ManageEngine Endpoint Central via API Integration Guide

Purpose

This guide explains how to generate the required OAuth credentials in the Zoho API Console for ManageEngine Endpoint Central Cloud, and how to use those credentials in Logsign USO to ingest console audit logs (Patch Management, Configurations, Inventory, Software Metering, and other module activity) for security analytics and forensic purposes.

Endpoint Central Cloud has no customer-side server to originate outbound syslog, so this API poller is the only supported way to bring its audit logs into Logsign USO. If you run Endpoint Central on-premises instead of Cloud, use syslog forwarding rather than this integration.

Prerequisites

The Zoho account you use to generate credentials must hold the Administrator role in the Endpoint Central console. The audit log API is restricted to administrators; a technician-level account will get authorization errors.

Step 1: Identify Your Console URL and Data Center

Note the address you use to log in to Endpoint Central Cloud, for example https://endpointcentral.manageengine.com. The domain suffix tells you which data center your tenant lives in, which determines both the console URL and the Zoho accounts server you will use in the next step.

Data CenterConsole URLZoho Accounts Server
United Stateshttps://endpointcentral.manageengine.comhttps://accounts.zoho.com
Europehttps://endpointcentral.manageengine.euhttps://accounts.zoho.eu
Indiahttps://endpointcentral.manageengine.inhttps://accounts.zoho.in
Australiahttps://endpointcentral.manageengine.com.auhttps://accounts.zoho.com.au
Japanhttps://endpointcentral.manageengine.jphttps://accounts.zoho.jp
Canadahttps://endpointcentral.manageengine.cahttps://accounts.zohocloud.ca
United Kingdomhttps://endpointcentral.manageengine.ukhttps://accounts.zoho.uk

Step 2: Create a Self Client in the Zoho API Console

  1. Go to the Zoho API Console for your data center, for example https://api-console.zoho.com for a .com tenant.
  2. Choose Self Client as the client type.
  3. Open the Client Secret tab and copy the Client ID and Client Secret.

Step 3: Generate a Refresh Token

  1. In the same Self Client, open the Generate Code tab.
  2. Enter the scope DesktopCentralCloud.Common.READ and a short validity window (10 minutes is enough), then click Create. Copy the resulting grant code; it is only valid for about 60 seconds.
  3. Exchange the grant code for a refresh token right away:
curl -X POST "https://accounts.zoho.com/oauth/v2/token" \
  -d "code=<GRANT_CODE>" \
  -d "client_id=<CLIENT_ID>" \
  -d "client_secret=<CLIENT_SECRET>" \
  -d "grant_type=authorization_code"

Use the accounts server for your own data center from the table above instead of accounts.zoho.com if you are not on the US tenant. The response contains a refresh_token. This value does not expire on its own and is what Logsign will use to mint access tokens going forward, so store it securely alongside the Client ID and Client Secret.

If a request later returns 401 or 403 once the integration is running, the scope above may be too narrow for the modules you are polling. Recreate the Self Client with the broader scope DesktopCentralCloud.Common.READ,DesktopCentralCloud.SOM.READ,DesktopCentralCloud.Inventory.READ,DesktopCentralCloud.PatchMgmt.READ,DesktopCentralCloud.VulnerabilityMgmt.READ and generate a new refresh token.

Step 4: Configure the Integration in Logsign USO

After obtaining these credentials, log in to Logsign USO and add a new ManageEngine Endpoint Central data source. You will be asked for:

FieldValue
API URLYour console URL from Step 1, for example https://endpointcentral.manageengine.com
Accounts URLYour Zoho accounts server from Step 1, for example https://accounts.zoho.com
Client IDFrom Step 2
Client SecretFrom Step 2
Refresh TokenFrom Step 3
Event Module (optional)Comma-separated list of modules to limit ingestion to, for example Patch Mgmt,Configurations. Leave empty to collect all modules

Logsign exchanges the refresh token for a short-lived access token automatically and refreshes it as needed; you do not need to generate a new access token yourself after the initial setup.

Notes and Limits

  • Access tokens obtained by the integration are valid for one hour. If polling ever stops and the source logs repeated authorization errors, the most common cause is that the stored refresh token was revoked or regenerated in the Zoho API Console; generate a fresh refresh token and update the data source.
  • Endpoint Central Cloud allows a maximum of 30 API requests per 5-minute window per technician account. If you see rate-limit related failures, avoid running other integrations or scripts against the same technician account at the same time.
  • Make sure the API URL you enter is your Endpoint Central console address, not zohoapis.com. The api_domain value returned in Zoho's own OAuth responses is a generic Zoho field and is not the Endpoint Central API host.
Was this article helpful?
0 out of 0 found this helpful

Articles in this section

See more
Become a Certified Logsign User/Administrator
Sign-up for Logsign Academy and take the courses to learn about Logsign USO Platform in detail. Enjoy the courses, and get your badges and certificates. In these courses, you'll learn how to use Logsign in your work and add value to your career.
Visit Our Blog
Our Logsign USO Platform illustrate our expertise. So do the blog. Through our blog posts, deepen your knowledge on various SecOps topics or get updated about important news & modern approaches for cybersecurity. Get into the habit of reading valuable information provided by Logsign. Be a step ahead.