nginx · aphralG · Oct 3, 2025
@@ -572,7 +572,7 @@ func (oc *Collector) updateNginxAppProtectTcplogReceivers(
 		oc.config.Collector.Receivers.TcplogReceivers = make(map[string]*config.TcplogReceiver)
 	}
 
-	napSysLogServer := oc.findAvailableSyslogServers(ctx, nginxConfigContext.NAPSysLogServers)
+	napSysLogServer := oc.findAvailableSyslogServers(ctx, nginxConfigContext.NAPSysLogServer)
 
 	if napSysLogServer != "" {
 		if !oc.doesTcplogReceiverAlreadyExist(napSysLogServer) {
@@ -705,40 +705,30 @@ func (oc *Collector) updateResourceAttributes(
 	return actionUpdated
 }
 
-func (oc *Collector) findAvailableSyslogServers(ctx context.Context, napSyslogServers []string) string {
-	napSyslogServersMap := make(map[string]bool)
-	for _, server := range napSyslogServers {
-		napSyslogServersMap[server] = true
+func (oc *Collector) findAvailableSyslogServers(ctx context.Context, napSyslogServer string) string {
+	if oc.previousNAPSysLogServer != "" && oc.previousNAPSysLogServer == napSyslogServer {
+		return oc.previousNAPSysLogServer
 	}
 
-	if oc.previousNAPSysLogServer != "" {
-		if _, ok := napSyslogServersMap[oc.previousNAPSysLogServer]; ok {
-			return oc.previousNAPSysLogServer
-		}
-	}
-
-	for _, napSyslogServer := range napSyslogServers {
-		listenConfig := &net.ListenConfig{}
-		ln, err := listenConfig.Listen(ctx, "tcp", napSyslogServer)
-		if err != nil {
-			slog.DebugContext(ctx, "NAP syslog server is not reachable", "address", napSyslogServer,
-				"error", err)
+	listenConfig := &net.ListenConfig{}
+	ln, err := listenConfig.Listen(ctx, "tcp", napSyslogServer)
+	if err != nil {
+		slog.DebugContext(ctx, "NAP syslog server is not reachable", "address", napSyslogServer,
+			"error", err)
 
-			continue
-		}
-		closeError := ln.Close()
-		if closeError != nil {
-			slog.DebugContext(ctx, "Failed to close syslog server", "address", napSyslogServer, "error", closeError)
-		}
+		return ""
+	}
 
-		slog.DebugContext(ctx, "Found valid NAP syslog server", "address", napSyslogServer)
+	closeError := ln.Close()
+	if closeError != nil {
+		slog.DebugContext(ctx, "Failed to close syslog server", "address", napSyslogServer, "error", closeError)
+	}
 
-		oc.previousNAPSysLogServer = napSyslogServer
+	slog.InfoContext(ctx, "Found valid NAP syslog server", "address", napSyslogServer)
 
-		return napSyslogServer
-	}
+	oc.previousNAPSysLogServer = napSyslogServer
 
-	return ""
+	return napSyslogServer
 }
 
 func isOSSReceiverChanged(nginxReceiver config.NginxReceiver, nginxConfigContext *model.NginxConfigContext) bool {

@@ -744,7 +744,7 @@ func TestCollector_updateNginxAppProtectTcplogReceivers(t *testing.T) {
 	require.NoError(t, err)
 
 	nginxConfigContext := &model.NginxConfigContext{
-		NAPSysLogServers: []string{"localhost:15632"},
+		NAPSysLogServer: "localhost:15632",
 	}
 
 	assert.Empty(t, conf.Collector.Receivers.TcplogReceivers)
@@ -777,7 +777,7 @@ func TestCollector_updateNginxAppProtectTcplogReceivers(t *testing.T) {
 	t.Run("Test 4: NewCollector tcplogReceiver added and deleted another", func(tt *testing.T) {
 		tcplogReceiverDeleted := collector.updateNginxAppProtectTcplogReceivers(ctx,
 			&model.NginxConfigContext{
-				NAPSysLogServers: []string{"localhost:1555"},
+				NAPSysLogServer: "localhost:1555",
 			},
 		)
 
