Using Event Monitoring
These examples use REST API event monitoring data that contains information useful for
assessing org usage trends and user behavior. Event monitoring is accessed through the Lightning
Platform SOAP API and REST API by way of the EventLogFile object. Therefore, you can integrate
log data with your own back-end storage and data marts to correlate data from multiple orgs and
across disparate systems.
- Log files can be created within three days of generation. In the unlikely case where no log files are created for three days, contact Salesforce Customer Support.
- Log data is read only. You can’t insert, update, or delete log data. However, you can delete event log files.
- To determine which files were generated for your org, use the EventType field.
- An event generates log data in real time. However, daily log files are generated during nonpeak hours the day after an event takes place. Therefore, daily log file data is unavailable for at least 1 day after an event. For hourly log files, depending on event delivery and final processing time, expect an event to take 3–6 hours from the time of the event to be available in the log file. However, it can take longer.
- Log files are generated only when at least one event of a type, represented by the EventType field, occurs for the day or hour. If no events took place, the file isn’t generated.
- Log files are available for 30 days after their CreatedDate in orgs with Event Monitoring licenses, after which they’re automatically deleted. In all Developer Edition orgs, log files are available for 1 day.
- All event monitoring logs are exposed to the API through the EventLogFile object. However, there’s no access through the user interface, except through the Event Monitoring Analytics app.
- Log files don’t count towards your org’s data or file storage allocations.
- Event Monitoring log files aren’t a system of record for user activity. They’re a source of truth, but they aren’t durable. During Salesforce site switches, instance refreshes, or unplanned system outages, data loss can occur. For example, if Salesforce moves your production org instance, your event log files can have a gap in data. Salesforce makes commercially reasonable efforts to preserve event log file data integrity and avoid data loss. When Salesforce performs a site switch or instance refresh, it uses an automated process to replicate event logs.
- Hourly event log files are provided for you to review events in your orgs on an accelerated basis. However, it’s possible that you don’t get all event log data in hourly event log files, especially during site switches, instance refreshes, or unplanned system outages. For complete data, use the daily log files.
- If event transmission failures take too long to recover from, log files are retransmitted to ensure that they’re delivered at least one time. As a result, latent log files can sometimes contain duplicate event data. When your application consumes latent log files, make sure that your application handles duplicate event delivery.
- When a daily incremental log file is delivered, a new file replaces the original file with the full set of available logs for that date. To ensure that you’re looking at the most recent log file, check the CreatedDate field.
- We recommend that you always query the EventLogFile object for new log files to ensure that you also include latent ones. To identify newly created log files, use the EventLogFile CreatedDate field. Hourly and daily incremental logs are delivered differently. For details, see Differences Between Hourly and 24-Hour Event Logs.
All queries and examples in this section require the View Event Log Files and API Enabled user permissions. Users with the View All Data permission can also view event monitoring data.
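The following is an added example, not part of the Salesforce documentation, showing how a consumer can apply the guidance above on latent files, replaced daily files, and duplicate event delivery. The function names, the record dictionaries, the sample IDs and CSV rows, and the choice of a whole-row hash as the duplicate key are assumptions made for illustration.

```python
import csv
import hashlib
import io
from datetime import datetime

TS = "%Y-%m-%dT%H:%M:%S.%f%z"  # datetime format used in the sample records

def parse(ts):
    return datetime.strptime(ts, TS)

def files_to_fetch(records, watermark):
    """Select by CreatedDate (not LogDate) so latent files are included.
    For Daily files keep only the newest file per (EventType, LogDate)."""
    newest, hourly = {}, []
    for r in records:
        if parse(r["CreatedDate"]) <= parse(watermark):
            continue  # already handled in an earlier poll
        if r["Interval"] != "Daily":
            hourly.append(r)
            continue
        key = (r["EventType"], r["LogDate"])
        if key not in newest or parse(r["CreatedDate"]) > parse(newest[key]["CreatedDate"]):
            newest[key] = r
    return sorted(hourly + list(newest.values()), key=lambda r: parse(r["CreatedDate"]))

def ingest(csv_text, seen):
    """Return only rows not ingested before. The duplicate key is a hash of
    the whole row (assumption: a redelivered event is an identical CSV row)."""
    fresh = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        digest = hashlib.sha256("\x1f".join(f"{v}" for v in row.values()).encode()).hexdigest()
        if digest not in seen:
            seen.add(digest)
            fresh.append(row)
    return fresh

# Constructed sample EventLogFile records and log content, not real org data.
RECORDS = [
    {"Id": "SAMPLE-A", "EventType": "Login", "Interval": "Daily",
     "LogDate": "2024-05-01T00:00:00.000+0000", "CreatedDate": "2024-05-02T03:10:00.000+0000"},
    {"Id": "SAMPLE-B", "EventType": "Login", "Interval": "Daily",  # later file for the same date
     "LogDate": "2024-05-01T00:00:00.000+0000", "CreatedDate": "2024-05-03T04:00:00.000+0000"},
    {"Id": "SAMPLE-C", "EventType": "API", "Interval": "Hourly",
     "LogDate": "2024-05-02T10:00:00.000+0000", "CreatedDate": "2024-05-02T14:20:00.000+0000"},
]
CSV_A = '"EVENT_TYPE","TIMESTAMP","REQUEST_ID"\n"Login","20240501101500.000","r1"\n'
CSV_B = CSV_A + '"Login","20240501221500.000","r2"\n'  # full set for the date
```

Persist the `seen` set and the highest CreatedDate processed between polls so that a file delivered late or redelivered does not produce duplicate rows in downstream storage.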