Salesforce Event Logs
Capture detailed information about user activities, system operations, and performance metrics within a Salesforce organization.
Ingest Methods
RunReveal offers the following ways to ingest Salesforce Event Logs logs:
API Polling
Salesforce Event Logs supports API polling to collect event logs from your Salesforce organization using OAuth 2.0 client credentials. The setup steps are the same as for Salesforce Audit Trail; you can use the same Connected App credentials for both Event Logs and Audit Trail if you want to run both sources.
API and polling: We use Salesforce API v65.0. Backfill is limited to 30 days. We poll daily by default; while we can poll hourly, daily polling is recommended to reduce the chance of missing late-arriving logs from the Salesforce API.
Step 1: Create the External Client App
- In Salesforce, go to Setup (click the gear icon)
- In the Quick Find box, search for “External Client App Manager” (or go to Apps → External Client Apps → External Client App Manager in the sidebar)
- Click “New External Client App” in the top right
- Fill in the basic information:
- Connected App Name: Your integration name (e.g. “RunReveal”)
- API Name: (auto-fills based on the name)
- Contact Email: Your email
Step 2: Configure OAuth Settings
- Check “Enable OAuth Settings”
- Set Callback URL to:
https://login.salesforce.com/services/oauth2/callback(or your specific callback URL if different) - Under Selected OAuth Scopes, add:
- Perform requests at any time (
refresh_token,offline_access) - Manage user data via APIs (
api)
- Perform requests at any time (
- Check “Enable Client Credentials Flow”
- Click “Create”
Step 3: Enable Client Credentials Flow
- Edit the app you just created
- Check “Enable Client Credentials Flow”
- In the “Run As” field, search for and select the execution user
The Run As user must have “View All Data” and “API Enabled” permissions.
Step 4: Save and Retrieve Credentials
- Click “Save”
- Click “Continue” on the confirmation page
- You’ll see the Consumer Key displayed immediately
- Click “Manage Consumer Details” to view the Consumer Secret
- Salesforce will send a verification code to your email — enter it to proceed
- Copy both the Consumer Key and Consumer Secret for use in RunReveal
Step 5: Connect in RunReveal
- Go to Sources in RunReveal
- Click the Salesforce Event Logs source tile
- Give it a name and fill in the required fields:
- Salesforce Instance Host: Your Salesforce instance URL (e.g.
company.my.salesforce.com) - Client ID: The Consumer Key from Step 4
- Client Secret: The Consumer Secret from Step 4
- Salesforce Instance Host: Your Salesforce instance URL (e.g.
- Click Connect Source
RunReveal will poll the Salesforce Event Logs API daily and backfill the last 30 days on first sync.
Video Walkthrough
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: salesforce_logs (36 columns)
salesforce_logs (36 columns)| Column | Type |
|---|---|
workspaceID | String |
sourceID | String |
sourceType | LowCardinality(String) |
sourceTTL | UInt32 |
receivedAt | DateTime |
id | String |
eventTime | DateTime |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
dstCity | String |
dstConnectionType | String |
dstISP | String |
dstLatitude | Float64 |
dstLongitude | Float64 |
dstUserType | String |
actor | Map(String, String) |
tags | Map(String, String) |
resources | Array(String) |
serviceName | String |
enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
readOnly | Bool |
rawLog | String |
Table: salesforce_login_logs (70 columns)
salesforce_login_logs (70 columns)| Column | Type |
|---|---|
workspaceID | String |
sourceID | String |
sourceType | LowCardinality(String) |
sourceTTL | UInt32 |
receivedAt | DateTime |
id | String |
eventTime | DateTime |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
dstCity | String |
dstConnectionType | String |
dstISP | String |
dstLatitude | Float64 |
dstLongitude | Float64 |
dstUserType | String |
actor | Map(String, String) |
tags | Map(String, String) |
resources | Array(String) |
serviceName | String |
enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
readOnly | Bool |
| Column | Type |
|---|---|
rawLog | String |
eventType | String |
timestamp | String |
requestId | String |
organizationId | String |
userId | String |
runTime | String |
cpuTime | String |
uri | String |
sessionKey | String |
loginKey | String |
userType | String |
requestStatus | String |
dbTotalTime | String |
loginType | String |
browserType | String |
apiType | String |
apiVersion | String |
userName | String |
tlsProtocol | String |
cipherSuite | String |
useApiToken | String |
httpReferer | String |
loginUrl | String |
countryCode | String |
authenticationMethodReference | String |
loginSubType | String |
authenticationServiceId | String |
timestampDerived | String |
userIdDerived | String |
clientIp | String |
uriIdDerived | String |
loginStatus | String |
sourceIp | String |
forwardedForIp | String |
Table: salesforce_logout_logs (54 columns)
salesforce_logout_logs (54 columns)| Column | Type |
|---|---|
workspaceID | String |
sourceID | String |
sourceType | LowCardinality(String) |
sourceTTL | UInt32 |
receivedAt | DateTime |
id | String |
eventTime | DateTime |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
dstCity | String |
dstConnectionType | String |
dstISP | String |
dstLatitude | Float64 |
| Column | Type |
|---|---|
dstLongitude | Float64 |
dstUserType | String |
actor | Map(String, String) |
tags | Map(String, String) |
resources | Array(String) |
serviceName | String |
enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
readOnly | Bool |
rawLog | String |
eventType | String |
timestamp | String |
requestId | String |
organizationId | String |
userId | String |
runTime | String |
cpuTime | String |
sessionKey | String |
userType | String |
requestStatus | String |
dbTotalTime | String |
browserType | String |
userName | String |
timestampDerived | String |
userIdDerived | String |
clientIp | String |
sessionLevel | String |
sessionType | String |