Splunk Enterprise Security

Splunk Add-on for SalesForce - Can't find events

guarisma
Contributor

Hello,

We got the Splunk Add-on for Salesforce and configured the API user, but it's only pulling authentication logs (Login/Logout). We are able to see other audit trail logs in the Salesforce console, but it seems the Add-on is not pulling those logs.
Basically we need logs that will capture:

Password policy was changed
A user account has been granted API access
A user account has been granted privileged access
Verify invalid & valid logical access attempts are logged
Verify changes, additions, and deletions to root or administrative accounts are logged
Verify initialization, stopping, or pausing of audit logs is logged
Verify creation and deletion of system-level objects is logged
Verify the affected system component, resource, or data is included in log entries

Would anyone know how to pull this from Salesforce? Should the Add-on be getting these events?

0 Karma
1 Solution

guarisma
Contributor

To answer my own question: all this information can be found in the Setup Audit Trail, which is not a default input for the Add-on; you will need to add it by creating a New Input.


ADRIANODL
Explorer

Hi guarisma, did you find an answer to your question? I'm still going through the same issue.

0 Karma

guarisma
Contributor

I've answered my own question, but I'm having another issue.

Object Fields should be = Id,Action,Section,CreatedDate,CreatedById,Display,DelegateUser,ResponsibleNamespacePrefix
Order By field should be = CreatedDate

But it pulls the initial 90 days of logs and then it never pulls again.

0 Karma


guarisma
Contributor

This actually pulled the first 90 days of events as expected by default, but after that it stopped pulling data.
The logs in _internal are not showing any errors, but the API call seems to have gotten stuck on the last checkpoint forever.

0 Karma
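The two posts above describe the moving parts of a Setup Audit Trail input: a SOQL query over the listed Object Fields, ordered by CreatedDate, and a checkpoint that is supposed to advance after each poll but in this case stopped moving. The script below is an added illustration of that mechanism, not code from the Splunk Add-on for Salesforce or from the poster. It builds the query with the field list and ORDER BY from the thread, polls incrementally against an in-memory stand-in for the Salesforce REST API (the record Ids, Action and Section values are constructed for the example), handles the boundary case where several audit rows share one CreatedDate, and includes a small staleness check of the kind you would run to confirm that a checkpoint has fallen behind what the source already holds. The class and function names are my own.

```python
"""Incremental collector for the Salesforce SetupAuditTrail object.

Added illustration for this thread; it is not the Splunk Add-on for
Salesforce's own code. It models the custom input described above: one SOQL
query over the listed Object Fields, ordered by CreatedDate, with a checkpoint
that must advance after every poll. The Salesforce REST API is replaced by an
in-memory list of constructed records so the script runs offline; the Ids,
Action and Section values below are made up for the example.
"""
from datetime import datetime, timedelta, timezone

OBJECT_FIELDS = ("Id", "Action", "Section", "CreatedDate", "CreatedById",
                 "Display", "DelegateUser", "ResponsibleNamespacePrefix")
ORDER_BY = "CreatedDate"


def soql_ts(dt):
    """Render a datetime in the UTC form SOQL accepts in a WHERE clause."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def build_soql(checkpoint):
    """Query sent on each poll. '>=' re-reads the row that sits exactly on the
    checkpoint; Collector.poll() de-duplicates that row by Id."""
    return (f"SELECT {','.join(OBJECT_FIELDS)} FROM SetupAuditTrail "
            f"WHERE {ORDER_BY} >= {soql_ts(checkpoint)} ORDER BY {ORDER_BY}")


def fake_query(records, checkpoint):
    """Stand-in for the REST call: applies the WHERE and ORDER BY of
    build_soql() to the constructed record list. Ties on CreatedDate are
    broken by Id so results are deterministic."""
    return sorted((r for r in records if r["CreatedDate"] >= checkpoint),
                  key=lambda r: (r["CreatedDate"], r["Id"]))


class Collector:
    """Polls SetupAuditTrail incrementally and tracks a CreatedDate checkpoint."""

    def __init__(self, start):
        self.checkpoint = start      # CreatedDate of the newest record indexed
        self.boundary_ids = set()    # Ids already indexed at that exact CreatedDate
        self.indexed = []

    def poll(self, records):
        new = [r for r in fake_query(records, self.checkpoint)
               if r["Id"] not in self.boundary_ids]
        if not new:
            return []                # nothing newer: the checkpoint legitimately stays put
        newest = max(r["CreatedDate"] for r in new)
        if newest > self.checkpoint:
            self.checkpoint = newest # advance to the newest record seen, not to "now"
            self.boundary_ids = set()
        self.boundary_ids.update(r["Id"] for r in new if r["CreatedDate"] == newest)
        self.indexed.extend(new)
        return new


def checkpoint_is_stale(collector, records, max_lag=timedelta(hours=1)):
    """Diagnostic for the symptom in the thread: True when the source already
    holds records more than max_lag newer than the checkpoint, i.e. the input
    has stopped advancing even though there is data to pull."""
    newest_at_source = max((r["CreatedDate"] for r in records), default=None)
    return (newest_at_source is not None
            and newest_at_source - collector.checkpoint > max_lag)


def _rec(id_, action, section, when):
    # Constructed record; field names match OBJECT_FIELDS, values are fake.
    return {"Id": id_, "Action": action, "Section": section, "CreatedDate": when,
            "CreatedById": "005000000000001AAA", "Display": action,
            "DelegateUser": None, "ResponsibleNamespacePrefix": None}


T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
# Constructed audit rows: two share a CreatedDate to exercise the boundary case.
SAMPLE = [
    _rec("0Ym000000000001", "demoPasswordPolicyChange", "Security Controls", T0),
    _rec("0Ym000000000002", "demoApiAccessGranted", "Manage Users", T0 + timedelta(minutes=5)),
    _rec("0Ym000000000003", "demoProfileChange", "Manage Users", T0 + timedelta(minutes=5)),
]


def run_demo():
    """Two polls against SAMPLE, with one record appearing between them."""
    c = Collector(start=T0 - timedelta(days=1))
    first = c.poll(SAMPLE)                               # picks up all three rows
    later = SAMPLE + [_rec("0Ym000000000004", "demoAdminCreated", "Manage Users",
                           T0 + timedelta(hours=2))]
    stale_before = checkpoint_is_stale(c, later)        # two hours of unpulled data
    second = c.poll(later)                               # only the new row, no duplicates
    return {"first": [r["Id"] for r in first],
            "second": [r["Id"] for r in second],
            "stale_before": stale_before,
            "stale_after": checkpoint_is_stale(c, later),
            "total": len(c.indexed)}


if __name__ == "__main__":
    print(build_soql(T0))
    print(run_demo())
```

The point of the `>=` plus Id de-duplication pattern is that a checkpoint stored at second granularity can sit on a timestamp shared by several audit rows; a strict `>` would silently drop the ones not yet indexed, while `>=` without de-duplication would index the boundary row again on every poll. The staleness check is the kind of thing to run against the live org (compare the newest CreatedDate the API returns with the input's stored checkpoint) when _internal shows no errors but the index stops growing.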