@@ -927,49 +927,49 @@ func TestCollector_findAvailableSyslogServers(t *testing.T) {
 		name                    string
 		expectedSyslogServer    string
 		previousNAPSysLogServer string
-		syslogServers           []string
+		syslogServers           string
 		portInUse               bool
 	}{
 		{
 			name:                    "Test 1: port available",
 			expectedSyslogServer:    "localhost:15632",
 			previousNAPSysLogServer: "",
-			syslogServers:           []string{"localhost:15632"},
+			syslogServers:           "localhost:15632",
 			portInUse:               false,
 		},
 		{
 			name:                    "Test 2: port in use",
 			expectedSyslogServer:    "",
 			previousNAPSysLogServer: "",
-			syslogServers:           []string{"localhost:15632"},
+			syslogServers:           "localhost:15632",
 			portInUse:               true,
 		},
 		{
 			name:                    "Test 3: syslog server already configured",
 			expectedSyslogServer:    "localhost:15632",
 			previousNAPSysLogServer: "localhost:15632",
-			syslogServers:           []string{"localhost:15632"},
+			syslogServers:           "localhost:15632",
 			portInUse:               false,
 		},
 		{
 			name:                    "Test 4: new syslog server",
 			expectedSyslogServer:    "localhost:15632",
 			previousNAPSysLogServer: "localhost:1122",
-			syslogServers:           []string{"localhost:15632"},
+			syslogServers:           "localhost:15632",
 			portInUse:               false,
 		},
 		{
 			name:                    "Test 5: port in use find next server",
 			expectedSyslogServer:    "localhost:1122",
 			previousNAPSysLogServer: "",
-			syslogServers:           []string{"localhost:15632", "localhost:1122"},
+			syslogServers:           "localhost:1122",
 			portInUse:               true,
 		},
 		{
 			name:                    "Test 6: port hasn't changed",
 			expectedSyslogServer:    "localhost:1122",
 			previousNAPSysLogServer: "localhost:1122",
-			syslogServers:           []string{"localhost:1122"},
+			syslogServers:           "localhost:1122",
 			portInUse:               true,
 		},
 	}

@@ -122,6 +122,7 @@ func ResolveConfig() (*Config, error) {
 		Features:           viperInstance.GetStringSlice(FeaturesKey),
 		Labels:             resolveLabels(),
 		LibDir:             viperInstance.GetString(LibDirPathKey),
+		SyslogServer:       resolveSyslogServer(),
 	}
 
 	defaultCollector(collector, config)
@@ -420,6 +421,12 @@ func registerFlags() {
 		"A comma-separated list of features enabled for the agent.",
 	)
 
+	fs.String(
+		SyslogServerPort,
+		DefSyslogServerPort,
+		"The port Agent will start the syslog server for Nginx App Protect Security violations on",
+	)
+
 	registerCommonFlags(fs)
 	registerCommandFlags(fs)
 	registerAuxiliaryCommandFlags(fs)
@@ -897,6 +904,12 @@ func resolveLog() *Log {
 	}
 }
 
+func resolveSyslogServer() *SyslogServer {
+	return &SyslogServer{
+		Port: viperInstance.GetString(SyslogServerPort),
+	}
+}
+
 func resolveLabels() map[string]interface{} {
 	input := viperInstance.GetStringMapString(LabelsRootKey)
 

@@ -1068,6 +1068,9 @@ func createConfig() *Config {
 			Level: "debug",
 			Path:  "./test-path",
 		},
+		SyslogServer: &SyslogServer{
+			Port: "1512",
+		},
 		Client: &Client{
 			HTTP: &HTTP{
 				Timeout: 15 * time.Second,

@@ -23,6 +23,8 @@ const (
 	DefNginxReloadBackoffMaxInterval         = 3 * time.Second
 	DefNginxReloadBackoffMaxElapsedTime      = 10 * time.Second
 
+	DefSyslogServerPort = "1514"
+
 	DefCommandServerHostKey               = ""
 	DefCommandServerPortKey               = 0
 	DefCommandServerTypeKey               = "grpc"

@@ -135,6 +135,8 @@ var (
 	NginxExcludeLogsKey                      = pre(DataPlaneConfigRootKey, "nginx") + "exclude_logs"
 	NginxApiTlsCa                            = pre(DataPlaneConfigRootKey, "nginx") + "api_tls_ca"
 
+	SyslogServerPort = pre("syslog_server") + "port"
+
 	FileWatcherMonitoringFrequencyKey = pre(FileWatcherKey) + "monitoring_frequency"
 	NginxExcludeFilesKey              = pre(FileWatcherKey) + "exclude_files"
 )

