initial changes to salesforce module filesets

x-pack/filebeat/module/salesforce/_meta/config.yml

@@ -1,130 +1,87 @@
 - module: salesforce
 
-  apex-rest:
+  apex:
     enabled: false
+    var.api_version: 56
 
-    # Oauth Client ID
-    #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+    var.jwt_enabled: true
 
-    # Oauth Client Secret
-    #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+    var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+    var.client_username: "[email protected]"
+    var.client_key_path: client_key.pem
+    var.jwt_url: https://login.salesforce.com
 
-    # Oauth Token URL
-    #var.token_url: "https://login.salesforce.com/services/oauth2/token"
+    var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+    var.token_url: "https://login.salesforce.com"
+    var.user: "[email protected]"
+    var.password: "P@$$W0₹D"
 
-    # Oauth User, should include the User mail
-    #var.user: "[email protected]"
-
-    # Oauth password, should include the User password
-    #var.password: "P@$$W0₹D"
-
-    # URL, should include the instance_url
-    #var.url: "https://instance_id.my.salesforce.com"
+    var.url: "https://instance_id.my.salesforce.com"
+    var.elf_interval: 1h
 
-  login-rest:
-    enabled: false
-
-    # Oauth Client ID
-    #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-
-    # Oauth Client Secret
-    #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-
-    # Oauth Token URL
-    #var.token_url: "https://login.salesforce.com/services/oauth2/token"
-
-    # Oauth User, should include the User mail
-    #var.user: "[email protected]"
-
-    # Oauth password, should include the User password
-    #var.password: "P@$$W0₹D"
-
-    # URL, should include the instance_url
-    #var.url: "https://instance_id.my.salesforce.com"
-
-  login-stream:
-    enabled: false
-
-    # Oauth Client ID
-    #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-
-    # Oauth Client Secret
-    #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-
-    # Oauth Token URL
-    #var.token_url: "https://login.salesforce.com/services/oauth2/token"
-
-    # Oauth User, should include the User mail
-    #var.user: "[email protected]"
-
-    # Oauth password, should include the User password
-    #var.password: "P@$$W0₹D"
-
-    # URL, should include the instance_url
-    #var.url: "https://instance_id.my.salesforce.com"
-
-  logout-rest:
+  login:
     enabled: false
+    var.api_version: 56
 
-    # Oauth Client ID
-    #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-
-    # Oauth Client Secret
-    #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+    var.jwt_enabled: true
 
-    # Oauth Token URL
-    #var.token_url: "https://login.salesforce.com/services/oauth2/token"
+    var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+    var.client_username: "[email protected]"
+    var.client_key_path: client_key.pem
+    var.jwt_url: https://login.salesforce.com
 
-    # Oauth User, should include the User mail
-    #var.user: "[email protected]"
+    var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+    var.token_url: "https://login.salesforce.com"
+    var.user: "[email protected]"
+    var.password: "P@$$W0₹D"
 
-    # Oauth password, should include the User password
-    #var.password: "P@$$W0₹D"
+    var.url: "https://instance_id.my.salesforce.com"
 
-    # URL, should include the instance_url
-    #var.url: "https://instance_id.my.salesforce.com"
+    var.event_log_file: true
+    var.elf_interval: 1h
+    var.real_time: true
+    var.real_time_interval: 5m
 
-  logout-stream:
+  logout:
     enabled: false
+    var.api_version: 56
 
-    # Oauth Client ID
-    #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-
-    # Oauth Client Secret
-    #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+    var.jwt_enabled: true
 
-    # Oauth Token URL
-    #var.token_url: "https://login.salesforce.com/services/oauth2/token"
+    var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+    var.client_username: "[email protected]"
+    var.client_key_path: client_key.pem
+    var.jwt_url: https://login.salesforce.com
 
-    # Oauth User, should include the User mail
-    #var.user: "[email protected]"
+    var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+    var.token_url: "https://login.salesforce.com"
+    var.user: "[email protected]"
+    var.password: "P@$$W0₹D"
 
-    # Oauth password, should include the User password
-    #var.password: "P@$$W0₹D"
+    var.url: "https://instance_id.my.salesforce.com"
 
-    # URL, should include the instance_url
-    #var.url: "https://instance_id.my.salesforce.com"
+    var.event_log_file: true
+    var.elf_interval: 1h
+    var.real_time: true
+    var.real_time_interval: 5m
 
