AUTOMATED SALESFORCE ELF ARCHIVING FOR SECURITY COMPLIANCE
OVERVIEW
A global enterprise operating multiple Salesforce orgs needed a reliable way to retain event log file (ELF) data beyond Salesforce’s default 30-day retention window. Their teams frequently investigated incidents months after they occurred, but vital logs were already deleted. We built an automated, scalable solution that archives all Salesforce event logs daily, ensuring long-term visibility and compliance.
THE CHALLENGE
Salesforce event logs are retained for just 30 days. For a large, high-traffic enterprise, this created a major security gap: if an incident was discovered months later, the necessary logs no longer existed. Downloading these event logs manually was not feasible because Salesforce only allows per-day, per-event-type retrieval — meaning dozens of downloads each day for the Salesforce org. The organization needed a centralized, automated, and compliant way to retain 18 months of event log data across multiple divisions.
OUR SOLUTION
We designed and implemented a fully automated log-archiving integration that retrieves every Salesforce event log type every day and stores it in an Amazon S3 bucket with a clean, predictable folder hierarchy. An AWS Lambda function runs daily, calling Salesforce APIs to pull each event type for the previous day, plus an additional backfill day to ensure coverage during outages. Each log is saved as a separate CSV file, organized by year, month, day, and event type. Existing files are safely overwritten to prevent duplication. S3 lifecycle rules automatically purge files after 18 months, meeting security protocol requirements without manual maintenance.
KEY FEATURES
- • Automated retrieval of all Salesforce event log types daily
• Two-day collection window for outage protection
• Structured S3 storage by year → month → day → event type
• Automatic file overwrite handling to avoid duplication
• S3 lifecycle policy for 18-month retention and auto-deletion
GLOBAL IMPACT/RESULTS
- • Ensured compliance with strict 18-month log retention requirements
• Eliminated manual downloading of hundreds of log files
• Provided reliable visibility into historical incidents well beyond Salesforce’s 30-day limit
• Improved security posture across multiple business units
• Delivered a scalable framework now used across multiple internal programs
TECHNOLOGIES & SERVICES
AWS Lambda — automated daily event-driven processing
Amazon S3 — structured, durable log storage with lifecycle policies
Salesforce APIs — event log file retrieval
CloudWatch Events / EventBridge — scheduled Lambda execution
CloudWatch Alarms - sends automated notifications in case of an error
CONCLUSION
This automation ensures long-term log visibility, strengthens incident response, and brings the Salesforce org into full compliance with internal security protocols. By eliminating manual effort and centralizing archival, the organization is now equipped with a scalable, repeatable pattern for secure data retention across all current and future teams.