Hello Team,
Wanted to understand whether the Salesforce integration in Kibana can monitor real-time events from Salesforce (not the EventLogFile object). I can see in "Kibana > Integrations > Salesforce > Overview tab" that enabling the real-time monitoring setting in Salesforce is discussed. However, I wanted to understand whether it is the same config file we have to use in elastic-agent.yml to fetch the real-time event logs, or whether there is a different way altogether to monitor real-time events from Salesforce.
Here is the sample config that I found in the integration's tab in Kibana:
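inputs:
  # Collect Salesforce Logs: Collect logs from Salesforce instances using REST API.
  # Standalone Elastic Agent sample as shown on the integration's page in Kibana,
  # with the nesting restored (the pasted copy had lost its indentation).
  # Every stream authenticates with the OAuth2 user-password flow and then uses
  # one or both collection methods under `event_monitoring_method`:
  #   - `event_log_file`: polls the EventLogFile object (1h interval here)
  #   - `object`: queries the event objects themselves (LoginEvent, LogoutEvent,
  #     SetupAuditTrail) on their own interval, independent of EventLogFile
  # NOTE(review): the `object` method is the one that does not go through
  # EventLogFile, so it is the section to check for near-real-time collection --
  # confirm against the integration's Overview tab.
  - id: salesforce-salesforce
    type: salesforce
    streams:
      # Salesforce Apex logs: Collect Salesforce Apex logs.
      - id: salesforce-salesforce.apex
        data_stream:
          dataset: salesforce.apex
          type: logs
        # Presumably the Salesforce API version the input targets -- verify.
        version: 56
        auth.oauth2:
          # The password grant puts a user's password into this file. Where the
          # org allows it, prefer a certificate/JWT based flow (see the
          # integration's Overview tab for the supported flows).
          user_password_flow:
            enabled: true
            # Placeholders only. `null` leaves the consumer id/secret unset.
            # Real values are secrets: load them from the agent keystore or an
            # environment variable instead of committing them here, and keep
            # them quoted so a value that looks numeric or boolean is not retyped.
            client.id: null
            client.secret: null
            token_url: 'https://login.salesforce.com'
            username: 'username'
            password: 'password'
        url: 'https://instance-url.salesforce.com'
        event_monitoring_method:
          event_log_file:
            enabled: true
            interval: 1h
            query:
              # First run: look back 168h (7 days) from now.
              default: >-
                SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE
                LogDate > [[ (formatTime (now.Add (parseDuration "-168h"))
                "2006-01-02T15:04:05.000Z0700") ]] AND Interval = 'Hourly' AND
                (EventType = 'ApexCallout' OR EventType = 'ApexExecution' OR
                EventType = 'ApexRestApi' OR EventType = 'ApexSoap' OR EventType
                = 'ApexTrigger' OR EventType = 'ExternalCustomApexCallout')
                ORDER BY LogDate ASC NULLS FIRST
              # Later runs: resume from the stored cursor (CreatedDate, below).
              value: >-
                SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE
                Interval = 'Hourly' AND CreatedDate > [[
                .cursor.event_log_file.last_event_time ]] AND (EventType =
                'ApexCallout' OR EventType = 'ApexExecution' OR EventType =
                'ApexRestApi' OR EventType = 'ApexSoap' OR EventType =
                'ApexTrigger' OR EventType = 'ExternalCustomApexCallout') ORDER
                BY LogDate ASC NULLS FIRST
            cursor:
              field: CreatedDate
        tags:
          # preserve_original_event is the conventional tag that asks the
          # ingest pipeline to keep the raw event alongside the parsed fields.
          - preserve_original_event
          - salesforce-apex
        processors:
          - add_fields:
              target: salesforce
              fields:
                # Keep in sync with `url` above.
                instance_url: 'https://instance-url.salesforce.com'
      # Salesforce Login logs: Collect Salesforce Login logs.
      - id: salesforce-salesforce.login
        data_stream:
          dataset: salesforce.login
          type: logs
        version: 56
        auth.oauth2:
          user_password_flow:
            enabled: true
            # Placeholders only -- see the note on the apex stream.
            client.id: null
            client.secret: null
            token_url: 'https://login.salesforce.com'
            username: 'username'
            password: 'password'
        url: 'https://instance-url.salesforce.com'
        event_monitoring_method:
          # Hourly EventLogFile pull of Login events.
          event_log_file:
            enabled: true
            interval: 1h
            query:
              default: >-
                SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE
                LogDate > [[ (formatTime (now.Add (parseDuration "-168h"))
                "2006-01-02T15:04:05.000Z0700") ]] AND Interval = 'Hourly' AND
                EventType = 'Login' ORDER BY LogDate ASC NULLS FIRST
              value: >-
                SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE
                Interval = 'Hourly' AND EventType = 'Login' AND CreatedDate > [[
                .cursor.event_log_file.last_event_time ]] ORDER BY LogDate ASC
                NULLS FIRST
            cursor:
              field: CreatedDate
          # Direct 5-minute poll of the LoginEvent object, not via EventLogFile.
          object:
            enabled: true
            interval: 5m
            query:
              default: >-
                SELECT FIELDS(STANDARD) FROM LoginEvent WHERE EventDate > [[
                (formatTime (now.Add (parseDuration "-168h"))
                "2006-01-02T15:04:05.000Z0700") ]]
              # NOTE(review): resumes from .cursor.object.first_event_time here,
              # whereas the setupaudittrail stream uses last_event_time; both are
              # as sampled -- verify if incremental collection skips or repeats.
              value: >-
                SELECT FIELDS(STANDARD) FROM LoginEvent WHERE EventDate > [[
                .cursor.object.first_event_time ]]
            cursor:
              field: EventDate
        tags:
          - preserve_original_event
          - salesforce-login
        processors:
          - add_fields:
              target: salesforce
              fields:
                instance_url: 'https://instance-url.salesforce.com'
      # Salesforce Logout logs: Collect Salesforce Logout logs.
      - id: salesforce-salesforce.logout
        data_stream:
          dataset: salesforce.logout
          type: logs
        version: 56
        auth.oauth2:
          user_password_flow:
            enabled: true
            # Placeholders only -- see the note on the apex stream.
            client.id: null
            client.secret: null
            token_url: 'https://login.salesforce.com'
            username: 'username'
            password: 'password'
        url: 'https://instance-url.salesforce.com'
        event_monitoring_method:
          # Hourly EventLogFile pull of Logout events.
          event_log_file:
            enabled: true
            interval: 1h
            query:
              default: >-
                SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE
                LogDate > [[ (formatTime (now.Add (parseDuration "-168h"))
                "2006-01-02T15:04:05.000Z0700") ]] AND Interval = 'Hourly' AND
                EventType = 'Logout' ORDER BY LogDate ASC NULLS FIRST
              value: >-
                SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE
                Interval = 'Hourly' AND EventType = 'Logout' AND CreatedDate >
                [[ .cursor.event_log_file.last_event_time ]] ORDER BY LogDate
                ASC NULLS FIRST
            cursor:
              field: CreatedDate
          # Direct 5-minute poll of the LogoutEvent object, not via EventLogFile.
          object:
            enabled: true
            interval: 5m
            query:
              default: >-
                SELECT FIELDS(STANDARD) FROM LogoutEvent WHERE EventDate > [[
                (formatTime (now.Add (parseDuration "-168h"))
                "2006-01-02T15:04:05.000Z0700") ]]
              value: >-
                SELECT FIELDS(STANDARD) FROM LogoutEvent WHERE EventDate > [[
                .cursor.object.first_event_time ]]
            cursor:
              field: EventDate
        tags:
          - preserve_original_event
          - salesforce-logout
        processors:
          - add_fields:
              target: salesforce
              fields:
                instance_url: 'https://instance-url.salesforce.com'
      # Salesforce SetupAuditTrail logs: Collect Salesforce SetupAuditTrail logs.
      - id: salesforce-salesforce.setupaudittrail
        data_stream:
          dataset: salesforce.setupaudittrail
          type: logs
        version: 56
        auth.oauth2:
          user_password_flow:
            enabled: true
            # Placeholders only -- see the note on the apex stream.
            client.id: null
            client.secret: null
            token_url: 'https://login.salesforce.com'
            username: 'username'
            password: 'password'
        url: 'https://instance-url.salesforce.com'
        event_monitoring_method:
          # Only the `object` method is used for this stream: SetupAuditTrail is
          # queried directly (hourly), there is no EventLogFile section.
          object:
            enabled: true
            interval: 1h
            query:
              default: >-
                SELECT FIELDS(STANDARD) FROM SetupAuditTrail WHERE CreatedDate >
                [[ (formatTime (now.Add (parseDuration "-168h"))
                "2006-01-02T15:04:05.000Z0700") ]] ORDER BY CreatedDate ASC
                NULLS FIRST
              value: >-
                SELECT FIELDS(STANDARD) FROM SetupAuditTrail WHERE CreatedDate >
                [[ .cursor.object.last_event_time ]] ORDER BY CreatedDate ASC
                NULLS FIRST
            cursor:
              # NOTE(review): cursor.field is EventDate while both queries above
              # filter and order on CreatedDate -- confirm the intended field
              # before relying on incremental collection for this audit stream.
              field: EventDate
        tags:
          - preserve_original_event
          - salesforce-setupaudittrail
        processors:
          - add_fields:
              target: salesforce
              fields:
                instance_url: 'https://instance-url.salesforce.com'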
Thank you in advance