Collect logs from Salesforce with Elastic Agent.
Beta feature
What is an Elastic integration?
This integration is powered by Elastic Agent. Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to our documentation for a detailed comparison between Beats and Elastic Agent.
Prefer to use Beats for this use case? See Filebeat modules for logs or Metricbeat modules for metrics.
See the integrations quick start guides to get started:
The Salesforce integration allows users to monitor a Salesforce instance. Salesforce is a customer relationship management (CRM) platform. It provides an ecosystem for businesses to manage marketing, sales, commerce, service, and IT teams from anywhere with one integrated CRM platform.
Use the Salesforce integration to:
As an example, users can use the data from this integration to understand the activity patterns of users based on region or the distribution of users by license type.
The Salesforce integration collects log events using the REST API of Salesforce.
Logs help users to keep a record of events happening in Salesforce. Log data streams collected by the Salesforce integration include Login, Logout, Apex and SetupAuditTrail.
Data streams:
login_rest: Tracks login activity of users who log in to Salesforce.logout_rest: Tracks logout activity of users who logout from Salesforce.apex: Represents information about various Apex events like Callout, Execution, REST API, SOAP API, Trigger, etc.setupaudittrail: Represents changes users made in the user's organization's Setup area for at least the last 180 days.This integration has been tested against Salesforce Spring '22 (v54.0) release.
In order to find out the Salesforce version of the user's instance, see below:
On the Home tab in Salesforce Classic, in the top right corner of the screen is a link to releases like Summer '22. This indicates the release version of the salesforce instance.
An alternative way to find out the version of Salesforce is by hitting the following URL:
https://na9.salesforce.com/services/dataExample response:
<Versions>
<Version>
<label>Winter '22</label>
<url>/services/data/v53.0</url>
<version>53.0</version>
</Version>
<Version>
<label>Spring '22</label>
<url>/services/data/v54.0</url>
<version>54.0</version>
</Version>
<Version>
<label>Summer '22</label>
<url>/services/data/v55.0</url>
<version>55.0</version>
</Version>
</Versions>The last one on the list is the release of the user's salesforce instance. In the example above, the version is Summer '22 i.e. v55.0.
Users need Elasticsearch for storing and searching their data and Kibana for visualizing and managing it. Users can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on their own hardware.
In the user's Salesforce instance, ensure that API Enabled permission is selected for the user profile. Follow the below steps to enable the same:
Setup > Quick Find > Users, and Click on Users.User Account used for data collection.API Enabled permission on the same page. In case it’s not present, search it under System Permissions and check if API Enabled privilege is selected. If not, enable it for data collection.For step-by-step instructions on how to set up an integration, see the Getting started guide.
Users need the following information from the user's Salesforce instance to configure this integration in Elastic:
The instance the user's Salesforce Organization uses is indicated in the URL of the address bar in Salesforce Classic. The value before 'salesforce.com' is the user's Salesforce Instance.
Example URL: https://na9.salesforce.com/home/home.jsp
In the above example, the value before 'salesforce.com' is the user's Salesforce Instance. In this example, the Salesforce Organization is located on NA9.
The Salesforce Instance URL is: https://na9.salesforce.com
In Salesforce Lightning, it is available under the user name in the “View Profile” tab.
In order to use this integration, users need to create a new Salesforce Application using OAuth. Follow the steps below to create a connected application in Salesforce:
App Manager in the Search Setup search box at the top of the page, then select App Manager.Salesforce Instance URL)Consumer Key and Consumer Secret from the Consumer Details section, which should be populated as value to Client ID and Client Secret respectively in the configuration.For more details on how to Create a Connected App refer to the salesforce documentation here.
User Id of the registered user in Salesforce.
Password used for authenticating the above user.
Follow the steps below, in case the user needs to find the API version:
Setup > Quick Find > Apex Classes.New button.Version Settings tab.Version dropdown for the API Version number.After the integration is successfully configured, clicking on the Assets tab of the Salesforce Integration should display a list of available dashboards. Click on the dashboard available for the user's configured datastream. It should be populated with the required data.
{
"log.level": "error",
"@timestamp": "2022-11-24T12:59:36.835+0530",
"log.logger": "input.httpjson-cursor",
"log.origin": {
"[file.name](http://file.name/)": "compat/compat.go",
"file.line": 124
},
"message": "Input 'httpjson-cursor' failed with: input.go:130: input 8A049E17A5CA661D failed (id=8A049E17A5CA661D)\n\toauth2 client: error loading credentials using user and password: oauth2: cannot fetch token: 400 Bad Request\n\tResponse: {\"error\":\"invalid_grant\",\"error_description\":\"authentication failure\"}",
"[service.name](http://service.name/)": "filebeat",
"id": "8A049E17A5CA661D",
"ecs.version": "1.6.0"
}Please check if the API Enabled permission is provided to the profile associated with the username used as part of the integration.
