Set up Real-Time Event Monitoring
Learning Objectives
After completing this unit, you’ll be able to:
- Set up Real-Time Event Monitoring via Event Manager.
- Set user access to Real-Time Event Monitoring through profiles and permission sets.
- Subscribe to Event Monitoring–specific platform events.
- Describe a common use case of Real-Time Events in an organization.
- Identify how to consume and view Real-Time Events using the Streaming Monitor app.
The challenges in this module rely on the data that come with a Trailhead Playground, so create a new Trailhead Playground for this module. Follow the steps below to create the Trailhead Playground.
Get Your Trailhead Playground Username and Password
Let’s get started by opening your Trailhead Playground. Scroll to the bottom of this page and click Launch. If you see a tab in your org labeled Get Your Login Credentials, great! Follow the steps below.
If not, from the App Launcher, find and open Playground Starter and follow the steps. If you don’t see the Playground Starter app, check out Find the Username and Password for Your Trailhead Playground on Salesforce Help.
- Click the Get Your Login Credentials tab and take note of your username.
- Click Reset My Password. This sends an email to the address associated with your username.
- Click the link in the email.
- Enter a new password, confirm it, and click Change Password.
Set Up Real-Time Event Monitoring
To get started, head to Setup and in the Quick Find box enter Event Manager. Enterprise and Unlimited environments have access to the LogoutEvent platform event object by default, but the remainder of the events need licensing to access Shield Event Monitoring. If you don’t have access and would like to try them out, you can enable Real-Time Events in a Developer Edition org. As long as the Developer Edition org has the Event Monitoring add-on subscription, you have Real-Time Event Monitoring. The Trailhead Playground org will also have access. In order to activate the events, simply navigate to the event that you would like to use and enable streaming or storage.
Enable Access to Real-Time Event Monitoring
You can set user access to Real-Time Event Monitoring through profiles and permission sets. The user permissions needed are as follows.
- To view events: View Real-Time Event Monitoring Data
- To create, edit, and manage Transaction Security policies: Customize Application
To set user access, follow these steps.
1. From Setup, do one of the following:
- Enter Permission Sets in the Quick Find box, then select Permission Sets.
- Enter Profiles in the Quick Find box, then select Profiles.
2. Select a permission set or profile.
3. Depending on whether you’re using permission sets or profiles, do one of the following:
- In permission sets or the enhanced profile user interface, select a permission. In the Find Settings dialog box, enter View Real-Time Event Monitoring Data. Click Edit, select the option, and click Save. Repeat these steps for the Customize Application permission.
- In the original profile user interface, select a profile name, and then click Edit. Select View Real-Time Event Monitoring Data, and Customize Application if you plan to create Transaction Security policies. Click Save.
In addition to enabling Real-Time Event Monitoring, set user permissions to Real-Time Event objects. Real-Time Event Monitoring objects sometimes contain sensitive data.
Subscribe to Event Monitoring–Specific Platform Events
Real-Time Event Monitoring takes some of the events that would normally be logged and streams them using platform events. This means that you can consume the events in the same way that you do for platform events, via a subscriber. Unlike platform events, not all Real-Time Events can be subscribed to via triggers or declarative tools.
Use Real-Time Event Monitoring to subscribe to standard events published by Salesforce to monitor activity in your org. You can subscribe to this data from an external data system of your choice using a Pub/Sub API client.
Data is streamed using a publish-subscribe model. Salesforce publishes streaming data to an event subscription channel, and your app subscribes, or listens, to the event channel to get the data close to real time. Streaming events are retained for up to 3 days. Real-Time Event Monitoring’s streaming events don’t count against your Platform Events delivery allocation. Some system protection limits apply.
Enable A Real-Time Event ReportEventStream for Streaming
To enable the real-time event ReportEventStream for streaming:
- In your playground, in Setup, enter Event Manager in the Quick Find box, and then select Event Manager.
- For Report Event, select Enable Streaming and Enable Storage from the dropdown.
Subscribe to Platform Events Using Pub/Sub API
Let’s take a look at one way to subscribe to platform events using Pub/Sub API.
Prerequisites
- Java 11 (see Java SE 11 Archive Downloads)
- Apache Maven (see Installing Apache Maven)
- If you have not set up a range of trusted IP addresses for your org, you need a security token that you append to your password. For more information, see Reset Your Security Token and Set Trusted IP Ranges for Your Organization.
Steps
- Fork and then clone the pub-sub-api GitHub repository: https://github.com/forcedotcom/pub-sub-api. For more information, see Fork a repository in GitHub Docs. Forking a repository enables you to save your changes in your forked repository. If you want to skip forking the repo, you can just clone the repo, but you can’t save changes that you make in the pub-sub-api repo.
- In a terminal window, go to the java folder in your cloned pub-sub-api folder.
- Build the Java client package and generate required sources from the proto file. From the java folder, enter:
mvn clean install
- Then, configure client parameters and supply the configuration parameters in arguments.yaml.
- Keep the default values for PUBSUB_HOST and PUBSUB_PORT.
- For LOGIN_URL, enter the URL that you use to log in to Salesforce. This can be your My Domain login URL, such as https://mycompany.my.salesforce.com, or https://login.salesforce.com.
- Get the username and password for your Trailhead Playground org in the Playground Starter app. For more information, see Get Your Trailhead Playground Username and Password unit in the Trailhead Playground Management module.
- For USERNAME, enter your Trailhead Playground username.
- For PASSWORD, provide the Trailhead Playground password and append the security token to your password. To get a security token, see Reset Your Security Token in Salesforce Help.
- For TOPIC, provide /event/ReportEventStream
- Save your changes.
- In a Terminal window, navigate to the top-level java folder.
- To subscribe to the ReportEventStream events, enter:
./run.sh genericpubsub.Subscribe
- To generate an event message, perform the action that fires the event. For ReportEventStream, run any report in your playground.
- To create a report in your playground, click the App launcher icon and type Reports.
- Click Reports.
- Click New Report.
- Choose Cases and click Start Report.
- Click Run.
- The output looks similar to the following:
{ "CreatedDate": 1717793026359, "CreatedById": "0058b00000I1GW8AAN", "EventIdentifier": "707db074-db25-4c72-b6f8-890ca7fa5b13", "UserId": "0058b00000HpWcRAAV", "Username": "k.n.hage@empathetic-shark-4d78ty.com", "EventDate": 1717793022000, "RelatedEventIdentifier": null, "LoginHistoryId": "0Ya8b0000GiFqkFCQS", "RowsProcessed": 26, "RowsReturned": null, "Operation": "ReportPreviewed", "QueriedEntities": "Case", "PolicyId": null, "PolicyOutcome": null, "EvaluationTime": 0, "SessionKey": "xAfEud9YsCJ6tMmi", "LoginKey": "mGeQ0eDvCsv5RkKl", "SessionLevel": "STANDARD", "SourceIp": "Salesforce.com IP", "DashboardId": null, "DashboardName": null, "EventSource": "Lightning", "ExecutionIdentifier": "7121db11-2082-44cc-a716-688266be7c5d", "ExportFileFormat": null, "IsScheduled": false, "NumberOfColumns": 7, "ColumnHeaders": "[Case.Owner.Name, Case.Account.Name, Case.Subject, Case.CreatedDate, AGE, OPEN, Case.IsClosed]", "GroupedColumnHeaders": null, "Description": null, "Format": "Tabular", "ReportId": null, "Records": "{\"totalSize\":26,\"rows\":[ {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMluzAAD\",\"5008b00002OMluzAAD\",\"0018b00002UroeBAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlv0AAD\",\"5008b00002OMlv0AAD\",\"0018b00002UroeGAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlv1AAD\",\"5008b00002OMlv1AAD\",\"0018b00002UroeGAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlv2AAD\",\"5008b00002OMlv2AAD\",\"0018b00002UroeHAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlv3AAD\",\"5008b00002OMlv3AAD\",\"0018b00002UroeHAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlv4AAD\",\"5008b00002OMlv4AAD\",\"0018b00002UroeHAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlv5AAD\",\"5008b00002OMlv5AAD\",\"0018b00002UroeLAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlv6AAD\",\"5008b00002OMlv6AAD\",\"0018b00002UroeFAAR\"]}, 
{\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlv7AAD\",\"5008b00002OMlv7AAD\",\"0018b00002UroeFAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlv8AAD\",\"5008b00002OMlv8AAD\",\"0018b00002UroeJAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlv9AAD\",\"5008b00002OMlv9AAD\",\"0018b00002UroeKAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlvAAAT\",\"5008b00002OMlvAAAT\",\"0018b00002UroeKAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlvBAAT\",\"5008b00002OMlvBAAT\",\"0018b00002UroeIAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlvCAAT\",\"5008b00002OMlvCAAT\",\"0018b00002UroeFAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlvDAAT\",\"5008b00002OMlvDAAT\",\"0018b00002UroeFAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlvEAAT\",\"5008b00002OMlvEAAT\",\"0018b00002UroeKAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlvFAAT\",\"5008b00002OMlvFAAT\",\"0018b00002UroeLAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlvGAAT\",\"5008b00002OMlvGAAT\",\"0018b00002UroeBAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlvHAAT\",\"5008b00002OMlvHAAT\",\"0018b00002UroeBAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlvIAAT\",\"5008b00002OMlvIAAT\",\"0018b00002UroeCAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlvJAAT\",\"5008b00002OMlvJAAT\",\"0018b00002UroeCAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlvKAAT\",\"5008b00002OMlvKAAT\",\"0018b00002UroeGAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlvLAAT\",\"5008b00002OMlvLAAT\",\"0018b00002UroeGAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlvMAAT\",\"5008b00002OMlvMAAT\",\"0018b00002UroeGAAR\"]}, {\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlvNAAT\",\"5008b00002OMlvNAAT\",\"0018b00002UroeGAAR\"]}, 
{\"datacells\":[\"0058b00000HpWcRAAV\",\"5008b00002OMlvOAAT\",\"5008b00002OMlvOAAT\",\"0018b00002UroeGAAR\"]}]}", "Name": "Total Cases Created", "OwnerId": "0058b00000HpWcR", "Scope": "organization", "Sequence": 1, "DisplayedFieldEntities": "Account,Owner,Case" }
The output contains information about the size of the report in the NumberOfColumns field and the total number of records returned in the RowsProcessed field. The IP address of the client that logged in is in the SourceIp field. The login history is in the LoginHistoryId field. It enables you to track a user session and correlate user activity with a particular series of report events in line 10. The policy outcome of any transaction policy associated with the event, such as whether the user approved or denied the two-factor authentication request, is in the PolicyOutcome field. The data in the report is returned in the Records field, which contains record IDs. For a description of the ReportEventStream fields, see ReportEventStream in the Platform Events Developer Guide.
As you can see in this example event, we can begin to piece together details around the user’s activity. We can look for other events with the same LoginHistoryId to trace events back to the user’s original authentication, and track their activity with a particular series of report events. We can also take a look at the PolicyOutcome. If the user was blocked from performing the operation that triggered the policy, entered an invalid password too many times, or denied the two-factor approval request in the authenticator app, this may signal that they tried to access unauthorized information.
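The correlation described above can be done in a downstream consumer. The following Python sketch is an added example, not part of the pub-sub-api client or of Salesforce's own code: it groups ReportEventStream events by LoginHistoryId, orders them by EventDate, decodes the JSON string in Records, and flags policy outcomes. The sample events are constructed, and the three PolicyOutcome values in SUSPICIOUS_OUTCOMES are assumptions to check against the ReportEventStream reference.

```python
import json
from collections import defaultdict

# Assumed PolicyOutcome values for the three cases named above (blocked,
# password lockout, denied two-factor request); confirm them against the
# ReportEventStream reference before relying on this set.
SUSPICIOUS_OUTCOMES = {"Block", "FailedPasswordLockout", "TwoFADenied"}

def _event(date, login_id, rows, outcome, ids):
    """Build a constructed sample event with only the fields used below."""
    records = json.dumps({"totalSize": len(ids),
                          "rows": [{"datacells": [i]} for i in ids]})
    return {"EventDate": date, "Username": "analyst@example.com",
            "LoginHistoryId": login_id, "Operation": "ReportPreviewed",
            "RowsProcessed": rows, "PolicyOutcome": outcome, "Records": records}

# Constructed sample data, not captured from a real org.
SAMPLE_EVENTS = [
    _event(1717793090000, "0YaSAMPLE000001", 500, "Block", ["500B", "500C"]),
    _event(1717793022000, "0YaSAMPLE000001", 26, None, ["500A", "500B"]),
    _event(1717793500000, "0YaSAMPLE000002", 3, None, ["500Z"]),
]

def record_ids(event):
    """Decode the JSON string held in Records and return the IDs it lists."""
    try:
        rows = json.loads(event.get("Records") or "{}").get("rows", [])
        return {cell for row in rows for cell in row.get("datacells", [])}
    except (ValueError, TypeError, AttributeError):
        return set()  # malformed or unexpected payload: no IDs recovered

def summarize_sessions(events):
    """Group events by LoginHistoryId and summarize each login session."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[ev.get("LoginHistoryId") or "unknown"].append(ev)
    summary = {}
    for login_id, evs in sessions.items():
        evs.sort(key=lambda e: e.get("EventDate") or 0)
        summary[login_id] = {
            "user": evs[0].get("Username"),
            "timeline": [(e.get("EventDate"), e.get("Operation")) for e in evs],
            "rows_processed": sum(e.get("RowsProcessed") or 0 for e in evs),
            "distinct_record_ids": len(set().union(*map(record_ids, evs))),
            "flagged_outcomes": [e["PolicyOutcome"] for e in evs
                                 if e.get("PolicyOutcome") in SUSPICIOUS_OUTCOMES],
        }
    return summary

if __name__ == "__main__":
    for login_id, info in summarize_sessions(SAMPLE_EVENTS).items():
        print(login_id, json.dumps(info))
```

A session whose flagged_outcomes list is non-empty, or whose rows_processed is far above the user's norm, is the one to review first.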
Streaming Real-Time Events
As mentioned before, Real-Time Events are streamed using platform events and can be consumed by any relevant client application. If you are using a third-party application for monitoring, you can subscribe to the Real-Time Events and evaluate them there.
Resources
- Salesforce Developers Blog: Introduction to Real-Time Event Monitoring
- Salesforce Help: Enable Access to the Real-Time Event Monitoring
- Salesforce Help: Real-Time Event Monitoring
- Salesforce Help: Real-Time Event Monitoring Data Streaming
- Salesforce Developer Documentation: Subscribing to Platform Events