@@ -23,7 +23,11 @@ features:
       - metrics
       - api-action
       - logs-nap
-
+
+
+syslog_server:
+    port: 1512
+
 data_plane_config:
     nginx:
         reload_monitoring_period: 30s

@@ -43,6 +43,7 @@ type (
 		Client             *Client          `yaml:"client"              mapstructure:"client"`
 		Collector          *Collector       `yaml:"collector"           mapstructure:"collector"`
 		Watchers           *Watchers        `yaml:"watchers"            mapstructure:"watchers"`
+		SyslogServer       *SyslogServer    `yaml:"syslog_server"       mapstructure:"syslog_server"`
 		Labels             map[string]any   `yaml:"labels"              mapstructure:"labels"`
 		Version            string           `yaml:"-"`
 		Path               string           `yaml:"-"`
@@ -61,6 +62,9 @@ type (
 		Nginx *NginxDataPlaneConfig `yaml:"nginx" mapstructure:"nginx"`
 	}
 
+	SyslogServer struct {
+		Port string `yaml:"port" mapstructure:"port"`
+	}
 	NginxDataPlaneConfig struct {
 		ReloadBackoff          *BackOff      `yaml:"reload_backoff"           mapstructure:"reload_backoff"`
 		APITls                 TLSConfig     `yaml:"api_tls"                  mapstructure:"api_tls"`

@@ -151,7 +151,6 @@ func (ncp *NginxConfigParser) createNginxConfigContext(
 	payload *crossplane.Payload,
 	configPath string,
 ) (*model.NginxConfigContext, error) {
-	napSyslogServersFound := make(map[string]bool)
 	napEnabled := false
 
 	nginxConfigContext := &model.NginxConfigContext{
@@ -167,7 +166,7 @@ func (ncp *NginxConfigParser) createNginxConfigContext(
 			Listen:   "",
 			Location: "",
 		},
-		NAPSysLogServers: make([]string, 0),
+		NAPSysLogServer: "",
 	}
 
 	rootDir := filepath.Dir(instance.GetInstanceRuntime().GetConfigPath())
@@ -223,8 +222,8 @@ func (ncp *NginxConfigParser) createNginxConfigContext(
 					if len(directive.Args) > 1 {
 						napEnabled = true
 						sysLogServer := ncp.findLocalSysLogServers(directive.Args[1])
-						if sysLogServer != "" && !napSyslogServersFound[sysLogServer] {
-							napSyslogServersFound[sysLogServer] = true
+						if sysLogServer != "" {
+							nginxConfigContext.NAPSysLogServer = sysLogServer
 							slog.DebugContext(ctx, "Found NAP syslog server", "address", sysLogServer)
 						}
 					}
@@ -251,15 +250,10 @@ func (ncp *NginxConfigParser) createNginxConfigContext(
 			nginxConfigContext.PlusAPIs = append(nginxConfigContext.PlusAPIs, plusAPIs...)
 		}
 
-		if len(napSyslogServersFound) > 0 {
-			var napSyslogServer []string
-			for server := range napSyslogServersFound {
-				napSyslogServer = append(napSyslogServer, server)
-			}
-			nginxConfigContext.NAPSysLogServers = napSyslogServer
-		} else if napEnabled {
-			slog.WarnContext(ctx, "Could not find available local NGINX App Protect syslog server. "+
-				"Security violations will not be collected.")
+		if napEnabled && nginxConfigContext.NAPSysLogServer == "" {
+			slog.WarnContext(ctx, fmt.Sprintf("Could not find available local NGINX App Protect syslog"+
+				" server configured on port %s. Security violations will not be collected.",
+				ncp.agentConfig.SyslogServer.Port))
 		}
 
 		fileMeta, err := files.FileMeta(conf.File)
@@ -280,11 +274,15 @@ func (ncp *NginxConfigParser) findLocalSysLogServers(sysLogServer string) string
 	re := regexp.MustCompile(`syslog:server=([\S]+)`)
 	matches := re.FindStringSubmatch(sysLogServer)
 	if len(matches) > 1 {
-		host, _, err := net.SplitHostPort(matches[1])
+		host, port, err := net.SplitHostPort(matches[1])
 		if err != nil {
 			return ""
 		}
 
+		if port != ncp.agentConfig.SyslogServer.Port {
+			return ""
+		}
+
 		ip := net.ParseIP(host)
 		if ip.IsLoopback() || strings.EqualFold(host, "localhost") {
 			return matches[1]