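---
# Elastic Agent policy for the Salesforce integration (package 0.5.0).
# Two inputs: `httpjson` polls the Salesforce REST API hourly for login, logout
# and setup-audit-trail records; `cometd` subscribes to the login event stream.
# All credential values in this listing are redacted placeholders.
agent:
  download:
    source_uri: https://artifacts.elastic.co/downloads/
  monitoring:
    enabled: true
    logs: true
    metrics: true
    namespace: default
    use_output: default
fleet:
  hosts:
    - https://fleet-server:8220
id: 030525f0-494a-11ed-a2cb-f773a6a66d20
inputs:
  - data_stream:
      namespace: default
    id: httpjson-salesforce-e72e4ecc-a221-4546-973c-cf892ff9327d
    meta:
      package:
        name: salesforce
        version: '0.5.0'
    name: salesforce-1
    revision: 1
    streams:
      # --- Login events (EventLogFile, EventType = 'Login') ---
      # `user` and `password` appear next to the client id/secret, which
      # looks like the OAuth2 username-password flow: the collector then holds
      # a reusable account password. Use a dedicated, least-privilege
      # integration user and keep real values out of version control.
      - auth.oauth2:
          client.id: xxxxxxxxxxxxxxxx
          client.secret: xxxxxxxxxxxxxxxx
          enabled: true
          password: xxxxxxxxxxxxxxxx
          token_url: https://login.salesforce.com/services/oauth2/token
          user: xxxxxxxxxxxxxxxx@elastic.co
        # Second request per record: fetch the log file body for each Id
        # returned by the query below.
        chain:
          - step:
              replace: '$.records[:].Id'
              request.method: GET
              request.url: 'https://elastic33-dev-ed.my.salesforce.com/services/data/v54.0/sobjects/EventLogFile/$.records[:].Id/LogFile'
        config_version: 2
        # Incremental collection: remember the LogDate of the last published
        # event and only ask for newer records on the next poll.
        cursor:
          last_published_login:
            value: '[[.last_event.LogDate]]'
        data_stream:
          dataset: salesforce.login_rest
          type: logs
        id: httpjson-salesforce.login_rest-e72e4ecc-a221-4546-973c-cf892ff9327d
        interval: 1h
        publisher_pipeline.disable_host: true
        request.method: GET
        request.transforms:
          # `default` runs when no cursor exists yet (first poll);
          # `value` runs once a cursor has been stored.
          - set:
              default: >-
                SELECT Id,CreatedDate,LogDate,LogFile
                FROM EventLogFile
                WHERE Interval = 'Daily' AND EventType = 'Login'
                ORDER BY LogDate ASC NULLS FIRST
              target: url.params.q
              value: >-
                SELECT Id,CreatedDate,LogDate,LogFile
                FROM EventLogFile
                WHERE Interval = 'Daily' AND EventType = 'Login'
                AND LogDate > [[.cursor.last_published_login]]
                ORDER BY LogDate ASC NULLS FIRST
        # The `q` parameter here is overwritten by the transform above.
        request.url: https://elastic33-dev-ed.my.salesforce.com/services/data/v54.0/query?q=login+rest
        response.split:
          target: body.records
        tags:
          - preserve_original_event
          - salesforce-login_rest
          - forwarded
      # --- Logout events (EventLogFile, EventType = 'Logout') ---
      - auth.oauth2:
          client.id: xxxxxxxxxxxxxxxx
          client.secret: xxxxxxxxxxxxxxxx
          enabled: true
          password: xxxxxxxxxxxxxxxx
          token_url: https://login.salesforce.com/services/oauth2/token
          user: xxxxxxxxxxxxxxxx@elastic.co
        chain:
          - step:
              replace: '$.records[:].Id'
              request.method: GET
              request.url: 'https://elastic33-dev-ed.my.salesforce.com/services/data/v54.0/sobjects/EventLogFile/$.records[:].Id/LogFile'
        config_version: 2
        cursor:
          last_published_logout:
            value: '[[.last_event.LogDate]]'
        data_stream:
          dataset: salesforce.logout_rest
          type: logs
        id: httpjson-salesforce.logout_rest-e72e4ecc-a221-4546-973c-cf892ff9327d
        interval: 1h
        publisher_pipeline.disable_host: true
        request.method: GET
        request.transforms:
          - set:
              default: >-
                SELECT Id,CreatedDate,LogDate,LogFile
                FROM EventLogFile
                WHERE Interval = 'Daily' AND EventType = 'Logout'
                ORDER BY LogDate ASC NULLS FIRST
              target: url.params.q
              # Ordered by LogDate (was CreatedDate): the cursor is taken from
              # the LogDate of the LAST event, so the result set must be
              # sorted on that same field. Sorting on CreatedDate can leave
              # the cursor on a non-maximal LogDate and re-fetch records that
              # were already published. This now matches the login stream and
              # the `default` query above.
              value: >-
                SELECT Id,CreatedDate,LogDate,LogFile
                FROM EventLogFile
                WHERE Interval = 'Daily' AND EventType = 'Logout'
                AND LogDate > [[.cursor.last_published_logout]]
                ORDER BY LogDate ASC NULLS FIRST
        request.url: https://elastic33-dev-ed.my.salesforce.com/services/data/v54.0/query?q=logout+rest
        response.split:
          target: body.records
        tags:
          - preserve_original_event
          - salesforce-logout_rest
          - forwarded
      # --- Setup audit trail (SetupAuditTrail object) ---
      # No `chain` step: the query result itself is the event.
      # Cursor and ordering both use CreatedDate, so they agree.
      - auth.oauth2:
          client.id: xxxxxxxxxxxxxxxx
          client.secret: xxxxxxxxxxxxxxxx
          enabled: true
          password: xxxxxxxxxxxxxxxx
          token_url: https://login.salesforce.com/services/oauth2/token
          user: xxxxxxxxxxxxxxxx@elastic.co
        config_version: 2
        cursor:
          last_published_setupaudittrail:
            value: '[[.last_event.CreatedDate]]'
        data_stream:
          dataset: salesforce.setupaudittrail
          type: logs
        id: httpjson-salesforce.setupaudittrail-e72e4ecc-a221-4546-973c-cf892ff9327d
        interval: 1h
        publisher_pipeline.disable_host: true
        request.method: GET
        request.transforms:
          - set:
              default: >-
                SELECT Action,CreatedByContext,CreatedById,CreatedByIssuer,CreatedDate,DelegateUser,Display,Id,ResponsibleNamespacePrefix,Section
                FROM SetupAuditTrail
                ORDER BY CreatedDate ASC NULLS FIRST
              target: url.params.q
              value: >-
                SELECT Action,CreatedByContext,CreatedById,CreatedByIssuer,CreatedDate,DelegateUser,Display,Id,ResponsibleNamespacePrefix,Section
                FROM SetupAuditTrail
                WHERE CreatedDate > [[.cursor.last_published_setupaudittrail]]
                ORDER BY CreatedDate ASC NULLS FIRST
        request.url: https://elastic33-dev-ed.my.salesforce.com/services/data/v54.0/query?q=setupaudittrail+rest
        response.split:
          target: body.records
        tags:
          - preserve_original_event
          - salesforce-setupaudittrail
          - forwarded
    type: httpjson
    use_output: default
  - data_stream:
      namespace: default
    id: cometd-salesforce-e72e4ecc-a221-4546-973c-cf892ff9327d
    meta:
      package:
        name: salesforce
        version: '0.5.0'
    name: salesforce-1
    revision: 1
    streams:
      # --- Real-time login events over the streaming channel ---
      # Same credential set as the REST streams above; rotating the
      # integration user's password or client secret affects all four streams.
      - auth.oauth2:
          client.id: xxxxxxxxxxxxxxxx
          client.secret: xxxxxxxxxxxxxxxx
          password: xxxxxxxxxxxxxxxx
          token_url: https://login.salesforce.com/services/oauth2/token
          user: xxxxxxxxxxxxxxxx@elastic.co
        channel_name: /event/LoginEventStream
        data_stream:
          dataset: salesforce.login_stream
          type: logs
        id: cometd-salesforce.login_stream-e72e4ecc-a221-4546-973c-cf892ff9327d
        publisher_pipeline.disable_host: true
        tags:
          - preserve_original_event
          - salesforce-login_stream
          - forwarded
    type: cometd
    use_output: default
# Elasticsearch privileges granted to the agent's output credential.
# Every index entry is limited to `auto_configure` + `create_doc`: the agent
# can append documents to its own data streams but is given no read, update
# or delete privilege here. Keep it that way when adding data streams.
output_permissions:
  default:
    _elastic_agent_checks:
      cluster:
        - monitor
    _elastic_agent_monitoring:
      indices:
        - names:
            - logs-elastic_agent.apm_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.apm_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.auditbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.auditbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.cloudbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.cloudbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.elastic_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.endpoint_security-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.endpoint_security-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.filebeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.filebeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.fleet_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.fleet_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.heartbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.heartbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.metricbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.metricbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.osquerybeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.osquerybeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.packetbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.packetbeat-default
          privileges:
            - auto_configure
            - create_doc
    # Permissions for the Salesforce package policy: one entry per dataset
    # declared under `inputs` above.
    e72e4ecc-a221-4546-973c-cf892ff9327d:
      indices:
        - names:
            - logs-salesforce.login_rest-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-salesforce.logout_rest-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-salesforce.setupaudittrail-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-salesforce.login_stream-default
          privileges:
            - auto_configure
            - create_doc
outputs:
  default:
    # Empty in this listing (an explicit null, same as the bare key it
    # replaces). A real key is a secret: inject it at deploy time rather
    # than committing it alongside the policy.
    api_key: null
    # HTTPS endpoint; no ssl.* settings are present in this policy, so
    # certificate verification is whatever the agent's defaults provide.
    hosts:
      - https://elasticsearch:9200
    type: elasticsearch
revision: 2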