Please refer to the Prerequisites section above for more information.
If the error continues follow these steps:
Setup > Quick Find > Manage Connected Apps.Relax IP restrictions from the dropdown for IP Relaxation.This is the apex data stream. Apex enables developers to access the Salesforce platform back-end database and client-server interfaces to create third-party SaaS applications.
An example event for apex looks as following:
{
"@timestamp": "2022-11-22T04:46:15.591Z",
"agent": {
"ephemeral_id": "c50ecba0-45f3-4a29-bd66-d5bd6317345e",
"id": "6e72b9f7-fadd-4789-a6ea-e17925d36c7e",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.4.1"
},
"data_stream": {
"dataset": "salesforce.apex",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.5.0"
},
"elastic_agent": {
"id": "6e72b9f7-fadd-4789-a6ea-e17925d36c7e",
"snapshot": false,
"version": "8.4.1"
},
"event": {
"action": "apex-callout",
"agent_id_status": "verified",
"category": [
"network"
],
"created": "2023-01-04T05:20:36.070Z",
"dataset": "salesforce.apex",
"duration": 1293,
"ingested": "2023-01-04T05:20:38Z",
"kind": "event",
"module": "salesforce",
"original": "{\"CLIENT_IP\":\"81.2.69.142\",\"CPU_TIME\":\"10\",\"EVENT_TYPE\":\"ApexCallout\",\"LOGIN_KEY\":\"Obv9123BzbaxqCo1\",\"METHOD\":\"GET\",\"ORGANIZATION_ID\":\"00D5j000000001V\",\"REQUEST_ID\":\"4exLFFQZ1234xFl1cJNwOV\",\"REQUEST_SIZE\":\"10\",\"RESPONSE_SIZE\":\"256\",\"RUN_TIME\":\"1305\",\"SESSION_KEY\":\"WvtsJ1235oW24EbH\",\"SUCCESS\":\"1\",\"TIME\":\"1293\",\"TIMESTAMP\":\"20221122044615.591\",\"TIMESTAMP_DERIVED\":\"2022-11-22T04:46:15.591Z\",\"TYPE\":\"OData\",\"URI\":\"CALLOUT-LOG\",\"URI_ID_DERIVED\":\"0055j000000utlPAQZB\",\"URL\":\"https://temp.sh/odata/Accounts\",\"USER_ID\":\"0055j0000000001\",\"USER_ID_DERIVED\":\"0055j012345utlPAAQ\"}",
"outcome": "success",
"type": [
"connection"
],
"url": "https://temp.sh/odata/Accounts"
},
"http": {
"request": {
"bytes": 10,
"method": "GET"
},
"response": {
"bytes": 256
}
},
"input": {
"type": "httpjson"
},
"related": {
"ip": [
"81.2.69.142"
]
},
"salesforce": {
"apex": {
"access_mode": "REST",
"cpu_time": 10,
"event_type": "ApexCallout",
"login_key": "Obv9123BzbaxqCo1",
"organization_id": "00D5j000000001V",
"request_id": "4exLFFQZ1234xFl1cJNwOV",
"run_time": 1305,
"type": "OData",
"uri": "CALLOUT-LOG",
"uri_derived_id": "0055j000000utlPAQZB",
"user_id_derived": "0055j012345utlPAAQ"
},
"instance_url": "http://elastic-package-service_salesforce_1:8010"
},
"source": {
"geo": {
"city_name": "London",
"continent_name": "Europe",
"country_iso_code": "GB",
"country_name": "United Kingdom",
"location": {
"lat": 51.5142,
"lon": -0.0931
},
"region_iso_code": "GB-ENG",
"region_name": "England"
},
"ip": "81.2.69.142"
},
"tags": [
"preserve_original_event",
"salesforce-apex",
"forwarded"
],
"user": {
"id": "0055j0000000001"
}
}Exported fields
| Field | Description | Type | Unit | Metric Type |
|---|---|---|---|---|
@timestamp | Event timestamp. | date | ||
data_stream.dataset | Data stream dataset. | constant_keyword | ||
data_stream.namespace | Data stream namespace. | constant_keyword | ||
data_stream.type | Data stream type. | constant_keyword | ||
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | ||
error.message | Error message. | match_only_text | ||
event.action | The action captured by the event. This describes the information in the event. It is more specific than event.category. Examples are group-add, process-started, file-created. The value is normally defined by the implementer. | keyword | ||
event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | ||
event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | ||
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | ||
event.duration | Duration of the event in milliseconds. If event.start and event.end are known this value should be the difference between the end and start time | long | ms | |
event.id | Unique ID to describe the event. | keyword | ||
event.ingested | Timestamp when an event arrived in the central data store. This is different from @timestamp, which is when the event originally occurred. It's also different from event.created, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: @timestamp < event.created < event.ingested. | date | ||
event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | ||
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | keyword | ||
event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. event.outcome simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of event.outcome, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with event.type:info, or any events for which an outcome does not make logical sense. | keyword | ||
