Collect Logs for the Salesforce App

Prerequisites

The Salesforce Event Monitoring add-on is required to obtain all of the data presented in the app dashboards. The add-on enables access all event types in the Salesforce EventLogFile, the LoginEvent object, Transaction Security, and the Event Monitoring Analytics App. For more information, see Get Started with Event Monitoring and Enable Event Monitoring.

Step 1. Set Salesforce user permissions

To create a permission set and assign it to a user

In Salesforce, go to Setup > Administer > Manage Users > Permission Sets.
Create a permission set with the API Enabled permission and either the View Event Log Files or the View All Data permission. For more information, see Create Permission Sets in Salesforce help.
On the Permission Set Overview > System Permissions page, select API Enabled and View Event Log Files.
Click the Manage Assignments button in the permission set you just created, and click Add Assignments.
Find your user and assign that user to the permission set you just created.
Save your changes.

Step 2. Download the SumoJanus packages

The following SumoJanus files are required to collect logs from Salesforce. SumoJanus is a proprietary library used for script-based collection from applications such as Okta, Box, and Salesforce.

The SumoJanus package file:

For Linux, sumojanus-dist.3.0.1.tar.gz, which you can download from: https://s3.amazonaws.com/script-collection/sumojanus/r3.0.1/sumojanus-dist.3.0.1.tar.gz.
For Windows, sumojanus-dist.3.0.1.zip, which you can download from https://s3.amazonaws.com/script-collection/sumojanus/r3.0.1/sumojanus-dist.3.0.1.zip.

If you are using SumoJanus v2.0 (for Box or Salesforce collection), you should deploy SumoJanus v3.x and later versions in a separate location. If the sumojanus folder name is sumojanus-2.0, you are using 2.0, otherwise, the version of sumojanus is indicated inside VERSION.md under the sumojanus folder.

The Salesforce bundle package for SumoJanus:

For Linux, sumojanus-salesforce-3.1.0.tar.gz, which you can download from: https://s3.amazonaws.com/script-collection/sfdc/r3.1.0/sumojanus-salesforce-3.1.0.tar.gz.
For Windows, sumojanus-salesforce-3.1.0.zip, which you can download from https://s3.amazonaws.com/script-collection/sfdc/r3.1.0/sumojanus-salesforce-3.1.0.zip.

Step 3. Deploy the SumoJanus packages

The deployment steps vary, depending on whether or not you have set up the SumoJanus package previously.

If you have never set up SumoJanus

If you have not previously set up the SumoJanus package, follow these steps.

Copy the two package files you downloaded to the same folder, then unzip them there.
- On Linux, run the following commands:
  
  tar xzvf sumojanus-dist.3.0.1.tar.gz tar xzvf sumojanus-salesforce-3.1.0.tar.gz
- On Windows, use Windows Explorer to open the packages.
  
  You must unzip the archives in the order they are listed above: first sumojanus-dist.3.0.1.tar.gz (or sumojanus-dist.3.0.1.zip on Windows) and then sumojanus-salesforce-3.1.0.tar.gz (or sumojanus-salesforceç.zip on Windows). They must also be decompressed to the same folder (i.e., sumojanus).

After you unzip the package files, there should be a folder called sumojanus, with all of the files from both packages.

If you have set up SumoJanus previously

If you have previously set up the SumoJanus package, follow these steps.

Backup the file conf/sumologic.properties.
Copy the sumojanus-3.1.0-salesforce.tar.gz file into the parent folder where SumoJanus is currently installed. (So this folder should contain the folder sumojanus.)
Unzip the file sumojanus-3.1.0-salesforce.tar.gz. This will copy the files from the SFDC bundle package to the folder sumojanus.

Step 4. Configure the SFDC Bundle

Go to the unzipped sumojanus folder.
Open the file conf/sumologic.properties and edit it to add the following section to the end of the file:

[salesforce] url = <Salesforce Instance URL> token_file_path = ${path}/data/salesforce.token record_file_path = ${path}/data/sf_readfiles.dat # if you are using a SFDC sandbox environment, set the following to true sandbox = false interval = daily
Set the following properties:
1. url—Point to your Salesforce URL. For example:
  https://na25.salesforce.com
2. sandbox—If you are is using a sandbox environment, set the property to true. It is set to false by default.
3. start_time—If you don’t specify start_time, logs will be collected from two days in the past.
4. interval—Controls whether you collect daily or hourly logs. Note that later in this procedure, in Step 7: Configure a script source, the setting you specify for Frequency, should correspond to the interval setting.

For information about other supported properties, see Property definitions, below.

Property definitions

In the file conf/sumologic.properties, the following properties are supported.

Property	Required or Default	Description
url	Required	Instance URL (for example, `https://na31.salesforce.com/`
token_file_path	Required	Path to access token file to authenticate with SFDC API.
convert_csv_to_json	Not required, default: true	Set to true if output should be in JSON. This is because raw event logs from SF are in CSV format.
record_file_path	Not required, default: ${path}/sf_readfiles.dat	Path to store list of log event files read successfully.
sandbox	Not required, default: false	Set to true if the URL points to a sandbox instance.
start_time	Not required, default: 2 days ago	Milliseconds since the epoch to begin collecting (for example, 1450137600000).
end_time	Not required, default: now	Milliseconds since the epoch to stop collecting.
`interval`	Not required, default: `daily`	Set to `daily` or `hourly` for corresponding log files.

