Filter NAP logs by Severity (#1169)

Author: aphralG

internal/collector/otel_collector_plugin.go

@@ -555,6 +555,24 @@ func (oc *Collector) updateNginxAppProtectTcplogReceivers(nginxConfigContext *mo
 			oc.config.Collector.Receivers.TcplogReceivers["nginx_app_protect"] = &config.TcplogReceiver{
 				ListenAddress: nginxConfigContext.NAPSysLogServer,
 				Operators: []config.Operator{
+					// regex captures the priority number from the log line
+					{
+						Type: "regex_parser",
+						Fields: map[string]string{
+							"regex":      "^<(?P<priority>\\d+)>",
+							"parse_from": "body",
+							"parse_to":   "attributes",
+						},
+					},
+					// filter drops all logs that have a severity above 4
+					// https://docs.secureauth.com/0902/en/how-to-read-a-syslog-message.html#severity-code-table
+					{
+						Type: "filter",
+						Fields: map[string]string{
+							"expr":       "'int(attributes.priority) % 8 > 4'",
+							"drop_ratio": "1.0",
+						},
+					},
 					{
 						Type: "add",
 						Fields: map[string]string{

internal/collector/otel_collector_plugin_test.go

@@ -749,7 +749,7 @@ func TestCollector_updateNginxAppProtectTcplogReceivers(t *testing.T) {
 		assert.True(tt, tcplogReceiverAdded)
 		assert.Len(tt, conf.Collector.Receivers.TcplogReceivers, 1)
 		assert.Equal(tt, "localhost:151", conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].ListenAddress)
-		assert.Len(tt, conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].Operators, 4)
+		assert.Len(tt, conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].Operators, 6)
 	})
 
 	// Calling updateNginxAppProtectTcplogReceivers shouldn't update the TcplogReceivers slice
@@ -759,7 +759,7 @@ func TestCollector_updateNginxAppProtectTcplogReceivers(t *testing.T) {
 		assert.False(t, tcplogReceiverAdded)
 		assert.Len(t, conf.Collector.Receivers.TcplogReceivers, 1)
 		assert.Equal(t, "localhost:151", conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].ListenAddress)
-		assert.Len(t, conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].Operators, 4)
+		assert.Len(t, conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].Operators, 6)
 	})
 
 	t.Run("Test 3: TcplogReceiver deleted", func(tt *testing.T) {
@@ -778,7 +778,7 @@ func TestCollector_updateNginxAppProtectTcplogReceivers(t *testing.T) {
 		assert.True(t, tcplogReceiverDeleted)
 		assert.Len(t, conf.Collector.Receivers.TcplogReceivers, 1)
 		assert.Equal(t, "localhost:152", conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].ListenAddress)
-		assert.Len(t, conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].Operators, 4)
+		assert.Len(t, conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].Operators, 6)
 	})
 }
 

internal/collector/otelcol.tmpl

@@ -298,7 +298,7 @@ service:
       receivers:
         {{- range $receiver := $pipeline.Receivers }}
           {{- if eq $receiver "tcplog/nginx_app_protect" }}
-        - tcplog/nginx_app_protect:
+        - tcplog/nginx_app_protect
           {{- else }}
         - {{ $receiver }}
           {{- end }}