Integrating Coro with Syslog

Coro can forward ticket data to external platforms using the Syslog protocol with RFC 5424 formatting over Transport Layer Security (TLS).

Important

RFC 5424 defines a structured format for Syslog messages. Coro uses this format to ensure external systems can reliably parse and process log data.

Your external platform must support the Syslog protocol with RFC 5424 formatting over TLS to receive Coro ticket data.

This integration enables Coro to transmit ticket data to systems that rely on structured Syslog ingestion, such as SIEM or logging platforms. Admin users can consolidate security event data and align Coro ticket data with other sources in their environment.

Configuring a Syslog connector

To configure a Syslog connector:

  1. Sign in to the Coro console.
  2. From the sidebar, select Control Panel to access the Control Panel.
  3. Select Connectors.

    Coro displays the Connectors page.

  4. Select Syslog.

  5. Select ADD CONNECTION.

    Coro displays the Add a Syslog connection dialog.

  6. Configure the following Syslog connection settings:
    • Server Name: Enter a suitable name for your Syslog connector.
    • Destination IP address or Hostname: Enter the IP address or fully qualified domain name (FQDN) of the external Syslog server receiving the forwarded Coro ticket data.
    • Port: Enter the port number that the external platform uses to receive Syslog messages over TLS.
      Important

      Coro supports only Syslog connections over TLS for transmission of ticket data.

    • Syslog Protocol: Coro uses RFC 5424 formatting to structure forwarded Syslog messages.
      Note

      You cannot modify this setting.

    • Certificate: Upload a certificate to establish a trusted, encrypted TLS connection between Coro and the external Syslog server.
      Important

      Upload a certificate only if the external Syslog server uses a self-signed or privately issued certificate. For publicly trusted certificates, no upload is required.

      Note

      If you are using chained certificates, you must combine them into a single .pem file before uploading.

    • Select Modules: Choose the Coro modules for which you want to forward ticket data through the Syslog integration. Choose from:
      • Cloud Security
      • Email Security
      • Endpoint Security
      • User Data Governance
      • Endpoint Data Governance
      • EDR
    • Facility: Select a facility code for each module.
      Note

      Facility codes help external platforms categorize and route Coro ticket data by module. Coro can assign a facility code to each module's ticket data. The receiving system then uses these codes to route ticket data, such as Cloud Security and Email Security, to separate queues.

    • Is the SIEM Multi-tenant?: Select Yes if the destination SIEM supports multi-tenancy, then enter a Tenant label. Coro includes the label in each Syslog message to help the Security Information and Event Management (SIEM) platform identify the tenant and route ticket data accordingly.

  7. To create the connector, select CONNECT.

    Coro sends a test message to the external Syslog server to verify the configuration.

    If Coro successfully establishes a connection to the specified Syslog server without receiving an error, it adds the connector to the Syslog connector list with a status of Active.

    If Coro cannot establish a connection to the specified Syslog server, it displays an error message describing the issue and does not add the connector to the Syslog connector list.
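The Facility note above describes the receiving system routing ticket data by facility code. The following is an added example of that receiver-side step, not Coro or SIEM vendor code: it parses the RFC 5424 header, splits the PRI value into facility and severity, and picks a queue. The facility-to-queue mapping and the sample messages are constructed for illustration.

```python
import re

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP rest
HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)",
    re.DOTALL,
)

# Hypothetical mapping, mirroring what an admin might pick in the Facility
# setting: local0 (16) for Cloud Security, local1 (17) for Email Security.
FACILITY_QUEUES = {16: "cloud-security", 17: "email-security"}


def parse_rfc5424(line):
    """Parse the RFC 5424 header and split PRI into facility and severity."""
    m = HEADER.fullmatch(line)
    if m is None:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])
    if pri > 191:  # highest valid PRI is facility 23 * 8 + severity 7
        raise ValueError("PRI out of range")
    fields = m.groupdict()
    fields["facility"], fields["severity"] = divmod(pri, 8)
    return fields


def route(line, default="unrouted"):
    """Return the queue for a message; malformed input goes to quarantine."""
    try:
        msg = parse_rfc5424(line)
    except ValueError:
        return "quarantine"
    return FACILITY_QUEUES.get(msg["facility"], default)


# Constructed sample messages (not captured from Coro).
SAMPLES = [
    "<132>1 2024-01-01T10:00:00Z host.example app - - - constructed cloud ticket",
    "<140>1 2024-01-01T10:00:01Z host.example app - - - constructed email ticket",
    "<14>1 2024-01-01T10:00:02Z host.example app - - - other facility",
    "Jan  1 10:00:03 host app: legacy BSD-style line",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(route(sample), "<-", sample[:40])
```

Sending unparseable lines to a quarantine queue rather than dropping them keeps malformed or non-RFC 5424 traffic on the TLS listener visible for review.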

Managing Syslog connectors

Use the three-dot menu of a configured Syslog connector to:

  • Edit: Modify the configuration settings of the connector.
  • Duplicate: Create a copy of the connector with the same configuration. Use this to set up a similar integration with other destinations.
  • Test: Trigger a test to verify that the connector successfully communicates with the configured destination.
  • Disable: Stop forwarding ticket data through this connector without deleting its configuration.
    Note

    Coro disables a connector immediately if the connection to the Syslog server fails.

  • Enable: (Disabled connectors only) Reactivate the connector to resume forwarding ticket data.
  • Remove: Delete the connector configuration.