Logging - elastic/dorothy GitHub Wiki
Dorothy writes its logs to ~/dorothy/logs/dorothy.log. You can use this log file to review the actions taken using Dorothy and any verbose informational or error messages that are logged.
Once Dorothy has loaded a configuration profile, you're prompted whether you'd like to index Dorothy's logs in Elasticsearch. This can be useful for a couple of reasons:
- You'll have an audit trail of what actions were executed using Dorothy against your Okta organization
- You can compare the actions taken (or modules executed) using Dorothy against the alerts your security team's detections fired, to assess your detection coverage
- Indexing Dorothy's Logs in Elasticsearch
- Creating an Index Pattern in Kibana
- Reviewing Dorothy's Logs in Kibana
Indexing Dorothy's Logs in Elasticsearch
If you don't have an Elastic Cloud deployment already, you can sign up for a free trial (no credit card required).
Answer yes (y) when you're prompted to index Dorothy's logs in Elasticsearch.
Enter your Elasticsearch URL, username, and password.
```
[*] Using configuration profile "My Company" (https://my-company.okta.com/api/v1)
[*] Do you want to index Dorothy's logs in Elasticsearch? [y/N]: y
[*] Enter your Elasticsearch URL: https://d8782e756bbd47268463b1a254a6ccc3.europe-west1.gcp.cloud.es.io:9243
[*] Enter your Elasticsearch username: dorothy
[*] Enter your Elasticsearch password:
[*] Create an index pattern named, 'dorothy' to review log events in Kibana. For more information, visit https://www.elastic.co/guide/en/kibana/current/index-patterns.html
```
Creating an Index Pattern in Kibana
To review Dorothy's log events in Kibana, you need to create a dorothy index pattern. Note that Dorothy must have successfully indexed at least one event before you can create the index pattern.
For more information on creating an index pattern in Kibana, refer to Elastic's official documentation.
Reviewing Dorothy's Logs in Kibana
The screenshot below shows some of Dorothy's log events in Kibana's Discover app. Note that the module that logged the event is included in each event.
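The detection-coverage comparison described at the top of this page relies on the module name that each indexed event carries. The following is an added example, not part of Dorothy or this wiki, that joins constructed Dorothy log events with constructed SIEM alerts by time window and reports which modules went undetected; the event and alert field names (@timestamp, module, rule) and the module names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in the shape Dorothy's indexed log events are assumed
# to take. The page states only that each event names the module that logged it;
# the field names and the module names here are placeholders, not Dorothy's schema.
DOROTHY_EVENTS = [
    {"@timestamp": "2021-05-01T10:00:05Z", "module": "module-a", "message": "action executed"},
    {"@timestamp": "2021-05-01T10:03:40Z", "module": "module-b", "message": "action executed"},
    {"@timestamp": "2021-05-01T10:10:12Z", "module": "module-c", "message": "action executed"},
]

# Constructed alerts as a SIEM might export them: when the rule fired and which rule.
ALERTS = [
    {"@timestamp": "2021-05-01T10:00:20Z", "rule": "Okta API token created"},
    {"@timestamp": "2021-05-01T09:55:00Z", "rule": "Okta policy changed"},  # fired before any event
]


def parse_ts(value):
    """Parse the UTC timestamps used in the constructed samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detection_coverage(events, alerts, window=timedelta(minutes=5)):
    """Map each Dorothy module to the alert rules that fired within `window`
    after the module's action was logged. An empty list means no detection."""
    results = {}
    for event in events:
        start = parse_ts(event["@timestamp"])
        end = start + window
        matched = [
            alert["rule"]
            for alert in alerts
            if start <= parse_ts(alert["@timestamp"]) <= end
        ]
        # Merge in case the same module ran more than once.
        results.setdefault(event["module"], []).extend(matched)
    return results


def undetected_modules(results):
    """Modules whose actions produced no alert at all: the coverage gaps."""
    return sorted(module for module, rules in results.items() if not rules)


def coverage_ratio(results):
    """Fraction of executed modules that triggered at least one alert."""
    if not results:
        return 0.0
    return sum(1 for rules in results.values() if rules) / len(results)
```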