How do I resolve the error "did not pass configuration check" when onboarding Salesforce logs to Panther?
ISSUE
Why am I getting one of the following errors when trying to onboard staging tenant Salesforce logs using Panther's native integration?
Source CB Cloud Staging test did not pass configuration check because: eventMonitoring: authentication failed with HTTP status code 500: unable to authenticate [INVALID_LOGIN: Invalid username, password, security token; or user locked out.]
or
Source Salesforce did not pass configuration check because: SOQL file list request failed with API error code INVALID_FIELD: EventType, LogDate, CreatedDate, Sequence, Interval From EventLogFile ...
RESOLUTION
Make sure you are onboarding Salesforce production tenant logs.
For INVALID_LOGIN errors: to onboard other kinds of Salesforce environments, such as Sandboxes, proceed manually: upload your Salesforce logs to an S3 bucket in Panther's supported format, create a custom schema, and then ingest your logs using that custom schema.
For INVALID_FIELD errors: edit the log source in Panther, and change the pull frequency from Hourly to Daily.
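For the manual S3 route described for INVALID_LOGIN errors, the logs have to be reshaped before upload. The following is an added example, not code from Panther or Salesforce: it converts a Salesforce EventLogFile CSV export into JSON lines. It assumes JSON lines is the upload format you choose; the sample rows are constructed, and the function names are hypothetical.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample of an EventLogFile CSV export (Login event type).
SAMPLE_CSV = (
    '"EVENT_TYPE","TIMESTAMP","REQUEST_ID","USER_ID","SOURCE_IP","LOGIN_STATUS"\n'
    '"Login","20240102030405.678","REQ-0001","005000000000001",'
    '"203.0.113.10","LOGIN_NO_ERROR"\n'
    '"Login","20240102030500.000","REQ-0002","",'
    '"203.0.113.11","LOGIN_ERROR_INVALID_PASSWORD"\n'
)


def parse_sf_timestamp(raw):
    """Convert the EventLogFile TIMESTAMP (yyyyMMddHHmmss.SSS, GMT) to RFC 3339."""
    dt = datetime.strptime(raw, "%Y%m%d%H%M%S.%f").replace(tzinfo=timezone.utc)
    return dt.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def csv_to_json_lines(csv_text):
    """Return one JSON document per CSV row, ready to write to an S3 object."""
    lines = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Drop empty columns so the custom schema can treat them as absent
        # fields instead of empty strings.
        event = {k.lower(): v for k, v in row.items() if v not in ("", None)}
        if "timestamp" in event:
            # Normalize to one unambiguous format for the schema's event time.
            event["timestamp"] = parse_sf_timestamp(event["timestamp"])
        lines.append(json.dumps(event, sort_keys=True))
    return lines


if __name__ == "__main__":
    print("\n".join(csv_to_json_lines(SAMPLE_CSV)))
```

Each event type in EventLogFile has its own column set, so the custom schema should be written against the converted output of the event types you actually export.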
CAUSE
For INVALID_LOGIN errors: this can occur if you attempt to ingest staging logs from Salesforce. Panther's native integration currently supports only Salesforce production environments.
For INVALID_FIELD errors: this can occur when the Salesforce instance isn't properly configured for hourly log pulling.