From fc56cc3d49c3444431aa3f429f665717a959bc00 Mon Sep 17 00:00:00 2001 From: Linu Elias Date: Tue, 2 Dec 2025 16:00:18 +0530 Subject: [PATCH 1/3] initial commit --- packages/salesforce/changelog.yml | 5 +++++ .../data_stream/login/agent/stream/salesforce.yml.hbs | 9 +++++---- packages/salesforce/data_stream/login/manifest.yml | 8 ++++++++ .../data_stream/logout/agent/stream/salesforce.yml.hbs | 9 +++++---- packages/salesforce/data_stream/logout/manifest.yml | 8 ++++++++ .../setupaudittrail/agent/stream/salesforce.yml.hbs | 5 +++-- .../salesforce/data_stream/setupaudittrail/manifest.yml | 8 ++++++++ packages/salesforce/manifest.yml | 2 +- 8 files changed, 43 insertions(+), 11 deletions(-) diff --git a/packages/salesforce/changelog.yml b/packages/salesforce/changelog.yml index 0c0c000a4d0..6f3b47187d0 100644 --- a/packages/salesforce/changelog.yml +++ b/packages/salesforce/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.7.0" + changes: + - description: Adding limit to queries in `login`, `logout` and `setupaudittrail`. + type: enhancement + link: https://github.com/elastic/integrations/pull/16023 - version: "1.6.0" changes: - description: Improve documentation diff --git a/packages/salesforce/data_stream/login/agent/stream/salesforce.yml.hbs b/packages/salesforce/data_stream/login/agent/stream/salesforce.yml.hbs index 8838980e6b4..cd1cba30997 100644 --- a/packages/salesforce/data_stream/login/agent/stream/salesforce.yml.hbs +++ b/packages/salesforce/data_stream/login/agent/stream/salesforce.yml.hbs @@ -1,4 +1,5 @@ version: {{api_version}} +limit: {{limit}} auth.oauth2: {{#if jwt_enabled }} jwt_bearer_flow: 
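Review bot: The added top-level `limit: {{limit}}` line in the login stream template is rendered unconditionally, so an unset variable produces a bare `limit:` key with a null value; the logout and setupaudittrail templates add the same line. The query strings already guard their use with `{{#if limit}}`, and this key should be wrapped the same way: `{{#if limit}}` / `limit: {{limit}}` / `{{/if}}`. Whether the salesforce input reads a top-level `limit` setting at all is not visible in this patch, so it is worth confirming the key is needed in addition to the `LIMIT` clause. The rest of the template lies outside the hunk.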
@@ -22,16 +23,16 @@ event_monitoring_method: enabled: {{#if event_log_file}}true{{else}}false{{/if}} interval: {{elf_period}} query: - default: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE {{#if initial_interval}}LogDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]] AND {{/if}}{{#if log_file_interval}}Interval = '{{log_file_interval}}' AND {{/if}}EventType = 'Login' ORDER BY LogDate ASC NULLS FIRST - value: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE {{#if log_file_interval}}Interval = '{{log_file_interval}}' AND {{/if}}EventType = 'Login' AND CreatedDate > [[ .cursor.event_log_file.last_event_time ]] ORDER BY LogDate ASC NULLS FIRST + default: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE EventType = 'Login' AND {{#if initial_interval}}LogDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]] AND {{/if}}{{#if log_file_interval}}Interval = '{{log_file_interval}}'{{/if}} ORDER BY LogDate ASC {{#if limit}}LIMIT {{limit}}{{/if}} + value: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE EventType = 'Login' AND CreatedDate > [[ .cursor.event_log_file.last_event_time ]] AND {{#if log_file_interval}}Interval = '{{log_file_interval}}'{{/if}} ORDER BY LogDate ASC {{#if limit}}LIMIT {{limit}}{{/if}} cursor: field: "CreatedDate" object: enabled: {{#if object}}true{{else}}false{{/if}} interval: {{real_time_period}} query: - default: SELECT FIELDS(STANDARD) FROM LoginEvent{{#if initial_interval}} WHERE EventDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]]{{/if}} - value: SELECT FIELDS(STANDARD) FROM LoginEvent WHERE EventDate > [[ .cursor.object.first_event_time ]] + default: SELECT FIELDS(STANDARD) FROM LoginEvent{{#if initial_interval}} WHERE EventDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]]{{/if}} 
ORDER BY EventDate ASC {{#if limit}}LIMIT {{limit}}{{/if}} + value: SELECT FIELDS(STANDARD) FROM LoginEvent WHERE EventDate > [[ .cursor.object.first_event_time ]] ORDER BY EventDate ASC {{#if limit}}LIMIT {{limit}}{{/if}} cursor: field: "EventDate" tags: diff --git a/packages/salesforce/data_stream/login/manifest.yml b/packages/salesforce/data_stream/login/manifest.yml index 1456c163e64..27e579c6f21 100644 --- a/packages/salesforce/data_stream/login/manifest.yml +++ b/packages/salesforce/data_stream/login/manifest.yml @@ -43,6 +43,14 @@ streams: required: false show_user: true default: 5m + - name: limit + type: integer + title: Query limit + description: Query limit. + multi: false + required: false + show_user: true + default: 2000 - name: initial_interval type: text title: Initial Interval diff --git a/packages/salesforce/data_stream/logout/agent/stream/salesforce.yml.hbs b/packages/salesforce/data_stream/logout/agent/stream/salesforce.yml.hbs index 53d388a71d6..6f011d2c938 100644 --- a/packages/salesforce/data_stream/logout/agent/stream/salesforce.yml.hbs +++ b/packages/salesforce/data_stream/logout/agent/stream/salesforce.yml.hbs @@ -1,4 +1,5 @@ version: {{api_version}} +limit: {{limit}} auth.oauth2: {{#if jwt_enabled }} jwt_bearer_flow: 
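Review bot: The rewritten EventLogFile `default` and `value` queries leave a dangling `AND` whenever `log_file_interval` is empty, because the optional `Interval = '…'` term is now last while the `AND` before it sits outside its `{{#if}}` block. The rendered SOQL then reads `… AND  ORDER BY LogDate ASC`, which Salesforce will presumably reject, so login collection would stop until the setting is filled in; the logout template has the same construct. Moving each conjunction inside its conditional avoids this: `WHERE EventType = 'Login'{{#if log_file_interval}} AND Interval = '{{log_file_interval}}'{{/if}}`, with the `initial_interval` term written the same way. Whether `log_file_interval` always has a value is decided in the manifest, outside this hunk, but the old template treated it as optional.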
@@ -22,16 +23,16 @@ event_monitoring_method: enabled: {{#if event_log_file}}true{{else}}false{{/if}} interval: {{elf_period}} query: - default: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE {{#if initial_interval}}LogDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]] AND {{/if}}{{#if log_file_interval}}Interval = '{{log_file_interval}}' AND {{/if}}EventType = 'Logout' ORDER BY LogDate ASC NULLS FIRST - value: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE {{#if log_file_interval}}Interval = '{{log_file_interval}}' AND {{/if}}EventType = 'Logout' AND CreatedDate > [[ .cursor.event_log_file.last_event_time ]] ORDER BY LogDate ASC NULLS FIRST + default: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE EventType = 'Logout' AND {{#if initial_interval}}LogDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]] AND {{/if}}{{#if log_file_interval}}Interval = '{{log_file_interval}}'{{/if}} ORDER BY LogDate ASC {{#if limit}}LIMIT {{limit}}{{/if}} + value: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE EventType = 'Logout' AND CreatedDate > [[ .cursor.event_log_file.last_event_time ]] AND {{#if log_file_interval}}Interval = '{{log_file_interval}}'{{/if}} ORDER BY LogDate ASC {{#if limit}}LIMIT {{limit}}{{/if}} cursor: field: "CreatedDate" object: enabled: {{#if object}}true{{else}}false{{/if}} interval: {{real_time_period}} query: - default: SELECT FIELDS(STANDARD) FROM LogoutEvent{{#if initial_interval}} WHERE EventDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]]{{/if}} - value: SELECT FIELDS(STANDARD) FROM LogoutEvent WHERE EventDate > [[ .cursor.object.first_event_time ]] + default: SELECT FIELDS(STANDARD) FROM LogoutEvent{{#if initial_interval}} WHERE EventDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") 
]]{{/if}} ORDER BY EventDate ASC {{#if limit}}LIMIT {{limit}}{{/if}} + value: SELECT FIELDS(STANDARD) FROM LogoutEvent WHERE EventDate > [[ .cursor.object.first_event_time ]] ORDER BY EventDate ASC {{#if limit}}LIMIT {{limit}}{{/if}} cursor: field: "EventDate" tags: diff --git a/packages/salesforce/data_stream/logout/manifest.yml b/packages/salesforce/data_stream/logout/manifest.yml index 616282ec472..7b3a92e9635 100644 --- a/packages/salesforce/data_stream/logout/manifest.yml +++ b/packages/salesforce/data_stream/logout/manifest.yml @@ -43,6 +43,14 @@ streams: required: false show_user: true default: 5m + - name: limit + type: integer + title: Query limit + description: Query limit. + multi: false + required: false + show_user: true + default: 2000 - name: initial_interval type: text title: Initial Interval diff --git a/packages/salesforce/data_stream/setupaudittrail/agent/stream/salesforce.yml.hbs b/packages/salesforce/data_stream/setupaudittrail/agent/stream/salesforce.yml.hbs index 62f80c2b804..e38dcd3eb09 100644 --- a/packages/salesforce/data_stream/setupaudittrail/agent/stream/salesforce.yml.hbs +++ b/packages/salesforce/data_stream/setupaudittrail/agent/stream/salesforce.yml.hbs @@ -1,4 +1,5 @@ version: {{api_version}} +limit: {{limit}} auth.oauth2: {{#if jwt_enabled }} jwt_bearer_flow: 
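Review bot: With `LIMIT` in place, the sort order and the resume cursor no longer line up in the logout queries. The LogoutEvent `value` query sorts `ORDER BY EventDate ASC` yet resumes from `.cursor.object.first_event_time`; if that is the first record of the previous page (setupaudittrail pairs its ascending sort with `last_event_time`), each poll restarts at the oldest row and cannot get past the first `limit` events. The EventLogFile queries sort by `LogDate` while the cursor field is `CreatedDate`, so a truncated page can save a cursor later than rows that were cut off, and those log files are then skipped. Aligning both, e.g. `WHERE EventDate > [[ .cursor.object.last_event_time ]]` and `ORDER BY CreatedDate ASC`, keeps the audit feed free of gaps; the login template has the same pair of queries. How the input derives these cursor values is outside the patch and should be confirmed.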
@@ -22,8 +23,8 @@ event_monitoring_method: enabled: true interval: {{period}} query: - default: SELECT FIELDS(STANDARD) FROM SetupAuditTrail{{#if initial_interval}} WHERE CreatedDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]]{{/if}} ORDER BY CreatedDate ASC NULLS FIRST - value: SELECT FIELDS(STANDARD) FROM SetupAuditTrail WHERE CreatedDate > [[ .cursor.object.last_event_time ]] ORDER BY CreatedDate ASC NULLS FIRST + default: SELECT FIELDS(STANDARD) FROM SetupAuditTrail{{#if initial_interval}} WHERE CreatedDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]]{{/if}} ORDER BY CreatedDate ASC {{#if limit}}LIMIT {{limit}}{{/if}} + value: SELECT FIELDS(STANDARD) FROM SetupAuditTrail WHERE CreatedDate > [[ .cursor.object.last_event_time ]] ORDER BY CreatedDate ASC {{#if limit}}LIMIT {{limit}}{{/if}} cursor: field: "CreatedDate" tags: diff --git a/packages/salesforce/data_stream/setupaudittrail/manifest.yml b/packages/salesforce/data_stream/setupaudittrail/manifest.yml index 52a9ff613c1..163e33c00a5 100644 --- a/packages/salesforce/data_stream/setupaudittrail/manifest.yml +++ b/packages/salesforce/data_stream/setupaudittrail/manifest.yml @@ -27,6 +27,14 @@ streams: required: false show_user: true default: 168h + - name: limit + type: integer + title: Query limit + description: Query limit. + multi: false + required: false + show_user: true + default: 2000 - name: tags type: text title: Tags diff --git a/packages/salesforce/manifest.yml b/packages/salesforce/manifest.yml index 4334cc145d3..807296fee86 100644 --- a/packages/salesforce/manifest.yml +++ b/packages/salesforce/manifest.yml 
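Review bot: Paging SetupAuditTrail with `LIMIT` while resuming on a strict `CreatedDate > [[ .cursor.object.last_event_time ]]` can drop audit entries when a full page is cut between rows that share the same `CreatedDate`. The leftover rows carry a timestamp equal to the saved cursor, so the next poll excludes them; several setup changes recorded with one timestamp would be the likely case. A comment above the queries should state this, for example `# LIMIT pages by CreatedDate; rows sharing the last timestamp of a full page are not re-read`, or the comparison could become `>=` if events are deduplicated downstream, which is not visible here. The hunk also drops `NULLS FIRST` from both queries without explanation.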
@@ -1,7 +1,7 @@ format_version: 3.0.2 name: salesforce title: Salesforce -version: "1.6.0" +version: "1.7.0" description: | Collect logs from Salesforce instances using the Elastic Agent. This integration enables monitoring and analysis of various Salesforce logs, including Login, Logout, Setup Audit Trail, and Apex execution logs. Gain insights into user activity, security events, and application performance. type: integration From 971518c462cf61741f95590e31879466998e1e52 Mon Sep 17 00:00:00 2001 From: Linu-Elias Date: Tue, 2 Dec 2025 16:10:26 +0530 Subject: [PATCH 2/3] Update changelog.yml --- packages/salesforce/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/salesforce/changelog.yml b/packages/salesforce/changelog.yml index 6f3b47187d0..76d819d9070 100644 --- a/packages/salesforce/changelog.yml +++ b/packages/salesforce/changelog.yml @@ -3,7 +3,7 @@ changes: - description: Adding limit to queries in `login`, `logout` and `setupaudittrail`. type: enhancement - link: https://github.com/elastic/integrations/pull/16023 + link: https://github.com/elastic/integrations/pull/16193 - version: "1.6.0" changes: - description: Improve documentation From 54f26790cf3e7c15a6828f093bbd4636072a720d Mon Sep 17 00:00:00 2001 From: Linu Elias Date: Tue, 2 Dec 2025 16:31:35 +0530 Subject: [PATCH 3/3] update limit to optional --- .../salesforce/data_stream/login/manifest.yml | 15 +++++++-------- .../salesforce/data_stream/logout/manifest.yml | 15 +++++++-------- .../data_stream/setupaudittrail/manifest.yml | 15 +++++++-------- 3 files changed, 21 insertions(+), 24 deletions(-) diff --git a/packages/salesforce/data_stream/login/manifest.yml b/packages/salesforce/data_stream/login/manifest.yml index 27e579c6f21..b75ee223622 100644 --- a/packages/salesforce/data_stream/login/manifest.yml +++ b/packages/salesforce/data_stream/login/manifest.yml 
@@ -3,6 +3,13 @@ title: Salesforce login logs streams: - input: salesforce vars: + - name: limit + type: integer + title: Query limit + description: Query limit. + multi: false + required: false + show_user: false - name: api_version type: text title: API Version @@ -43,14 +50,6 @@ streams: required: false show_user: true default: 5m - - name: limit - type: integer - title: Query limit - description: Query limit. - multi: false - required: false - show_user: true - default: 2000 - name: initial_interval type: text title: Initial Interval diff --git a/packages/salesforce/data_stream/logout/manifest.yml b/packages/salesforce/data_stream/logout/manifest.yml index 7b3a92e9635..782c331215a 100644 --- a/packages/salesforce/data_stream/logout/manifest.yml +++ b/packages/salesforce/data_stream/logout/manifest.yml @@ -3,6 +3,13 @@ title: Salesforce logout logs streams: - input: salesforce vars: + - name: limit + type: integer + title: Query limit + description: Query limit. + multi: false + required: false + show_user: false - name: api_version type: text title: API Version @@ -43,14 +50,6 @@ streams: required: false show_user: true default: 5m - - name: limit - type: integer - title: Query limit - description: Query limit. - multi: false - required: false - show_user: true - default: 2000 - name: initial_interval type: text title: Initial Interval diff --git a/packages/salesforce/data_stream/setupaudittrail/manifest.yml b/packages/salesforce/data_stream/setupaudittrail/manifest.yml index 163e33c00a5..866ef06d57c 100644 --- a/packages/salesforce/data_stream/setupaudittrail/manifest.yml +++ b/packages/salesforce/data_stream/setupaudittrail/manifest.yml @@ -3,6 +3,13 @@ title: Salesforce setupaudittrail logs streams: - input: salesforce vars: + - name: limit + type: integer + title: Query limit + description: Query limit. + multi: false + required: false + show_user: false - name: api_version type: text title: API Version 
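Review bot: The `limit` variable's `description: Query limit.` does not say what is limited or what happens when the value is left empty. After this commit the variable is hidden (`show_user: false`) and has no default, so out of the box no `LIMIT` clause is rendered at all. A description such as `Maximum number of records requested per SOQL query (rendered as a LIMIT clause). Leave empty for no limit.` would make that explicit; the logout and setupaudittrail manifests carry the same text. If the intent is to bound each poll, restoring a default should be considered, since the changelog entry says a limit is being added. The variable list continues outside the hunk.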
@@ -27,14 +34,6 @@ streams: required: false show_user: true default: 168h - - name: limit - type: integer - title: Query limit - description: Query limit. - multi: false - required: false - show_user: true - default: 2000 - name: tags type: text title: Tags