Set up Real-Time Event Monitoring
Learning Objectives
After completing this unit, you’ll be able to:
- Set up Real-Time Event Monitoring via Event Manager.
- Set user access to Real-Time Event Monitoring through profiles and permission sets.
- Subscribe to Event Monitoring–specific platform events.
- Describe a common use case of Real-Time Events in an organization.
- Identify how to consume and view Real-Time Events using the Streaming Monitor app.
The challenges in this module rely on the data that come with a Trailhead Playground, so create a new Trailhead Playground for this module. Follow the steps below to create the Trailhead Playground.
Get Your Trailhead Playground Username and Password
Let’s get started by opening your Trailhead Playground. Scroll to the bottom of this page and click Launch. If you see a tab in your org labeled Get Your Login Credentials, great! Follow the steps below.
If not, from the App Launcher (), find and open Playground Starter and follow the steps. If you don’t see the Playground Starter app, check out Find the Username and Password for Your Trailhead Playground on Trailhead Help.
- Click the Get Your Login Credentials tab and take note of your username.
- Click Reset My Password. This sends an email to the address associated with your username.
- Click the link in the email.
Enter a new password, confirm it, and click Change Password.
Set Up Real-Time Event Monitoring
To get started, head to Setup and in the Quick Find box enter Event Manager
. Enterprise and Unlimited environments have access to the LogoutEvent platform event object by default, but the remainder of the events need licensing to access Shield Event Monitoring. If you don’t have access and would like to try them out, you can enable Real-Time Events in a Developer Edition org. As long as the Developer Edition org has the Event Monitoring add-on subscription, you have Real-Time Event Monitoring. The Trailhead Playground org will also have access. In order to activate the events, simply navigate to the event that you would like to use and enable streaming or storage.
Enable Access to Real-Time Event Monitoring
You can set user access to Real-Time Event Monitoring through profiles and permission sets. The user permissions needed are as follows.
- To view events: View Real-Time Event Monitoring Data
- To create, edit, and manage Transaction Security policies: Customize Application
To set user access, follow these steps.
1. From Setup, do one of the following:
- Enter
Permission Sets
in the Quick Find box, then select Permission Sets. - Enter
Profiles
in the Quick Find box, then select Profiles.
2. Select a permission set or profile.
3. Depending on whether you’re using permission sets or profiles, do one of the following:
- In permission sets or the enhanced profile user interface, select a permission. In the Find Settings dialog box, enter View
Real-Time Event Monitoring Data
. Click Edit, select the option, and click Save. Repeat these steps for the Customize Application permission. - In the original profile user interface, select a profile name, and then click Edit. Select View Real-Time Event Monitoring Data, and Customize Application if you plan to create Transaction Security policies. Click Save.
In addition to enabling Real-Time Event Monitoring, set user permissions to Real-Time Event objects. Real-Time Event Monitoring objects sometimes contain sensitive data.
Subscribe to Event Monitoring–Specific Platform Events
Real-Time Event Monitoring takes some of the events that would normally be logged and streams them using platform events. This means that you can consume the events in the same way that you do for platform events, via a subscriber. Unlike platform events, not all Real-Time Events can be subscribed to via triggers or declarative tools.
Use Real-Time Event Monitoring to subscribe to standard events published by Salesforce to monitor activity in your org. You can subscribe to this data from an external data system of your choice using a streaming API client.
Data is streamed using a publish-subscribe model. Salesforce publishes streaming data to an event subscription channel, and your app subscribes, or listens, to the event channel to get the data close to real time. Streaming events are retained for up to 3 days. Real-Time Event Monitoring’s streaming events don’t count against your Platform Events delivery allocation. Some system protection limits apply.
Subscribe Using EMP Connector
Let's take a look at one way to subscribe to platform events using EMP Connector.
Prerequisites
- Install Git from Git Downloads.
- Make sure you’ve completed the steps in Quick Start: Visual Studio Code for Salesforce Development to install Visual Studio Code, the Command Line Interface, and the Salesforce Extension Pack.
- Download the latest version of the Java Development Kit: See Java Downloads.
- If you have not set up a range of trusted IP addresses for your org, you need a security token that you append to your password. For more information, see Reset Your Security Token and Set Trusted IP Ranges for Your Organization.
Enable A Real-Time Event for Streaming
1. Enable the real-time event ReportEventStream for streaming.
- In your playground, in Setup, enter
Event Manager
in the Quick Find box, and then select Event Manager. - For Report Event, select Enable Streaming and Enable Storage from the dropdown.
2. To download the EMP Connector project files, open a terminal.
- On Windows, enter
CMD
in the search box at the bottom of your home screen next to the start button. - On Mac, press the Command button and the space bar simultaneously to open a search bar on your screen. Then enter
Terminal
to search for Terminal. Double-click Terminal in the left sidebar to open your Mac's terminal.
3. In the terminal, clone the repository from GitHub with this command:
git clone https://github.com/forcedotcom/EMP-Connector
4. In Visual Studio Code, click File | Open Folder.
5. Choose the EMP Connector folder you just cloned.
6. Navigate to the Extension Pack for Java page in your browser.
7. Click Install.
8. Click Open Visual Studio Code.
9. Click Install.
10. Click Run | Open Configurations.
11. Click Java.
12. If you get a prompt asking you to run Java language server in standard mode, select Yes. A new file, launch.json, opens.
