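---
# Standalone Filebeat config rendered from the Elastic Agent "salesforce" integration
# (package 0.5.0, agent 8.4.1). Three httpjson inputs poll the Salesforce REST API
# once an hour — EventLogFile Login and Logout files and the SetupAuditTrail object —
# and ship the events to Elasticsearch.
#
# Security notes:
# - The OAuth2 client secret and the user password are stored inline (redacted here as
#   x's). Do not keep literal secrets in this file: put them in the Filebeat keystore
#   and reference them as ${SALESFORCE_CLIENT_SECRET} / ${SALESFORCE_PASSWORD}.
# - The Salesforce user only needs read access to EventLogFile and SetupAuditTrail;
#   use a dedicated integration user with the minimum permissions, not an admin.
# - Both the Salesforce org (elastic33-dev-ed — a developer edition org) and the
#   Elasticsearch host are hard-coded; confirm they match the target environment.
filebeat:
  inputs:
    # --- EventLogFile, EventType = 'Login' ------------------------------------------
    - type: httpjson
      id: httpjson-salesforce.login_rest-e72e4ecc-a221-4546-973c-cf892ff9327d
      name: salesforce-1
      config_version: 2
      revision: 1
      interval: 1h
      index: logs-salesforce.login_rest-default
      # OAuth2 username/password (resource owner) flow against the Salesforce login
      # endpoint. client.secret and password are secrets — see keystore note above.
      auth:
        oauth2:
          enabled: true
          client.id: xxxxxxxxxxxxxxxx
          client.secret: xxxxxxxxxxxxxxxx
          user: xxxxxxxxxxxxxxxx@elastic.co
          password: xxxxxxxxxxxxxxxx
          token_url: https://login.salesforce.com/services/oauth2/token
      # The query URL's q parameter is a placeholder; request.transforms overwrites it.
      request.url: https://elastic33-dev-ed.my.salesforce.com/services/data/v54.0/query?q=login+rest
      request.method: GET
      request.transforms:
        - set:
            target: url.params.q
            # First run (no cursor yet): full history, oldest LogDate first.
            default: SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Daily' AND EventType = 'Login' ORDER BY LogDate ASC NULLS FIRST
            # Subsequent runs: only files newer than the stored cursor. The sort key
            # must be the same field the cursor tracks (LogDate) so that the last
            # published event is also the newest one.
            value: SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Daily' AND EventType = 'Login' AND LogDate > [[.cursor.last_published_login]] ORDER BY LogDate ASC NULLS FIRST
      response:
        split:
          target: body.records
      # Second request per record: fetch the actual log file body for each Id
      # returned by the query above.
      chain:
        - step:
            replace: $.records[:].Id
            request.method: GET
            request.url: https://elastic33-dev-ed.my.salesforce.com/services/data/v54.0/sobjects/EventLogFile/$.records[:].Id/LogFile
      # Cursor = LogDate of the last event published in the previous run.
      # NOTE(review): confirm the events published after the chain step actually carry
      # a LogDate field; if they do not, the cursor stays empty and every run re-reads
      # the full history via the `default` query.
      cursor:
        last_published_login:
          value: '[[.last_event.LogDate]]'
      processors:
        - add_fields:
            target: '@metadata'
            fields:
              input_id: httpjson-salesforce-e72e4ecc-a221-4546-973c-cf892ff9327d
        - add_fields:
            target: '@metadata'
            fields:
              stream_id: httpjson-salesforce.login_rest-e72e4ecc-a221-4546-973c-cf892ff9327d
        - add_fields:
            target: data_stream
            fields:
              type: logs
              dataset: salesforce.login_rest
              namespace: default
        - add_fields:
            target: event
            fields:
              dataset: salesforce.login_rest
        - add_fields:
            target: elastic_agent
            fields:
              id: 69ea7ab6-91d2-4b90-ad6f-eb81548f342a
              version: 8.4.1
              snapshot: false
        - add_fields:
            target: agent
            fields:
              id: 69ea7ab6-91d2-4b90-ad6f-eb81548f342a
      publisher_pipeline.disable_host: true
      tags:
        - preserve_original_event
        - salesforce-login_rest
        - forwarded
      meta:
        package:
          name: salesforce
          version: 0.5.0

    # --- EventLogFile, EventType = 'Logout' -----------------------------------------
    - type: httpjson
      id: httpjson-salesforce.logout_rest-e72e4ecc-a221-4546-973c-cf892ff9327d
      name: salesforce-1
      config_version: 2
      revision: 1
      interval: 1h
      index: logs-salesforce.logout_rest-default
      # Same credential block as the login_rest input; same keystore note applies.
      auth:
        oauth2:
          enabled: true
          client.id: xxxxxxxxxxxxxxxx
          client.secret: xxxxxxxxxxxxxxxx
          user: xxxxxxxxxxxxxxxx@elastic.co
          password: xxxxxxxxxxxxxxxx
          token_url: https://login.salesforce.com/services/oauth2/token
      request.url: https://elastic33-dev-ed.my.salesforce.com/services/data/v54.0/query?q=logout+rest
      request.method: GET
      request.transforms:
        - set:
            target: url.params.q
            default: SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Daily' AND EventType = 'Logout' ORDER BY LogDate ASC NULLS FIRST
            # FIX: this query previously sorted by CreatedDate while the cursor below
            # and the WHERE clause use LogDate. With a CreatedDate sort the last
            # published event is not guaranteed to have the highest LogDate, so the
            # cursor could be set too low and already-ingested files re-fetched on the
            # next run. Sort by LogDate, matching the login_rest input and the
            # `default` query above.
            value: SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Daily' AND EventType = 'Logout' AND LogDate > [[.cursor.last_published_logout]] ORDER BY LogDate ASC NULLS FIRST
      response:
        split:
          target: body.records
      chain:
        - step:
            replace: $.records[:].Id
            request.method: GET
            request.url: https://elastic33-dev-ed.my.salesforce.com/services/data/v54.0/sobjects/EventLogFile/$.records[:].Id/LogFile
      # Cursor = LogDate of the last published event (same caveat as login_rest).
      cursor:
        last_published_logout:
          value: '[[.last_event.LogDate]]'
      processors:
        - add_fields:
            target: '@metadata'
            fields:
              input_id: httpjson-salesforce-e72e4ecc-a221-4546-973c-cf892ff9327d
        - add_fields:
            target: '@metadata'
            fields:
              stream_id: httpjson-salesforce.logout_rest-e72e4ecc-a221-4546-973c-cf892ff9327d
        - add_fields:
            target: data_stream
            fields:
              type: logs
              dataset: salesforce.logout_rest
              namespace: default
        - add_fields:
            target: event
            fields:
              dataset: salesforce.logout_rest
        - add_fields:
            target: elastic_agent
            fields:
              id: 69ea7ab6-91d2-4b90-ad6f-eb81548f342a
              version: 8.4.1
              snapshot: false
        - add_fields:
            target: agent
            fields:
              id: 69ea7ab6-91d2-4b90-ad6f-eb81548f342a
      publisher_pipeline.disable_host: true
      tags:
        - preserve_original_event
        - salesforce-logout_rest
        - forwarded
      meta:
        package:
          name: salesforce
          version: 0.5.0

    # --- SetupAuditTrail (admin / configuration changes) ----------------------------
    # No chain step: the query rows themselves are the events.
    - type: httpjson
      id: httpjson-salesforce.setupaudittrail-e72e4ecc-a221-4546-973c-cf892ff9327d
      name: salesforce-1
      config_version: 2
      revision: 1
      interval: 1h
      index: logs-salesforce.setupaudittrail-default
      # Same credential block as the login_rest input; same keystore note applies.
      auth:
        oauth2:
          enabled: true
          client.id: xxxxxxxxxxxxxxxx
          client.secret: xxxxxxxxxxxxxxxx
          user: xxxxxxxxxxxxxxxx@elastic.co
          password: xxxxxxxxxxxxxxxx
          token_url: https://login.salesforce.com/services/oauth2/token
      request.url: https://elastic33-dev-ed.my.salesforce.com/services/data/v54.0/query?q=setupaudittrail+rest
      request.method: GET
      request.transforms:
        - set:
            target: url.params.q
            default: SELECT Action,CreatedByContext,CreatedById,CreatedByIssuer,CreatedDate,DelegateUser,Display,Id,ResponsibleNamespacePrefix,Section FROM SetupAuditTrail ORDER BY CreatedDate ASC NULLS FIRST
            # Cursor field and sort key are both CreatedDate here — consistent.
            value: SELECT Action,CreatedByContext,CreatedById,CreatedByIssuer,CreatedDate,DelegateUser,Display,Id,ResponsibleNamespacePrefix,Section FROM SetupAuditTrail WHERE CreatedDate > [[.cursor.last_published_setupaudittrail]] ORDER BY CreatedDate ASC NULLS FIRST
      response:
        split:
          target: body.records
      cursor:
        last_published_setupaudittrail:
          value: '[[.last_event.CreatedDate]]'
      processors:
        - add_fields:
            target: '@metadata'
            fields:
              input_id: httpjson-salesforce-e72e4ecc-a221-4546-973c-cf892ff9327d
        - add_fields:
            target: '@metadata'
            fields:
              stream_id: httpjson-salesforce.setupaudittrail-e72e4ecc-a221-4546-973c-cf892ff9327d
        - add_fields:
            target: data_stream
            fields:
              type: logs
              dataset: salesforce.setupaudittrail
              namespace: default
        - add_fields:
            target: event
            fields:
              dataset: salesforce.setupaudittrail
        - add_fields:
            target: elastic_agent
            fields:
              id: 69ea7ab6-91d2-4b90-ad6f-eb81548f342a
              version: 8.4.1
              snapshot: false
        - add_fields:
            target: agent
            fields:
              id: 69ea7ab6-91d2-4b90-ad6f-eb81548f342a
      publisher_pipeline.disable_host: true
      tags:
        - preserve_original_event
        - salesforce-setupaudittrail
        - forwarded
      meta:
        package:
          name: salesforce
          version: 0.5.0

output:
  elasticsearch:
    # api_key is left empty (parsed as null), so this output sends no credentials
    # unless they are supplied elsewhere. Provide the key from the keystore, e.g.
    # `api_key: ${ES_API_KEY}`, and scope it to write access on the
    # logs-salesforce.* data streams only.
    api_key:
    # https is used but no ssl.* settings are present here; make sure the CA that
    # signed the Elasticsearch certificate is trusted (ssl.certificate_authorities)
    # rather than relaxing ssl.verification_mode.
    hosts:
      - https://elasticsearch:9200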