
Collect Logs for the Salesforce App

Steps to collect logs for the Salesforce app.

This page has instructions for collecting logs for the Salesforce app.  

Prerequisites

The Salesforce Event Monitoring add-on is required to obtain all of the data presented in the app dashboards. The add-on enables access to all event types in the Salesforce EventLogFile object, the LoginEvent object, Transaction Security, and the Event Monitoring Analytics App. For more information, see Get Started with Event Monitoring and Enable Event Monitoring in the Salesforce documentation.

Step 1. Set Salesforce user permissions

To create a permission set and assign it to the user that SumoJanus will authenticate as:

  1. In Salesforce, go to Setup > Administer > Manage Users > Permission Sets.  
  2. Create a permission set with the API Enabled permission and either the View Event Log Files or the View All Data permission. View Event Log Files is the narrower of the two and is sufficient for this app; only use View All Data if you need it for some other reason. For more information, see Create Permission Sets in Salesforce help.
  3. On the Permission Set Overview > System Permissions page, select API Enabled and View Event Log Files (or View All Data, if that is what you chose in the previous step).
  4. Click the Manage Assignments button in the permission set you just created, and click Add Assignments.
  5. Find your user and assign that user to the permission set you just created.
  6. Save your changes.

Step 2. Download the SumoJanus packages

The following SumoJanus files are required to collect logs from Salesforce. SumoJanus is a proprietary Sumo Logic library used for script-based collection from applications such as Okta, Box, and Salesforce.

The SumoJanus package file: sumojanus-dist.3.0.1.tar.gz

The Salesforce bundle package for SumoJanus: sumojanus-salesforce-3.1.0.tar.gz (on Windows, sumojanus-salesforce-3.1.0.zip)

Step 3. Deploy the SumoJanus packages

The deployment steps vary, depending on whether or not you have set up the SumoJanus package previously. 

If you have never set up SumoJanus 

If you have not previously set up the SumoJanus package, follow these steps.

  1. Copy the two package files you downloaded to the same folder, then unzip them there.

    • On Linux, run the following commands:

      tar xzvf sumojanus-dist.3.0.1.tar.gz
      tar xzvf sumojanus-salesforce-3.1.0.tar.gz

    • On Windows, use Windows Explorer to open the packages.

After you unzip the package files, there should be a folder called sumojanus, with all of the files from both packages.

If you have set up SumoJanus previously

If you have previously set up the SumoJanus package, follow these steps.

  1. Back up the file conf/sumologic.properties.
  2. Copy the sumojanus-salesforce-3.1.0.tar.gz file into the parent folder of your existing SumoJanus installation (the folder that contains the sumojanus folder).
  3. Extract sumojanus-salesforce-3.1.0.tar.gz there. This copies the files from the SFDC bundle package into the sumojanus folder.

Step 4. Configure the SFDC Bundle

  1. Go to the unzipped sumojanus folder.
  2. Open the file conf/sumologic.properties and edit it to add the following section to the end of the file:

    [salesforce]
    url = <Salesforce Instance URL>
    token_file_path = ${path}/data/salesforce.token
    record_file_path = ${path}/data/sf_readfiles.dat
    # if you are using a SFDC sandbox environment, set the following to true
    sandbox = false
    interval = daily

     
  3. Set the following properties:
    1. url: Point to your Salesforce instance URL. For example:
       https://na25.salesforce.com
    2. sandbox: If you are using a sandbox environment, set this to true. It is false by default.
    3. start_time: Milliseconds since the epoch at which collection begins. If you don't specify start_time, logs are collected from two days in the past.
    4. interval: Controls whether you collect daily or hourly log files. Later in this procedure, in Step 8. Configure a script source, the Frequency you specify must correspond to this interval setting.

For information about other supported properties, see Property definitions, below.

Property definitions

In the file conf/sumologic.properties, the following properties are supported.

  • url (required): Instance URL, for example https://na31.salesforce.com/
  • token_file_path (required): Path to the access token file used to authenticate with the SFDC API.
  • convert_csv_to_json (not required, default: true): Set to true if output should be in JSON. Raw event logs from Salesforce are in CSV format.
  • record_file_path (not required, default: ${path}/sf_readfiles.dat): Path to the file that records which log event files have been read successfully.
  • sandbox (not required, default: false): Set to true if the URL points to a sandbox instance.
  • start_time (not required, default: 2 days ago): Milliseconds since the epoch at which to begin collecting (for example, 1450137600000, which is 2015-12-15T00:00:00Z).
  • end_time (not required, default: now): Milliseconds since the epoch at which to stop collecting.
  • interval (not required, default: daily): Set to daily or hourly for the corresponding log files.
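Two details in this section cause most support tickets: start_time and end_time are milliseconds, not seconds, and an installation that already has a [salesforce] section must end up with exactly one after you edit the file. The following Python helper is added here as an example and is not part of SumoJanus. It converts an ISO-8601 UTC date to the expected value, refuses a seconds-style timestamp, renders the Step 4 section, and merges it into the text of conf/sumologic.properties (replacing an existing [salesforce] section, appending otherwise) after backing the file up. The function names and the .bak suffix are this example's own choices.

```python
"""Helpers for the [salesforce] section of conf/sumologic.properties.

Added example; not part of SumoJanus. The merge works on the file text,
so it can be exercised without the package installed.
"""
import re
import shutil
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

SECTION_HEADER = "[salesforce]"

# Matches the [salesforce] header plus every following line that does not
# start a new section, so an existing section can be replaced in place.
_SECTION_RE = re.compile(r"^\[salesforce\][ \t]*\n(?:(?!\[)[^\n]*\n?)*", re.M)


def to_epoch_ms(iso_utc: str) -> int:
    """Convert e.g. 2015-12-15T00:00:00Z to the milliseconds-since-epoch
    integer that start_time and end_time expect (1450137600000)."""
    dt = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1000


def looks_like_seconds(value: int) -> bool:
    """A seconds-since-epoch value pasted where milliseconds are expected
    lands in 1970, so SumoJanus would try to backfill decades of logs.
    Anything below 10**11 ms is before March 1973 and is flagged."""
    return value < 10**11


def render_section(url: str, sandbox: bool = False, interval: str = "daily",
                   start_time: Optional[int] = None) -> str:
    """Produce the [salesforce] section from Step 4 with the given values."""
    if not url.startswith("https://"):
        raise ValueError("url must be the https:// URL of your Salesforce instance")
    if interval not in ("daily", "hourly"):
        raise ValueError("interval must be daily or hourly")
    if start_time is not None and looks_like_seconds(start_time):
        raise ValueError("start_time must be milliseconds since the epoch")
    lines = [
        SECTION_HEADER,
        f"url = {url}",
        "token_file_path = ${path}/data/salesforce.token",
        "record_file_path = ${path}/data/sf_readfiles.dat",
        "# if you are using a SFDC sandbox environment, set the following to true",
        f"sandbox = {'true' if sandbox else 'false'}",
        f"interval = {interval}",
    ]
    if start_time is not None:
        lines.append(f"start_time = {start_time}")
    return "\n".join(lines) + "\n"


def merge_section(properties_text: str, section_text: str) -> str:
    """Replace an existing [salesforce] section or append a new one, so the
    file never ends up with two copies after a re-run."""
    if _SECTION_RE.search(properties_text):
        return _SECTION_RE.sub(lambda _m: section_text, properties_text, count=1)
    if properties_text and not properties_text.endswith("\n"):
        properties_text += "\n"
    return properties_text + section_text


def count_sections(properties_text: str) -> int:
    """Number of [salesforce] headers in the text; must be exactly 1."""
    return len(_SECTION_RE.findall(properties_text))


def update_properties(path: str, section_text: str) -> str:
    """Back up the properties file to <name>.bak (example convention), then
    write the merged text. Returns the backup path."""
    prop = Path(path)
    backup = prop.with_suffix(prop.suffix + ".bak")
    original = prop.read_text() if prop.exists() else ""
    if prop.exists():
        shutil.copy2(prop, backup)
    prop.write_text(merge_section(original, section_text))
    return str(backup)


if __name__ == "__main__":
    section = render_section("https://na25.salesforce.com",
                             start_time=to_epoch_ms("2015-12-15T00:00:00Z"))
    print("backup written to", update_properties("conf/sumologic.properties", section))
```

Run it from the unzipped sumojanus folder; the merge is idempotent, so re-running after a change to url or interval updates the section rather than duplicating it.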

Step 5: Authenticate with Salesforce

  1. Log out of Salesforce.
  2. Run the following command from the unzipped sumojanus folder:
    • On Unix-like systems: bin/SumoJanus_SF.bash -s
    • On Windows: bin\SumoJanus_SF.bat -s
  3. A browser will open (if it doesn't, see If your browser does not open, below):
    • If your browser has already authenticated with Salesforce, a message will display saying that access has been granted.
    • Otherwise, you will see the Salesforce login. Supply the credentials of the user you assigned the permission set to in Step 1 to grant access.
  4. You will then see a message saying that the token file has been created (data/salesforce.token).
  5. Don't close the session where you ran bin/SumoJanus_SF.bash -s until you have seen that message.

If your browser does not open

If the target environment does not have a GUI, for example if you are remoting into the environment, SumoJanus won't be able to open a browser and will print the authorization link to the console instead. Copy that link and paste it into a browser on your workstation. Then follow the authentication and approval process with Salesforce, until the browser is redirected to a URL that looks like this:

http://localhost:8080/?code=<some_value>&state=<some_value>

Your browser will display an error such as "This site can't be reached", because the localhost:8080 listener is running on the SumoJanus host, not on your workstation. You can ignore the error; what you need is the URL in the address bar. The code parameter is a short-lived, one-time authorization code, so treat that URL as sensitive and do not paste it into chat or tickets.

Then open another session to the SumoJanus host, and run this there, so that localhost resolves to the waiting SumoJanus listener:

curl -X POST '<the_above_url>'

You should see a confirmation that the token file has been created, like the one described in step 4 of Step 5 above.

Test your configuration

  1. To make sure that the settings are correct, run the following command from the sumojanus folder:
    • On Unix-like systems: bin/SumoJanus_SF.bash
    • On Windows: bin\SumoJanus_SF.bat
    (run the command without the -s flag).
  2. The script prints its progress as it downloads event log files; this may take a while.
  3. Remove the sf_readfiles.dat file that was just created under the data folder. This file records which event log files have already been read, so leaving it in place would cause the production collector to skip the files you just downloaded during the test.

Step 6: Install a Sumo collector on your production system

In Sumo Logic, install a Collector (version i19.115 or later) on the system where you want to collect Salesforce Event Monitoring logs.

For instructions, see Installed Collectors.

Step 7. Deploy the configuration to your production system

The steps for deploying the configuration to production vary, depending on whether or not SumoJanus 3.0 is already deployed to production.

If you do not have SumoJanus 3.0 on the production system

Copy the whole sumojanus folder to the production system where a Sumo installed collector is configured and running. We recommend putting this folder under the Collector folder.

If you already have SumoJanus 3.0 on the production system

If you are currently using SumoJanus 3.0 on the production system (for example, as part of script collection for another Sumo Logic App, such as Box), this means you already have the sumojanus folder.  

In this case, do the following:

  1. Back up your current version of the conf/sumologic.properties file.
  2. From the conf/sumologic.properties file you configured for Salesforce, copy the new [salesforce] section into the conf/sumologic.properties file on the production system.
  3. Extract only the SFDC bundle (the sumojanus-salesforce-3.1.0.tar.gz file, or on Windows, sumojanus-salesforce-3.1.0.zip) into the sumojanus folder on your production system.
  4. Copy the token file (salesforce.token) you generated in the Authenticate with Salesforce step into the sumojanus/data folder.

In either case, remember that the token file grants API access to your Salesforce org as the user you authenticated. Restrict its file permissions to the account the Collector runs as (for example, chmod 600 on Unix-like systems), and do not check it into version control.

Step 8. Configure a script source

In Sumo Logic, configure a Script Source using the instructions in Script Source.

For the Sumo Logic App for Salesforce, use the following configuration settings:

  • Frequency:
    • For daily log files, set Frequency to every 6 hours.
    • For hourly log files, set Frequency to 1 hour.
  • Specify a timeout for your command:
    • For daily log files, set the timeout to 3 hours.
    • For hourly log files, set the timeout to 1 hour.
  • Command:
    • On Unix-like systems: /bin/bash
    • On Windows: Windows Script
  • Type a path to the script to execute:
    • On Unix-like systems: /opt/SumoCollector/sumojanus/bin/SumoJanus_SF.bash
    • On Windows: c:\Program Files\SumoCollector\sumojanus\bin\SumoJanus_SF.bat
  • Working Directory:
    • On Unix-like systems: /opt/SumoCollector/sumojanus
    • On Windows: c:\Program Files\SumoCollector\sumojanus
  • Advanced Options for Logs:
    • Timezone: Select "UTC".
    • Timestamp Format: yyyy-MM-dd'T'HH:mm:ss.SSS
    • Timestamp Locator: TIMESTAMP_DERIVED\":\"([^\"]+)\"

Sample log message

{
   "EVENT_TYPE":"Report",
   "TIMESTAMP":"20171002172229.677",
   "REQUEST_ID":"423LBHidMGMvdMH5Tie2a-",
   "ORGANIZATION_ID":"00XT0000000ABmu",
   "USER_ID":"006X0000006TZhh",
   "RUN_TIME":"606",
   "CPU_TIME":"90",
   "CLIENT_IP":"38.99.50.98",
   "URI":"/00OE0000003MThb",
   "REQUEST_STATUS":"S",
   "DB_TOTAL_TIME":"475884875",
   "ENTITY_NAME":"",
   "DISPLAY_TYPE":"S",
   "RENDERING_TYPE":"W",
   "REPORT_ID":"00OE0000003MThb",
   "NUMBER_EXCEPTION_FILTERS":"0",
   "NUMBER_COLUMNS":"3",
   "SORT":"",
   "DB_BLOCKS":"65351",
   "DB_CPU_TIME":"430",
   "NUMBER_BUCKETS":"2",
   "TIMESTAMP_DERIVED":"2016-02-08T21:55:55.667Z",
   "USER_ID_DERIVED":"006X0000006TZhhIAG",
   "USER_ID_DERIVED_LOOKUP":"saad@acme.com",
   "URI_ID_DERIVED":"00OE0000003MThbMAG",
   "REPORT_ID_DERIVED":"00OE0000003MThbMAG",
   "REPORT_ID_DERIVED_LOOKUP":"g Current Q MQL(C) by LC"
}

Query sample

Most Accessed Reports

_sourceCategory=salesforce "Report"
| json "EVENT_TYPE", "REPORT_ID_DERIVED", "REPORT_ID_DERIVED_LOOKUP" as event_type, report_id, report_name
| where event_type = "Report"
| count by report_name, report_id
| format("%s : %s", report_name, report_id) as report
| top 20 report by _count
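The Timestamp Locator and Timestamp Format from Step 8 decide what event time Sumo Logic assigns to each message; if the locator does not match, the message is stamped with the collection time and any timeline built from these logs is wrong. The following Python is added here as an example and is not part of SumoJanus or Sumo Logic. It applies the Step 8 locator and format to a few constructed log lines shaped like the sample message above, then runs the Most Accessed Reports aggregation locally and, going one step beyond the page's query, counts Report events per user as a simple signal for report scraping. The sample lines, the second report, the second user and the client IP are constructed for this example.

```python
"""Check the Step 8 timestamp settings and reproduce the Most Accessed
Reports query over SumoJanus-style JSON lines.

Added example; not part of SumoJanus or Sumo Logic. All log lines below
are constructed for this example.
"""
import json
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

# Step 8 Timestamp Locator, as a Python regex. Sumo Logic runs it against
# the raw message and hands capture group 1 to the Timestamp Format.
TIMESTAMP_LOCATOR = re.compile(r'TIMESTAMP_DERIVED":"([^"]+)"')

# Step 8 Timestamp Format yyyy-MM-dd'T'HH:mm:ss.SSS, as a strptime pattern.
# It consumes the date, time and fraction only; the trailing Z in the field
# is left over, which is why Step 8 pins the source Timezone to UTC.
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%S.%f"
_TIMESTAMP_PREFIX = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}")


def locate_timestamp(message: str) -> datetime:
    """Return the event time Sumo Logic would assign, or raise if the
    locator does not match (the message would then get receipt time)."""
    m = TIMESTAMP_LOCATOR.search(message)
    if m is None:
        raise ValueError("Timestamp Locator did not match; check the message shape")
    prefix = _TIMESTAMP_PREFIX.match(m.group(1))
    if prefix is None:
        raise ValueError(f"value {m.group(1)!r} does not fit {TIMESTAMP_FORMAT}")
    return datetime.strptime(prefix.group(0), TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)


def all_timestamped(lines: Iterable[str]) -> bool:
    """True if every line yields an event time. Run this over a real
    SumoJanus output sample before trusting the Script Source settings."""
    try:
        for line in lines:
            locate_timestamp(line)
    except ValueError:
        return False
    return True


def _report_events(lines: Iterable[str]):
    for line in lines:
        ev = json.loads(line)
        if ev.get("EVENT_TYPE") == "Report":
            yield ev


def most_accessed_reports(lines: Iterable[str], top_n: int = 20) -> List[Tuple[str, int]]:
    """Local equivalent of the Most Accessed Reports query: count Report
    events by (name, id), labelled 'name : id', most accessed first."""
    counts = Counter(f'{ev["REPORT_ID_DERIVED_LOOKUP"]} : {ev["REPORT_ID_DERIVED"]}'
                     for ev in _report_events(lines))
    return counts.most_common(top_n)


def heavy_report_users(lines: Iterable[str], threshold: int) -> Dict[str, int]:
    """Beyond the page's query: users with at least `threshold` Report
    events in the window, a starting point for spotting report scraping."""
    per_user = Counter(ev["USER_ID_DERIVED_LOOKUP"] for ev in _report_events(lines))
    return {user: n for user, n in per_user.items() if n >= threshold}


def _event(event_type, ts, user, report_id="", report_name=""):
    # SumoJanus emits compact JSON (no space after the colon) and the
    # locator regex depends on that; json.dumps' default separators would
    # produce "TIMESTAMP_DERIVED": "..." and silently break it.
    return json.dumps({
        "EVENT_TYPE": event_type,
        "TIMESTAMP_DERIVED": ts,
        "USER_ID_DERIVED_LOOKUP": user,
        "CLIENT_IP": "198.51.100.10",  # constructed; RFC 5737 documentation range
        "REPORT_ID_DERIVED": report_id,
        "REPORT_ID_DERIVED_LOOKUP": report_name,
    }, separators=(",", ":"))


# Constructed sample: the first line mirrors the page's sample message; the
# second report, the second user and the later timestamps are invented.
SAMPLE_LINES = [
    _event("Report", "2016-02-08T21:55:55.667Z", "saad@acme.com",
           "00OE0000003MThbMAG", "g Current Q MQL(C) by LC"),
    _event("Report", "2016-02-08T21:57:01.120Z", "saad@acme.com",
           "00OE0000003MThbMAG", "g Current Q MQL(C) by LC"),
    _event("Report", "2016-02-08T22:00:00.000Z", "alex@acme.com",
           "00OE0000003MThbMAG", "g Current Q MQL(C) by LC"),
    _event("Report", "2016-02-08T22:03:10.500Z", "saad@acme.com",
           "00OE0000003MThcMAG", "Pipeline by Owner"),
    _event("Login", "2016-02-08T22:05:00.000Z", "alex@acme.com"),
]

if __name__ == "__main__":
    print("all lines timestamped:", all_timestamped(SAMPLE_LINES))
    for label, n in most_accessed_reports(SAMPLE_LINES):
        print(n, label)
    print("heavy report users:", heavy_report_users(SAMPLE_LINES, threshold=3))
```

To check a real deployment, replace SAMPLE_LINES with a few lines read from the output of the test run in Test your configuration; a False from all_timestamped means the locator needs adjusting before the Script Source goes live.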