Hello,
We got the Splunk Add-on for SalesForce and configured the API User but it's only pulling Authentication logs (Login/Logout), we are able to see other Audit trail logs in the SalesForce console, but it seems the Add-on is not pulling those logs.
Basically we need logs that will capture:
Password policy was changed
A user account has been granted API access
A user account has been granted privileged access
Verify invalid & valid logical access attempts are logged
Verify changes, additions, deletions to root or administrative accounts are logged
Verify initialization, stopping or pausing of audit logs is logged
Verify creation and deletion of system level objects is logged
Verify affected system component, resource or data is included in log entries
Would anyone know how to pull this from SalesForce? Should the Add-on be getting these events?
To answer my own question, all this information can be found in the Setup Audit Trail, which is not a default input for the Add-on; you will need to add it by creating a New Input.
Hi guarisma, did you find an answer to your question? I'm still going through the same issue.
I've answered my own question, but I'm having another issue.
Object Fields should be = Id,Action,Section,CreatedDate,CreatedById,Display,DelegateUser,ResponsibleNamespacePrefix
Order By field should be = CreatedDate
But it pulls the initial 90 days of logs and then it never pulls again.
This actually pulled the first 90 days of events as expected by default but after that it stopped pulling data
The logs in _internal are not showing any errors, but the API call seems to have gotten stuck in the last checkpoint forever.
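An added example (not the Splunk Add-on's own code) of the checkpointed SetupAuditTrail collection the post above configures, using the same field list and Order By, and a check for the symptom reported: a stored checkpoint that stops advancing while the source keeps producing rows. The `fetch` callable, the `Z`-suffixed timestamp format and the sample rows are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Field list and sort key exactly as given in the thread.
FIELDS = "Id,Action,Section,CreatedDate,CreatedById,Display,DelegateUser,ResponsibleNamespacePrefix"
ORDER_BY = "CreatedDate"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp format for checkpoints and rows

def build_query(checkpoint: str) -> str:
    # '>=' rather than '>' so rows sharing the checkpoint timestamp are not skipped;
    # poll_once removes the resulting re-reads by Id. SOQL datetime literals are unquoted.
    return (f"SELECT {FIELDS} FROM SetupAuditTrail "
            f"WHERE CreatedDate >= {checkpoint} ORDER BY {ORDER_BY} ASC")

def poll_once(fetch, checkpoint: str, seen_ids: set):
    """One collection cycle: fetch(query) returns API rows; returns (new_rows, new_checkpoint)."""
    new_rows = []
    for row in fetch(build_query(checkpoint)):
        if row["Id"] in seen_ids:
            continue
        seen_ids.add(row["Id"])
        new_rows.append(row)
        if row["CreatedDate"] > checkpoint:   # same-format ISO strings compare as strings
            checkpoint = row["CreatedDate"]
    return new_rows, checkpoint

def is_stalled(checkpoint: str, latest_in_source: str, max_lag_hours: int = 24) -> bool:
    """True when the source has rows newer than the checkpoint by more than max_lag_hours."""
    lag = datetime.strptime(latest_in_source, TS_FMT) - datetime.strptime(checkpoint, TS_FMT)
    return lag > timedelta(hours=max_lag_hours)

def make_fake_fetch(rows: list):
    """Stand-in for the query endpoint: applies the WHERE clause to the constructed rows."""
    def fetch(query: str):
        cp = query.split("CreatedDate >= ")[1].split(" ORDER BY")[0]
        return sorted((r for r in rows if r["CreatedDate"] >= cp), key=lambda r: r["CreatedDate"])
    return fetch

# Constructed sample rows (not real Salesforce data); Display text mirrors the thread's needs.
ROWS = [
    {"Id": "A", "CreatedDate": "2024-01-01T00:00:00Z", "Section": "Security Controls",
     "Display": "Password policy was changed"},
    {"Id": "B", "CreatedDate": "2024-01-02T00:00:00Z", "Section": "Manage Users",
     "Display": "A user account has been granted API access"},
]

def simulate() -> tuple:
    """Two cycles; cycle 2 adds a row with the same timestamp as the checkpoint plus a later one."""
    seen, cp = set(), "2024-01-01T00:00:00Z"
    first, cp = poll_once(make_fake_fetch(ROWS), cp, seen)
    ROWS.append({"Id": "C", "CreatedDate": "2024-01-02T00:00:00Z", "Section": "Manage Users",
                 "Display": "A user account has been granted privileged access"})
    ROWS.append({"Id": "D", "CreatedDate": "2024-03-15T00:00:00Z", "Section": "Manage Users",
                 "Display": "Verify creation and deletion of system level objects is logged"})
    second, cp = poll_once(make_fake_fetch(ROWS), cp, seen)
    return [r["Id"] for r in first], [r["Id"] for r in second], cp
```

Row C would be lost by a `>` comparison on a per-second checkpoint; comparing the stored checkpoint with the newest CreatedDate in the Setup Audit Trail, as `is_stalled` does, surfaces the "stuck forever" condition even when _internal shows no errors.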