[Filebeat][Salesforce] Add Salesforce filebeat module #2
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| - module: salesforce | ||
| # All logs | ||
| login: | ||
| enabled: false | ||
|
|
||
| # Set custom paths for the log files. If left empty, | ||
| # Filebeat will choose the paths depending on your OS. | ||
|
|
||
| # Variable which specifies if data collection should be done using httpjson input or not. | ||
| # var.httpjson.enabled: true | ||
|
|
||
| # Variable which specifies if data collection should be done using cometd input or not. | ||
| # var.cometd.enabled: true | ||
|
|
||
| # Oauth Client ID | ||
| # var.clientid: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" | ||
|
|
||
| # Oauth Client Secret | ||
| # var.clientsecret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" | ||
|
|
||
| # Oauth User, should include the User mail | ||
| # var.user: "[email protected]" | ||
|
|
||
| # Oauth password, should include the User password | ||
| # var.password: "P@$$W0₹D" | ||
|
|
||
| # URL, should include the instance_url | ||
| # var.url: "https://instance_id.my.salesforce.com" | ||
|
|
||
| logout: | ||
| enabled: false | ||
|
|
||
| # Set custom paths for the log files. If left empty, | ||
| # Filebeat will choose the paths depending on your OS. | ||
| # Oauth Client ID | ||
| # var.clientid: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" | ||
|
|
||
|
|
||
| # Oauth Client Secret | ||
| # var.clientsecret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" | ||
|
|
||
|
|
||
| # Oauth User, should include the User mail | ||
| # var.user: "[email protected]" | ||
|
|
||
| # Oauth password, should include the User password | ||
| # var.password: "P@$$W0₹D" | ||
|
|
||
| # URL, should include the instance_url | ||
| # var.url: "https://instance_id.my.salesforce.com" | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| :modulename: salesforce | ||
| :has-dashboards: true | ||
|
|
||
| == salesforce module | ||
|
|
||
| This is the salesforce module. | ||
|
|
||
|
There was a problem hiding this comment. Would it be helpful to explain somewhere that for the rest of the events, users could use inputs provided above? There was a problem hiding this comment. Makes sense, let me update that. Thanks! |
||
| include::../include/what-happens.asciidoc[] | ||
|
|
||
| include::../include/gs-link.asciidoc[] | ||
|
|
||
| [float] | ||
| === Compatibility | ||
|
|
||
| TODO: document with what versions of the software is this tested | ||
|
|
||
| include::../include/configuring-intro.asciidoc[] | ||
|
|
||
| TODO: provide an example configuration | ||
|
|
||
| :fileset_ex: {fileset} | ||
|
|
||
| include::../include/config-option-intro.asciidoc[] | ||
|
|
||
| TODO: document the variables from each fileset. If you're describing a variable | ||
| that's common to other modules, you can reuse shared descriptions by including | ||
| the relevant file. For example: | ||
|
|
||
| [float] | ||
| ==== `{fileset}` log fileset settings | ||
|
|
||
| include::../include/var-paths.asciidoc[] | ||
|
|
||
| [float] | ||
| === Example dashboard | ||
|
|
||
| This module comes with a sample dashboard. For example: | ||
|
|
||
| TODO: include an image of a sample dashboard. If you do not include a dashboard, | ||
| remove this section and set `:has-dashboards: false` at the top of this file. | ||
|
|
||
| :has-dashboards!: | ||
|
|
||
| :fileset_ex!: | ||
|
|
||
| :modulename!: | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| - key: salesforce | ||
| title: "salesforce" | ||
| description: > | ||
| salesforce Module | ||
| fields: | ||
| - name: access_mode | ||
| type: keyword | ||
| description: > | ||
| The mode of collecting logs from salesforce - "rest" or "stream". | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,119 @@ | ||
| - name: salesforce.login | ||
| type: group | ||
| # TODO: What should be the appropriate release value? | ||
| release: ga | ||
|
There was a problem hiding this comment. Definitely not a GA, let's start with "experimental" or "beta" |
||
| description: > | ||
| Module for ingesting Salesforce login logs. | ||
|
|
||
| fields: | ||
| - name: api_type | ||
| type: keyword | ||
| description: > | ||
| The type of API that’s used to log in. Values include SOAP Enterprise, SOAP Partner, REST API | ||
| - name: api_version | ||
| type: keyword | ||
| description: > | ||
| The version number of the API. If no version number is available, “Unknown” is returned. | ||
| - name: application | ||
| type: keyword | ||
| description: > | ||
| The application used to access the org. Possible values include: AppExchange, Browser, Salesforce for iOS, Salesforce Developers API Explorer, N/A | ||
| - name: auth_method_reference | ||
| type: keyword | ||
| description: > | ||
| The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol. | ||
| - name: auth_service_id | ||
| type: keyword | ||
| description: > | ||
| The 18-character ID for an authentication service for a login event. | ||
| - name: client_ip | ||
| type: keyword | ||
| description: > | ||
| The IP address of the client that’s using Salesforce services. A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as “Salesforce.com IP”. | ||
| - name: client_version | ||
| type: keyword | ||
| description: > | ||
| The version number of the login client. If no version number is available, “Unknown” is returned. | ||
| - name: cpu_time | ||
| type: keyword | ||
| description: > | ||
| The CPU time in milliseconds used to complete the request. This field indicates the amount of activity taking place in the app server layer. | ||
| - name: created_by_id | ||
| type: keyword | ||
| description: > | ||
| Unavailable | ||
| - name: db_total_time | ||
| type: keyword | ||
| description: > | ||
| The time in nanoseconds for a database round trip. Includes time spent in the JDBC driver, network to the database, and DB_CPU_TIME. Compare this field to CPU_TIME to determine whether performance issues are occurring in the database layer or in your own code. | ||
