ManageEngine Network Configuration Management

About

Network Configuration Manager is a multi-vendor network configuration and change management (NCCM) solution for switches, routers, firewalls and other network devices. Network configuration management (NCM) helps automate and take total control of the entire life cycle of device configuration management.

Product Details

Vendor URL: ManageEngine

Product Type: Network Configuration Management

Product Tier: Tier III

Integration Method: Syslog

Log Guide: ManageEngine NCM Rest API

Parser Details

Log Format: Syslog

Expected Normalization Rate: 100%

Data Label: MANAGEENGINE_NCM

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| action | security_result.action_details |
| addr | target.resource.name |
| auditid | target.resource.id |
| auditreporttype | target.resource.name |
| auditscore | security_result.confidence_details |
| audittime | additional.fields |
| bandwidth | target.resource.attribute.labels |
| community | additional.fields |
| cpu | target.resource.attribute.labels |
| criticalcount | security_result.detection_fields |
| devid | principal.hostname |
| devname | principal.application |
| disk | target.resource.attribute.labels |
| dstip | target.ip |
| dstport | target.port |
| fazlograte | target.resource.attribute.labels |
| freediskstorage | target.resource.attribute.labels |
| gateway_ip | target.asset.ip |
| highcount | security_result.detection_fields |
| interface | target.resource.name |
| level | security_result.severity_details |
| logdesc | metadata.description |
| logid | metadata.product_log_id |
| lowcount | security_result.detection_fields |
| mask_ip | target.asset.ip |
| mediumcount | security_result.detection_fields |
| mem | target.asset.hardware.ram |
| method | network.application_protocol |
| msg | security_result.summary |
| passedcount | security_result.detection_fields |
| profile | target.user.attribute.roles.name |
| setuprate | target.resource.attribute.labels |
| sn | network.session_id |
| srcip | principal.ip |
| srcport | principal.port |
| status | security_result.action |
| stitch | security_result.rule_name |
| stitchaction | security_result.rule_labels |
| sysuptime | target.resource.attribute.labels |
| total | security_result.detection_fields |
| totalsession | target.resource.attribute.labels |
| trigger | security_result.rule_id |
| type - subtype | metadata.product_event_type |
| used | security_result.detection_fields |
| user | target.user.userid |
| vd | principal.administrative_domain |
| waninfo | additional.fields |

Product Event Types

| Event | UDM Event Classification |
|---|---|
| Dynamic address updated, FortiGate update succeeded, Security Rating summary | STATUS_UPDATE |
| login | USER_LOGIN |
| logout | USER_LOGOUT |

Log Sample

<190>Jan 08 23:01:01 10.168.102.2 date=2025-01-08 time=19:01:01 devname="Fortigate-EDMIII" devid="EX1234ABCD" eventtime=1736391660656126309 tz="-0800" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1234567890" user="ex-ncm-mgnt" ui="ssh(10.16.103.254)" method="ssh" srcip=10.16.103.254 dstip=10.16.103.253 action="login" status="success" reason="none" profile="super_admin" msg="Administrator ex-ncm-mgnt logged in successfully from ssh(10.16.103.254)"

Sample Parsing

extensions.auth.auth_details = "SSH"
metadata.description = "Admin login successful"
metadata.event_type = "USER_LOGIN"
metadata.log_type = "MANAGEENGINE_NCM"
metadata.product_event_type = "event - system"
metadata.product_log_id = "0100032001"
metadata.product_name = "Network Configuration Management"
metadata.vendor_name = "ManageEngine"
network.application_protocol = "SSH"
network.session_id = "1234567890"
observer.ip = "10.168.102.2"
principal.administrative_domain = "root"
principal.application = "Fortigate-EDMIII"
principal.hostname = "EX1234ABCD"
principal.ip = "10.16.103.254"
security_result.action_details = "login"
security_result.action = "ALLOW"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "information"
security_result.summary = "Administrator ex-ncm-mgnt logged in successfully from ssh(10.16.103.254)"
target.ip = "10.16.103.253"
target.user.attribute.roles.name = "Member"
target.user.userid = "ex-ncm-mgnt"
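
As an added illustration (not the vendor's or the parser's own code), the sketch below parses the key=value syslog format shown in the Log Sample and applies a subset of the field table above, so a sample line can be checked against the Sample Parsing output. Keying the login/logout classification on `action`, upper-casing `method`, and the names `to_udm` and `unmapped_keys` are assumptions inferred from the sample.

```python
import re

# Constructed from the page's Log Sample (shortened to the fields used below).
SAMPLE = ('<190>Jan 08 23:01:01 10.168.102.2 date=2025-01-08 time=19:01:01 '
          'devname="Fortigate-EDMIII" devid="EX1234ABCD" logid="0100032001" '
          'type="event" subtype="system" level="information" vd="root" '
          'logdesc="Admin login successful" sn="1234567890" user="ex-ncm-mgnt" '
          'method="ssh" srcip=10.16.103.254 dstip=10.16.103.253 action="login" '
          'msg="Administrator ex-ncm-mgnt logged in successfully from ssh(10.16.103.254)"')

HEADER = re.compile(r'^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$')
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # quoted or bare value

# Subset of the page's field table whose values are copied verbatim to UDM.
DIRECT = {
    "devid": "principal.hostname", "devname": "principal.application",
    "vd": "principal.administrative_domain", "srcip": "principal.ip",
    "dstip": "target.ip", "user": "target.user.userid",
    "sn": "network.session_id", "logid": "metadata.product_log_id",
    "logdesc": "metadata.description", "msg": "security_result.summary",
    "level": "security_result.severity_details",
    "action": "security_result.action_details",
}
DERIVED = {"type", "subtype", "method"}  # handled separately in to_udm()
EVENT_TYPES = {"login": "USER_LOGIN", "logout": "USER_LOGOUT"}  # assumed key: action

def parse(line):
    """Split the syslog header from the body and return (sender, key/value dict)."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a syslog line in the expected format")
    kv = {p.group(1): p.group(2) if p.group(2) is not None else p.group(3)
          for p in PAIR.finditer(m.group(4))}
    return m.group(3), kv

def to_udm(line):
    sender, kv = parse(line)
    udm = {dst: kv[src] for src, dst in DIRECT.items() if src in kv}
    udm["observer.ip"] = sender
    if "type" in kv and "subtype" in kv:
        udm["metadata.product_event_type"] = f'{kv["type"]} - {kv["subtype"]}'
    if "method" in kv:
        udm["network.application_protocol"] = kv["method"].upper()
    if kv.get("action") in EVENT_TYPES:
        udm["metadata.event_type"] = EVENT_TYPES[kv["action"]]
    return udm

def unmapped_keys(line):
    """Raw keys this subset does not normalize; useful for spotting dropped fields."""
    return sorted(set(parse(line)[1]) - set(DIRECT) - DERIVED)
```
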