-  setupaudittrail-rest:
+  setupaudittrail:
     enabled: false
+    var.api_version: 56
 
-    # Oauth Client ID
-    #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-
-    # Oauth Client Secret
-    #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-
-    # Oauth Token URL
-    #var.token_url: "https://login.salesforce.com/services/oauth2/token"
+    var.jwt_enabled: true
 
-    # Oauth User, should include the User mail
-    #var.user: "[email protected]"
+    var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+    var.client_username: "[email protected]"
+    var.client_key_path: client_key.pem
+    var.jwt_url: https://login.salesforce.com
 
-    # Oauth password, should include the User password
-    #var.password: "P@$$W0₹D"
+    var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+    var.token_url: "https://login.salesforce.com"
+    var.user: "[email protected]"
+    var.password: "P@$$W0₹D"
 
-    # URL, should include the instance_url
-    #var.url: "https://instance_id.my.salesforce.com"
+    var.url: "https://instance_id.my.salesforce.com"
 
-    # Interval, should include the time interval
-    #var.interval: 1h
+    var.real_time: true
+    var.real_time_interval: 5m

x-pack/filebeat/module/salesforce/apex/config/apex.yml

@@ -0,0 +1,79 @@
+{{ if eq .input "salesforce" }}
+
+type: salesforce
+enabled: true
+{{ if .api_version }}
+version: {{ .api_version }}
+{{ end }}
+auth.oauth2:
+{{ if .jwt_enabled }}
+  jwt_bearer_flow:
+    enabled: true
+    {{ if .client_id }}
+    client.id: {{ .client_id }}
+    {{ end }}
+    {{ if .client_username }}
+    client.username: {{ .client_username }}
+    {{ end }}
+    {{ if .client_key_path }}
+    client.key_path: {{ .client_key_path }}
+    {{ end }}
+    {{ if .jwt_url }}
+    url: {{ .jwt_url }}
+    {{ end }}
+{{ else }}
+  user_password_flow:
+    enabled: true
+    {{ if .client_id }}
+    client.id: {{ .client_id }}
+    {{ end }}
+    {{ if .client_secret }}
+    client.secret: {{ .client_secret }}
+    {{ end }}
+    {{ if .token_url }}
+    token_url: {{ .token_url }}
+    {{ end }}
+    {{ if .username }}
+    username: {{ .username }}
+    {{ end }}
+    {{ if .password }}
+    password: {{ .password }}
+    {{ end }}
+{{ end }}
+# Query params will be overwritten by request.transforms from start of the input and 
+# it is to indicate that this url is for Apex type of events as cursor stores the url as source.
+# Each filebeat input cursor source needs to be uniquely identified with a name.
+url: {{ .url }}
+event_monitoring_method:
+  event_log_file:
+    enabled: true
+    interval: {{ .elf_interval }}
+    query:
+      default: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND (EventType = 'ApexCallout' OR EventType = 'ApexExecution' OR EventType = 'ApexRestApi' OR EventType = 'ApexSoap' OR EventType = 'ApexTrigger' OR EventType = 'ExternalCustomApexCallout') ORDER BY LogDate ASC NULLS FIRST"
+      value: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND CreatedDate > [[ .cursor.event_log_file.last_event_time ]] AND (EventType = 'ApexCallout' OR EventType = 'ApexExecution' OR EventType = 'ApexRestApi' OR EventType = 'ApexSoap' OR EventType = 'ApexTrigger' OR EventType = 'ExternalCustomApexCallout') ORDER BY LogDate ASC NULLS FIRST"
+    cursor:
+      field: "CreatedDate"
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+  - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+  - decode_json_fields:
+      fields: [message]
+      target: "json"
+  - add_fields:
+      target: ''
+      fields:
+        ecs.version: 1.12.0
+  - add_locale: ~

x-pack/filebeat/module/salesforce/apex/manifest.yml

@@ -0,0 +1,24 @@
+module_version: 1.0
+
+var:
+  - name: input
+    default: salesforce
+  - name: tags
+    default: [salesforce-apex,forwarded]
+  - name: api_version
+  - name: jwt_enabled
+  - name: client_id
+  - name: client_username
+  - name: client_key_path
+  - name: jwt_url
+  - name: client_secret
+  - name: token_url
+  - name: user
+  - name: password
+  - name: url
+  - name: elf_interval
+    default: 1h
+
+ingest_pipeline:
+  - ingest/pipeline.yml
+input: config/apex.yml