diff --git a/api/grpc/events/v1/security_violation.pb.go b/api/grpc/events/v1/security_violation.pb.go
new file mode 100644
index 0000000000..704c2ddd9e
--- /dev/null
+++ b/api/grpc/events/v1/security_violation.pb.go
@@ -0,0 +1,737 @@
+// Copyright (c) F5, Inc.
+//
+// This source code is licensed under the Apache License, Version 2.0 license found in the
+// LICENSE file in the root directory of this source tree.
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.36.11
+// 	protoc        (unknown)
+// source: events/v1/security_violation.proto
+
+package v1
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+	unsafe "unsafe"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// SecurityViolationEvent represents the structured NGINX App Protect security violation data
+type SecurityViolationEvent struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Name of the security policy
+	PolicyName string `protobuf:"bytes,1,opt,name=policy_name,json=policyName,proto3" json:"policy_name,omitempty"`
+	// Unique support ID for the violation
+	SupportId string `protobuf:"bytes,2,opt,name=support_id,json=supportId,proto3" json:"support_id,omitempty"`
+	// Outcome of the request (e.g., REJECTED, PASSED)
+	Outcome string `protobuf:"bytes,3,opt,name=outcome,proto3" json:"outcome,omitempty"`
+	// Reason for the outcome
+	OutcomeReason string `protobuf:"bytes,4,opt,name=outcome_reason,json=outcomeReason,proto3" json:"outcome_reason,omitempty"`
+	// Reason for blocking exception if applicable
+	BlockingExceptionReason string `protobuf:"bytes,5,opt,name=blocking_exception_reason,json=blockingExceptionReason,proto3" json:"blocking_exception_reason,omitempty"`
+	// HTTP method used
+	Method string `protobuf:"bytes,6,opt,name=method,proto3" json:"method,omitempty"`
+	// Protocol used (e.g., HTTP/1.1)
+	Protocol string `protobuf:"bytes,7,opt,name=protocol,proto3" json:"protocol,omitempty"`
+	// X-Forwarded-For header value
+	XffHeaderValue string `protobuf:"bytes,8,opt,name=xff_header_value,json=xffHeaderValue,proto3" json:"xff_header_value,omitempty"`
+	// Request URI
+	Uri string `protobuf:"bytes,9,opt,name=uri,proto3" json:"uri,omitempty"`
+	// Full request
+	Request string `protobuf:"bytes,10,opt,name=request,proto3" json:"request,omitempty"`
+	// Indicates if the request was truncated
+	IsTruncated string `protobuf:"bytes,11,opt,name=is_truncated,json=isTruncated,proto3" json:"is_truncated,omitempty"`
+	// Status of the request
+	RequestStatus string `protobuf:"bytes,12,opt,name=request_status,json=requestStatus,proto3" json:"request_status,omitempty"`
+	// HTTP response code
+	ResponseCode string `protobuf:"bytes,13,opt,name=response_code,json=responseCode,proto3" json:"response_code,omitempty"`
+	// Server address
+	ServerAddr string `protobuf:"bytes,14,opt,name=server_addr,json=serverAddr,proto3" json:"server_addr,omitempty"`
+	// Virtual server name
+	VsName string `protobuf:"bytes,15,opt,name=vs_name,json=vsName,proto3" json:"vs_name,omitempty"`
+	// Remote address of the client
+	RemoteAddr string `protobuf:"bytes,16,opt,name=remote_addr,json=remoteAddr,proto3" json:"remote_addr,omitempty"`
+	// Destination port
+	DestinationPort string `protobuf:"bytes,17,opt,name=destination_port,json=destinationPort,proto3" json:"destination_port,omitempty"`
+	// Server port
+	ServerPort string `protobuf:"bytes,18,opt,name=server_port,json=serverPort,proto3" json:"server_port,omitempty"`
+	// List of violations
+	Violations string `protobuf:"bytes,19,opt,name=violations,proto3" json:"violations,omitempty"`
