nginx
diff --git a/‎internal/collector/securityviolationsprocessor/README.md‎
Lines changed: 49 additions & 3 deletions b/‎internal/collector/securityviolationsprocessor/README.md‎
Lines changed: 49 additions & 3 deletions
diff --git a/‎internal/collector/securityviolationsprocessor/csv_parser.go‎
Lines changed: 136 additions & 0 deletions b/‎internal/collector/securityviolationsprocessor/csv_parser.go‎
Lines changed: 136 additions & 0 deletions
diff --git a/‎internal/collector/securityviolationsprocessor/helpers.go‎
Lines changed: 69 additions & 0 deletions b/‎internal/collector/securityviolationsprocessor/helpers.go‎
Lines changed: 69 additions & 0 deletions
@@ -1,5 +1,51 @@
-# SecurityViolations Processor
+# Security Violations Processor
 
-Internal component of the NGINX Agent that processes security violation syslog messages. Parses RFC3164 formatted syslog entries from log records and extracts structured attributes. Successfully parsed messages have their body replaced with the clean message content.
+OpenTelemetry Collector processor that transforms NGINX App Protect security violation syslog messages into structured protobuf events.
 
-Part of the NGINX Agent's log collection pipeline.
+## What It Does
+
+Processes NGINX App Protect WAF syslog messages and transforms them into `SecurityViolationEvent` protobuf messages:
+
+1. Parses RFC3164 syslog messages (best-effort mode)
+2. Extracts CSV formatted data from NAP `secops_dashboard` log profile
+3. Parses XML violation details with context extraction (parameter, header, cookie, uri, request)
+4. Extracts attack signature details
+5. Outputs structured protobuf events for downstream consumption
+
+## Implementation
+
+| File | Purpose |
+|------|---------|
+| [`processor.go`](processor.go) | Main processor implementation, RFC3164 parsing, orchestration |
+| [`csv_parser.go`](csv_parser.go) | CSV parsing and field mapping |
+| [`violations_parser.go`](violations_parser.go) | XML parsing, context extraction, signature parsing |
+| [`xml_structs.go`](xml_structs.go) | XML structure definitions (BADMSG, violation contexts) |
+| [`helpers.go`](helpers.go) | Utility functions |
+
+See individual files for implementation details. Protobuf schema defined in [`api/grpc/events/v1/security_violation.proto`](../../../api/grpc/events/v1/security_violation.proto).
+
+## Requirements
+
+- **Input**: NAP syslog messages with `secops_dashboard` log profile (33 CSV fields)
+- **Output**: `SecurityViolationEvent` protobuf messages
+
+## Testing
+
+```bash
+# Run all tests
+go test ./internal/collector/securityviolationsprocessor -v
+
+# Check coverage
+go test ./internal/collector/securityviolationsprocessor -coverprofile=coverage.out
+go tool cover -html=coverage.out
+```
+
+Test coverage: CSV parsing, XML parsing (5 violation contexts), encoding edge cases, error handling.
+
+## Error Handling
+
+Implements graceful degradation:
+- Malformed XML: Logs warning, continues processing
+- Base64 decode errors: Falls back to raw data
+- Missing fields: Uses empty strings
+- Context inference: Derives from violation names when not explicit
@@ -0,0 +1,136 @@
+// Copyright (c) F5, Inc.
+//
+// This source code is licensed under the Apache License, Version 2.0 license found in the
+// LICENSE file in the root directory of this source tree.
+
+package securityviolationsprocessor
+
+import (
+	"strings"
+
+	events "github.com/nginx/agent/v3/api/grpc/events/v1"
+)
+
+// parseCSVLog parses comma-separated syslog messages where fields are in a
+// order : blocking_exception_reason,dest_port,ip_client,is_truncated_bool,method,policy_name,protocol,request_status,response_code,severity,sig_cves,sig_set_names,src_port,sub_violations,support_id,threat_campaign_names,violation_rating,vs_name,x_forwarded_for_header_value,outcome,outcome_reason,violations,violation_details,bot_signature_name,bot_category,bot_anomalies,enforced_bot_anomalies,client_class,client_application,client_application_version,transport_protocol,uri,request (secops_dashboard-log profile format).
+// versions when key-value logging isn't enabled.
