Download and Visualize Event Log Files
- Download an event log file.
- Describe the structure of event log files.
- Identify an application for downloading event log files without writing code.
- Define a role that could use a cURL or Python script for downloading data.
- Identify some options for visualizing event log file data.
You can use Workbench to quickly check your organization’s recent events and filter the events using certain criteria. But because you’re accessing the data through the API, you can also use other tools that make it even easier to work with event log files. To maximize the benefits of event monitoring, you want to download your event log files from Salesforce so that you can track them over time.
- Direct download via the Event Log File browser application
- cURL script
- Python script
Let’s look at each approach.
- Log in to your Trailhead DE organization.
- Navigate to the event log file browser application.
- Click Production Login.
- Enter a date range for your search.
- Enter an event type for your search.
- Enter an interval (daily or hourly).
- Click Apply.
The list shows the same event log files that you see when you query the EventLogFile object using the REST Explorer in Workbench. You can’t open the files in the browser application, but you can directly download them or use a script. Let’s look at the direct download method.
Click the button to download a log to a comma-separated value (.csv) file. The ugly string of text that you saw in the REST Explorer is transformed into a format that’s easily readable in a spreadsheet application, like Microsoft Excel or Google Sheets. Each file contains all the events of a particular type that occurred in your organization in the past 24 hours.
That looks much better! Now we can finally figure out how that confidential information got leaked. Let’s say that our lead report’s ID is 00O30000008a3De. The URI field contains the ID of the report that was exported, and the USER_ID field contains the ID of the user who exported that report. All this information helps you pinpoint the culprit.
The user ID and the report ID are a match! You now have enough evidence to confirm that Rob Burgle exported the report. Now it’s time for justice to be served!
We know that you’re excited about cracking your first case, but this victory is only the beginning of your illustrious career as a Salesforce administrator/detective. Each event type also has a button that downloads a cURL script that you can run in your computer’s command line. cURL is one of many command-line tools that you can use to download data from your organization. The script downloads a .csv file exactly like the one you downloaded in the previous step. So why use cURL instead of the direct download tool?
- Providing your Salesforce credentials
- Logging in using OAuth and getting an access token
- Using a REST query to specify which logs you’re looking for
- Parsing the results of the query so that you can do things like create a date-based file structure—you can perform any transformations on your data that you want
For more information on using cURL with event log files, see this post.
If you need a more programmatic way of downloading your organization’s event log files, you can use Python scripts. One advantage of using a Python script over a cURL script is that it’s easier for Windows users to work with, but it’s also suitable for Mac and Linux users.
Python is easy to understand, even if you’re not an experienced programmer. Some setup is required, but after that you can easily run your download script. For more information and to download the code, see this post.
Now that you’ve taken the time to learn about event log files and how to download them from Salesforce, it’s time to talk about visualization. Searching for a specific piece of information in thousands of rows in a spreadsheet is like searching for a needle in a haystack. Most of the time, it’s not useful to look for a single instance of a report export or user login. You’re probably more interested in noticing behavior that’s out of the ordinary. To get immediate insights into your organization’s inner workings, you can regularly download your event log files and create visual representations of your data.
Event Monitoring Analytics App—This
a way to get insights into your event monitoring data without ever leaving the
platform. Your data is automatically loaded from Salesforce to
the app so you always get the most recent (and most stunning) visualization of
what’s going on in your org. The app provides a collection of dashboards that
use pre-integrated event data, so it’s a great way to get started with event
- Splunk App for Salesforce—The app lets you analyze and visualize your organization’s use of Salesforce and gain insights into security, performance, and user behavior. The Splunk Add-On for Salesforce lets a Splunk software administrator collect different types of data from Salesforce using REST APIs. And it provides the inputs to use with other Splunk apps, such as Splunk Enterprise Security.
- FairWarning—Purpose-built app to monitor and protect Salesforce against data theft that a busy business-minded person can easily understand and use. FairWarning provides continuous user activity monitoring and proactive alerts on abnormal behavior. It supports multi-orgs and can store your data for years while providing peace of mind that your organization’s most sensitive information is secure. Available from AppExchange.
- CloudLock and CloudLock Viewer—Cisco CloudLock, a cloud security provider, offers CloudLock for Salesforce, which helps organizations discover and protect sensitive information throughout their Salesforce environment. The CloudLock Event Monitoring Viewer is a free visualization tool that provides visibility into Salesforce event log files. Available from AppExchange.
- New Relic Insights—This solution for Salesforce makes it simple to understand the end-to-end business impact of your software performance. Automatically import your Event Monitoring data into Insights to power your easy-to-build dashboards and instantly query your data in the user interface.
You now have an idea of what event monitoring can do for your organization. You’ve used event log files to solve a case and seen the many possibilities for downloading and visualizing your organization’s events. Now you have the tools you need to investigate, secure, and improve your organization. Good luck, detective.