event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | ||
event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by event.kind:alert, are a common use case for this field. | keyword | ||
http.request.bytes | Total size in bytes of the request (body and headers). | long | ||
http.request.method | HTTP request method. The value should retain its casing from the original event. For example, GET, get, and GeT are all considered valid values for this field. | keyword | ||
http.response.bytes | Total size in bytes of the response (body and headers). | long | ||
http.response.status_code | HTTP response status code. | long | ||
input.type | Input type. | keyword | ||
related.ip | All of the IPs seen on your event. | ip | ||
salesforce.apex.access_mode | The mode of collecting logs from Salesforce - "REST" or "Stream". | keyword | ||
salesforce.apex.action | Action performed by the callout. | keyword | ||
salesforce.apex.callout_time | Time spent waiting on webservice callouts, in milliseconds. | float | ms | gauge |
salesforce.apex.class_name | The Apex class name. If the class is part of a managed package, this string includes the package namespace. | keyword | ||
salesforce.apex.client_name | The name of the client that's using Salesforce services. This field is an optional parameter that can be passed in API calls. If blank, the caller didnt specify a client in the CallOptions header. | keyword | ||
salesforce.apex.cpu_time | The CPU time in milliseconds used to complete the request. | float | ms | gauge |
salesforce.apex.db_blocks | Indicates how much activity is occurring in the database. A high value for this field suggests that adding indexes or filters on your queries would benefit performance. | long | gauge | |
salesforce.apex.db_cpu_time | The CPU time in milliseconds to complete the request. Indicates the amount of activity taking place in the database layer during the request. | float | ms | gauge |
salesforce.apex.db_time.total | Time (in milliseconds) spent waiting for database processing in aggregate for all operations in the request. Compare this field to CPU_TIME to determine whether performance issues are occurring in the database layer or in your own code. | float | ms | gauge |
salesforce.apex.entity | Name of the external object being accessed. | keyword | ||
salesforce.apex.entity_name | The name of the object affected by the trigger. | keyword | ||
salesforce.apex.entry_point | The entry point for this Apex execution. | keyword | ||
salesforce.apex.event_type | The type of event. | keyword | ||
salesforce.apex.execute.ms | How long it took (in milliseconds) for Salesforce to prepare and execute the query. Available in API version 42.0 and later. | float | ms | gauge |
salesforce.apex.fetch.ms | How long it took (in milliseconds) to retrieve the query results from the external system. Available in API version 42.0 and later. | float | ms | gauge |
salesforce.apex.fields.count | The number of fields or columns, where applicable. | long | ||
salesforce.apex.filter | Field expressions to filter which rows to return. Corresponds to WHERE in SOQL queries. | keyword | ||
salesforce.apex.is_long_running_request | Indicates whether the request is counted against your org's concurrent long-running Apex request limit (true) or not (false). | keyword | ||
salesforce.apex.limit | Maximum number of rows to return for a query. Corresponds to LIMIT in SOQL queries. | long | ||
salesforce.apex.limit_usage.pct | The percentage of Apex SOAP calls that were made against the organization's limit. | float | percent | gauge |
salesforce.apex.login_key | The string that ties together all events in a given user's login session. It starts with a login event and ends with either a logout event or the user session expiring. | keyword | ||
salesforce.apex.media_type | The media type of the response. | keyword | ||
salesforce.apex.message | Error or warning message associated with the failed call. | keyword | ||
salesforce.apex.method_name | The name of the calling Apex method. | keyword | ||
salesforce.apex.offset | Number of rows to skip when paging through a result set. Corresponds to OFFSET in SOQL queries. | long | ||
salesforce.apex.organization_id | The 15-character ID of the organization. | keyword | ||
salesforce.apex.query | The SOQL query, if one was performed. | keyword | ||
salesforce.apex.quiddity | The type of outer execution associated with this event. | keyword | ||
salesforce.apex.request_id | The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID. | keyword | ||
salesforce.apex.request_status | The status of the request for a page view or user interface action. | keyword | ||
salesforce.apex.rows.fetched | Number of rows fetched by the callout. Available in API version 42.0 and later. | long | ||
