Salesforce provides business management, customer relationship management, and sales tools in an online Cloud platform. The Salesforce system generates various type of logs that Graylog can consume via the EventLogFile API. See the official documentation for all supported log event types.

Prerequisites

Required Salesforce Setup

In order for Graylog to connect to the Salesforce EventLogFile API:

  1. First, create a Connected App in the App Manager modal. (See the Salesforce documentation for more details.)

  2. Ensure during this initial setup that the EventLogFile API has read permission for the Graylog application.

  3. Then, configure OAuth for the Connected App, which will produce the Client ID and Secret that Graylog needs to successfully connect to the Salesforce API. (See the Salesforce documentation for more details.)

Now, you can configure the input in your Graylog environment.

Graylog Configuration

When launching a new Salesforce input from the Graylog Inputs tab, the following parameters will need to be completed:

  • Input Name: Provide a unique name for your new input.

  • Instance Name: Your domain name to which the content belongs.

  • Salesforce Client ID: The Client ID of the Salesforce Connected App created with sufficient API permissions.

  • Client Secret: The Client Secret of the Salesforce Connected App.

  • Logs Types to Collect: The activity log for the above content types will be fetched.

  • Polling Interval: Determines how often (in minutes) Graylog will check for new data in Salesforce. The smallest allowable interval is 5 minutes.

  • Enable Throttling: If enabled, no new messages will be read from this input until Graylog catches up with its message load. This is typically useful for inputs, reading from files or message queue systems like AMQP or Kafka. If you regularly poll an external system, e.g. via HTTP, then you normally want to leave this disabled.