+	// List of sub-violations
+	SubViolations string `protobuf:"bytes,20,opt,name=sub_violations,json=subViolations,proto3" json:"sub_violations,omitempty"`
+	// Violation rating
+	ViolationRating string `protobuf:"bytes,21,opt,name=violation_rating,json=violationRating,proto3" json:"violation_rating,omitempty"`
+	// Signature set names
+	SigSetNames string `protobuf:"bytes,22,opt,name=sig_set_names,json=sigSetNames,proto3" json:"sig_set_names,omitempty"`
+	// Signature CVEs
+	SigCves string `protobuf:"bytes,23,opt,name=sig_cves,json=sigCves,proto3" json:"sig_cves,omitempty"`
+	// Client class
+	ClientClass string `protobuf:"bytes,24,opt,name=client_class,json=clientClass,proto3" json:"client_class,omitempty"`
+	// Client application
+	ClientApplication string `protobuf:"bytes,25,opt,name=client_application,json=clientApplication,proto3" json:"client_application,omitempty"`
+	// Client application version
+	ClientApplicationVersion string `protobuf:"bytes,26,opt,name=client_application_version,json=clientApplicationVersion,proto3" json:"client_application_version,omitempty"`
+	// Severity of the violation
+	Severity string `protobuf:"bytes,27,opt,name=severity,proto3" json:"severity,omitempty"`
+	// Threat campaign names
+	ThreatCampaignNames string `protobuf:"bytes,28,opt,name=threat_campaign_names,json=threatCampaignNames,proto3" json:"threat_campaign_names,omitempty"`
+	// Bot anomalies detected
+	BotAnomalies string `protobuf:"bytes,29,opt,name=bot_anomalies,json=botAnomalies,proto3" json:"bot_anomalies,omitempty"`
+	// Bot category
+	BotCategory string `protobuf:"bytes,30,opt,name=bot_category,json=botCategory,proto3" json:"bot_category,omitempty"`
+	// Enforced bot anomalies
+	EnforcedBotAnomalies string `protobuf:"bytes,31,opt,name=enforced_bot_anomalies,json=enforcedBotAnomalies,proto3" json:"enforced_bot_anomalies,omitempty"`
+	// Bot signature name
+	BotSignatureName string `protobuf:"bytes,32,opt,name=bot_signature_name,json=botSignatureName,proto3" json:"bot_signature_name,omitempty"`
+	// System ID
+	SystemId string `protobuf:"bytes,33,opt,name=system_id,json=systemId,proto3" json:"system_id,omitempty"`
+	// Instance tags
+	InstanceTags string `protobuf:"bytes,34,opt,name=instance_tags,json=instanceTags,proto3" json:"instance_tags,omitempty"`
+	// Instance group
+	InstanceGroup string `protobuf:"bytes,35,opt,name=instance_group,json=instanceGroup,proto3" json:"instance_group,omitempty"`
+	// Parent hostname
+	ParentHostname string `protobuf:"bytes,36,opt,name=parent_hostname,json=parentHostname,proto3" json:"parent_hostname,omitempty"`
+	// Display name
+	DisplayName string `protobuf:"bytes,37,opt,name=display_name,json=displayName,proto3" json:"display_name,omitempty"`
+	// Detailed violation data
+	ViolationsData []*ViolationData `protobuf:"bytes,38,rep,name=violations_data,json=violationsData,proto3" json:"violations_data,omitempty"`
+	unknownFields  protoimpl.UnknownFields
+	sizeCache      protoimpl.SizeCache
+}
+
+func (x *SecurityViolationEvent) Reset() {
+	*x = SecurityViolationEvent{}
+	mi := &file_events_v1_security_violation_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SecurityViolationEvent) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SecurityViolationEvent) ProtoMessage() {}
+
+func (x *SecurityViolationEvent) ProtoReflect() protoreflect.Message {
+	mi := &file_events_v1_security_violation_proto_msgTypes[0]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SecurityViolationEvent.ProtoReflect.Descriptor instead.
