Splunk Add-on for Salesforce Streaming API
Overview
Details
Install
Install the add-on on Forwarders and IDM.
(Splunk Cloud Platform deployments on Victoria Experience do not require IDM. If your deployment is on Victoria Experience you can run add-ons that contain scripted and modular inputs directly on the search head. To determine if your deployment has the Classic or Victoria experience, see Determine your Splunk Cloud Platform Experience.
For Splunk Cloud, refer to Install apps in your Splunk Cloud deployment. For customer managed deployments, refer to the standard methods for Splunk Add-on installs as documented for a Single Server Install or a Distributed Environment Install.
Configuration
Salesforce
Setup Connected App and OAuth access
- Create a connected app and use the consumer key and secret to authenticate the application
(via SETUP -> Platform Tools → Apps → App Manager -> New Connected App) - Enable OAuth access for the application.
- Setup Callback URL -> https://<sfdc-instance>/services/oauth2/callback
- Get OAuth Credentials (Consumer Key and Consumer Secret)
- Add
Full Accessto Selected OAuth scopes under OAuth Settings for the connected app - Enable Username-Password Flow
- Enable Real-time streaming objects
- Splunk add-on for SFDC Streaming API will require SFDC username, password, consumer key and consumer password to create a connection.
NOTE: Security Token
When you access Salesforce from an IP address that isn’t trusted for your company, and you use a desktop client or the API, you need a security token to log in.
What’s a security token? It’s a case-sensitive alphanumeric code that’s tied to your password. Whenever your password is reset, your security token is also reset.
password : \<password> + <security_token>
Another alternative to avoid using the security token, is to relax IP restrictions.
Splunk
- Install Splunk add-on for SFDC Streaming API
- Create a connection in the Connection tab with SFDC username, password, consumer key and consumer password to create a connection. Check the sandbox option if you're connecting to a SFDC sandbox instance (http://test.salesforce.com/services/oauth2/token)
- Create a data input in the Inputs tab to subscribe to any of the channels Real-time streaming objects. (For instance: To subscribe to the LoginEventStream set channel topic to
/event/LoginEventStream)
TroubleShooting
- Logs can be found with the search
index=_internal sourcetype=ta_sfdc_streaming_api_sfdc_streaming_api_events - Salesforce Error Codes
- OAuth Error Codes
Authorization Failure
ERROR('Authentication failed', {'error': 'invalid_grant', 'error_description': 'authentication failure'})
Check if your creds are correct. You can curl your SFDC instance to validate your credentials.
curl -d 'grant_type=password&client_id=<client_id>&client_secret=<client_secret>&username=<username>&password=<password>' "https://login.salesforce.com/services/oauth2/token"
You can check authorization errors cause by going to Setup -> Users -> Users and checking the Login History of the account you are using to authenticate
Additional permissions may be required: Additional setting in the App: Apps -> [select your "Connected App"] -> Edit -> Oauth Policies -> Permitted Users -> All users may self-authorize.
Channel Subscription Failure
ERROR pid=28219 tid=MainThread file=base.py:_send_payload_with_auth:321 | server error response for Channel (/meta/subscribe): '403:denied_by_security_policy:create_denied'
Enable access monitoring for real-time event monitoring - Enable Access to the Real-Time Event Monitoring
Release Notes
Version 1.1.1
BREAKING CHANGE WARNING
Due to change of development framework there is a change in secrets handling.
After update to version 1.1.1 please re-enter credentials (Consumer Key/Secret, Username/Password) and update each of your connections.
Otherwise the connection will fail.
If you don't want this change, do not update.
Updates
- Update of splunk-sdk library
- Update of development framework
- hot fix
Version 1.0.6
Update Splunk libs for cloud compatibility.
Version 1.0.5
Removing older jquery dependcies.
Version 1.0.4
Adding Sourcetypes and CIM compatibility.
Sourcetypes and CIM Compatibility
sfdc-streaming-api-events: Default sourcetype for all streaming API events
sfdc-streaming-api-events:login: Use this sourcetype for login related events (EG: LoginEventStream, LoginAsEventStream, LogoutEventStream).
This sourcetype maps to the authentication data model
sfdc-streaming-api-events:report: Use this sourcetype for report related events (EG: ReportEventStream).
This sourcetype maps to the data and access data model
sfdc-streaming-api-events:security: Use this sourcetype for security related events (EG: ApiAnomalyEvent, CredentialStuffingEvent, SessionHijackingEvent, ReportAnomalyEvent).
This sourcetype maps to the IDS and attack data model