
Acknowledgements: Many thanks to Tomás García Hidalgo and Roberto Moreda for their creation and contribution of this collector!

Salesforce provides an API endpoint to execute a SOQL query to get records of the requested object.

Salesforce defines standard objects, such as LoginHistory or SetupAuditTrail, whose records are useful in a SIEM pipeline. EventLogFile is a special case because its records contain data about event log files ready to be downloaded from a different endpoint.

This Cribl REST Collector enables a compact way to get:

Find the collector here.


Usage Instructions

  1. Import the Event Breaker Ruleset:
    1. Go to Processing -> Knowledge -> Event Breaker Rules -> Add Ruleset.
    2. Click on Manage as JSON and paste the content of breaker.json.
  2. Import the REST Collector:
    1. Go to Data -> Sources -> Collectors -> REST -> Add Collector.
    2. Go to Configure as JSON tab and click on Import.
    3. Import the collector.json file.
    4. Provide the required values: domain of the customer, API version, user name, password, client ID and client secret.
  3. (Optional) Edit the SOQL queries for object records in the collector's Format discover result code to suit your needs.
  4. Commit and Deploy.

How it Works


The basic steps follow the usual workflow in Cribl collectors:

  1. Discover the event log files to be downloaded by issuing an HTTP request that queries EventLogFile records.
  2. Add a static list of discover results for records of other objects that need no subsequent download, using Format discover result.
  3. Collect the event log files and the records, using the appropriate URL and event breaker rules for each.

All files included are meant to be adapted to your specific case. Depending on your needs, you can create a collector just for records or just for event log files. They are based on an actual deployment and were developed by the teams of Repsol and Allenta.
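As an added illustration of the discover step (this is example code, not the collector's own or anything from this page), the snippet below builds the EventLogFile SOQL query for a time window, encodes it for the REST query endpoint, and maps the JSON response to one download path per log file. It also surfaces Salesforce error responses (a JSON list of message/errorCode objects, such as the INVALID_TYPE reply quoted later in this thread) instead of silently producing an empty discover result. The API version and both sample responses are constructed placeholders.

```python
import json
from urllib.parse import quote

API_VERSION = "v57.0"  # placeholder; the real value comes from the collector settings


def build_soql(start_iso, end_iso, interval="Hourly"):
    """SOQL for the discover step: EventLogFile records created in [start, end)."""
    return (
        "SELECT Id,CreatedDate,Interval,LogDate,LogFile FROM EventLogFile "
        f"WHERE Interval = '{interval}' AND CreatedDate >= {start_iso} "
        f"AND CreatedDate < {end_iso} ORDER BY CreatedDate ASC NULLS FIRST"
    )


def query_path(soql):
    """Path of the REST query endpoint; ',', '=' and ':' are kept literal, the rest is percent-encoded."""
    return f"/services/data/{API_VERSION}/query?q={quote(soql, safe=',=:')}"


def parse_discover_response(body):
    """Map a query response to discover results (one per log file) plus the pagination cursor.
    Salesforce reports a rejected query as a JSON list of {message, errorCode} objects;
    raise on those rather than returning an empty result set."""
    data = json.loads(body)
    if isinstance(data, list):
        codes = ",".join(e.get("errorCode", "UNKNOWN") for e in data)
        raise ValueError(f"SOQL query rejected ({codes}): {data[0].get('message', '').strip()}")
    results = [
        {"id": r["Id"], "logDate": r["LogDate"], "interval": r["Interval"], "path": r["LogFile"]}
        for r in data.get("records", [])
    ]
    # nextRecordsUrl is only present while done is false; the collector follows it for the next page
    return results, (None if data.get("done", True) else data.get("nextRecordsUrl"))


# Constructed sample responses (not captured from a real org)
SAMPLE_OK = json.dumps({
    "totalSize": 1, "done": True,
    "records": [{"attributes": {"type": "EventLogFile"}, "Id": "0AT000000000001AAA",
                 "CreatedDate": "2025-08-13T07:30:00.000+0000", "Interval": "Hourly",
                 "LogDate": "2025-08-13T06:00:00.000+0000",
                 "LogFile": f"/services/data/{API_VERSION}/sobjects/EventLogFile/0AT000000000001AAA/LogFile"}],
})
SAMPLE_ERR = json.dumps([{"message": "sObject type 'EventLogFile' is not supported.",
                          "errorCode": "INVALID_TYPE"}])

if __name__ == "__main__":
    print(query_path(build_soql("2025-08-13T07:21:31.551Z", "2025-08-13T07:36:31.551Z")))
    print(parse_discover_response(SAMPLE_OK))
```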


Get Started


Find the latest instructions and information on the official Cribl GitHub page for the collector.


I’m getting the following error:

_raw:w{"message":"unexpected token: 'undefined'","errorCode":"MALFORMED_QUERY"}


If I use HTTP Request the error is:

error.message == "Http Error, statusCode: 400, details: {"host":"mydomain.my.salesforce.com","port":"","path":"/services/data/v57.0/query?q=SELECT%20Id,CreatedDate,Interval,LogDate,LogFile%20FROM%20EventLogFile%20WHERE%20Interval%20=%20%27Hourly%27%20AND%20CreatedDate%20%3E=%202025-08-13T07:21:31.551Z%20AND%20CreatedDate%20%3C%202025-08-13T07:36:31.551Z%20ORDER%20BY%20CreatedDate%20ASC%20NULLS%20FIRST","method":"get","statusCode":400,"response":"[{\"message\":\"\\nInterval,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly'\\n                              ^\\nERROR at Row:1:Column:53\\nsObject type 'EventLogFile' is not supported. If you are attempting to use a custom object, be sure to append the '__c' after the entity name. Please reference your WSDL or the describe call for the appropriate names.\",\"errorCode\":\"INVALID_TYPE\"}]","contentType":"application/json;charset=UTF-8","elapsed":58,"startTime":1755070651551}"


Hi @Ian Broughton, searching for similar errors typically points back to some kind of permission or profile issue. Can you confirm the api user has the correct permissions? For example, check out the EventLogFile page: https://developer.salesforce.com/docs/atlas.en-us.256.0.object_reference.meta/object_reference/sforce_api_objects_eventlogfile.htm

-Jeff, Cribl


Hi, @Ian Broughton.

I think that the key is in the message that you are receiving from Salesforce: "Object type 'EventLogFile' is not supported". From what I understand, that is a response to the discover trying to get the list of records of the object EventLogFile. You can try to execute the same SOQL query with curl and see what your Salesforce config actually provides you 😊.

There are a variety of possible causes for the "not supported" error: I would review the configuration of Salesforce or contact your support there.

In the meanwhile, if you want to download only records of supported objects, you can select the JSON Response type in discover and set the Discover result with the queries and cursors that you need.

Best, 

  Rober