+func (*SecurityViolationEvent) Descriptor() ([]byte, []int) {
+	return file_events_v1_security_violation_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *SecurityViolationEvent) GetPolicyName() string {
+	if x != nil {
+		return x.PolicyName
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetSupportId() string {
+	if x != nil {
+		return x.SupportId
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetOutcome() string {
+	if x != nil {
+		return x.Outcome
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetOutcomeReason() string {
+	if x != nil {
+		return x.OutcomeReason
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetBlockingExceptionReason() string {
+	if x != nil {
+		return x.BlockingExceptionReason
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetMethod() string {
+	if x != nil {
+		return x.Method
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetProtocol() string {
+	if x != nil {
+		return x.Protocol
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetXffHeaderValue() string {
+	if x != nil {
+		return x.XffHeaderValue
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetUri() string {
+	if x != nil {
+		return x.Uri
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetRequest() string {
+	if x != nil {
+		return x.Request
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetIsTruncated() string {
+	if x != nil {
+		return x.IsTruncated
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetRequestStatus() string {
+	if x != nil {
+		return x.RequestStatus
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetResponseCode() string {
+	if x != nil {
+		return x.ResponseCode
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetServerAddr() string {
+	if x != nil {
+		return x.ServerAddr
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetVsName() string {
+	if x != nil {
+		return x.VsName
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetRemoteAddr() string {
+	if x != nil {
+		return x.RemoteAddr
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetDestinationPort() string {
+	if x != nil {
+		return x.DestinationPort
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetServerPort() string {
+	if x != nil {
+		return x.ServerPort
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetViolations() string {
+	if x != nil {
+		return x.Violations
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetSubViolations() string {
+	if x != nil {
+		return x.SubViolations
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetViolationRating() string {
+	if x != nil {
+		return x.ViolationRating
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetSigSetNames() string {
+	if x != nil {
+		return x.SigSetNames
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetSigCves() string {
+	if x != nil {
+		return x.SigCves
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetClientClass() string {
+	if x != nil {
+		return x.ClientClass
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetClientApplication() string {
+	if x != nil {
+		return x.ClientApplication
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetClientApplicationVersion() string {
+	if x != nil {
+		return x.ClientApplicationVersion
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetSeverity() string {
+	if x != nil {
+		return x.Severity
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetThreatCampaignNames() string {
+	if x != nil {
+		return x.ThreatCampaignNames
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetBotAnomalies() string {
+	if x != nil {
+		return x.BotAnomalies
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetBotCategory() string {
+	if x != nil {
+		return x.BotCategory
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetEnforcedBotAnomalies() string {
+	if x != nil {
+		return x.EnforcedBotAnomalies
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetBotSignatureName() string {
+	if x != nil {
+		return x.BotSignatureName
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetSystemId() string {
+	if x != nil {
+		return x.SystemId
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetInstanceTags() string {
+	if x != nil {
+		return x.InstanceTags
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetInstanceGroup() string {
+	if x != nil {
+		return x.InstanceGroup
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetParentHostname() string {
+	if x != nil {
+		return x.ParentHostname
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetDisplayName() string {
+	if x != nil {
+		return x.DisplayName
+	}
+	return ""
+}
+
+func (x *SecurityViolationEvent) GetViolationsData() []*ViolationData {
+	if x != nil {
+		return x.ViolationsData
+	}
+	return nil
+}
+
+// ViolationData represents individual violation details
+type ViolationData struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Name of the violation
+	ViolationDataName string `protobuf:"bytes,1,opt,name=violation_data_name,json=violationDataName,proto3" json:"violation_data_name,omitempty"`
+	// Context of the violation
+	ViolationDataContext string `protobuf:"bytes,2,opt,name=violation_data_context,json=violationDataContext,proto3" json:"violation_data_context,omitempty"`
+	// Context data associated with the violation
+	ViolationDataContextData *ContextData `protobuf:"bytes,3,opt,name=violation_data_context_data,json=violationDataContextData,proto3" json:"violation_data_context_data,omitempty"`
+	// Signature data for the violation
+	ViolationDataSignatures []*SignatureData `protobuf:"bytes,4,rep,name=violation_data_signatures,json=violationDataSignatures,proto3" json:"violation_data_signatures,omitempty"`
+	unknownFields           protoimpl.UnknownFields
+	sizeCache               protoimpl.SizeCache
+}
+
+func (x *ViolationData) Reset() {
+	*x = ViolationData{}
+	mi := &file_events_v1_security_violation_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ViolationData) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ViolationData) ProtoMessage() {}
+
+func (x *ViolationData) ProtoReflect() protoreflect.Message {
+	mi := &file_events_v1_security_violation_proto_msgTypes[1]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ViolationData.ProtoReflect.Descriptor instead.
