finally, we use Write-EventLog to write the Information event to the log we created.
$eventID = 101
$message = Get-Process -Name OktaAgentService | Select-Object ProcessName, Id,
    @{Label = "UptimeSeconds"; Expression = { [int]((Get-Date) - $_.StartTime).TotalSeconds }},
    @{Label = "WorkingSetMB";  Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) }},
    @{Label = "PrivateMB";     Expression = { [math]::Round($_.PrivateMemorySize64 / 1MB, 1) }},
    @{Label = "TotalThreads";  Expression = { $_.Threads.Count }}
$messageJson = $message | ConvertTo-Json -Compress
Write-EventLog -LogName "OktaAgentLog" -Source "OktaAgent" -EventID $eventID -EntryType Information -Category 1 -Message $messageJson
Step 4: Create an Event ID Message for when the process is not running
For the Else branch we declare the failure event ID to be 100. The message is "OktaAgentService is not running" and -EntryType is set to Error, which gives the SIEM two things to key on: Event ID 100 and the Error level from source OktaAgent.
$eventID = 100
$message = "OktaAgentService is not running"
Write-EventLog -LogName "OktaAgentLog" -Source "OktaAgent" -EventID $eventID -EntryType Error -Category 1 -Message $message
Conclusion
You have now created your own Windows event log and events for your Okta service(s). To take this project a step further, configure your log forwarder to collect the OktaAgentLog log (custom logs are usually not collected by default) and ingest it into your SIEM. From there you can build alerts and notifications for the scenarios that matter: Event ID 100 (agent not running), memory or thread counts growing over time, or a missing heartbeat if the hourly Information event stops arriving from a host. The possibilities are endless here.
#Programming
# Step 1: register the log and source once per host (requires an elevated session).
if (-not [System.Diagnostics.EventLog]::SourceExists("OktaAgent")) {
    New-EventLog -Source OktaAgent -LogName OktaAgentLog
}

# Step 2 from above: is the Okta AD agent process running? Returns nothing (false) when it is not.
$process = Get-Process -Name OktaAgentService -ErrorAction SilentlyContinue
if ($process) {
    # Step 3 from above: Information event 101 with a single-line JSON snapshot of the process.
    $eventID = 101
    $message = $process | Select-Object ProcessName, Id,
        @{Label = "UptimeSeconds"; Expression = { [int]((Get-Date) - $_.StartTime).TotalSeconds }},
        @{Label = "WorkingSetMB";  Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) }},
        @{Label = "PrivateMB";     Expression = { [math]::Round($_.PrivateMemorySize64 / 1MB, 1) }},
        @{Label = "TotalThreads";  Expression = { $_.Threads.Count }}
    $messageJson = $message | ConvertTo-Json -Compress
    Write-EventLog -LogName "OktaAgentLog" -Source "OktaAgent" -EventID $eventID -EntryType Information -Category 1 -Message $messageJson
}
else {
    # Step 4 from above: Error event 100 so the SIEM can alert on a stopped agent.
    $eventID = 100
    $message = "OktaAgentService is not running"
    Write-EventLog -LogName "OktaAgentLog" -Source "OktaAgent" -EventID $eventID -EntryType Error -Category 1 -Message $message
}
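The post promises hourly events but never shows how the script gets run every hour, or how to confirm what it wrote. The following is an added example, not part of the original post: it registers the saved script as a scheduled task that runs hourly as SYSTEM, then reads the resulting events back out of the custom log and parses the JSON so you can eyeball the data before wiring it into a SIEM. The script path C:\Scripts\Check-OktaAgent.ps1 and the task name OktaAgentCheck are assumptions; substitute your own.

```powershell
# Added example (not from the original post). Run in an elevated session.
# Assumes the Step 1-4 script is saved at the path below (hypothetical location).
$scriptPath = 'C:\Scripts\Check-OktaAgent.ps1'   # assumed path to the saved script
$taskName   = 'OktaAgentCheck'                   # assumed scheduled task name

# --- Schedule the check hourly as SYSTEM -------------------------------------
# SYSTEM can read StartTime of the service process and the task does not depend
# on an interactive logon. Prefer signing the script over -ExecutionPolicy Bypass
# if your policy allows it.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# A one-time trigger with a repetition interval repeats indefinitely on
# Server 2016+/Windows 10. On Server 2012 R2 add
# -RepetitionDuration ([TimeSpan]::MaxValue) or the repetition is dropped.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) `
    -RepetitionInterval (New-TimeSpan -Hours 1)

$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# --- Read the events back and parse the JSON ---------------------------------
function Get-OktaAgentEvents {
    param([int]$Newest = 24)

    # For a classic log, ProviderName in the filter hashtable matches the Source.
    Get-WinEvent -FilterHashtable @{ LogName = 'OktaAgentLog'; ProviderName = 'OktaAgent' } `
        -MaxEvents $Newest -ErrorAction Stop |
    ForEach-Object {
        $detail = $null
        if ($_.Id -eq 101) {
            # Take only the {...} portion so parsing still works if the event was
            # written with a bad message DLL and carries the "description not found" prefix.
            $text  = $_.Message
            $start = $text.IndexOf('{')
            $end   = $text.LastIndexOf('}')
            if ($start -ge 0 -and $end -gt $start) {
                $detail = $text.Substring($start, $end - $start + 1) | ConvertFrom-Json
            }
        }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Id            = $_.Id
            Level         = $_.LevelDisplayName
            UptimeSeconds = $detail.UptimeSeconds
            WorkingSetMB  = $detail.WorkingSetMB
            TotalThreads  = $detail.TotalThreads
            Text          = if ($detail) { $null } else { $_.Message }
        }
    }
}

# Missing-heartbeat check: the SIEM should also alert when no event at all has
# arrived in a bit more than one interval, since a host that is off or whose
# forwarder is broken writes neither a 100 nor a 101.
function Test-OktaAgentHeartbeat {
    param([int]$MaxAgeMinutes = 65)
    $latest = Get-OktaAgentEvents -Newest 1
    if (-not $latest) { return $false }
    return ((Get-Date) - $latest.Time).TotalMinutes -le $MaxAgeMinutes
}

Get-OktaAgentEvents -Newest 24 | Format-Table -AutoSize
"Heartbeat within the last 65 minutes: $(Test-OktaAgentHeartbeat)"
```

The 65-minute window in Test-OktaAgentHeartbeat gives the hourly task a few minutes of slack for start-up jitter; tighten or loosen it to match your trigger. If Get-OktaAgentEvents returns nothing right after registering the task, run the task once manually with Start-ScheduledTask -TaskName OktaAgentCheck and query again.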