Endpoint Central SIEM Integration | WOTECH

Endpoint Central (EPC) has no syslog forwarding feature for the audit log of operations performed in its console.

Instead, one of two methods can be used to get these events into a SIEM.

1) Pulling the audit log via the REST API.

API Details:
API Endpoint: /emsapi/server/auditLogs
API Description: Fetches the event log of actions performed in the Endpoint Central console for the requested time frame. The API is exposed for customers who run their own third-party log collection tools that pull an application's event logs and post them to a SIEM.
Supported HTTP Method: GET

For On-Premise:
Follow the procedure at https://www.manageengine.com/products/desktop-central/api/ to generate an API token. The token authenticates as the technician who generated it (the rate limit below is counted per technician), so generate it from a dedicated technician account used only for log collection and keep it in a secret store rather than in the collector's configuration file.

Rate Limits:
The API can be called at most 30 times per 5 minutes per technician.
With the server-side limit of 5,000 records per call, a single technician can therefore fetch at most 150,000 (1.5 lakh) events per 5 minutes. If a time window holds more events than that, split it into smaller windows and spread the calls over several 5-minute periods.
API Request Parameters:
GET /emsapi/server/auditLogs?startTime=...&endTime=...&page=...
Filters:
startTime - start of the window, as epoch time in milliseconds
endTime - end of the window, as epoch time in milliseconds
eventModule - optional comma-separated list of modules (default: all modules)
Row limit:
page - page number, for multi-page responses
pageLimit - optional number of records per page (default 5000, minimum 100)
Header:
Accept - application/auditlogsdata.v1+json



For EC On-Premise:
List of modules (subject to change):
EC On-Premise - AD Reports, Application Control, BMP, BitLocker Management, Chat, Compliance, Configuration, Custom Group, DLP, Database Backup, Device Control, Edr, Emergency Mitigations, Forwarding Server, General, Help Desk, Integrations, Inventory Mgmt, MDM, Maintenance Window, OS Deployer, Patch Mgmt, Privacy Settings, Remote Control, Query Reports, Remote DB Access, Remote Shutdown, Report Exported, Reports, Schedule, Security Settings, SoM, Software Deployment, System Manager, System Tools, User Management, Wake On LAN
Note that the sample response below reports the module as "Configurations" while this list says "Configuration"; check the exact value your server returns before relying on the eventModule filter.

API Response Parameters:
{
  "messageResponse": [ ],
  "metadata": {
    "page": Long,
    "pageLimit": Long,
    "total": Long,
    "totalPages": Long,
    "links": {
      "next": String
    }
  },
  "status": "success",
  "messageVersion": "v1",
  "messageType": "auditLogs"
}
where,
messageResponse - the array of audit records (see the sample response below)
page - current page number
pageLimit - maximum records per page
total - total number of records available
totalPages - total number of pages
links - relative URL of the next page, which can be requested as-is against the same host
Sample Request:
GET /emsapi/server/auditLogs?page=1&startTime=1677609000000&endTime=1680201000000 HTTP/1.1
Host: <Endpoint Central URL>
Content-Type: application/auditlogsdata.v1+json
For On-Premise:
Authorization: <token>
(The header list above names this media type under Accept while the sample sends it as Content-Type; a GET carries no body, so sending it as both is harmless.)

Sample response:
{
  "metadata": {
    "pageLimit": 5000,
    "total": "3",
    "totalPages": 1,
    "page": 0,
    "links": {
      "next": "/emsapi/server/auditLogs?&endTime=1695364960919&startTime=1695364960202&page=1"
    }
  },
  "messageResponse": [
    {
      "hostName": "ManageEngine Endpoint Central 11",
      "module": "User Management",
      "priority": "Information",
      "timeDuration": "0",
      "application": "ManageEngine Endpoint Central 11",
      "computerName": "--",
      "domainName": "--",
      "viewerIp": "--",
      "eventTime": "1695365222646",
      "userIp": "172.21.148.119",
      "startTime": "--",
      "endTime": "--",
      "remarks": "The host 172.21.148.119 is connected as admin with Administrator role",
      "userName": "admin",
      "startTimeISO": "--",
      "endTimeISO": "--",
      "eventTimeISO": "2023-09-22T12:17:02.646+05:30"
    },
    {
      "hostName": "ManageEngine Endpoint Central 11",
      "module": "User Management",
      "priority": "Information",
      "timeDuration": "0",
      "application": "ManageEngine Endpoint Central 11",
      "computerName": "--",
      "domainName": "--",
      "viewerIp": "--",
      "eventTime": "1695365162253",
      "userIp": "127.0.0.1",
      "startTime": "--",
      "endTime": "--",
      "remarks": "The host 127.0.0.1 is connected as null with null role",
      "userName": "--",
      "startTimeISO": "--",
      "endTimeISO": "--",
      "eventTimeISO": "2023-09-22T12:16:02.253+05:30"
    },
    {
      "hostName": "ManageEngine Endpoint Central 11",
      "module": "Configurations",
      "priority": "Information",
      "timeDuration": "0",
      "application": "ManageEngine Endpoint Central 11",
      "computerName": "--",
      "domainName": "--",
      "viewerIp": "--",
      "eventTime": "1695362922256",
      "userIp": "--",
      "startTime": "--",
      "endTime": "--",
      "remarks": "macOS PPPC Policy - \"PPPCConfigMacDriver\" is deployed sucessfully",
      "userName": "DC-SYSTEM-USER",
      "startTimeISO": "--",
      "endTimeISO": "--",
      "eventTimeISO": "2023-09-22T11:38:42.256+05:30"
    }
  ],
  "messagetype": "auditLogs",
  "messageversion": "v1",
  "status": "success"
}
Three details of this sample that a parser should tolerate: total is a string ("3") here although the schema above declares it Long; the messagetype and messageversion keys are lower-case here but camel-case in the schema; and metadata.page is 0 for a request made with page=1 while links.next points at page=1 even though totalPages is 1, so pagination should stop on totalPages or on an empty page rather than on the mere presence of a next link.
Sample request filtered to a single module:
GET /emsapi/server/auditLogs?page=1&startTime=1677609000000&endTime=1680201000000&eventModule=Configuration HTTP/1.1
Host: <Endpoint Central URL>
Content-Type: application/auditlogsdata.v1+json
For On-Premise:
Authorization: <token>
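The collection loop the API description implies (a window in epoch milliseconds, page/pageLimit, following links.next, and staying under 30 calls per 5 minutes), as an added example in Python that is not ManageEngine's code and not part of this page. It pulls one window, rate-limits itself, and converts each record to a CEF line a SIEM can ingest. The base URL, the token, the two constructed response pages in DEMO_PAGES, and the CEF field and severity mapping are assumptions; against a real server the default http_get transport is used instead of demo_transport.

```python
"""Pull Endpoint Central audit logs from /emsapi/server/auditLogs and emit CEF.

Added example, not ManageEngine's code. Endpoint, parameters, headers, rate limit
and response shape follow this page; the base URL, token, DEMO_PAGES and the CEF
field/severity mapping are ASSUMPTIONS made for the demo.
"""
import json
import time
import urllib.parse
import urllib.request
from collections import deque
ACCEPT = "application/auditlogsdata.v1+json"

class RateLimiter:
    """Sliding window: at most `calls` requests per `window` s (page: 30 per 5 min)."""
    def __init__(self, calls=30, window=300.0, clock=time.monotonic, sleep=time.sleep):
        self.calls, self.window, self.clock, self.sleep = calls, window, clock, sleep
        self.stamps = deque()

    def acquire(self):
        while True:
            now = self.clock()
            while self.stamps and now - self.stamps[0] >= self.window:
                self.stamps.popleft()
            if len(self.stamps) < self.calls:
                self.stamps.append(now)
                return
            self.sleep(self.window - (now - self.stamps[0]))

def http_get(url, headers):
    # Real transport: GET the URL and parse the JSON body.
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def fetch_audit_logs(base_url, token, start_ms, end_ms, modules=None,
                     page_limit=5000, transport=http_get, limiter=None):
    """Yield every record between start_ms and end_ms (epoch millis), page by page."""
    limiter = limiter or RateLimiter()
    # Parameter list names Accept, the sample request sends Content-Type: send both.
    headers = {"Accept": ACCEPT, "Content-Type": ACCEPT, "Authorization": token}
    params = {"startTime": start_ms, "endTime": end_ms, "page": 1, "pageLimit": page_limit}
    if modules:
        params["eventModule"] = ",".join(modules)
    path, pages = "/emsapi/server/auditLogs?" + urllib.parse.urlencode(params), 0
    while path:
        limiter.acquire()
        body = transport(base_url.rstrip("/") + path, headers)
        if body.get("status") != "success":
            raise RuntimeError("auditLogs returned status %r" % body.get("status"))
        records = body.get("messageResponse") or []
        yield from records
        pages += 1
        meta = body.get("metadata") or {}
        nxt = (meta.get("links") or {}).get("next")
        # Stop on an empty page or after totalPages pages, not only on a missing next
        # link: the sample response has totalPages=1 yet still carries a next link.
        if not nxt or not records or pages >= int(meta.get("totalPages") or 1):
            break
        path = nxt

def to_cef(rec):
    """One audit record -> one CEF:0 line (field and severity mapping: ASSUMPTION)."""
    hdr = lambda v: str(v).replace("\\", "\\\\").replace("|", "\\|")   # header escaping
    ext = lambda v: str(v).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")
    sev = {"Information": 3}.get(rec.get("priority"), 6)  # only "Information" is on the page
    fields = [("rt", rec.get("eventTime")), ("suser", rec.get("userName")),
              ("src", rec.get("userIp")), ("dhost", rec.get("computerName")),
              ("cs1Label", "module"), ("cs1", rec.get("module")), ("msg", rec.get("remarks"))]
    extension = " ".join("%s=%s" % (k, ext(v)) for k, v in fields if v not in (None, "--"))
    return "|".join(["CEF:0", "ManageEngine", "Endpoint Central", hdr(rec.get("application", "")),
                     hdr(rec.get("module", "")), hdr(str(rec.get("remarks", ""))[:60]),
                     str(sev), extension])

# Constructed two-page response set shaped like the sample response on this page.
APP = "ManageEngine Endpoint Central 11"
DEMO_PAGES = {
    1: {"status": "success",
        "metadata": {"page": 0, "pageLimit": 1, "total": 2, "totalPages": 2,
                     "links": {"next": "/emsapi/server/auditLogs?startTime=0&endTime=1&page=2"}},
        "messageResponse": [
            {"application": APP, "module": "User Management", "priority": "Information",
             "eventTime": "1695365222646", "userName": "admin", "userIp": "172.21.148.119",
             "computerName": "--", "remarks": "The host 172.21.148.119 is connected as admin"}]},
    2: {"status": "success",
        "metadata": {"page": 1, "pageLimit": 1, "total": 2, "totalPages": 2, "links": {"next": ""}},
        "messageResponse": [
            {"application": APP, "module": "Remote Control", "priority": "Information",
             "eventTime": "1695365300000", "userName": "helpdesk1", "userIp": "10.0.0.5",
             "computerName": "WS-042", "remarks": "Remote session started a=b"}]},
}

def demo_transport(url, headers):
    # Offline stand-in for http_get: serves DEMO_PAGES keyed by the page parameter.
    page = int(urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["page"][0])
    return DEMO_PAGES[page]

def demo():
    """Collect the constructed pages (2 records over 2 calls) and return CEF lines."""
    recs = fetch_audit_logs("https://ec.example.invalid:8383", "EXAMPLE-TOKEN",
                            1695360000000, 1695370000000, transport=demo_transport)
    return [to_cef(r) for r in recs]
```

The records carry no event id and the page does not say whether startTime and endTime are inclusive, so a scheduled collector should overlap consecutive windows by a few seconds and let the SIEM deduplicate on eventTime, module, userName and remarks; the "--" placeholders are dropped before they reach the CEF extension so they do not pollute host or user fields.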


2) Reading the audit log from a scheduled query report

Steps to set up a scheduled query report:
1. Create a Query Report with the query given below.
2. Create a Scheduled Report from the Query Report created in the previous step:
- select a file format (csv, xlsx or pdf; csv is the easiest for a SIEM to parse),
- select the option to publish the report on the central server and send its URL.

The published file can then be fetched and ingested by the SIEM. Because the query covers the whole current month, consecutive exports overlap, so the collector must deduplicate rows or track the last event time it has already ingested.


Query for collecting this month's logs (<from_thismonth> and <to_thismonth> are placeholders the query report resolves to the current month's boundaries at run time):

SELECT
    EventCode.EVENT_TYPE AS "TYPE",
    LONG_TO_DATE(EventLog.EVENT_TIMESTAMP, "EVENT TIME"),
    EventCode.EVENT_MODULE AS "MODULE",
    I18N_TRANSLATE(EventLog.EVENT_REMARKS, EventLog.EVENT_REMARKS_ARGS),
    EventLog.LOGON_USER_NAME AS "USERNAME",
    RDSConnectionReason.REASON_MESSAGE AS "REASON MESSAGE",
    LONG_TO_DATE(EventTimeDuration.EVENT_START_TIME, "START TIME"),
    LONG_TO_DATE(EventTimeDuration.EVENT_END_TIME, "END TIME"),
    EventTimeDuration.EVENT_TIME_DURATION AS "TIME DURATION",
    ResourceEventLogRel.RESOURCE_NAME AS "COMPUTER NAME",
    ResourceEventLogRel.DOMAIN_NETBIOS_NAME AS "DOMAIN NAME",
    EventTimeDuration.VIEWER_IP AS "VIEWER IP"
FROM
    EventLog
    LEFT JOIN CustomerEventLog ON EventLog.EVENT_LOG_ID = CustomerEventLog.EVENT_LOG_ID
    INNER JOIN EventCode ON EventLog.EVENT_ID = EventCode.EVENT_ID
    LEFT JOIN EventTimeDuration ON EventLog.EVENT_LOG_ID = EventTimeDuration.EVENT_LOG_ID
    LEFT JOIN RDSConnectionReason ON EventLog.EVENT_LOG_ID = RDSConnectionReason.EVENT_LOG_ID
    LEFT JOIN ResourceEventLogRel ON EventLog.EVENT_LOG_ID = ResourceEventLogRel.EVENT_LOG_ID
    LEFT JOIN Resource ON ResourceEventLogRel.RESOURCE_ID = Resource.RESOURCE_ID
WHERE
    EventLog.EVENT_TIMESTAMP <= <to_thismonth>
    AND EventLog.EVENT_TIMESTAMP >= <from_thismonth>
ORDER BY
    EventLog.EVENT_TIMESTAMP DESC
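The SIEM-side half of the scheduled-report method, as an added example in Python that is not ManageEngine's code and not part of this page: it reads a CSV export whose columns are the aliases of the query above, drops rows already seen in an earlier export of the same month, and emits one RFC 5424 syslog line per row with every non-empty column attached as structured data. The header name "REMARKS" for the translated-remarks column (the query gives it no alias), the date format in "EVENT TIME", the host name, the enterprise number and the rows in DEMO_CSV are assumptions constructed for the demo.

```python
"""Turn a scheduled Endpoint Central query-report CSV into RFC 5424 syslog lines.

Added example, not ManageEngine's code. Column headers follow the aliases in the
query above; the "REMARKS" header, the "EVENT TIME" date format, the host name
and the enterprise number are ASSUMPTIONS, and DEMO_CSV is constructed.
"""
import csv
import hashlib
import io
import re

PRI = 13 * 8 + 6        # RFC 5424 PRI: facility 13 (log audit), severity 6 (informational)
SD_ID = "ec@32473"      # 32473 is the enterprise number RFC 5424 reserves for examples

def sd_escape(value):
    """Escape the three characters RFC 5424 forbids raw inside a PARAM-VALUE."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def sd_name(header):
    """CSV header -> SD-PARAM-NAME / MSGID: printable ASCII, no space, '=', ']' or '"', max 32."""
    return re.sub(r'[^\x21-\x7e]|[=\]"]', "_", header.strip())[:32] or "col"

def row_fingerprint(row):
    """Stable id for a report row; the report carries no event id, so hash the whole row."""
    raw = "\x1f".join("%s=%s" % (k, v) for k, v in sorted(row.items()))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def row_to_syslog(row, host, timestamp):
    """One CSV row -> one RFC 5424 line; every non-empty column rides along as structured data."""
    params = " ".join('%s="%s"' % (sd_name(k), sd_escape(v))
                      for k, v in row.items() if v not in (None, "", "--"))
    sd = "[%s %s]" % (SD_ID, params) if params else "-"
    msg = row.get("REMARKS") or "-"
    return "<%d>1 %s %s endpointcentral - %s %s %s" % (
        PRI, timestamp, host, sd_name(row.get("MODULE", "-")), sd, msg)

def ingest_report(csv_text, seen, host="ec01.example.invalid", timestamp="2023-09-22T12:20:00+05:30"):
    """Parse one export, skip rows whose fingerprint is already in `seen`, return the new lines.

    The query covers the whole current month and the report is exported on a schedule,
    so consecutive exports overlap; persist `seen` between runs to keep duplicates out.
    """
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        fp = row_fingerprint(row)
        if fp in seen:
            continue
        seen.add(fp)
        out.append(row_to_syslog(row, host, timestamp))
    return out

# Constructed export with the columns the query above produces (date format is a guess).
DEMO_CSV = """TYPE,EVENT TIME,MODULE,REMARKS,USERNAME,REASON MESSAGE,START TIME,END TIME,TIME DURATION,COMPUTER NAME,DOMAIN NAME,VIEWER IP
Information,"Sep 22, 2023 12:17 PM",User Management,The host 172.21.148.119 is connected as admin with Administrator role,admin,,,,0,--,--,--
Information,"Sep 22, 2023 11:38 AM",Configurations,"macOS PPPC Policy - ""PPPCConfigMacDriver"" is deployed",DC-SYSTEM-USER,,,,0,--,--,--
Information,"Sep 22, 2023 10:02 AM",Remote Control,Remote session ended [viewer],helpdesk1,Ticket 4711,"Sep 22, 2023 09:40 AM","Sep 22, 2023 10:02 AM",22,WS-042,CORP,10.0.0.5
"""
NEW_ROW = 'Information,"Sep 22, 2023 12:30 PM",Patch Mgmt,Patch scan initiated,admin,,,,0,--,--,--\n'

def demo():
    """First export yields three lines; a second export with one extra row yields only that one."""
    seen = set()
    first = ingest_report(DEMO_CSV, seen)
    second = ingest_report(DEMO_CSV + NEW_ROW, seen)
    return first, second
```

The fingerprint set is the state that matters: keep it (or at least the fingerprints of the current month) on disk between scheduled runs, and clear it when the month rolls over and the query window moves on.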