| - name: evaluation_time | ||
| type: long | ||
| description: > | ||
| The amount of time it took to evaluate the transaction security policy, in milliseconds. | ||
| - name: event_type | ||
| type: keyword | ||
| description: > | ||
| The type of event. The value is always Login. | ||
| - name: login_geo_id | ||
| type: keyword | ||
| description: > | ||
| The Salesforce ID of the LoginGeo object associated with the login user’s IP address. | ||
| - name: login_history_id | ||
| type: keyword | ||
| description: > | ||
| Tracks a user session so you can correlate user activity with a particular login instance. This field is also available on the LoginHistory, AuthSession, and LoginHistory objects, making it easier to trace events back to a user’s original authentication. | ||
| - name: login_key | ||
| type: keyword | ||
| description: > | ||
| The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring. | ||
| - name: login_type | ||
| type: keyword | ||
| description: > | ||
| The type of login used to access the session. | ||
| - name: organization_id | ||
| type: keyword | ||
| description: > | ||
| The 15-character ID of the organization. | ||
| - name: policy_id | ||
| type: keyword | ||
| description: > | ||
| The ID of the transaction security policy associated with this event. | ||
| - name: policy_outcome | ||
| type: keyword | ||
| description: > | ||
| The result of the transaction policy. | ||
| - name: related_event_identifier | ||
| type: keyword | ||
| description: > | ||
| This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank. | ||
| - name: replay_id | ||
| type: long | ||
| description: > | ||
| Represents an ID value that is populated by the system and refers to the position of the event in the event stream. Replay ID values aren’t guaranteed to be contiguous for consecutive events. A subscriber can store a replay ID value and use it on resubscription to retrieve missed events that are within the retention window. | ||
| - name: request_id | ||
| type: keyword | ||
| description: > | ||
| The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID. | ||
| - name: request_status | ||
| type: keyword | ||
| description: > | ||
| The status of the request for a page view or user interface action. | ||
| - name: run_time | ||
| type: keyword | ||
| description: > | ||
| The amount of time that the request took in milliseconds. | ||
| - name: schema | ||
| type: keyword | ||
| description: > | ||
| Unavailable | ||
| - name: session_level | ||
| type: keyword | ||
| description: > | ||
| Session-level security controls user access to features that support it, such as connected apps and reporting. Possible values are: HIGH_ASSURANCE, LOW, STANDARD | ||
| - name: uri_id_derived | ||
| type: keyword | ||
| description: > | ||
| The 18-character case insensitive ID of the URI of the page that’s receiving the request. | ||
| - name: user_id_derived | ||
| type: keyword | ||
| description: > | ||
| The 18-character case insensitive ID of the user who’s using Salesforce services through the UI or the API. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| {{ if .httpjson.enabled }} | ||
|
|
||
| type: httpjson | ||
|
|
||
| interval: {{ .interval }} | ||
| request.method: GET | ||
| auth.oauth2: | ||
| enabled: true | ||
| client.id: {{ .clientid }} | ||
| client.secret: {{ .clientsecret}} | ||
| token_url: https://login.salesforce.com/services/oauth2/token | ||
| user: {{ .user }} | ||
| password: {{ .password }} | ||
| request.url: {{ .url }}/services/data/v52.0/query | ||
|
There was a problem hiding this comment. Is it always There was a problem hiding this comment. The reason for keeping it as a constant would be to explicitly call out that we're supporting v52.0 as it's the stable version and we have tested it out. I don't think we should rely on the end-users to provide the correct version, the module might not work as expected if the user provides some incorrect value for that field. That's just my two cents. Let me know what you think of it. Thanks! There was a problem hiding this comment. Make sense now, thanks for clarifying :) |
||
| {{ if .proxy_url }} | ||
| request.proxy_url: {{ .proxy_url }} | ||
| {{ end }} | ||
| request.transforms: | ||
| - set: | ||
| target: url.params.q | ||
| value: "SELECT Id,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND EventType = 'Login' AND CreatedDate >= [[formatDate (now (parseDuration \"-1h\")) \"2006-01-02T15:04:05.9999999Z\"]] ORDER BY LogDate ASC NULLS FIRST" | ||
| default: "SELECT Id,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND EventType = 'Login' ORDER BY CreatedDate ASC NULLS FIRST" | ||
|
|
||
| chain: | ||
| - step: | ||
| request.url: {{ .url }}/services/data/v52.0/sobjects/EventLogFile/records.#.Id/LogFile | ||
| request.method: GET | ||
| replace: records.#.Id | ||
|
|
||
| {{ end }} | ||
|
|
||
| {{ if .cometd.enabled }} | ||
|
|
||
| type: cometd | ||
| channel_name: /event/LoginEventStream | ||
| auth.oauth2: | ||
| client.id: {{ .clientid }} | ||
| client.secret: {{ .clientsecret}} | ||
| token_url: https://login.salesforce.com/services/oauth2/token | ||
| user: {{ .user }} | ||
| password: {{ .password }} | ||
|
|
||
| {{ end }} | ||
|
|
||
| tags: {{.tags | tojson}} | ||
| publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} | ||
|
|
||
| processors: | ||
| - decode_json_fields: | ||
| fields: [message] | ||
| target: "json" | ||
| - add_fields: | ||
| target: '' | ||
| fields: | ||
| ecs.version: 1.12.0 | ||
| - add_locale: ~ | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you think that any of these filesets should be enabled by default? I mean, whenever user enables the filebeat module.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's right, I thought of the same and tried that out earlier. But I faced the following, and hence decided to go with false.
salesforce module dataset login must be explicitly disabled (needsenabled: false)