This document discusses the manner in which the GRAX application streams application logs, the content of said logs, and the security implications of such behavior.
GRAX is designed to operate in secure, restrictive environments that minimize the ingress and egress paths available as well as those that don't allow any vendor access. As such, Log Streaming is an authenticated egress-only zero-infrastructure-access method of making your logs available to GRAX Engineering for the sake of supportability and bug fixing. Without such a feature, GRAX Support is flying blind when it comes to application failures in your environment.
Before diving deeper, some key points:
- GRAX logging never contains your Salesforce records or any system secrets.
- Logs utilize the same authenticated hq.grax.com connection as licensing and telemetry.
- Access to these logs is tightly controlled internally at GRAX.
- Logs are only retained for 15 days by default.
- This functionality cannot be disabled.
Log Streaming is a forward-only live collector of logs and does not transmit logs from an earlier point in time.
Logs emitted by GRAX never contain customer CRM data, PII, or secrets. These logs are intentionally designed to be useful for GRAX engineers; as such, they contain:
- Source Function Names
- Source File Names
- Function Timing Information
- API Request Methods
- API Request Paths
- CPU Performance Metrics / Profiles
- Memory Performance Metrics / Profiles
- Storage Performance Metrics / Profiles
- Function Metadata (Object Names, Batch Sizes, Record Counts, etc.)
As you can see, the data logged within the GRAX logging system is strictly related to operation and performance of the GRAX application, with no exposure of protected data at any time.
Your logs are only visible to the engineers who directly support and manage operation of the GRAX application. For more information about security controls, audits, and compliance, see here.
Updated 3 months ago