Salesforce sent an email "because you're an admin of an org that is actively using the legacy API endpoints". While this mentions only version 7.0 through 20.0 I only found version 27.0 in the logs which will be retired at a later date.
Either way – the log file doesn't make any sense. I downloaded it as described in this help article: https://help.salesforce.com/s/articleView?id=000351312&type=1
The SOQL is:
SELECT LogFile, EventType, CreatedDate FROM EventLogFile WHERE EventType IN ('API', 'RestApi', 'ApiTotalUsage')
So – first of all, I don't understand why I only have entries for ApiTotalUsage
– as we are actively using the REST API – but okay. All the entries are from one user that is used for all kinds of integrations which makes it hard to pinpoint the exact source. The client name is missing and IP addresses are all over the place. One really interesting fact is that the connected app id is 888U00000004CPV
and the 888
prefix already looks pretty fishy.
Looking at the connected apps I can confirm that the id does not match any of the apps in this list let alone having a similar id:
SELECT Id, Name FROM ConnectedApplication
Since there's no client name but an (albeit very weird) connected app, I guess that it is somehow tied to some connected app activity I can't nail down just yet. Does anybody have any kind of suggestion whatsoever?
Best Answer
Unfortunately, I came to a dead end on this one. I believe you're going to need to get Support involved. Here's what I found out.
The key prefix
888
is for an object calledOauthConsumer
, with the labelRemote Access
. This object cannot be interacted with as a system administrator. Attempts to describe or query the object in any API I tried returns the usual "sObject type 'OauthConsumer' is not supported" error (note proper title-case, so it is indeed a restricted object).If you try to use the key prefix as a URL,
/888
, you'll be taken to the URL:/identity/app/RemoteAccessRedirectPage.apexp?retURL=%2F02u
, which tells you that it's been moved to Applications. You'll be redirected to Setup > Create > Applications in Classic mode (/02u
). None of the records I see here have that key prefix...You can try using
/888U00000004CPV
as the URL, it may redirect you to the correct Application, or you may just get some sort of weirdData Not Available
type error. If it gets you where you need to be, great.As for the former part, what that help topic does't tell you is that:
You don't get the logs you need unless you pay for it. That said, you can probably request temporary access to this feature so you can get the data you need.