
We're having trouble importing Salesforce SetupAuditTrail logs.

Chronicle successfully calls Salesforce: /services/data/v50.0/query and our Salesforce instance returns logs from Salesforce: /services/data/v50.0/sobjects/EventLogFile/ but logs from /services/data/v51.0/sobjects/SetupAuditTrail/ are failing.

What experience do other Chronicle users have with importing Salesforce logs, specifically SetupAuditTrail?

Have you followed the guidance given in the Collect Salesforce Logs documentation?




Yes, we're aware of that documentation, but we're making a direct API call, and not using an S3 bucket. There isn't an issue with the parser; we're not receiving the raw log events for SetupAuditTrail. The other event types are ingested and parsed OK.

Our Google customer engineer has confirmed SetupAuditTrail event records are arriving with a 'null' status, which suggests an issue with the Salesforce server, but we also have a Splunk SIEM making the exact same API calls with no issues.