salesforce.apex.rows.processed | The number of rows that were processed in the request. | long | ||
salesforce.apex.rows.total | Total number of records in the result set. The value is always -1 if the custom adapter's DataSource.Provider class doesn't declare the QUERY_TOTAL_SIZE capability. | long | ||
salesforce.apex.run_time | The amount of time that the request took in milliseconds. | float | ms | gauge |
salesforce.apex.select | Comma-separated list of fields being queried. Corresponds to SELECT in SOQL queries. | keyword | ||
salesforce.apex.soql_queries.count | The number of SOQL queries that were executed during the event. | long | ||
salesforce.apex.subqueries | Reserved for future use. | keyword | ||
salesforce.apex.throughput | Number of records retrieved in one second. | float | gauge | |
salesforce.apex.trigger.id | The 15-character ID of the trigger that was fired. | keyword | ||
salesforce.apex.trigger.name | For triggers coming from managed packages, TRIGGER_NAME includes a namespace prefix separated with a . character. If no namespace prefix is present, the trigger is from an unmanaged trigger. | keyword | ||
salesforce.apex.trigger.type | The type of this trigger. | keyword | ||
salesforce.apex.type | The type of Apex callout. | keyword | ||
salesforce.apex.uri | The URI of the page that's receiving the request. | keyword | ||
salesforce.apex.uri_derived_id | The 18-character case-safe ID of the URI of the page that's receiving the request. | keyword | ||
salesforce.apex.user_agent | The numeric code for the type of client used to make the request (for example, the browser, application, or API). | keyword | ||
salesforce.apex.user_id_derived | The 18-character case-safe ID of the user who's using Salesforce services through the UI or the API. | keyword | ||
salesforce.instance_url | The Instance URL of the Salesforce instance. | keyword | ||
source.geo.city_name | City name. | keyword | ||
source.geo.continent_name | Name of the continent. | keyword | ||
source.geo.country_iso_code | Country ISO code. | keyword | ||
source.geo.country_name | Country name. | keyword | ||
source.geo.location | Longitude and latitude. | geo_point | ||
source.geo.region_iso_code | Region ISO code. | keyword | ||
source.geo.region_name | Region name. | keyword | ||
source.ip | IP address of the source (IPv4 or IPv6). | ip | ||
tags | List of keywords used to tag each event. | keyword | ||
user.id | Unique identifier of the user. | keyword | ||
user.name | Short name or login of the user. | keyword | ||
user.name.text | Multi-field of user.name. | match_only_text | ||
user.roles | Array of user roles at the time of the event. | keyword |
This is the login_rest data stream. It represents events containing details about the user's organization's login history.
An example event for login_rest looks as following:
{
"@timestamp": "2022-11-22T04:46:15.591Z",
"agent": {
"ephemeral_id": "7091b66c-e647-42f9-9c3e-d0753552a291",
"id": "e8ad8355-f296-4e32-9096-2df7c9cc7e97",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.4.1"
},
"data_stream": {
"dataset": "salesforce.login_rest",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.5.0"
},
"elastic_agent": {
"id": "e8ad8355-f296-4e32-9096-2df7c9cc7e97",
"snapshot": false,
"version": "8.4.1"
},
"event": {
"action": "login-attempt",
"agent_id_status": "verified",
"category": [
"authentication"
],
"created": "2022-12-15T10:29:06.958Z",
"dataset": "salesforce.login_rest",
"ingested": "2022-12-15T10:29:10Z",
"kind": "event",
"module": "salesforce",
"original": "{\"API_TYPE\":\"f\",\"API_VERSION\":\"9998.0\",\"AUTHENTICATION_METHOD_REFERENCE\":\"\",\"BROWSER_TYPE\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36\",\"CIPHER_SUITE\":\"ECDHE-RSA-AES256-GCM-SHA384\",\"CLIENT_IP\":\"81.2.69.142\",\"CPU_TIME\":\"30\",\"DB_TOTAL_TIME\":\"52435102\",\"EVENT_TYPE\":\"Login\",\"LOGIN_KEY\":\"QfNecrLXSII6fsBq\",\"LOGIN_STATUS\":\"LOGIN_NO_ERROR\",\"ORGANIZATION_ID\":\"00D5j000000VI3n\",\"REQUEST_ID\":\"4ehU_U-nbQyAPFl1cJILm-\",\"REQUEST_STATUS\":\"Success\",\"RUN_TIME\":\"83\",\"SESSION_KEY\":\"\",\"SOURCE_IP\":\"81.2.69.142\",\"TIMESTAMP\":\"20221122044615.591\",\"TIMESTAMP_DERIVED\":\"2022-11-22T04:46:15.591Z\",\"TLS_PROTOCOL\":\"TLSv1.2\",\"URI\":\"/index.jsp\",\"URI_ID_DERIVED\":\"s4heK3WbH-lcJIL3-n\",\"USER_ID\":\"0055j000000utlP\",\"USER_ID_DERIVED\":\"0055j000000utlPAAQ\",\"USER_NAME\":\"user@elastic.co\",\"USER_TYPE\":\"Standard\"}",
"outcome": "success",
"type": [
"info"
],
"url": "/index.jsp"
},
"input": {
"type": "httpjson"
},
"related": {
"ip": [
"81.2.69.142"
]
},
"salesforce": {
"instance_url": "http://elastic-package-service_salesforce_1:8010",