Step 5: Authenticate with Salesforce

Log out of Salesforce. >
Run the following command under the unzipped sumojanus folder:
- On Unix-like systems: bin/SumoJanus_SF.bash -s
- On Windows: bin\SumoJanus_SF.bat -s
A browser will open (if it doesn't, see If your browser does not open, below):
- If your browser has already authenticated with Salesforce, a message will display saying that access has been granted.
- Otherwise, you will see the Salesforce login. Supply your credentials (with the required permissions) to grant access.
You will then see the following message, which says that the token file has been created:

If you do not see the login screen and just see the token file message, check to make sure that the token file actually exists under the package folder. If it doesn't exist, sign out and retry the process.
Don't close the session where you ran bin/SumoJanus_SF.bash -s.

If your browser does not open

If the target environment does not have a GUI, for example if you are remoting into the environment, SumoJanus won't be able to open a browser and will print out a link to the CLI instead. Copy that link and paste into a browser. Then follow the authentication and approval process with Salesforce, until you get a URL back that looks like this :

http://localhost:8080/?code=<some_value>&state=<some_value>

Your browser will display error messages like those shown below. You can ignore them.

Then open another session to the SumoJanus host, and run this:

curl -X POST '<the_above_url>'

You should see a confirmation that the token file has been created, similar to the one shown in Step 4 above.

If the curl command returns the message Empty reply from server, it is likely that the single quotes around the_above_url are missing.

Test your configuration

To make sure that the settings are correct, run the following command from the sumojanus folder:
- On Unix-like systems: bin/SumoJanus_SF.bash
- On Windows: bin\SumoJanus_SF.bat
(run the command without the -s flag).
You should see something like this (which may go on for a while):
Remove the sf_readfiles.dat file that was just created. This file should be located under the data folder.

Step 6: Install a Sumo collector on your production system

In Sumo Logic, install a Collector (version i19.115 or later) on the system where you want to collect Salesforce Event Monitoring Logs

For instructions, see Installed Collectors.

Step 7. Deploy the configuration to your production system

The steps for deploying the configuration to production vary, depending on whether or not SuperJanus 3.0 is already deployed to production.

If you do not have SumoJanus 3.0 on the production system

Copy the whole sumojanus folder to the production system where a Sumo installed collector is configured and running. We recommend putting this folder under the Collector folder.

If you already have SumoJanus 3.0 on the production system

If you are currently using SumoJanus 3.0 on the production system (for example, as part of script collection for another Sumo Logic App, such as Box), this means you already have the sumojanus folder.

In this case, do the following:

Backup your current version of the conf/sumologic.properties file.
From the conf/sumologic.properties file you configured for Salesforce, copy the new configuration section to the production system.
Unzip only the SFDC bundle, (the sumojanus-salesforce-3.1.0.tar.gz file, or on Windows, sumojanus-salesforce-3.1.0.zip ) to the sumojanus folder on your production system.
Copy the token file (salesforce.token) you generated in the Authenticate with Salesforce step into the sumojanus-3.0/data folder.

Step 8. Configure a script source

In Sumo Logic, configure a Script Source using the instructions in Script Source.

For the Sumo Logic App for Salesforce, use the following configuration settings:

Frequency.
- For daily log files, set frequency to every 6 hours.
- For hourly log files, set frequency to 1 hour.
Specify a timeout for your command:
- For daily log files, set timeout to every 3 hours.
- For hourly log files, set timeout to 1 hour.
Command: /bin/bash
- On Unix-like systems: /bin/bash
- On Windows: Windows Script
Type a path to the script to execute:
- On Unix-like systems: /opt/SumoCollector/sumojanus/bin/SumoJanus_SF.bash
- On Windows: c:\Program Files\SumoCollector\sumojanus\bin\SumoJanus_SF.bash

Working Directory:
- On Unix-like systems: /opt/SumoCollector/sumojanus
- On Windows: c:\Program Files\SumoCollector\sumojanus
Advanced Options for Logs
- Timezone: Select "UTC".
- Timestamp Format: yyyy-MM-dd’T’HH:mm:ss.SSS
- Timestamp Locator: TIMESTAMP_DERIVED\":\"([^\"]+)\"

Sample log message

{
   "EVENT_TYPE":"Report",
   "TIMESTAMP":"20171002172229.677",
   "REQUEST_ID":"423LBHidMGMvdMH5Tie2a-",
   "ORGANIZATION_ID":"00XT0000000ABmu",
   "USER_ID":"006X0000006TZhh",
   "RUN_TIME":"606",
   "CPU_TIME":"90",
   "CLIENT_IP":"38.99.50.98",
   "URI":"/00OE0000003MThb",
   "REQUEST_STATUS":"S",
   "DB_TOTAL_TIME":"475884875",
   "ENTITY_NAME":"",
   "DISPLAY_TYPE":"S",
   "RENDERING_TYPE":"W",
   "REPORT_ID":"00OE0000003MThb",
   "NUMBER_EXCEPTION_FILTERS":"0",
   "NUMBER_COLUMNS":"3",
   "SORT":"",
   "DB_BLOCKS":"65351",
   "DB_CPU_TIME":"430",
   "NUMBER_BUCKETS":"2",
   "TIMESTAMP_DERIVED":"2016-02-08T21:55:55.667Z",
   "USER_ID_DERIVED":"006X0000006TZhhIAG",
   "USER_ID_DERIVED_LOOKUP":"saad@acme.com",
   "URI_ID_DERIVED":"00OE0000003MThbMAG",
   "REPORT_ID_DERIVED":"00OE0000003MThbMAG",
   "REPORT_ID_DERIVED_LOOKUP":"g Current Q MQL(C) by LC"
}

Query sample

Most Accessed Reports