+//
+//nolint:lll //long test string kept for log profile readability
+func (p *securityViolationsProcessor) parseCSVLog(message string) map[string]string {
+	fieldValueMap := make(map[string]string)
+
+	// Remove the "ASM:" prefix if present so we only process the values
+	message = strings.TrimPrefix(message, "ASM:")
+
+	fields := strings.Split(message, ",")
+
+	// Mapping of CSV field positions to their corresponding keys
+	fieldOrder := []string{
+		"blocking_exception_reason",
+		"dest_port",
+		"ip_client",
+		"is_truncated_bool",
+		"method",
+		"policy_name",
+		"protocol",
+		"request_status",
+		"response_code",
+		"severity",
+		"sig_cves",
+		"sig_set_names",
+		"src_port",
+		"sub_violations",
+		"support_id",
+		"threat_campaign_names",
+		"violation_rating",
+		"vs_name",
+		"x_forwarded_for_header_value",
+		"outcome",
+		"outcome_reason",
+		"violations",
+		"violation_details",
+		"bot_signature_name",
+		"bot_category",
+		"bot_anomalies",
+		"enforced_bot_anomalies",
+		"client_class",
+		"client_application",
+		"client_application_version",
+		"transport_protocol",
+		"uri",
+		"request",
+	}
+
+	for i, field := range fields {
+		if i >= len(fieldOrder) {
+			break
+		}
+		fieldValueMap[fieldOrder[i]] = strings.TrimSpace(field)
+	}
+
+	// combine multiple values separated by '::'
+	if combined, ok := fieldValueMap["sig_cves"]; ok {
+		parts := strings.SplitN(combined, "::", maxSplitParts)
+		fieldValueMap["sig_ids"] = parts[0]
+		if len(parts) > 1 {
+			fieldValueMap["sig_names"] = parts[1]
+		}
+	}
+
+	if combined, ok := fieldValueMap["sig_set_names"]; ok {
+		parts := strings.SplitN(combined, "::", maxSplitParts)
+		fieldValueMap["sig_set_names"] = parts[0]
+		if len(parts) > 1 {
+			fieldValueMap["sig_cves"] = parts[1]
+		}
+	}
+
+	return fieldValueMap
+}
+
+func (p *securityViolationsProcessor) mapKVToSecurityViolationEvent(log *events.SecurityViolationEvent,
+	kvMap map[string]string,
+) {
+	log.PolicyName = kvMap["policy_name"]
+	log.SupportId = kvMap["support_id"]
+	log.Outcome = kvMap["outcome"]
+	log.OutcomeReason = kvMap["outcome_reason"]
+	log.BlockingExceptionReason = kvMap["blocking_exception_reason"]
+	log.Method = kvMap["method"]
+	log.Protocol = kvMap["protocol"]
+	log.XffHeaderValue = kvMap["x_forwarded_for_header_value"]
+	log.Uri = kvMap["uri"]
+	log.Request = kvMap["request"]
+	log.IsTruncated = kvMap["is_truncated_bool"]
+	log.RequestStatus = kvMap["request_status"]
+	log.ResponseCode = kvMap["response_code"]
+	log.ServerAddr = kvMap["server_addr"]
+	log.VsName = kvMap["vs_name"]
+	log.RemoteAddr = kvMap["ip_client"]
+	log.DestinationPort = kvMap["dest_port"]
+	log.ServerPort = kvMap["src_port"]
+	log.Violations = kvMap["violations"]
+	log.SubViolations = kvMap["sub_violations"]
+	log.ViolationRating = kvMap["violation_rating"]
+	log.SigSetNames = kvMap["sig_set_names"]
+	log.SigCves = kvMap["sig_cves"]
+	log.ClientClass = kvMap["client_class"]
+	log.ClientApplication = kvMap["client_application"]
+	log.ClientApplicationVersion = kvMap["client_application_version"]
+	log.Severity = kvMap["severity"]
+	log.ThreatCampaignNames = kvMap["threat_campaign_names"]
+	log.BotAnomalies = kvMap["bot_anomalies"]
+	log.BotCategory = kvMap["bot_category"]
+	log.EnforcedBotAnomalies = kvMap["enforced_bot_anomalies"]
+	log.BotSignatureName = kvMap["bot_signature_name"]
+	log.InstanceTags = kvMap["instance_tags"]
+	log.InstanceGroup = kvMap["instance_group"]
+	log.DisplayName = kvMap["display_name"]
+
+	if log.GetRemoteAddr() == "" {
+		log.RemoteAddr = kvMap["remote_addr"]
+	}
+	if log.GetDestinationPort() == "" {
+		log.DestinationPort = kvMap["remote_port"]
+	}
+}
@@ -0,0 +1,69 @@
+// Copyright (c) F5, Inc.
+//
+// This source code is licensed under the Apache License, Version 2.0 license found in the
+// LICENSE file in the root directory of this source tree.
+
+package securityviolationsprocessor
+
+import (
+	"net"
+	"regexp"
+	"strings"
+
+	events "github.com/nginx/agent/v3/api/grpc/events/v1"
+)
+
+func splitAndTrim(value string) []string {
+	if strings.TrimSpace(value) == "" || value == notAvailable {
+		return nil
+	}
+
+	parts := strings.Split(value, ",")
+
+	var trimmedParts []string
+	for _, part := range parts {
+		trimmed := strings.TrimSpace(part)
+		if trimmed != "" {
+			trimmedParts = append(trimmedParts, trimmed)
+		}
+	}
+
+	return trimmedParts
+}
+
+func buildSignatures(ids, names []string, mask, offset, length string) []*events.SignatureData {
+	signatures := make([]*events.SignatureData, 0, len(ids))
+	for i, id := range ids {
+		if id == "" || id == notAvailable {
+			continue
+		}
+		signature := &events.SignatureData{
+			SigDataId:           id,
+			SigDataBlockingMask: mask,
+			SigDataOffset:       offset,
+			SigDataLength:       length,
+		}
+		if i < len(names) {
+			signature.SigDataBuffer = names[i]
+		}
+		signatures = append(signatures, signature)
+	}
+
+	return signatures
+}
+
+func extractIPFromHostname(hostname string) string {
+	if ip := net.ParseIP(hostname); ip != nil {
+		return ip.String()
+	}
+
+	re := regexp.MustCompile(`^ip-([0-9-]+)`)
+	if matches := re.FindStringSubmatch(hostname); len(matches) > 1 {
+		candidate := strings.ReplaceAll(matches[1], "-", ".")
+		if net.ParseIP(candidate) != nil {
+			return candidate
+		}
+	}
+
+	return ""
+}