John Devine 14

get SIEM data and events in real time?

Is there a way to get SIEM events and data in real time from the REST API? Which endpoints might I want to make use of? What sort of queries would I use? I tried to query EventLogFile but it says it is not supported.
Best Answer chosen by John Devine 14
eyewellse
As you may have discovered, there is a subset of all Event Monitoring event types (https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_objects_eventlogfile_supportedeventtypes.htm) which are streamed in real time. These are streamed out using the Salesforce Platform Events architecture, and the channels are named /event/ApiEventStream, /event/LoginEventStream, etc. (https://help.salesforce.com/articleView?id=real_time_event_monitoring_streaming.htm&type=5)

A client app can subscribe to these streams by implementing a long-polling technique (the CometD protocol), in Python if you like. Searching the internet, there appears to be a Python library which may expedite this for you; more info here (https://salesforce.stackexchange.com/questions/219239/how-to-publish-platform-event-from-aiosfstream-python-library)

The REST SELECT statement you mentioned in the comments refers specifically to retrieving the daily/hourly logs.
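As an added illustration, not code from this thread or from the aiosfstream project, here is a Python handler for messages in the shape a CometD client delivers on an /event/... channel: it tracks the last replayId per channel (the value handed back on resubscribe so a restarted consumer does not miss events; -1 means new events only), drops redelivered duplicates, and raises an alert for any LoginEventStream payload whose Status is not Success. The message layout and the LoginEvent field names (Username, SourceIp, Status, EventDate) are assumptions to verify against your org's schema, and the sample messages are constructed.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List

# Replay options Salesforce documents for Platform Event subscriptions:
# -1 = only new events, -2 = every event still in the retention window.
REPLAY_NEW_ONLY = -1


@dataclass
class StreamState:
    """Last replayId seen per channel, plus alerts raised while consuming."""
    last_replay: Dict[str, int] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def replay_for(self, channel: str) -> int:
        # Replay option to pass when (re)subscribing to this channel.
        return self.last_replay.get(channel, REPLAY_NEW_ONLY)


def handle_message(state: StreamState, raw: str) -> dict:
    """Consume one CometD message (assumed shape: data.payload, data.event.replayId)."""
    msg = json.loads(raw)
    channel = msg["channel"]
    replay_id = msg["data"]["event"]["replayId"]
    payload = msg["data"]["payload"]
    # replayIds increase per channel; a repeat is a redelivery already handled.
    if replay_id <= state.last_replay.get(channel, REPLAY_NEW_ONLY):
        return {"channel": channel, "replayId": replay_id, "duplicate": True}
    state.last_replay[channel] = replay_id
    # Detection rule: any login event whose Status is not "Success".
    if channel == "/event/LoginEventStream" and payload.get("Status") != "Success":
        state.alerts.append(f"{payload.get('EventDate')} login failure for {payload.get('Username')} from {payload.get('SourceIp')}: {payload.get('Status')}")
    return {"channel": channel, "replayId": replay_id, "duplicate": False}


# Constructed sample messages (not captured from a real org); the third repeats the second.
SAMPLE_MESSAGES = [
    '{"channel": "/event/LoginEventStream", "data": {"schema": "s1", "payload": {"Username": "a@example.com", "SourceIp": "203.0.113.10", "Status": "Success", "EventDate": "2023-11-01T10:00:00Z"}, "event": {"replayId": 1001}}}',
    '{"channel": "/event/LoginEventStream", "data": {"schema": "s1", "payload": {"Username": "a@example.com", "SourceIp": "198.51.100.7", "Status": "Invalid Password", "EventDate": "2023-11-01T10:00:05Z"}, "event": {"replayId": 1002}}}',
    '{"channel": "/event/LoginEventStream", "data": {"schema": "s1", "payload": {"Username": "a@example.com", "SourceIp": "198.51.100.7", "Status": "Invalid Password", "EventDate": "2023-11-01T10:00:05Z"}, "event": {"replayId": 1002}}}',
    '{"channel": "/event/ApiEventStream", "data": {"schema": "s2", "payload": {"Username": "svc@example.com", "Operation": "Query"}, "event": {"replayId": 77}}}',
]


def run_sample() -> StreamState:
    # Feed the constructed messages through the handler and return the final state.
    state = StreamState()
    for raw in SAMPLE_MESSAGES:
        handle_message(state, raw)
    return state
```

Persist `state.last_replay` between runs and pass `replay_for(channel)` to your CometD subscribe call so a restart resumes from the last event you processed.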

All Answers

Vinay (Salesforce Developers)
Hi John,

Accessing EventLogFile object requires View Event Log Files and API Enabled user permissions. Users with View All Data permission can view event log files.

Review below link for more information.

https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_objects_eventlogfile.htm

Hope above information was helpful.

Please mark as Best Answer so that it can help others in the future.

Thanks,
Vinay Kumar
John Devine 14

thanks for your reply. I read this in the REST API developer guide about event monitoring:

"An event generates log data in real time. However, daily log files are generated during nonpeak hours the day after an event takes place. Therefore, daily log file data is unavailable for at least one day after an event. For hourly log files, depending on event delivery and final processing time, an event is expected to take three to six hours from the time of the event to be available in the log file. However, it can take longer."


This does not seem like real-time event monitoring. How can I view event data in real time?

Vinay (Salesforce Developers)
Hi John,

Use below link to access Event Monitoring log files.

https://salesforce-elf.herokuapp.com
https://success.salesforce.com/issues_view?id=a1p3A000001SHKTQA4&title=how-to-access-and-download-your-event-monitoring-log-files

Please mark as Best Answer if above information was helpful so that it can help others in the future.

Thanks,
Vinay Kumar
John Devine 14
Thanks, that is helpful but not quite what I am looking for. I am still trying to figure out how to enable View Event Log Files and API Enabled user permissions. If I do this, will the events be in real time?
Vinay (Salesforce Developers)
Hi John,

You might need to reach out to your Account executive to purchase Event Monitoring.

Enable Event Monitoring
===================
https://help.salesforce.com/articleView?id=000339868&language=en_US&type=1&mode=1

API Enabled
==========
https://ebstalimited.zendesk.com/hc/en-us/articles/229295368-How-do-I-enable-API-access-in-Salesforce

Thanks,
Vinay Kumar
John Devine 14

I found under Setup in Event Manager I have a list of subscription channels such as:

/event/ApiEventStream
/event/LoginEventStream

etc., each of type Event Monitoring. I have enabled each of them for streaming. I am trying to use a Python script to subscribe to these to receive real-time data. Any idea how I can do this?

John Devine 14
I was able to view event log files via a REST call but it is returning zero records. I can view the logs in the event log file browser but my query: 'SELECT Id, EventType, LogFile, LogDate, LogFileLength FROM EventLogFile' is not returning any records. I tried many different WHERE filters as well.
John Devine 14
Thank you for your answer. I had been researching how to use the aiosfstream library since asking this question; it appears to meet my needs.