5 changes: 5 additions & 0 deletions packages/salesforce/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.7.0"
changes:
- description: Adding limit to queries in `login`, `logout` and `setupaudittrail`.
type: enhancement
link: https://github.com/elastic/integrations/pull/16193
- version: "1.6.0"
changes:
- description: Improve documentation
@@ -1,4 +1,5 @@
version: {{api_version}}
limit: {{limit}}
auth.oauth2:
{{#if jwt_enabled }}
jwt_bearer_flow:
Expand All @@ -22,16 +23,16 @@ event_monitoring_method:
enabled: {{#if event_log_file}}true{{else}}false{{/if}}
interval: {{elf_period}}
query:
default: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE {{#if initial_interval}}LogDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]] AND {{/if}}{{#if log_file_interval}}Interval = '{{log_file_interval}}' AND {{/if}}EventType = 'Login' ORDER BY LogDate ASC NULLS FIRST
value: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE {{#if log_file_interval}}Interval = '{{log_file_interval}}' AND {{/if}}EventType = 'Login' AND CreatedDate > [[ .cursor.event_log_file.last_event_time ]] ORDER BY LogDate ASC NULLS FIRST
default: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE EventType = 'Login' AND {{#if initial_interval}}LogDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]] AND {{/if}}{{#if log_file_interval}}Interval = '{{log_file_interval}}'{{/if}} ORDER BY LogDate ASC {{#if limit}}LIMIT {{limit}}{{/if}}
value: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE EventType = 'Login' AND CreatedDate > [[ .cursor.event_log_file.last_event_time ]] AND {{#if log_file_interval}}Interval = '{{log_file_interval}}'{{/if}} ORDER BY LogDate ASC {{#if limit}}LIMIT {{limit}}{{/if}}
cursor:
field: "CreatedDate"
object:
enabled: {{#if object}}true{{else}}false{{/if}}
interval: {{real_time_period}}
query:
default: SELECT FIELDS(STANDARD) FROM LoginEvent{{#if initial_interval}} WHERE EventDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]]{{/if}}
value: SELECT FIELDS(STANDARD) FROM LoginEvent WHERE EventDate > [[ .cursor.object.first_event_time ]]
default: SELECT FIELDS(STANDARD) FROM LoginEvent{{#if initial_interval}} WHERE EventDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]]{{/if}} ORDER BY EventDate ASC {{#if limit}}LIMIT {{limit}}{{/if}}
value: SELECT FIELDS(STANDARD) FROM LoginEvent WHERE EventDate > [[ .cursor.object.first_event_time ]] ORDER BY EventDate ASC {{#if limit}}LIMIT {{limit}}{{/if}}
cursor:
field: "EventDate"
tags:
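Review bot: The rewritten `event_log_file` queries leave a dangling `AND` directly before `ORDER BY` whenever `log_file_interval` is unset, because the conjunction now sits outside the `{{#if log_file_interval}}` block in both `default` and `value`; the previous ordering avoided this by ending on the unconditional `EventType` clause. Unless the variable always has a value (its manifest entry is not visible here), the rendered SOQL is invalid and the login stream would collect nothing. Moving the conjunction inside each conditional fixes it: `{{#if log_file_interval}} AND Interval = '{{log_file_interval}}'{{/if}}`, and likewise `{{#if initial_interval}} AND LogDate > [[ … ]]{{/if}}` placed right after `EventType = 'Login'`. The logout template repeats the same pattern with `EventType = 'Logout'`.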
7 changes: 7 additions & 0 deletions packages/salesforce/data_stream/login/manifest.yml
Expand Up @@ -3,6 +3,13 @@ title: Salesforce login logs
streams:
- input: salesforce
vars:
- name: limit
type: integer
title: Query limit
description: Query limit.
multi: false
required: false
show_user: false
- name: api_version
type: text
title: API Version
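Review bot: The new `limit` variable is documented only as `Query limit.`, with no default and no stated range, so an operator cannot tell what it caps or what happens when it is left empty. I would spell it out, e.g. `description: Maximum number of records returned by each SOQL query. Leave empty to apply no limit.` The templates guard the clause with `{{#if limit}}`, so a value of 0 will most likely render no `LIMIT` at all and a negative value would render invalid SOQL; the accepted range is worth stating in the description. The same block is added to the logout and setupaudittrail manifests.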
@@ -1,4 +1,5 @@
version: {{api_version}}
limit: {{limit}}
auth.oauth2:
{{#if jwt_enabled }}
jwt_bearer_flow:
Expand All @@ -22,16 +23,16 @@ event_monitoring_method:
enabled: {{#if event_log_file}}true{{else}}false{{/if}}
interval: {{elf_period}}
query:
default: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE {{#if initial_interval}}LogDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]] AND {{/if}}{{#if log_file_interval}}Interval = '{{log_file_interval}}' AND {{/if}}EventType = 'Logout' ORDER BY LogDate ASC NULLS FIRST
value: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE {{#if log_file_interval}}Interval = '{{log_file_interval}}' AND {{/if}}EventType = 'Logout' AND CreatedDate > [[ .cursor.event_log_file.last_event_time ]] ORDER BY LogDate ASC NULLS FIRST
default: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE EventType = 'Logout' AND {{#if initial_interval}}LogDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]] AND {{/if}}{{#if log_file_interval}}Interval = '{{log_file_interval}}'{{/if}} ORDER BY LogDate ASC {{#if limit}}LIMIT {{limit}}{{/if}}
value: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE EventType = 'Logout' AND CreatedDate > [[ .cursor.event_log_file.last_event_time ]] AND {{#if log_file_interval}}Interval = '{{log_file_interval}}'{{/if}} ORDER BY LogDate ASC {{#if limit}}LIMIT {{limit}}{{/if}}
cursor:
field: "CreatedDate"
object:
enabled: {{#if object}}true{{else}}false{{/if}}
interval: {{real_time_period}}
query:
default: SELECT FIELDS(STANDARD) FROM LogoutEvent{{#if initial_interval}} WHERE EventDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]]{{/if}}
value: SELECT FIELDS(STANDARD) FROM LogoutEvent WHERE EventDate > [[ .cursor.object.first_event_time ]]
default: SELECT FIELDS(STANDARD) FROM LogoutEvent{{#if initial_interval}} WHERE EventDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]]{{/if}} ORDER BY EventDate ASC {{#if limit}}LIMIT {{limit}}{{/if}}
value: SELECT FIELDS(STANDARD) FROM LogoutEvent WHERE EventDate > [[ .cursor.object.first_event_time ]] ORDER BY EventDate ASC {{#if limit}}LIMIT {{limit}}{{/if}}
cursor:
field: "EventDate"
tags:
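Review bot: The `object` queries now sort with `ORDER BY EventDate ASC` and cap with `LIMIT`, but `value` still filters on `[[ .cursor.object.first_event_time ]]`. If `first_event_time` holds the timestamp of the first row of the previous result (the input's cursor logic is not visible here), ascending order makes that the oldest row, so each run would re-read nearly the same page and, with a limit set, might never reach newer logout events. The setupaudittrail template pairs its ascending sort with `.cursor.object.last_event_time`; either do the same here, `WHERE EventDate > [[ .cursor.object.last_event_time ]]`, or keep the previous ordering. The login template carries the identical `object` query and needs the same check.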
7 changes: 7 additions & 0 deletions packages/salesforce/data_stream/logout/manifest.yml
Expand Up @@ -3,6 +3,13 @@ title: Salesforce logout logs
streams:
- input: salesforce
vars:
- name: limit
type: integer
title: Query limit
description: Query limit.
multi: false
required: false
show_user: false
- name: api_version
type: text
title: API Version
@@ -1,4 +1,5 @@
version: {{api_version}}
limit: {{limit}}
auth.oauth2:
{{#if jwt_enabled }}
jwt_bearer_flow:
Expand All @@ -22,8 +23,8 @@ event_monitoring_method:
enabled: true
interval: {{period}}
query:
default: SELECT FIELDS(STANDARD) FROM SetupAuditTrail{{#if initial_interval}} WHERE CreatedDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]]{{/if}} ORDER BY CreatedDate ASC NULLS FIRST
value: SELECT FIELDS(STANDARD) FROM SetupAuditTrail WHERE CreatedDate > [[ .cursor.object.last_event_time ]] ORDER BY CreatedDate ASC NULLS FIRST
default: SELECT FIELDS(STANDARD) FROM SetupAuditTrail{{#if initial_interval}} WHERE CreatedDate > [[ (formatTime (now.Add (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z0700") ]]{{/if}} ORDER BY CreatedDate ASC {{#if limit}}LIMIT {{limit}}{{/if}}
value: SELECT FIELDS(STANDARD) FROM SetupAuditTrail WHERE CreatedDate > [[ .cursor.object.last_event_time ]] ORDER BY CreatedDate ASC {{#if limit}}LIMIT {{limit}}{{/if}}
cursor:
field: "CreatedDate"
tags:
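Review bot: Combining `LIMIT` with the strict `CreatedDate > [[ .cursor.object.last_event_time ]]` filter can drop audit rows: when the limit cuts a page in the middle of several rows that share one `CreatedDate`, the next run starts after that timestamp and the remaining rows are never fetched. For a Setup Audit Trail feed that is a silent gap in the record of administrative changes. A comment above the `value` query should state this, for example `# LIMIT can split rows with equal CreatedDate; the cursor comparison is strict (>), so size limit above the largest same-timestamp burst`, or the comparison should become `>=` with de-duplication downstream. This hunk also drops `NULLS FIRST` from both queries without explanation, and the same tie-splitting applies to the limited queries in the login and logout templates.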
Expand Up @@ -3,6 +3,13 @@ title: Salesforce setupaudittrail logs
streams:
- input: salesforce
vars:
- name: limit
type: integer
title: Query limit
description: Query limit.
multi: false
required: false
show_user: false
- name: api_version
type: text
title: API Version
2 changes: 1 addition & 1 deletion packages/salesforce/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.0.2
name: salesforce
title: Salesforce
version: "1.6.0"
version: "1.7.0"
description: |
Collect logs from Salesforce instances using the Elastic Agent. This integration enables monitoring and analysis of various Salesforce logs, including Login, Logout, Setup Audit Trail, and Apex execution logs. Gain insights into user activity, security events, and application performance.
type: integration