
Event Monitoring Settings

Event Monitoring Settings is the Setup page where Salesforce admins configure how Event Monitoring data is captured, retained, and surfaced.

§ 01

Definition

Event Monitoring Settings is the Setup page where Salesforce admins configure how Event Monitoring data is captured, retained, and surfaced. Event Monitoring is the paid Shield add-on that produces fine-grained event logs for user activity: API calls, Apex executions, report runs, dashboard views, login events, file downloads, list view exports, and 70+ other event types. The settings page controls which event types stream in real time vs at end-of-day, how long the data is retained, and which storage objects receive the events.

Event Monitoring data flows through three surfaces. EventLogFile is the legacy daily-aggregated CSV-style log. Streaming Real-Time Event Monitoring delivers events as they happen through Platform Events, queryable in SOQL and consumable by external SIEM systems. Event Monitoring Analytics App is the CRM Analytics-powered visualization layer that turns the raw events into dashboards. The settings page lets admins decide which event types use which delivery channels and how long history is kept on each. Together with Transaction Security and Health Check, Event Monitoring forms the operational backbone of Salesforce security operations.

§ 02

How Event Monitoring captures and routes Salesforce activity

Event types: what Event Monitoring captures

Event Monitoring captures over 70 event types across categories:

  • Authentication: LoginEvent, LoginAsEvent, LogoutEvent
  • API access: ApiEvent, BulkApiResultEvent, RestApiEvent
  • Apex: ApexExecutionEvent, ApexCalloutEvent, ApexTriggerEvent
  • Reports and dashboards: ReportEvent, ReportAnomalyEvent, DashboardEvent
  • Files: FilesEvent, ContentTransferEvent
  • List views and exports: ListViewEvent, BulkApiResultEvent

Each event type is a row in the EventLogFile object (for daily logs) or a Platform Event (for real-time streaming). The payload includes the user, IP, timestamp, and event-specific fields. The breadth of coverage is what makes Event Monitoring the most comprehensive observability product on the Salesforce platform.

Streaming vs daily aggregation

Event Monitoring has two delivery modes. Daily aggregation produces an EventLogFile per event type, per day. The platform writes the file at end-of-day, and admins query it through SOQL or download it through the API. Streaming Real-Time Event Monitoring delivers events as Platform Events within seconds of the action. Streaming is required for Transaction Security policies and real-time alerting. Daily aggregation is sufficient for batch analytics and weekly compliance reports. Most orgs use both: streaming for security-relevant event types (LoginEvent, ApiAnomaly, CredentialStuffing), daily for everything else (file downloads, light usage analytics).

Retention: 30 days on platform, longer with archival

EventLogFile retention is 30 days by default. After that, the platform purges the files. Customers who need longer retention can buy Event Monitoring Plus, which extends the on-platform retention. Most orgs combine the 30-day on-platform window with an external archive: a CI job or scheduled Apex pulls the EventLogFile rows daily and pushes them to S3, Splunk, or another SIEM. Streaming Real-Time events are not stored on the platform at all; they are consumed in flight by Platform Event subscribers or written to Big Objects by an Apex subscriber.

Event Monitoring Analytics App

The Event Monitoring Analytics App is a CRM Analytics-powered dashboard suite that visualizes EventLogFile data. Out of the box, it includes dashboards for User Activity, API Usage, Report and Dashboard Usage, Login Forensics, and Adoption Metrics. The app deploys as a managed package and refreshes daily from the EventLogFile data. For most security and IT teams, this is the starting point: a turnkey set of dashboards that surface the data without writing custom SOQL or visualizations.

Integration with external SIEMs

Most enterprise customers connect Event Monitoring to an external SIEM (Splunk, Sumo Logic, Datadog, Microsoft Sentinel). The integration uses either daily EventLogFile pulls (a scheduled job downloads the files and ingests them) or streaming Platform Event subscribers (an external system subscribes to the real-time event stream and ingests as events arrive). The SIEM is where cross-product correlation happens: a Salesforce login from an unusual IP gets correlated with a VPN login from the same IP and a sensitive document access in SharePoint. Event Monitoring is the Salesforce-side source feed for that correlation.
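The correlation described above, sketched as SIEM-side detection logic. This is an added example, not code from the original page or from Salesforce; the normalized record layout, the per-user IP baseline, the 30-minute window and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed, already-normalized SIEM records (field names are assumptions).
EVENTS = [
    {"src": "vpn", "user": "a.lee", "ip": "203.0.113.7", "ts": "2024-06-30T08:55:00"},
    {"src": "salesforce", "user": "a.lee", "ip": "203.0.113.7", "ts": "2024-06-30T09:02:00"},
    {"src": "sharepoint", "user": "a.lee", "ip": "203.0.113.7", "ts": "2024-06-30T09:10:00"},
    {"src": "salesforce", "user": "b.kim", "ip": "198.51.100.4", "ts": "2024-06-30T09:05:00"},
    {"src": "salesforce", "user": "c.roy", "ip": "192.0.2.50", "ts": "2024-06-30T10:00:00"},
    {"src": "vpn", "user": "c.roy", "ip": "192.0.2.50", "ts": "2024-06-30T14:00:00"},
]
# Hypothetical baseline: IPs each user normally logs in to Salesforce from.
BASELINE = {
    "a.lee": {"198.51.100.20"},
    "b.kim": {"198.51.100.4"},
    "c.roy": {"198.51.100.9"},
}


def correlate(events, baseline, window=timedelta(minutes=30)):
    """For each Salesforce login from an IP outside the user's baseline,
    list the other sources that saw the same IP within the time window."""
    alerts = []
    for sf in events:
        if sf["src"] != "salesforce":
            continue
        if sf["ip"] in baseline.get(sf["user"], set()):
            continue  # usual IP for this user, nothing to correlate
        t0 = datetime.fromisoformat(sf["ts"])
        related = sorted({
            e["src"] for e in events
            if e["src"] != "salesforce" and e["ip"] == sf["ip"]
            and abs(datetime.fromisoformat(e["ts"]) - t0) <= window
        })
        # Same IP on VPN and on a sensitive document access raises severity.
        severity = "high" if {"vpn", "sharepoint"} <= set(related) else "review"
        alerts.append({"user": sf["user"], "ip": sf["ip"],
                       "related": related, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, BASELINE):
        print(alert)
```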

Licensing: Event Monitoring vs Event Monitoring Plus vs Shield

Three SKUs exist. Standalone Event Monitoring includes the daily EventLogFile and the analytics app, with 30-day retention. Event Monitoring Plus adds Streaming Real-Time events and Transaction Security integration. Salesforce Shield bundles Event Monitoring Plus with Field Audit Trail (longer history) and Platform Encryption. Most enterprises buy Shield as the integrated package, which is also the most cost-effective path if multiple security products are needed.

Settings page: where to configure

Event Monitoring Settings lives at Setup, Security, Event Monitoring Settings (on orgs with the add-on enabled). The page lets admins toggle individual event types on or off, configure retention extensions for specific event types, view current event volume per type, and link to the related Transaction Security policy page. Most admins do not need to change defaults: Event Monitoring captures everything by default once licensed. The settings page is more relevant for orgs that want to disable specific high-volume event types they cannot consume downstream, like ApiEvent in an API-heavy integration org.

§ 03

Configuring Event Monitoring for security operations

Configuring Event Monitoring is mostly about consumption rather than setup. The platform captures events by default once licensed. The work is on the downstream side: enabling streaming for security-critical event types, building SIEM integrations, and deploying the analytics app.

  1. Confirm Event Monitoring licensing

    In Setup, enter Event Monitoring in Quick Find. If the page does not appear, the org does not have the license. Confirm with the Salesforce account team. Event Monitoring is included in Shield and available standalone.

  2. Open Event Monitoring Settings

    Setup, Security, Event Monitoring Settings. The page lists every event type, its delivery mode (streaming, daily, both), and current daily volume.

  3. Enable streaming on security-critical event types

    LoginEvent, LoginAsEvent, ApiEvent, CredentialStuffingEvent, ReportEvent, ReportAnomalyEvent. Switch each to Streaming. The change takes effect within an hour. Streaming is required for real-time Transaction Security policies.

  4. Install the Event Monitoring Analytics App

    From AppExchange or the App Manager, install Event Monitoring Analytics App. The app deploys CRM Analytics dashboards (User Activity, API Usage, Report Forensics) that refresh daily from EventLogFile data.

  5. Set up SIEM integration

    For external archival: schedule a job (Apex Scheduled, MuleSoft, or CI cron) that pulls EventLogFile rows daily and pushes to the SIEM. For real-time: build a Platform Event subscriber (Apex, external client) that consumes streaming events as they arrive.

  6. Build Transaction Security policies on streaming events

    Open Transaction Security Policies, create new policies on the streaming event types. The policies fire in real time against the same event stream Event Monitoring captures. This is the action layer on top of the observability layer.

  7. Plan retention extensions if needed

    Event Monitoring retention is 30 days on platform. For compliance-driven longer retention, the choices are Event Monitoring Plus (extended on-platform retention) or external SIEM archival. Most orgs pick external archival.
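One way to drive the daily archive job from steps 5 and 7: work out which EventLogFile records are not yet archived, order them by how close they are to the 30-day purge, and list days with no file for a given event type. This is an added example, not code from the original page or from Salesforce; the sample records, the placeholder Ids and the archive-state set are constructed, and the SOQL string is shown for reference rather than executed.

```python
from datetime import date, timedelta

RETENTION_DAYS = 30  # on-platform EventLogFile retention stated on this page

# Query the archive job would send to the org (reference only; not executed here).
SOQL = ("SELECT Id, EventType, LogDate, LogFileLength FROM EventLogFile "
        "WHERE LogDate = LAST_N_DAYS:30")

# Constructed sample of query results; Ids are placeholders, not real record Ids.
SAMPLE = [
    {"Id": "ELF-0001", "EventType": "Login", "LogDate": "2024-06-29T00:00:00.000+0000"},
    {"Id": "ELF-0002", "EventType": "Login", "LogDate": "2024-06-03T00:00:00.000+0000"},
    {"Id": "ELF-0003", "EventType": "API", "LogDate": "2024-06-28T00:00:00.000+0000"},
    {"Id": "ELF-0004", "EventType": "Report", "LogDate": "2024-06-10T00:00:00.000+0000"},
]
# (EventType, day) pairs the archive already holds (hypothetical local state).
ARCHIVED = {("API", "2024-06-28")}


def plan_archive(records, archived, today, warn_days=7):
    """Return (to_fetch, at_risk): unarchived files, soonest purge first."""
    to_fetch = []
    for rec in records:
        day = rec["LogDate"][:10]
        if (rec["EventType"], day) in archived:
            continue  # already safe outside the platform
        age = (today - date.fromisoformat(day)).days
        to_fetch.append({"id": rec["Id"], "type": rec["EventType"],
                         "day": day, "days_left": RETENTION_DAYS - age})
    to_fetch.sort(key=lambda r: r["days_left"])
    at_risk = [r for r in to_fetch if r["days_left"] <= warn_days]
    return to_fetch, at_risk


def missing_days(records, event_type, start, end):
    """Days in [start, end] with no file for event_type. A gap means either no
    activity of that type or a disabled event type, so it deserves a look."""
    have = {r["LogDate"][:10] for r in records if r["EventType"] == event_type}
    span = (end - start).days + 1
    days = [(start + timedelta(d)).isoformat() for d in range(span)]
    return [d for d in days if d not in have]


if __name__ == "__main__":
    fetch, risk = plan_archive(SAMPLE, ARCHIVED, date(2024, 6, 30))
    for r in fetch:
        print(r["day"], r["type"], r["id"], "purged in", r["days_left"], "days")
    print("at risk:", [r["id"] for r in risk])
    print("Login gaps:", missing_days(SAMPLE, "Login", date(2024, 6, 27), date(2024, 6, 29)))
```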

Key options
Event type toggle

Per-event-type enable/disable. Default is enabled for all types once licensed. Disable selectively if the org cannot consume the volume downstream.

Delivery mode

Daily EventLogFile, Streaming Real-Time, or both. Streaming is required for real-time Transaction Security policies; daily for batch analytics.

Retention

30 days on platform by default. Extended retention requires Event Monitoring Plus or external SIEM archival.

Event Monitoring Analytics App

Pre-built CRM Analytics dashboards for User Activity, API Usage, Report Forensics. Deployed as a managed package, refreshed daily.

Platform Event subscriber

Apex or external client that consumes streaming events. Used to ingest events into Big Objects or external SIEMs.

Gotchas
  • Event Monitoring retention is 30 days on platform. Anything older is purged unless you archived to a SIEM. Plan the integration before you need the historical data.
  • Streaming is required for Transaction Security real-time policies. Daily EventLogFile delivery is too slow to drive Block actions on suspicious behavior.
  • ApiEvent volume can be enormous in API-heavy orgs. A single integration making 100K calls per day produces 100K event rows. Plan the SIEM ingestion capacity before enabling streaming on ApiEvent.
  • The Event Monitoring Analytics App is a managed package. Customizing the dashboards inside the package is blocked. Clone to custom dashboards if you need to extend.
  • Event Monitoring is not Field History Tracking and not Setup Audit Trail. Each captures different signals. Operational security needs all three.

About the Author

Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals.

§

Test your knowledge

Q1. Can a Salesforce admin configure Event Monitoring Settings without writing code?

Q2. Why is understanding Event Monitoring Settings important for Salesforce admins?

Q3. In which area of Salesforce would you typically find Event Monitoring Settings?