"login": {
"access_mode": "REST",
"api": {
"type": "Feed",
"version": "9998.0"
},
"client_ip": "81.2.69.142",
"cpu_time": 30,
"db_time": {
"total": 52.435104
},
"event_type": "Login",
"key": "QfNecrLXSII6fsBq",
"organization_id": "00D5j000000VI3n",
"request_id": "4ehU_U-nbQyAPFl1cJILm-",
"request_status": "Success",
"run_time": 83,
"uri_derived_id": "s4heK3WbH-lcJIL3-n",
"user_id": "0055j000000utlP"
}
},
"source": {
"geo": {
"city_name": "London",
"continent_name": "Europe",
"country_iso_code": "GB",
"country_name": "United Kingdom",
"location": {
"lat": 51.5142,
"lon": -0.0931
},
"region_iso_code": "GB-ENG",
"region_name": "England"
},
"ip": "81.2.69.142"
},
"tags": [
"preserve_original_event",
"salesforce-login_rest",
"forwarded"
],
"tls": {
"cipher": "ECDHE-RSA-AES256-GCM-SHA384",
"version": "1.2",
"version_protocol": "TLS"
},
"user": {
"email": "user@elastic.co",
"id": "0055j000000utlPAAQ",
"roles": "Standard"
},
"user_agent": {
"name": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36"
}
}Exported fields
| Field | Description | Type | Unit | Metric Type |
|---|---|---|---|---|
@timestamp | Event timestamp. | date | ||
data_stream.dataset | Data stream dataset. | constant_keyword | ||
data_stream.namespace | Data stream namespace. | constant_keyword | ||
data_stream.type | Data stream type. | constant_keyword | ||
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | ||
event.action | The action captured by the event. This describes the information in the event. It is more specific than event.category. Examples are group-add, process-started, file-created. The value is normally defined by the implementer. | keyword | ||
event.agent_id_status | Agents are normally responsible for populating the agent.id field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the agent.id value in events can be checked against the certificate. If the values match then event.agent_id_status: verified is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: verified - The agent.id field value matches expected value obtained from auth metadata. mismatch - The agent.id field value does not match the expected value obtained from auth metadata. missing - There was no agent.id field in the event to validate. auth_metadata_missing - There was no auth metadata or it was missing information about the agent ID. | keyword | ||
event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | ||
event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | ||
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | ||
event.ingested | Timestamp when an event arrived in the central data store. This is different from @timestamp, which is when the event originally occurred. It's also different from event.created, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: @timestamp < event.created < event.ingested. | date | ||
event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | ||
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | keyword | ||
event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from _source. If users wish to override this and index this field, please see Field data types in the Elasticsearch Reference. | keyword | ||
event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. event.outcome simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of event.outcome, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with event.type:info, or any events for which an outcome does not make logical sense. | keyword | ||
event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | ||
event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by event.kind:alert, are a common use case for this field. | keyword | ||
input.type | Input type. | keyword | ||
related.ip | All of the IPs seen on your event. | ip | ||
salesforce.instance_url | The Instance URL of the Salesforce instance. | keyword | ||
salesforce.login.access_mode | Mode of API from which the event is collected. | keyword | ||
salesforce.login.api.type | The type of API request. | keyword | ||
salesforce.login.api.version | The version of the API that's being used. | keyword | ||
salesforce.login.auth.service_id | The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol. | keyword | ||
salesforce.login.client_ip | The IP address of the client that's using Salesforce services. | keyword | ||
salesforce.login.cpu_time | The CPU time in milliseconds used to complete the request. This field indicates the amount of activity taking place in the app server layer. | float | ms | gauge |
salesforce.login.db_time.total | The time in milliseconds for a database round trip. Includes time spent in the JDBC driver, network to the database, and db_time.total. Compare this field to cpu_time to determine whether performance issues are occurring in the database layer or in your own code. | float | ms | gauge |