+func (*ViolationData) Descriptor() ([]byte, []int) {
+	return file_events_v1_security_violation_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *ViolationData) GetViolationDataName() string {
+	if x != nil {
+		return x.ViolationDataName
+	}
+	return ""
+}
+
+func (x *ViolationData) GetViolationDataContext() string {
+	if x != nil {
+		return x.ViolationDataContext
+	}
+	return ""
+}
+
+func (x *ViolationData) GetViolationDataContextData() *ContextData {
+	if x != nil {
+		return x.ViolationDataContextData
+	}
+	return nil
+}
+
+func (x *ViolationData) GetViolationDataSignatures() []*SignatureData {
+	if x != nil {
+		return x.ViolationDataSignatures
+	}
+	return nil
+}
+
+// SignatureData represents signature data contained within each violation
+type SignatureData struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Signature ID
+	SigDataId string `protobuf:"bytes,1,opt,name=sig_data_id,json=sigDataId,proto3" json:"sig_data_id,omitempty"`
+	// Blocking mask
+	SigDataBlockingMask string `protobuf:"bytes,2,opt,name=sig_data_blocking_mask,json=sigDataBlockingMask,proto3" json:"sig_data_blocking_mask,omitempty"`
+	// Buffer information
+	SigDataBuffer string `protobuf:"bytes,3,opt,name=sig_data_buffer,json=sigDataBuffer,proto3" json:"sig_data_buffer,omitempty"`
+	// Offset in the buffer
+	SigDataOffset string `protobuf:"bytes,4,opt,name=sig_data_offset,json=sigDataOffset,proto3" json:"sig_data_offset,omitempty"`
+	// Length of the signature match
+	SigDataLength string `protobuf:"bytes,5,opt,name=sig_data_length,json=sigDataLength,proto3" json:"sig_data_length,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *SignatureData) Reset() {
+	*x = SignatureData{}
+	mi := &file_events_v1_security_violation_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SignatureData) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignatureData) ProtoMessage() {}
+
+func (x *SignatureData) ProtoReflect() protoreflect.Message {
+	mi := &file_events_v1_security_violation_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignatureData.ProtoReflect.Descriptor instead.
+func (*SignatureData) Descriptor() ([]byte, []int) {
+	return file_events_v1_security_violation_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *SignatureData) GetSigDataId() string {
+	if x != nil {
+		return x.SigDataId
+	}
+	return ""
+}
+
+func (x *SignatureData) GetSigDataBlockingMask() string {
+	if x != nil {
+		return x.SigDataBlockingMask
+	}
+	return ""
+}
+
+func (x *SignatureData) GetSigDataBuffer() string {
+	if x != nil {
+		return x.SigDataBuffer
+	}
+	return ""
+}
+
+func (x *SignatureData) GetSigDataOffset() string {
+	if x != nil {
+		return x.SigDataOffset
+	}
+	return ""
+}
+
+func (x *SignatureData) GetSigDataLength() string {
+	if x != nil {
+		return x.SigDataLength
+	}
+	return ""
+}
+
+// ContextData represents the context data of the violation
+type ContextData struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Name of the context
+	ContextDataName string `protobuf:"bytes,1,opt,name=context_data_name,json=contextDataName,proto3" json:"context_data_name,omitempty"`
+	// Value of the context
+	ContextDataValue string `protobuf:"bytes,2,opt,name=context_data_value,json=contextDataValue,proto3" json:"context_data_value,omitempty"`
+	unknownFields    protoimpl.UnknownFields
+	sizeCache        protoimpl.SizeCache
+}
+
+func (x *ContextData) Reset() {
+	*x = ContextData{}
+	mi := &file_events_v1_security_violation_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ContextData) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ContextData) ProtoMessage() {}
+
+func (x *ContextData) ProtoReflect() protoreflect.Message {
+	mi := &file_events_v1_security_violation_proto_msgTypes[3]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ContextData.ProtoReflect.Descriptor instead.
+func (*ContextData) Descriptor() ([]byte, []int) {
