The Salesforce EventLogFile Collection feature enables you to collect and organize your Salesforce organization's operational events. You can then analyze this data to learn about your user behavior and usage trends. The System Monitor Agent can import EventLogFile logs into LogRhythm for analysis. This document contains instructions on how to configure a System Monitor Agent to collect EventLogFile log files and feed them to the LogRhythm Client Console.

Prerequisites

The HTTPS collection mechanism used by the Agent references a Salesforce EventLogFile configuration file (salesforce.ini) and retains the last report read from Salesforce EventLogFile with state tracking. Ensure that the LogRhythm System Monitor Agent used to collect Salesforce EventLogFile log data has internet access.

Configure Salesforce

Enable the Salesforce EventLogFile API

The LogRhythm Agent reads Salesforce data through the Salesforce EventLogFile API. This API is NOT enabled by default, so it must be enabled on your instance before collection can work. Common use cases of this API include tracking user activity, user feature adoption, troubleshooting issues that may arise in your Salesforce environment, and many others. For more information, or to get access to the EventLogFile API, contact your Salesforce admin or representative.

Salesforce Service Account Requirements

To collect log data from Salesforce, the LogRhythm Agent requires a Salesforce user to be created with the following permissions:

  • The user must have the View Event Log Files and API Enabled user permissions. Users with the View All Data permission can also view event log files.
  • READ access permissions must be enabled for the following Salesforce objects: 
    • Event Log File
    • Report, Dashboard
    • User
    • Opportunity
    • Account
    • LoginHistory
  • To connect over the REST API, the Salesforce user needs to have a security token associated with it. If you do not have a security token, follow the instructions at the following link: Reset Security Token.

Validate Salesforce Access

  1. Log in to the Salesforce Workbench by accessing the following URL: https://workbench.developerforce.com/login.php.
  2. For Jump to, select SOQL Query from the drop-down list. 
  3. For Object, select Account from the drop-down list.
  4. Click Select.
  5. On the next screen, make sure you have access to the following Objects under the Object drop-down list:
    • Account
    • User
    • Report
    • Dashboard
    • EventLogFile
    • LoginHistory
    • Opportunity

Salesforce Event Collection Information

When collecting Salesforce events, keep the following in mind:

  • Salesforce tracks usage activity for a 24-hour period, from 12:00 a.m. to 11:59 p.m. Coordinated Universal Time (UTC). Salesforce parses data before making it available through its API.
    • If set to daily, Salesforce takes 24 hours to report an event, that is, to make it available through its API.
    • If set to hourly, Salesforce takes 1 hour to report an event, that is, to make it available through its API.

  • The SysMon Agent connects to Salesforce every few seconds to collect data. This data is immediately parsed and sent to LogRhythm’s Data Processor/Mediator component. This happens in the same manner whether Salesforce data collection is set to occur daily or hourly; the daily or hourly setting is a Salesforce setting, not a SysMon collection setting.
  • Salesforce Event Log Files are available for the previous 30 days when organizations purchase User Event Monitoring, or for one day when organizations use the Developer Edition.
  • Hourly event logs are not enabled by default. They must be enabled for the Agent to collect correctly. For more information, see the Salesforce documentation and Configure Salesforce EventLog File.
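The state tracking mentioned in the prerequisites (the Agent retains the last report read) and the hourly/daily distinction above can be made concrete with a small checkpoint model. The following is an added example, not LogRhythm's or Salesforce's code: it orders EventLogFile metadata records by LogDate and Sequence, collects only files newer than the saved checkpoint so that a restart neither re-ingests nor skips a file, and parses one collected file body (Salesforce delivers it as CSV with a header row) to count failed logins per source address. The record Ids, dates and CSV rows are constructed sample data.

```python
"""Checkpoint ("last report read") logic for EventLogFile collection.

Added example, not LogRhythm's or Salesforce's code. EventLogFile records
carry LogDate, Interval (Daily or Hourly) and, from API version 37.0,
Sequence. Files are taken in (LogDate, Sequence) order and only files newer
than the saved checkpoint are collected. All sample data is constructed.
"""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class LogFileRecord:
    id: str          # EventLogFile record Id (constructed values below)
    event_type: str  # e.g. Login, API
    log_date: str    # LogDate in UTC, ISO 8601 as the API returns it
    interval: str    # "Daily" or "Hourly"
    sequence: int    # Sequence within the interval (API 37.0 and later)


@dataclass(frozen=True)
class Checkpoint:
    log_date: str = ""                 # newest LogDate collected so far
    seen_ids: frozenset = frozenset()  # Ids already collected at that LogDate


def collection_order(rec):
    """Deterministic order: by LogDate, then Sequence, then event type."""
    return (rec.log_date, rec.sequence, rec.event_type)


def select_new_files(records, cp):
    """Return (files to collect in order, checkpoint to persist afterwards).

    A file is new if its LogDate is past the checkpoint, or equal to it but
    its Id has not been collected yet. Tracking Ids at the newest LogDate
    tolerates several event types (and several hourly Sequences) that share
    one LogDate and are published at slightly different times.
    """
    ordered = sorted(records, key=collection_order)
    new = [r for r in ordered
           if r.log_date > cp.log_date
           or (r.log_date == cp.log_date and r.id not in cp.seen_ids)]
    if not new:
        return new, cp
    latest = new[-1].log_date            # ordered by LogDate, so last is newest
    seen = {r.id for r in new if r.log_date == latest}
    if latest == cp.log_date:            # still within the same LogDate
        seen |= set(cp.seen_ids)
    return new, Checkpoint(latest, frozenset(seen))


def parse_log_file(body):
    """Parse an EventLogFile body (CSV with a header row) into dict rows."""
    return list(csv.DictReader(io.StringIO(body)))


def failed_logins_by_source_ip(rows):
    """Count Login events whose LOGIN_STATUS is not LOGIN_NO_ERROR, per SOURCE_IP."""
    counts = {}
    for row in rows:
        if row.get("EVENT_TYPE") == "Login" and row.get("LOGIN_STATUS") != "LOGIN_NO_ERROR":
            ip = row.get("SOURCE_IP", "")
            counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample metadata, shaped like a SOQL result on EventLogFile.
SAMPLE_RECORDS = [
    LogFileRecord("0AT000000000001", "Login", "2024-01-05T00:00:00.000Z", "Hourly", 1),
    LogFileRecord("0AT000000000002", "Login", "2024-01-05T01:00:00.000Z", "Hourly", 1),
    LogFileRecord("0AT000000000003", "API",   "2024-01-05T01:00:00.000Z", "Hourly", 1),
    LogFileRecord("0AT000000000004", "Login", "2024-01-04T00:00:00.000Z", "Daily",  0),
]
# Checkpoint left by a previous run: the 00:00 hourly Login file was already read.
SAMPLE_CHECKPOINT = Checkpoint("2024-01-05T00:00:00.000Z", frozenset({"0AT000000000001"}))

# Constructed sample Login file body; column names follow the Login event type.
SAMPLE_LOGIN_CSV = (
    '"EVENT_TYPE","TIMESTAMP","USER_ID","LOGIN_STATUS","SOURCE_IP"\n'
    '"Login","20240105010203.123","005000000000001","LOGIN_NO_ERROR","203.0.113.10"\n'
    '"Login","20240105010415.001","005000000000002","LOGIN_ERROR_INVALID_PASSWORD","203.0.113.10"\n'
    '"Login","20240105010416.009","005000000000002","LOGIN_ERROR_INVALID_PASSWORD","203.0.113.10"\n'
    '"Login","20240105012200.550","005000000000003","LOGIN_ERROR_INVALID_PASSWORD","198.51.100.7"\n'
)

if __name__ == "__main__":
    new, cp = select_new_files(SAMPLE_RECORDS, SAMPLE_CHECKPOINT)
    print("collect:", [r.id for r in new], "next checkpoint:", cp)
    print("failed logins:", failed_logins_by_source_ip(parse_log_file(SAMPLE_LOGIN_CSV)))
```

Running it collects the two 01:00 files (the API file first, then Login), advances the checkpoint to that hour, and reports two failed logins from 203.0.113.10 and one from 198.51.100.7; a second pass with the new checkpoint collects nothing, which is the property a restart-safe collector needs.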

Configure the salesforce.ini File

You must ensure that the LogRhythm System Monitor has access to the Salesforce EventLogFile service so it can collect the log files. To grant access to the Salesforce EventLogFile service, you must edit the salesforce.ini file.

  1. Open Windows Explorer.
  2. Go to the following directory: C:\Program Files\LogRhythm\LogRhythm System Monitor\config.
  3. Open the salesforce.ini file with a text editor.

  4. Edit all settings that have a default value of CHANGE_THIS, as well as any other defaults that don't work for your needs.

    Setting | Default Value | Description
    SFDCEndpoint | login.salesforce.com | The salesforce.com (SFDC) endpoint name. This value should be login.salesforce.com or test.salesforce.com.
    ConsumerKey | CHANGE_THIS | The SFDC consumer key, which must be encrypted using the lrcrypt command line utility (usage: lrcrypt [-e passwordtoencrypt]). See LogRhythm Password Encryption for more information. You must manually paste the encrypted value into the configuration file.
    ConsumerSecretKey | CHANGE_THIS | The SFDC consumer secret key, which must be encrypted using the lrcrypt command line utility (usage: lrcrypt [-e passwordtoencrypt]). See LogRhythm Password Encryption for more information. You must manually paste the encrypted value into the configuration file.
    SecurityToken | CHANGE_THIS | The SFDC username security token, which must be encrypted using the lrcrypt command line utility (usage: lrcrypt [-e passwordtoencrypt]). See LogRhythm Password Encryption for more information. You must manually paste the encrypted value into the configuration file.
    UserName | CHANGE_THIS | User name for SFDC.
    Password | CHANGE_THIS | Password for the SFDC user name, which must be encrypted using the lrcrypt command line utility. See LogRhythm Password Encryption for more information. lrcrypt can write the encrypted password into the file directly if you specify the path to salesforce.ini when running it.
    Timeout | 300 | The timeout (in seconds) to use when requesting data from the Salesforce server.
    FetchHourly | FALSE | The interval at which Event Log files are collected. Set to TRUE for hourly collection.
    ApiVersion | 37 | The version of the API you are using. The Interval and Sequence fields, and the FetchHourly setting, are available only in version 37.0 and later.
    ErrorRetryTimeSpan | 60 | The amount of time (in minutes) that must elapse before the Agent retries data collection.
    ErrorRetryCount | 3 | The number of collection retries that the Agent can attempt during log collection.
    EventLogFileTypes | ALL | Comma-separated list of the file types to collect, including: ApexCallout, ApexExecution, ApexSOAP, ApexTrigger, API, AsyncReport, BulkAPI, ChangeSetOperation, ContentDistribution, ContentDocumentLink, ContentTransfer, Dashboard, DocumentAttachmentDownloads, Login, LoginAs, Logout, MDAPIOperation, MultiblockReport, PackageInstall, QueuedExecution, Report, ReportExport, RESTAPI, UITracking, Sandbox, Sites, TimeBasedWorkflow, URI, Visualforce.
  5. Save and close the file.
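A leftover CHANGE_THIS placeholder, a misspelled file type, or FetchHourly set against an API version that does not support it will only show up as failed collection after the Agent restarts. The following pre-flight check is an added example, not LogRhythm's code: it loads a salesforce.ini and reports violations of the constraints stated in the table above. The [Salesforce] section header it supplies when a file has none is an assumption about the file layout, and it does not attempt to verify that secrets were run through lrcrypt, since that encrypted format is not described here. The two sample files are constructed.

```python
"""Pre-flight checks for a salesforce.ini before restarting the Agent.

Added example, not LogRhythm's code. Enforces the documented constraints:
no CHANGE_THIS placeholder remains, SFDCEndpoint is one of the two allowed
hosts, numeric settings are positive numbers, FetchHourly=TRUE is used only
with ApiVersion 37.0 or later, and every EventLogFileTypes entry is a known
file type. The [Salesforce] header is an assumed section name.
"""
import configparser

ALLOWED_ENDPOINTS = {"login.salesforce.com", "test.salesforce.com"}
KNOWN_FILE_TYPES = {
    "ApexCallout", "ApexExecution", "ApexSOAP", "ApexTrigger", "API", "AsyncReport",
    "BulkAPI", "ChangeSetOperation", "ContentDistribution", "ContentDocumentLink",
    "ContentTransfer", "Dashboard", "DocumentAttachmentDownloads", "Login", "LoginAs",
    "Logout", "MDAPIOperation", "MultiblockReport", "PackageInstall", "QueuedExecution",
    "Report", "ReportExport", "RESTAPI", "UITracking", "Sandbox", "Sites",
    "TimeBasedWorkflow", "URI", "Visualforce",
}
REQUIRED = ("SFDCEndpoint", "ConsumerKey", "ConsumerSecretKey",
            "SecurityToken", "UserName", "Password")
NUMERIC = ("Timeout", "ApiVersion", "ErrorRetryTimeSpan", "ErrorRetryCount")


def load_ini(text):
    """Return the settings as a dict, keeping the case of the setting names."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # do not lower-case keys such as SFDCEndpoint
    try:
        parser.read_string(text)
    except configparser.MissingSectionHeaderError:
        parser.read_string("[Salesforce]\n" + text)  # assumed section name
    if not parser.sections():
        return dict(parser.defaults())
    return dict(parser[parser.sections()[0]])


def _number(value):
    try:
        return float(value.strip())
    except ValueError:
        return None


def validate(settings):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    for key in REQUIRED:
        if key not in settings:
            problems.append(f"{key}: missing")
    for key, value in settings.items():
        if value.strip() == "CHANGE_THIS":
            problems.append(f"{key}: still set to the CHANGE_THIS placeholder")
    endpoint = settings.get("SFDCEndpoint", "").strip()
    if endpoint and endpoint not in ALLOWED_ENDPOINTS:
        problems.append(f"SFDCEndpoint: {endpoint!r} is not login.salesforce.com or test.salesforce.com")
    for key in NUMERIC:
        if key in settings:
            n = _number(settings[key])
            if n is None or n <= 0:
                problems.append(f"{key}: expected a positive number, got {settings[key]!r}")
    hourly = settings.get("FetchHourly", "FALSE").strip().upper() == "TRUE"
    api = _number(settings.get("ApiVersion", "37"))
    if hourly and api is not None and api < 37:
        problems.append("FetchHourly: TRUE requires ApiVersion 37.0 or later")
    types = settings.get("EventLogFileTypes", "ALL").strip()
    if types.upper() != "ALL":
        for name in (t.strip() for t in types.split(",")):
            if name not in KNOWN_FILE_TYPES:
                problems.append(f"EventLogFileTypes: unknown file type {name!r}")
    return problems


# Constructed sample: a completed file. The *_PLACEHOLDER values stand in for
# lrcrypt output; they are not real encrypted secrets.
GOOD_INI = """[Salesforce]
SFDCEndpoint = login.salesforce.com
ConsumerKey = ENCRYPTED_CONSUMER_KEY_PLACEHOLDER
ConsumerSecretKey = ENCRYPTED_SECRET_PLACEHOLDER
SecurityToken = ENCRYPTED_TOKEN_PLACEHOLDER
UserName = svc-logrhythm@example.com
Password = ENCRYPTED_PASSWORD_PLACEHOLDER
Timeout = 300
FetchHourly = TRUE
ApiVersion = 37
ErrorRetryTimeSpan = 60
ErrorRetryCount = 3
EventLogFileTypes = Login,Logout,LoginAs,API,RESTAPI
"""

# Constructed sample with three mistakes: a leftover placeholder, hourly
# fetching against an older API version, and a misspelled file type.
BAD_INI = GOOD_INI.replace("ENCRYPTED_TOKEN_PLACEHOLDER", "CHANGE_THIS") \
                  .replace("ApiVersion = 37", "ApiVersion = 36") \
                  .replace("LoginAs,API,RESTAPI", "Typo,API,RESTAPI")

if __name__ == "__main__":
    for label, text in (("good", GOOD_INI), ("bad", BAD_INI)):
        print(label, validate(load_ini(text)) or "OK")
```

Run it against the real file with `validate(load_ini(open(path).read()))` before restarting the System Monitor service; an empty list means every documented constraint holds.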

After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide.

Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

The name of the log message source is API - Salesforce EventLogFile. In addition, when configuring this log source:

  • For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
  • For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
  • On the Flat File Settings tab, enter the following:
    • File Path. <path to log file, including the file name and extension>

      For multiple users, you can create multiple salesforce.ini files and multiple Salesforce EventLogFile Log Sources.