salesforce.login.event_type | The type of event. The value is always Login. | keyword | ||
salesforce.login.key | The string that ties together all events in a given user's login session. It starts with a login event and ends with either a logout event or the user session expiring. | keyword | ||
salesforce.login.organization_id | The 15-character ID of the organization. | keyword | ||
salesforce.login.request_id | The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID. | keyword | ||
salesforce.login.request_status | The status of the request for a page view or user interface action. | keyword | ||
salesforce.login.run_time | The amount of time that the request took in milliseconds. | float | ms | gauge |
salesforce.login.uri_derived_id | The 18-character case insensitive ID of the URI of the page that's receiving the request. | keyword | ||
salesforce.login.user_id | The 15-character ID of the user who's using Salesforce services through the UI or the API. | keyword | ||
source.geo.city_name | City name. | keyword | ||
source.geo.continent_name | Name of the continent. | keyword | ||
source.geo.country_iso_code | Country ISO code. | keyword | ||
source.geo.country_name | Country name. | keyword | ||
source.geo.location | Longitude and latitude. | geo_point | ||
source.geo.region_iso_code | Region ISO code. | keyword | ||
source.geo.region_name | Region name. | keyword | ||
source.ip | IP address of the source (IPv4 or IPv6). | ip | ||
tags | List of keywords used to tag each event. | keyword | ||
tls.cipher | String indicating the cipher used during the current connection. | keyword | ||
tls.version | Numeric part of the version parsed from the original string. | keyword | ||
tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | ||
user.email | User email address. | keyword | ||
user.id | Unique identifier of the user. | keyword | ||
user.roles | Array of user roles at the time of the event. | keyword | ||
user_agent.name | Name of the user agent. | keyword |
This is the logout_rest data stream. It represents events containing details about the user's organization's logout history.
An example event for logout_rest looks as following:
{
"@timestamp": "2022-11-22T07:37:25.779Z",
"agent": {
"ephemeral_id": "49171880-184e-4712-bef1-97619368d729",
"id": "e8ad8355-f296-4e32-9096-2df7c9cc7e97",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.4.1"
},
"data_stream": {
"dataset": "salesforce.logout_rest",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.5.0"
},
"elastic_agent": {
"id": "e8ad8355-f296-4e32-9096-2df7c9cc7e97",
"snapshot": false,
"version": "8.4.1"
},
"event": {
"action": "logout",
"agent_id_status": "verified",
"category": [
"authentication"
],
"code": "4exLFFQZ1234xFl1cJNwOV",
"created": "2022-12-15T10:29:49.953Z",
"dataset": "salesforce.logout_rest",
"ingested": "2022-12-15T10:29:53Z",
"kind": "event",
"module": "salesforce",
"original": "{\"API_TYPE\":\"f\",\"API_VERSION\":\"54.0\",\"APP_TYPE\":\"1000\",\"BROWSER_TYPE\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\",\"CLIENT_IP\":\"81.2.69.142\",\"CLIENT_VERSION\":\"9998\",\"EVENT_TYPE\":\"Logout\",\"LOGIN_KEY\":\"Obv9123BzbaxqCo1\",\"ORGANIZATION_ID\":\"00D5j001234VI3n\",\"PLATFORM_TYPE\":\"1015\",\"REQUEST_ID\":\"4exLFFQZ1234xFl1cJNwOV\",\"RESOLUTION_TYPE\":\"9999\",\"SESSION_KEY\":\"WvtsJ1235oW24EbH\",\"SESSION_LEVEL\":\"1\",\"SESSION_TYPE\":\"O\",\"TIMESTAMP\":\"20221122073725.779\",\"TIMESTAMP_DERIVED\":\"2022-11-22T07:37:25.779Z\",\"USER_ID\":\"0055j000000utlP\",\"USER_ID_DERIVED\":\"0055j000000utlPAAQ\",\"USER_INITIATED_LOGOUT\":\"0\",\"USER_TYPE\":\"S\"}",
"type": [
"info"
]
},
"input": {
"type": "httpjson"
},
"related": {
"ip": [
"81.2.69.142"
]
},
"salesforce": {
"instance_url": "http://elastic-package-service_salesforce_1:8010",
"logout": {
"access_mode": "REST",
"api": {
"type": "Feed",
"version": "54.0"
},
"app_type": "Application",
"browser_type": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36",
"client_version": "9998",
"event_type": "Logout",
"login_key": "Obv9123BzbaxqCo1",
"organization_id": "00D5j001234VI3n",
"platform_type": "Windows 10",
"resolution_type": "9999",
"session": {
"level": "Standard Session",
"type": "Oauth2"
},
"user_id": "0055j000000utlP",
"user_initiated_logout": "0"
}
},
"source": {
"geo": {
"city_name": "London",
"continent_name": "Europe",
"country_iso_code": "GB",
"country_name": "United Kingdom",
"location": {
"lat": 51.5142,
"lon": -0.0931
},
"region_iso_code": "GB-ENG",
"region_name": "England"
},
"ip": "81.2.69.142"
},
"tags": [
"preserve_original_event",
"salesforce-logout_rest",
