Event Monitoring

• Event monitoring is one of the many tools that Salesforce provides to help keep your data secure. 

• It lets you see the granular details of user activity in your organization. We refer to these user activities as events. You can view information about individual events or track trends in events to swiftly identify abnormal behavior and safeguard your company’s data.

• Event monitoring provides tracking for lots of types of events, including:

• Logins

• Logouts

• URI (web clicks in Salesforce Classic)

• Lightning (web clicks, performance, and errors in Lightning Experience and the Salesforce mobile app)

• Visualforce page loads

• API calls

• Apex executions

• Report exports

How Event Monitoring works?

All these events are stored in event log files. An event log file is generated when an event occurs in your organization and is available to view and download after 24 hours. The event types you can access and how long the files remain available depends on your edition.

• Developer Edition (DE) organizations have free access to all log types with one-day data retention.

• Enterprise, Unlimited, and Performance Edition organizations have free access to the insecure external assets, login, and logout event log files with one-day data retention. For an extra cost, you can access all log file types with 30-day data retention.

So how can you use event log files to become an all-knowing Salesforce super-sleuth? Let’s take login activity as an example. We’ll talk about accessing, downloading, and visualizing event log files later on. For now, assume that we did these steps and produced this graph of login activity.

What are the Benefits of Event Monitoring?

• Monitor data loss—Imagine that a sales representative leaves your company and joins a major competitor. Later, you find out that your organization is losing deal after deal to this other company. You suspect that your former employee downloaded a report containing leads and shared it with the competition. If you’d been using event monitoring, you could have caught this bad behavior before it cost your company sales.

• Increase adoption—Event monitoring isn’t just for catching your users’ bad behavior. It can also alert you to parts of your organization that aren’t performing well. For example, you just rolled out a new Visualforce page in your organization that combines accounts and contacts and allows end users to add custom fields. Without any metrics, it’s difficult to tell how users are interacting with this page—if at all. Event monitoring helps you figure out which parts of your organization need increased adoption efforts and even helps you identify areas that need redevelopment.

• Optimize performance—Sometimes it’s hard to determine the cause of slow page performance in your organization. Imagine that your company has an office in San Francisco and one in London. The users in London tell you that their reports are running slowly or even timing out. You can use event monitoring to determine whether the cause is related to a network issue in London or with the way your app is configured.

Query Event Log Files in Workbench

• Event monitoring requires the “API Enabled” and “View Event Log File” permissions.

• All events logged in EventLogFile, and you can retrieve a particular event after 24 hours.

• There are 17 fields here, but EventType and LogFile are very important.

• Query: SELECT EventType FROM EventLogFile

View Events in the REST Explorer

The REST Explorer gives you access to the Salesforce REST API, a web service that lets you retrieve data from your organization.

To get more information about your organization’s Report Export events in Workbench:

1. In the top menu, select utilities | REST Explorer.

2. Replace the existing text with /services/data/v<APIversion>.0/query?q=SELECT+Id+,+EventType+,+LogDate+,+LogFileLength+,+LogFile+FROM+EventLogFile+ WHERE+EventType+=+'ReportExport', where <APIversion> is the API version you’re using, such as 46.

3. Click Execute.

Download Event Log Files

You can use Workbench to quickly check your organization’s recent events and filter the events using certain criteria. But because you’re accessing the data through the API (REST & SOAP), you can also use other tools that make it even easier to work with event log files. To maximize the benefits of event monitoring, you want to download your event log files from Salesforce so that you can track them over time.

You can download event log files in several ways, including:

• Direct download via the Event Log File browser application. Navigate to the event log file browser application and download the csv file.

• cURL script

• Python script

Visualize Event Log File Data

As you already know how to download event logs  from Salesforce, it’s time to talk about visualization. Searching for a specific piece of information in thousands of rows in a spreadsheet is like searching for a needle in a haystack. Most of the time, it’s not useful to look for a single instance of a report export or user login. You’re probably more interested in noticing behavior that’s out of the ordinary. To get immediate insights into your organization’s inner workings, you can regularly download your event log files and create visual representations of your data.

Event monitoring comes with the Event Monitoring Analytics app, a visualization tool for your log data. You can also use other tools to beautify your data. Some provide specific support for event log files, while others require more setup. 

• Event Monitoring Analytics App- The Event Monitoring Analytics app makes it easy for you to base your actions on insights drawn from data. Event Monitoring Analytics pulls its data from Salesforce event logs. Event Monitoring Analytics provides dashboards for both you—the Salesforce admin—and your users. This app helps you drill into your org’s data and swiftly identify suspicious behavior, slow page performance, and poor user adoption.

• Splunk App for Salesforce-The app lets you analyze and visualize your organization’s use of Salesforce and gain insights into security, performance, and user behavior. The Splunk Add-On for Salesforce lets a Splunk software administrator collect different types of data from Salesforce using REST APIs. And it provides the inputs to use with other Splunk apps, such as Splunk Enterprise Security.

• FairWarning- Purpose-built app to monitor and protect Salesforce against data theft that a busy business-minded person can easily understand and use. FairWarning provides continuous user activity monitoring and proactive alerts on abnormal behavior. It supports multi-orgs and can store your data for years while providing peace of mind that your organization’s most sensitive information is secure. Available from AppExchange.

• CloudLock and CloudLock Viewer—Cisco CloudLock, a cloud security provider, offers CloudLock for Salesforce, which helps organizations discover and protect sensitive information throughout their Salesforce environment. The CloudLock Event Monitoring Viewer is a free visualization tool that provides visibility into Salesforce event log files. Available from AppExchange.

• New Relic Insights—This solution for Salesforce makes it simple to understand the end-to-end business impact of your software performance. Automatically import your Event Monitoring data into Insights to power your easy-to-build dashboards and instantly query your data in the user interface.