13. In launch.json, find the following line: "mainClass": "com.salesforce.emp.connector.example.LoginExample"
and the line below it, "projectName": "emp-connector"
.
14. Add a comma and then press enter and copy the following text to the new line: "args": "username password /event/ReportEventStream"
.
15. Replace username and password with your playground credentials.
16. Save the file.
17. Find main/java/com/salesforce/emp/connector/example/LoginExample.java, right-click it, and select Run.
18. A terminal window opens with the subscription:
19. To generate an event message, perform the action that fires the event. For ReportEventStream, run any report in your playground.
- To create a report in your playground, click and type
Reports
- Click Reports.
- Click New Report.
- Choose Cases and click Continue.
- Click Run.
20. After you run the report, EMP Connector receives an event notification and prints it to the console. The output looks similar to the following.
{ "schema": "mn_C9tvH0ofZbpxU2XthsQ", "payload": { "EventDate": "2020-11-18T22:39:26.000Z", "Description": null, "EvaluationTime": 0.0, "NumberOfColumns": 7, "Operation": "ReportRunAndNotificationSent", "DashboardId": null, "LoginHistoryId": "0YaB000003NcnpbKAB", "Name": "Total Cases Created", "IsScheduled": false, "ColumnHeaders": "[OWNER, ACCOUNT.NAME, SUBJECT, CREATED_DATE, AGE, OPEN, CLOSED]", "Format": "Tabular", "CreatedById": "005B0000006xcmjIAA", "OwnerId": "005B00000078z7S", "SessionKey": "+Tned3rTsZ5a1hBA", "PolicyOutcome": null, "Records": "{\"totalSize\":26,\"rows\":[{\"datacells\":[\"005B00000078z7SIAQ\",\"500B00000062HLqIAM\",\"500B00000062HLqIAM\",\"001B000001KYEVsIAP\"]},{\"datacells\":[\"005B00000078z7SIAQ\",\"500B00000062HLrIAM\",\"500B00000062HLrIAM\",\"001B000001KYEVxIAP\"]},{\"datacells\":[\"005B00000078z7SIAQ\",\"500B00000062HLsIAM\",\"500B00000062HLsIAM\",\"001B000001KYEVxIAP\"]},{\"datacells\":[\"005B00000078z7SIAQ\",\"500B00000062HLtIAM\",\"500B00000062HLtIAM\",\"001B000001KYEVyIAP\"]},{\"datacells\":[\"005B00000078z7SIAQ\",\"500B00000062HLuIAM\",\"500B00000062HLuIAM\",\"001B000001KYEVyIAP\"]},{\"datacells\":[\"005B00000078z7SIAQ\",\"500B00000062HLvIAM\",\"500B00000062HLvIAM\",\"001B000001KYEVyIAP\"]}]}", "EventIdentifier": "92b7815d-acfd-465e-9b1b-54d3a2833571", "DisplayedFieldEntities": "Account,Owner,Case", "RelatedEventIdentifier": null, "ExecutionIdentifier": "cb56d782-ee73-44c5-b4b6-10a9e014b6ae", "RowsProcessed": 26.0, "RowsReturned": null, "ReportId": null, "Sequence": 1, "DashboardName": null, "EventSource": "Lightning", "SourceIp": "Salesforce.com IP", "Scope": "organization", "Username": "rburgle@force.com", "UserId": "005B00000078z7SIAQ", "CreatedDate": "2020-11-18T22:39:36.796Z", "ExportFileFormat": null, "LoginKey": "B9AyV/N2mnoXMyXc", "PolicyId": null, "GroupedColumnHeaders": null, "QueriedEntities": "Case", "SessionLevel": "STANDARD" }, "event": { "replayId": 127201 } }
The output contains information about the size of the report in lines 7 (NumberOfColumns) and 19 (totalSize), the IP address of the client that logged in in line 30, login history so that you can track a user session and correlate user activity with a particular series of report events in line 10, the policy outcome of any transaction policy associated with the event, such as whether the user approved or denied the two-factor authentication request in line 18, and more.
As you can see in this example event, we can begin to piece together details around the user’s activity. We can look for other events with the same LoginHistoryID to trace events back to the user’s original authentication, and track his activity with a particular series of report events. We can also take a look at the PolicyOutcome. If the user was blocked from performing the operation that triggered the policy, entered an invalid password too many times, or denied the two-factor approval request in the authenticator app, this may signal that he tried to access unauthorized information.
Streaming Real-Time Events
As mentioned before, Real-Time Events are streamed using platform events and can be consumed by any relevant client application. If you are using a third-party application for monitoring, you can subscribe to the Real-Time Events and evaluate them there. A great way to explore the events is to use the Streaming Monitor app provided by Salesforce Labs! Streaming Monitor allows you to select the type of event and then subscribe to a number of events using the lighting-emp-api component. If you would like to learn more, check out this blog post on Salesforce’s streaming capabilities.
Resources
- Salesforce Developers Blog: Introduction to Real-Time Event Monitoring
- Salesforce Help: Enable Access to the Real-Time Event Monitoring
- Salesforce Help: Real-Time Event Monitoring
- Salesforce Help: Real-Time Event Monitoring Data Streaming
- Appexchange: Streaming Monitor
- Salesforce Developer Blog: A Refresher on the Four Streaming APIs and a Monitoring Tool
- Salesforce Developer Documentation: Subscribing to Platform Events
- Trailhead: Quick Start: Visual Studio Code for Salesforce Development