"forwarded"
],
"user": {
"id": "0055j000000utlPAAQ",
"roles": "Standard"
}
}Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp | Event timestamp. | date |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
event.action | The action captured by the event. This describes the information in the event. It is more specific than event.category. Examples are group-add, process-started, file-created. The value is normally defined by the implementer. | keyword |
event.agent_id_status | Agents are normally responsible for populating the agent.id field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the agent.id value in events can be checked against the certificate. If the values match then event.agent_id_status: verified is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: verified - The agent.id field value matches expected value obtained from auth metadata. mismatch - The agent.id field value does not match the expected value obtained from auth metadata. missing - There was no agent.id field in the event to validate. auth_metadata_missing - There was no auth metadata or it was missing information about the agent ID. | keyword |
event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
event.ingested | Timestamp when an event arrived in the central data store. This is different from @timestamp, which is when the event originally occurred. It's also different from event.created, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: @timestamp < event.created < event.ingested. | date |
event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | keyword |
event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from _source. If users wish to override this and index this field, please see Field data types in the Elasticsearch Reference. | keyword |
event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
input.type | Input type. | keyword |
related.ip | All of the IPs seen on your event. | ip |
salesforce.instance_url | The Instance URL of the Salesforce instance. | keyword |
salesforce.logout.access_mode | Mode of Salesforce API from which the event is collected. | keyword |
salesforce.logout.api.type | The type of Salesforce API request. | keyword |
salesforce.logout.api.version | The version of the Salesforce API that's being used. | keyword |
salesforce.logout.app_type | The application type that was in use upon logging out. | keyword |
salesforce.logout.browser_type | The identifier string returned by the browser used at login. | keyword |
salesforce.logout.client_version | The version of the client that was in use upon logging out. | keyword |
salesforce.logout.event_type | The type of event. The value is always Logout. | keyword |
salesforce.logout.login_key | The string that ties together all events in a given user's logout session. It starts with a login event and ends with either a logout event or the user session expiring. | keyword |
salesforce.logout.organization_id | The 15-character ID of the organization. | keyword |
salesforce.logout.platform_type | The code for the client platform. If a timeout caused the logout, this field is null. | keyword |
salesforce.logout.resolution_type | TThe screen resolution of the client. If a timeout caused the logout, this field is null. | keyword |
salesforce.logout.session.level | The security level of the session that was used when logging out (e.g. Standard Session or High-Assurance Session). | keyword |
salesforce.logout.session.type | The session type that was used when logging out (e.g. API, Oauth2 or UI). | keyword |
salesforce.logout.user_id | The 15-character ID of the user who's using Salesforce services through the UI or the API. | keyword |
salesforce.logout.user_initiated_logout | The value is 1 if the user intentionally logged out of the organization by clicking the Logout button. If the user's session timed out due to inactivity or another implicit logout action, the value is 0. | keyword |
source.geo.city_name | City name. | keyword |
source.geo.continent_name | Name of the continent. | keyword |
source.geo.country_iso_code | Country ISO code. | keyword |
source.geo.country_name | Country name. | keyword |
source.geo.location | Longitude and latitude. | geo_point |
source.geo.region_iso_code | Region ISO code. | keyword |
source.geo.region_name | Region name. | keyword |
source.ip | IP address of the source (IPv4 or IPv6). | ip |
tags | List of keywords used to tag each event. | keyword |
user.id | Unique identifier of the user. | keyword |
user.roles | Array of user roles at the time of the event. | keyword |
This is the setupaudittrail data stream. It represents changes users made in the user's organization's Setup area for at least the last 180 days.
