Download and Visualize Event Log Files

Learning Objectives

After completing this unit, you’ll be able to:
  • Download an event log file.
  • Describe the structure of event log files.
  • Identify an application for downloading event log files without writing code.
  • Define a role that could use a cURL or Python script for downloading data.
  • Identify some options for visualizing event log file data.

Download Event Log Files

You can use Workbench to quickly check your organization’s recent events and filter the events using certain criteria. But because you’re accessing the data through the API, you can also use other tools that make it even easier to work with event log files. To maximize the benefits of event monitoring, you want to download your event log files from Salesforce so that you can track them over time.

You can download event log files in several ways, including:
  • Direct download via the Event Log File browser application
  • cURL script
  • Python script

Let’s look at each approach.

Download Logs from Your Browser

Using the event log file browser application is the most straightforward approach to downloading your organization’s event monitoring data. Let’s check it out.
  1. Log in to your Trailhead DE organization.
  2. Navigate to the event log file browser application.
  3. Click Production Login.
  4. Enter a date range for your search.
  5. Enter an event type for your search.
  6. Enter an interval (daily or hourly).
  7. Click Apply.
You’ll see something like this:
The event log file browser page.


If your organization doesn’t have any events in the specified date range or type, the page displays an error.

The list shows the same event log files that you see when you query the EventLogFile object using the REST Explorer in Workbench. You can’t open the files in the browser application, but you can directly download them or use a script. Let’s look at the direct download method.

Click the The direct download button. button to download a log to a comma-separated value (.csv) file. The ugly string of text that you saw in the REST Explorer is transformed into a format that’s easily readable in a spreadsheet application, like Microsoft Excel or Google Sheets. Each file contains all the events of a particular type that occurred in your organization in the past 24 hours.

Download the ReportExport log file. Open it in a spreadsheet, and let’s see what we can find.


If you don’t have any report export events, download another type of event log file or export a report and try this step again tomorrow. Events do not appear in the log file until at least 24 hours after they occur.

The directly downloaded .csv format of the event log file.

That looks much better! Now we can finally figure out how that confidential information got leaked. Let’s say that our lead report’s ID is 00O30000008a3De. The URI field contains the ID of the report that was exported, and the USER_ID field contains the ID of the user who exported that report. All this information helps you pinpoint the culprit.

The user ID and report ID from the event log file match that of our suspect and report, respectively.

The user ID and the report ID are a match! You now have enough evidence to confirm that Rob Burgle exported the report. Now it’s time for justice to be served!

Download Event Log Files Using cURL

We know that you’re excited about cracking your first case, but this victory is only the beginning of your illustrious career as a Salesforce administrator/detective. Each event type also has a The script download button. button that downloads a cURL script that you can run in your computer’s command line. cURL is one of many command-line tools that you can use to download data from your organization. The script downloads a .csv file exactly like the one you downloaded in the previous step. So why use cURL instead of the direct download tool?

Although using cURL is more complicated than the first method, it provides more flexibility in working with event log files. Rather than manually downloading log files, you can schedule when to run the script so that you always have the most recent event log files for your organization. You can also transform your data so that it’s in a format that you want. If your organization has an integration specialist, you can pass off these scripts to kickstart automation efforts.


cURL is best-suited for Mac and Linux users. It’s possible to use it on Windows, but it requires extra configuration.

Using a cURL script to download your event log files requires the following:
  1. Providing your Salesforce credentials
  2. Logging in using OAuth and getting an access token
  3. Using a REST query to specify which logs you’re looking for


    If you’re scheduling a recurring download, this step is important. You can use something like this query to filter events by the current day.

  4. Parsing the results of the query so that you can do things like create a date-based file structure—you can perform any transformations on your data that you want

For more information on using cURL with event log files, see this post.

Download Event Log Files Using Python

If you need a more programmatic way of downloading your organization’s event log files, you can use Python scripts. One advantage of using a Python script over a cURL script is that it’s easier for Windows users to work with, but it’s also suitable for Mac and Linux users.

Python is easy to understand, even if you’re not an experienced programmer. Some setup is required, but after that you can easily run your download script. For more information and to download the code, see this post.

Visualize Event Log File Data

Now that you’ve taken the time to learn about event log files and how to download them from Salesforce, it’s time to talk about visualization. Searching for a specific piece of information in thousands of rows in a spreadsheet is like searching for a needle in a haystack. Most of the time, it’s not useful to look for a single instance of a report export or user login. You’re probably more interested in noticing behavior that’s out of the ordinary. To get immediate insights into your organization’s inner workings, you can regularly download your event log files and create visual representations of your data.

Event monitoring comes with the Event Monitoring Analytics app, a visualization tool for your log data. You can also use other tools to beautify your data. Some provide specific support for event log files, while others require more setup. We don’t go into the details of each platform, but check out this list for some ideas.
  • Event Monitoring Analytics App—This Analytics app is a way to get insights into your event monitoring data without ever leaving the Salesforce platform. Your data is automatically loaded from Salesforce to the app so you always get the most recent (and most stunning) visualization of what’s going on in your org. The app provides a collection of dashboards that use pre-integrated event data, so it’s a great way to get started with event monitoring.
    A dashboard displaying Login event data.


    As part of Event Monitoring, you also get the Event Monitoring Analytics app. Use this app to upload and access only the data provided to you as part of your subscription. Please prevent your users from using the app to upload or access any other data. Salesforce sometimes monitors such usage. The Event Monitoring Analytics app is available in English only. Learn more at Salesforce Help: Event Monitoring Analytics App and Trailhead: Event Monitoring Analytics App.

  • Splunk App for Salesforce—The app lets you analyze and visualize your organization’s use of Salesforce and gain insights into security, performance, and user behavior. The Splunk Add-On for Salesforce lets a Splunk software administrator collect different types of data from Salesforce using REST APIs. And it provides the inputs to use with other Splunk apps, such as Splunk Enterprise Security.
  • FairWarning—Purpose-built app to monitor and protect Salesforce against data theft that a busy business-minded person can easily understand and use. FairWarning provides continuous user activity monitoring and proactive alerts on abnormal behavior. It supports multi-orgs and can store your data for years while providing peace of mind that your organization’s most sensitive information is secure. Available from AppExchange. FairWarning page showing user details from a dashboard
  • CloudLock and CloudLock Viewer—Cisco CloudLock, a cloud security provider, offers CloudLock for Salesforce, which helps organizations discover and protect sensitive information throughout their Salesforce environment. The CloudLock Event Monitoring Viewer is a free visualization tool that provides visibility into Salesforce event log files. Available from AppExchange. CloudLock Event Location Map displayed in Salesforce org
  • New Relic Insights—This solution for Salesforce makes it simple to understand the end-to-end business impact of your software performance. Automatically import your Event Monitoring data into Insights to power your easy-to-build dashboards and instantly query your data in the user interface.

You now have an idea of what event monitoring can do for your organization. You’ve used event log files to solve a case and seen the many possibilities for downloading and visualizing your organization’s events. Now you have the tools you need to investigate, secure, and improve your organization. Good luck, detective.