How do I resolve the error "did not pass configuration check" when onboarding Salesforce logs to Panther?

Last updated: May 20, 2026

ISSUE

Why am I getting one of the following errors when trying to onboard Salesforce logs to Panther?

Source CB Cloud Staging test did not pass configuration check because: eventMonitoring: authentication failed with HTTP status code 500: unable to authenticate [INVALID_LOGIN: Invalid username, password, security token; or user locked out.]

or

Source Salesforce did not pass configuration check because: SOQL file list request failed with API error code INVALID_FIELD: EventType, LogDate, CreatedDate, Sequence, Interval From EventLogFile ...

or

Source Salesforce did not pass configuration check because: eventMonitoring: SOAP API login HTTP request failed...

RESOLUTION

Make sure you are onboarding Salesforce production or Sandbox tenant logs. Staginglogs are not supported.

For INVALID_LOGIN errors: In order to onboard different kinds of Salesforce environments such as Sandboxes, you can proceed manually by uploading your Salesforce logs to an S3 bucket in Panther's supported format, creating a custom schema, and then ingesting your logs using your custom schema.

You can also check the following steps in order to address this error message:

  • Try to manually log in to Salesforce. This in order to examine whether the account is locked or perhaps deactivated.

  • Check if there have been any recent failed login attempts that might have triggered a lockout.

  • Try updating the credentials (both password and security token).

Perhaps the account may have experienced a lockout during the password reset process, which can sometimes leave the API access in an inconsistent state even if manual login works.

To make sure everything is fresh and clear, try the following steps:

  1. Unlock the account in Salesforce explicitly. Even if the account appears active, this action is expected to clear any API-level lock state.

  2. Reset the password again now that the account is unlocked. This ensures that the credentials are brand new and not associated with the lockout event.

  3. Generate a new security token. Kindly note that each password reset probably invalidates the previous token, so a fresh token is needed after step 2.

  4. Update your log source in Panther by entering the new password and new security token in the Salesforce Event Monitoring log source configuration and save.

For INVALID_FIELD or API failed errors: Edit the log source in Panther, and change the pull frequency from Hourly to Daily. Also ensure that Event Monitoring is Enabled.

For [CLIENT_NOT_ACCESSIBLE_FOR_USER: Sorry, your administrator has blocked access to this client.] : check the API Access Control settings in Salesforce.

If "For Admin-approved users, limit API access to allowlisted connected apps" is enabled, ensure that the 'Use Any API client' permission is checked on the Permission Set.

api access control.png

CAUSE

For INVALID_LOGIN errors: this can occur if you attempt to ingest staging logs from Salesforce. 

For INVALID_FIELD errors: this can occur when the Salesforce instance isn't properly configured for hourly log pulling.