An example event for setupaudittrail looks as following:
{
"@timestamp": "2022-08-16T09:26:38.000Z",
"agent": {
"ephemeral_id": "cf463665-f17d-4155-8434-4f93e0fabd18",
"id": "511d10d2-be41-45d0-9712-40b7ce035864",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.4.1"
},
"data_stream": {
"dataset": "salesforce.setupaudittrail",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.5.0"
},
"elastic_agent": {
"id": "511d10d2-be41-45d0-9712-40b7ce035864",
"snapshot": false,
"version": "8.4.1"
},
"event": {
"action": "insertConnectedApplication",
"agent_id_status": "verified",
"created": "2022-08-16T09:26:38.000Z",
"dataset": "salesforce.setupaudittrail",
"id": "0Ym5j000019nwonCAA",
"ingested": "2023-01-04T15:34:45Z",
"kind": "event",
"module": "salesforce",
"original": "{\"Action\":\"insertConnectedApplication\",\"CreatedByContext\":\"Einstein\",\"CreatedById\":\"0055j000000utlPAAQ\",\"CreatedByIssuer\":null,\"CreatedDate\":\"2022-08-16T09:26:38.000+0000\",\"DelegateUser\":\"user1\",\"Display\":\"For user user@elastic.co, the User Verified Email status changed to verified\",\"Id\":\"0Ym5j000019nwonCAA\",\"Section\":\"Connected Apps\",\"attributes\":{\"type\":\"SetupAuditTrail\",\"url\":\"/services/data/v54.0/sobjects/SetupAuditTrail/0Ym5j000019nwonCAA\"}}",
"type": [
"admin"
],
"url": "/services/data/v54.0/sobjects/SetupAuditTrail/0Ym5j000019nwonCAA"
},
"input": {
"type": "httpjson"
},
"salesforce": {
"instance_url": "http://elastic-package-service_salesforce_1:8010",
"setup_audit_trail": {
"access_mode": "REST",
"created_by_context": "Einstein",
"created_by_id": "0055j000000utlPAAQ",
"delegate_user": "user1",
"display": "For user user@elastic.co, the User Verified Email status changed to verified",
"event_type": "SetupAuditTrail",
"section": "Connected Apps"
}
},
"tags": [
"preserve_original_event",
"salesforce-setupaudittrail",
"forwarded"
],
"user": {
"id": "0055j000000utlPAAQ",
"name": "user@elastic.co"
}
}Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp | Event timestamp. | date |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
error.message | Error message. | match_only_text |
event.action | The action captured by the event. This describes the information in the event. It is more specific than event.category. Examples are group-add, process-started, file-created. The value is normally defined by the implementer. | keyword |
event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
event.id | Unique ID to describe the event. | keyword |
event.ingested | Timestamp when an event arrived in the central data store. This is different from @timestamp, which is when the event originally occurred. It's also different from event.created, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: @timestamp < event.created < event.ingested. | date |
event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | keyword |
event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by event.kind:alert, are a common use case for this field. | keyword |
input.type | Input type. | keyword |
salesforce.instance_url | The Instance URL of the Salesforce instance. | keyword |
salesforce.setup_audit_trail.access_mode | Type of API from which the event is collected. | keyword |
salesforce.setup_audit_trail.created_by_context | The context under which the Setup change was made. For example, if Einstein uses cloud-to-cloud services to make a change in Setup, the value of this field is Einstein. | keyword |
salesforce.setup_audit_trail.created_by_id | The id under which the Setup change was made. For example, if Einstein uses cloud-to-cloud services to make a change in Setup, the value of this field is id of Einstein. | keyword |
salesforce.setup_audit_trail.created_by_issuer | Reserved for future use. | keyword |
salesforce.setup_audit_trail.delegate_user | The Login-As user who executed the action in Setup. If a Login-As user didn't perform the action, this field is empty string. This field is available in API version 35.0 and later. | keyword |
salesforce.setup_audit_trail.display | The full description of changes made in Setup. For example, if the event.action field has a value of PermSetCreate, the Display field has a value like "Created permission set MAD: with user license Salesforce." | keyword |
salesforce.setup_audit_trail.event_type | Event type. | keyword |
salesforce.setup_audit_trail.section | The section in the Setup menu where the action occurred. For example, Manage Users or Company Profile. | keyword |
tags | List of keywords used to tag each event. | keyword |
user.id | Unique identifier of the user. | keyword |
user.name | Short name or login of the user. | keyword |
user.name.text | Multi-field of user.name. | match_only_text |
| Version | Details |
|---|---|
0.5.0 | Enhancement View pull request Migrate visualizations to lens. |
0.4.1 | Enhancement View pull request Added categories and/or subcategories. |
0.4.0 | Enhancement View pull request Salesforce integration package with "setupaudittrail" data stream. |
0.3.0 | Enhancement View pull request Salesforce integration package with "apex" data stream. |
0.2.1 | Bug fix View pull request Add pagination support for "login_rest" and "logout_rest". |
0.2.0 | Enhancement View pull request Salesforce integration package with "logout_rest" data stream. |
0.1.0 | Enhancement View pull request Salesforce integration package with "login_rest" data stream. |