Legacy API usage and event log

apieventlogfile

Salesforce sent an email "because you're an admin of an org that is actively using the legacy API endpoints". While this mentions only versions 7.0 through 20.0, I only found version 27.0 in the logs, which will be retired at a later date.

Either way – the log file doesn't make any sense. I downloaded it as described in this help article: https://help.salesforce.com/s/articleView?id=000351312&type=1

The SOQL is:

SELECT LogFile, EventType, CreatedDate FROM EventLogFile WHERE EventType IN ('API', 'RestApi', 'ApiTotalUsage')

So – first of all, I don't understand why I only have entries for ApiTotalUsage – as we are actively using the REST API – but okay. All the entries are from one user that is used for all kinds of integrations which makes it hard to pinpoint the exact source. The client name is missing and IP addresses are all over the place. One really interesting fact is that the connected app id is 888U00000004CPV and the 888 prefix already looks pretty fishy.

Looking at the connected apps I can confirm that the id does not match any of the apps in this list let alone having a similar id:

SELECT Id, Name FROM ConnectedApplication

Since there's no client name but an (albeit very weird) connected app, I guess that it is somehow tied to some connected app activity I can't nail down just yet. Does anybody have any kind of suggestion whatsoever?

Best Answer

Unfortunately, I came to a dead end on this one. I believe you're going to need to get Support involved. Here's what I found out.

The key prefix 888 is for an object called OauthConsumer, with the label Remote Access. This object cannot be interacted with as a system administrator. Attempts to describe or query the object in any API I tried return the usual "sObject type 'OauthConsumer' is not supported" error (note proper title-case, so it is indeed a restricted object).

If you try to use the key prefix as a URL, /888, you'll be taken to the URL: /identity/app/RemoteAccessRedirectPage.apexp?retURL=%2F02u, which tells you that it's been moved to Applications. You'll be redirected to Setup > Create > Applications in Classic mode (/02u). None of the records I see here have that key prefix...

You can try using /888U00000004CPV as the URL; it may redirect you to the correct Application, or you may just get some sort of weird Data Not Available type error. If it gets you where you need to be, great.

As for the former part, what that help topic doesn't tell you is that:

Enterprise, Unlimited, and Performance Edition organizations have free access to the insecure external assets, login, logout, and total API usage event log files with 1-day data retention. For an extra cost, you can access all log file types with 30-day data retention.

You don't get the logs you need unless you pay for it. That said, you can probably request temporary access to this feature so you can get the data you need.
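For triaging the downloaded ApiTotalUsage file when every call comes from one shared integration user, the following added example (not part of the original question or answer) groups old-version calls by API version, connected app id and client name, and collects the source IPs and resources per group. The column names are assumed to match the log file's CSV header, the sample rows are constructed, the function names are hypothetical, and the 27.0 cut-off is simply the version mentioned in the question.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the column names are assumed to match the
# ApiTotalUsage log file header and should be checked against your download.
SAMPLE_LOG = """\
"EVENT_TYPE","TIMESTAMP_DERIVED","USER_ID","API_FAMILY","API_VERSION","API_RESOURCE","CLIENT_NAME","CLIENT_IP","CONNECTED_APP_ID"
"ApiTotalUsage","2022-03-01T08:00:01.000Z","005000000000001","SOAP","27.0","query","","203.0.113.10","888U00000004CPV"
"ApiTotalUsage","2022-03-01T08:05:12.000Z","005000000000001","SOAP","27.0","query","","198.51.100.7","888U00000004CPV"
"ApiTotalUsage","2022-03-01T09:00:00.000Z","005000000000001","REST","52.0","/v52.0/query","","203.0.113.10",""
"ApiTotalUsage","2022-03-01T09:30:00.000Z","005000000000002","SOAP","18.0","login","LegacyTool","192.0.2.44",""
"""

def summarize_legacy_calls(log_file, max_version):
    """Group calls at or below max_version by (version, app id, client name)."""
    groups = defaultdict(lambda: {"calls": 0, "ips": set(), "users": set(),
                                  "resources": set()})
    for row in csv.DictReader(log_file):
        try:
            version = float(row.get("API_VERSION") or "")
        except ValueError:
            continue  # rows without a numeric version cannot be classified
        if version > max_version:
            continue
        # Empty app id / client name are kept as their own bucket, not dropped.
        key = (version, row.get("CONNECTED_APP_ID") or "(none)",
               row.get("CLIENT_NAME") or "(none)")
        g = groups[key]
        g["calls"] += 1
        g["ips"].add(row.get("CLIENT_IP", ""))
        g["users"].add(row.get("USER_ID", ""))
        g["resources"].add(row.get("API_RESOURCE", ""))
    return dict(groups)

def format_report(groups):
    """One line per group, oldest API version first."""
    return [f"v{version} app={app_id} client={client} calls={g['calls']} "
            f"ips={sorted(g['ips'])} resources={sorted(g['resources'])}"
            for (version, app_id, client), g in sorted(groups.items())]

if __name__ == "__main__":
    report = summarize_legacy_calls(io.StringIO(SAMPLE_LOG), 27.0)
    for line in format_report(report):
        print(line)
```

To run it against a real download, pass an open file handle for the CSV instead of the `io.StringIO` sample.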