
Collect Logs for the Salesforce App

Steps to collect logs for the Salesforce app.

To collect logs for the Salesforce App, perform the following steps:

  1. Set Salesforce user permissions.
  2. Deploy the SumoJanus package.
  3. Configure the SFDC bundle.
  4. Authenticate with Salesforce.
  5. Install a Sumo collector on your production system.
  6. Deploy the configuration to your production system.
  7. In Sumo, configure a script source.

Set Salesforce user permissions

To create a permission set and assign it to a user

  1. In Salesforce, go to Setup > Administer > Manage Users > Permission Sets.  
  2. Create a permission set with the API Enabled permission and either the View Event Log Files or the View All Data permission. For more information, see Create Permission Sets in Salesforce help.
  3. On the Permission Set Overview > System Permissions page, select API Enabled and View Event Log Files.
  4. Click the Manage Assignments button in the permission set you just created, and click Add Assignments.
  5. Find your user and assign that user to the permission set you just created.
  6. Save your changes.

Deploy the SumoJanus package

Depending on whether or not you have set up the SumoJanus package previously, the steps are different. 

If you have never set up the SumoJanus package

  1. Download the following files:
  2. Copy both files into the same folder, and unzip them there. For example, on Linux, run the following commands:
    tar xzvf sumojanus-2.0.tar.gz
    tar xzvf sumojanus-2.0-salesforce.tar.gz
  3. This will create a folder called sumojanus-2.0 with all the files from both packages.

If you have set up the SumoJanus package before

  1. Back up the file conf/sumologic.properties.
  2. Copy the sumojanus-2.0-salesforce.tar.gz file into the parent folder where SumoJanus is currently installed. (So this folder should contain the folder sumojanus-2.0.)
  3. Unzip the file sumojanus-2.0-salesforce.tar.gz. This will copy the files from the SFDC bundle package to the folder sumojanus-2.0.

Configure the SFDC bundle

  1. Go to the unzipped sumojanus-2.0 folder.
  2. Open the file conf/sumologic.properties and edit it to add the following section to the end of the file:
    [salesforce]
    url = <Salesforce Instance URL>
    token_file_path = ${path}/data/salesforce.token
    record_file_path = ${path}/data/sf_readfiles.dat
    # if you are using a SFDC sandbox environment, set the following to true
    sandbox = false
  3. See the following table for all supported properties. Make sure to set the following parameters:
    • Set the url parameter to point to your Salesforce URL. For example:
      https://na25.salesforce.com
    • If you are using a sandbox environment, set the sandbox property to true. It is set to false by default.
    • If you don’t provide a start time, logs will be collected from two days in the past.

In the file conf/sumologic.properties, the following properties are supported.

| Property | Required or Default | Description |
|---|---|---|
| url | Required | Instance URL (for example, https://na31.salesforce.com/). |
| token_file_path | Required | Path to access token file to authenticate with SFDC API. |
| convert_csv_to_json | Not required, default to: true | Set to true if output should be in JSON. This is because raw event logs from SF are in CSV format. |
| record_file_path | Not required, default to: ${path}/sf_readfiles.dat | Path to store list of log event files read successfully. |
| sandbox | Not required, default to: false | Set to true if the URL points to a sandbox instance. |
| start_time | Not required, default to: 2 days ago | Milliseconds since the epoch to begin collecting (for example, 1450137600000). |
| end_time | Not required, default to now | Milliseconds since the epoch to stop collecting. |
| version | Not required, default to: 29.0 | API version, minimum is 29.0 |

Authenticate with Salesforce

  1. Log out of Salesforce.
  2. Run the following command under the unzipped sumojanus-2.0 folder:  
    bin/SumoJanus_SF.bash -s
  3. A browser will open:
    • If your browser has already authenticated with Salesforce, a message will display saying that access has been granted.
    • Otherwise, you will see the Salesforce login. Supply your credentials (with the required permissions) to grant access.
  4. You will then see the following message, which says that the token file has been created:

Test your configuration

  1. To make sure that the settings are correct, run bin/SumoJanus_SF.bash again (without the -s flag).
  2. You should see something like this (which may go on for a while):
     
  3. Remove the sf_readfiles.dat file that was just created. This file should be located under the data folder.

Install a Sumo collector on your production system

In Sumo Logic, install a Collector (version i19.115 or later) on the system where you want to collect Salesforce Event Monitoring Logs.

For instructions, see Installed Collectors.

Deploy the configuration to your production system

If you do not have SumoJanus 2.0 on the production system

Copy the whole sumojanus-2.0 folder to the production system where a Sumo installed collector is configured and running. We recommend putting this folder under the Collector folder.

If you already have SumoJanus 2.0 on the production system

If you are currently using SumoJanus 2.0 on the production system (for example, as part of script collection for another Sumo Logic App, such as Box), this means you already have the sumojanus-2.0 folder.  

In this case, do the following:

  1. Back up your current version of the conf/sumologic.properties file.
  2. From the conf/sumologic.properties file you configured for Salesforce, copy the new configuration section to the production system.
  3. Unzip only the SFDC bundle (the sumojanus-2.0-salesforce.tar.gz file) to the sumojanus-2.0 folder on your production system.
  4. Copy the token file (salesforce.token) you generated in the Authenticate with Salesforce step into the sumojanus-2.0/data folder.
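
The deployed folder now holds a Salesforce access token and the settings that decide where it is sent, so it is worth checking before the script source is scheduled. The following is an added example, not part of the SumoJanus package or the original page: the function names sf_prop and check_sfdc_conf are hypothetical, and it assumes ${path} in the properties file stands for the SumoJanus folder.

```shell
#!/bin/sh
# Added example: check a SumoJanus folder before the script source runs it.

# sf_prop <properties-file> <key>: print a key's value from the [salesforce] section
sf_prop() {
  awk -v key="$2" '
    /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[salesforce\]/); next }
    in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
    }' "$1"
}

# check_sfdc_conf <sumojanus-dir>: returns the number of problems found (0 = OK)
check_sfdc_conf() {
  dir=$1; conf="$dir/conf/sumologic.properties"; bad=0
  [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }

  # The access token is sent to this URL, so require TLS.
  url=$(sf_prop "$conf" url)
  case $url in
    https://*) ;;
    *) echo "url is not an https:// instance URL: '$url'" >&2; bad=$((bad + 1)) ;;
  esac

  # Assumption: ${path} stands for the SumoJanus folder itself.
  token=$(sf_prop "$conf" token_file_path | sed "s|\${path}|$dir|")
  if [ ! -s "$token" ]; then
    echo "token file missing or empty: $token" >&2; bad=$((bad + 1))
  elif [ "$(ls -ld "$token" | cut -c5-10)" != "------" ]; then
    echo "token file is accessible to group/other: chmod 600 $token" >&2
    bad=$((bad + 1))
  fi

  # start_time and end_time are epoch milliseconds (13 digits), not seconds.
  for key in start_time end_time; do
    val=$(sf_prop "$conf" "$key")
    [ -z "$val" ] || printf '%s\n' "$val" | grep -Eq '^[0-9]{13}$' ||
      { echo "$key=$val is not epoch milliseconds" >&2; bad=$((bad + 1)); }
  done
  return "$bad"
}

# Run against a folder when one is given on the command line.
if [ "$#" -gt 0 ]; then check_sfdc_conf "$1"; fi
```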

Configure a script source

In Sumo Logic, configure a Script Source using the instructions in Script Source.

For the Sumo Logic App for Salesforce, use the following configuration settings:

  • Frequency: Every 6 Hours
  • Specify a timeout for your command: 3 Hours
  • Command: /bin/bash
  • Type a path to the script to execute: /opt/SumoCollector/sumojanus-2.0/bin/SumoJanus_SF.bash
  • Working Directory: /opt/SumoCollector/sumojanus-2.0
  • Advanced > Timestamp Format: yyyy-MM-dd'T'HH:mm:ss.SSS

Sample log message

{
   "EVENT_TYPE":"Report",
   "TIMESTAMP":"20171002172229.677",
   "REQUEST_ID":"423LBHidMGMvdMH5Tie2a-",
   "ORGANIZATION_ID":"00XT0000000ABmu",
   "USER_ID":"006X0000006TZhh",
   "RUN_TIME":"606",
   "CPU_TIME":"90",
   "CLIENT_IP":"38.99.50.98",
   "URI":"/00OE0000003MThb",
   "REQUEST_STATUS":"S",
   "DB_TOTAL_TIME":"475884875",
   "ENTITY_NAME":"",
   "DISPLAY_TYPE":"S",
   "RENDERING_TYPE":"W",
   "REPORT_ID":"00OE0000003MThb",
   "NUMBER_EXCEPTION_FILTERS":"0",
   "NUMBER_COLUMNS":"3",
   "SORT":"",
   "DB_BLOCKS":"65351",
   "DB_CPU_TIME":"430",
   "NUMBER_BUCKETS":"2",
   "TIMESTAMP_DERIVED":"2016-02-08T21:55:55.667Z",
   "USER_ID_DERIVED":"006X0000006TZhhIAG",
   "USER_ID_DERIVED_LOOKUP":"saad@acme.com",
   "URI_ID_DERIVED":"00OE0000003MThbMAG",
   "REPORT_ID_DERIVED":"00OE0000003MThbMAG",
   "REPORT_ID_DERIVED_LOOKUP":"g Current Q MQL(C) by LC"
}

Query sample

Most Accessed Reports

_sourceCategory=salesforce event type "Report"
| json "REPORT_ID_DERIVED","REPORT_ID_DERIVED_LOOKUP" as report_id, report_name
| count by report_name, report_id
| format("%s : %s",report_name, report_id) as report_id
| count by report_id 
| sort by _count desc | top 20 report_id by _count