+	return file_events_v1_security_violation_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *ContextData) GetContextDataName() string {
+	if x != nil {
+		return x.ContextDataName
+	}
+	return ""
+}
+
+func (x *ContextData) GetContextDataValue() string {
+	if x != nil {
+		return x.ContextDataValue
+	}
+	return ""
+}
+
+var File_events_v1_security_violation_proto protoreflect.FileDescriptor
+
+const file_events_v1_security_violation_proto_rawDesc = "" +
+	"\n" +
+	"\"events/v1/security_violation.proto\x12\tevents.v1\"\xaa\v\n" +
+	"\x16SecurityViolationEvent\x12\x1f\n" +
+	"\vpolicy_name\x18\x01 \x01(\tR\n" +
+	"policyName\x12\x1d\n" +
+	"\n" +
+	"support_id\x18\x02 \x01(\tR\tsupportId\x12\x18\n" +
+	"\aoutcome\x18\x03 \x01(\tR\aoutcome\x12%\n" +
+	"\x0eoutcome_reason\x18\x04 \x01(\tR\routcomeReason\x12:\n" +
+	"\x19blocking_exception_reason\x18\x05 \x01(\tR\x17blockingExceptionReason\x12\x16\n" +
+	"\x06method\x18\x06 \x01(\tR\x06method\x12\x1a\n" +
+	"\bprotocol\x18\a \x01(\tR\bprotocol\x12(\n" +
+	"\x10xff_header_value\x18\b \x01(\tR\x0exffHeaderValue\x12\x10\n" +
+	"\x03uri\x18\t \x01(\tR\x03uri\x12\x18\n" +
+	"\arequest\x18\n" +
+	" \x01(\tR\arequest\x12!\n" +
+	"\fis_truncated\x18\v \x01(\tR\visTruncated\x12%\n" +
+	"\x0erequest_status\x18\f \x01(\tR\rrequestStatus\x12#\n" +
+	"\rresponse_code\x18\r \x01(\tR\fresponseCode\x12\x1f\n" +
+	"\vserver_addr\x18\x0e \x01(\tR\n" +
+	"serverAddr\x12\x17\n" +
+	"\avs_name\x18\x0f \x01(\tR\x06vsName\x12\x1f\n" +
+	"\vremote_addr\x18\x10 \x01(\tR\n" +
+	"remoteAddr\x12)\n" +
+	"\x10destination_port\x18\x11 \x01(\tR\x0fdestinationPort\x12\x1f\n" +
+	"\vserver_port\x18\x12 \x01(\tR\n" +
+	"serverPort\x12\x1e\n" +
+	"\n" +
+	"violations\x18\x13 \x01(\tR\n" +
+	"violations\x12%\n" +
+	"\x0esub_violations\x18\x14 \x01(\tR\rsubViolations\x12)\n" +
+	"\x10violation_rating\x18\x15 \x01(\tR\x0fviolationRating\x12\"\n" +
+	"\rsig_set_names\x18\x16 \x01(\tR\vsigSetNames\x12\x19\n" +
+	"\bsig_cves\x18\x17 \x01(\tR\asigCves\x12!\n" +
+	"\fclient_class\x18\x18 \x01(\tR\vclientClass\x12-\n" +
+	"\x12client_application\x18\x19 \x01(\tR\x11clientApplication\x12<\n" +
+	"\x1aclient_application_version\x18\x1a \x01(\tR\x18clientApplicationVersion\x12\x1a\n" +
+	"\bseverity\x18\x1b \x01(\tR\bseverity\x122\n" +
+	"\x15threat_campaign_names\x18\x1c \x01(\tR\x13threatCampaignNames\x12#\n" +
+	"\rbot_anomalies\x18\x1d \x01(\tR\fbotAnomalies\x12!\n" +
+	"\fbot_category\x18\x1e \x01(\tR\vbotCategory\x124\n" +
+	"\x16enforced_bot_anomalies\x18\x1f \x01(\tR\x14enforcedBotAnomalies\x12,\n" +
+	"\x12bot_signature_name\x18  \x01(\tR\x10botSignatureName\x12\x1b\n" +
+	"\tsystem_id\x18! \x01(\tR\bsystemId\x12#\n" +
+	"\rinstance_tags\x18\" \x01(\tR\finstanceTags\x12%\n" +
+	"\x0einstance_group\x18# \x01(\tR\rinstanceGroup\x12'\n" +
+	"\x0fparent_hostname\x18$ \x01(\tR\x0eparentHostname\x12!\n" +
+	"\fdisplay_name\x18% \x01(\tR\vdisplayName\x12A\n" +
+	"\x0fviolations_data\x18& \x03(\v2\x18.events.v1.ViolationDataR\x0eviolationsData\"\xa2\x02\n" +
+	"\rViolationData\x12.\n" +
+	"\x13violation_data_name\x18\x01 \x01(\tR\x11violationDataName\x124\n" +
+	"\x16violation_data_context\x18\x02 \x01(\tR\x14violationDataContext\x12U\n" +
+	"\x1bviolation_data_context_data\x18\x03 \x01(\v2\x16.events.v1.ContextDataR\x18violationDataContextData\x12T\n" +
+	"\x19violation_data_signatures\x18\x04 \x03(\v2\x18.events.v1.SignatureDataR\x17violationDataSignatures\"\xdc\x01\n" +
+	"\rSignatureData\x12\x1e\n" +
+	"\vsig_data_id\x18\x01 \x01(\tR\tsigDataId\x123\n" +
+	"\x16sig_data_blocking_mask\x18\x02 \x01(\tR\x13sigDataBlockingMask\x12&\n" +
+	"\x0fsig_data_buffer\x18\x03 \x01(\tR\rsigDataBuffer\x12&\n" +
+	"\x0fsig_data_offset\x18\x04 \x01(\tR\rsigDataOffset\x12&\n" +
+	"\x0fsig_data_length\x18\x05 \x01(\tR\rsigDataLength\"g\n" +
+	"\vContextData\x12*\n" +
+	"\x11context_data_name\x18\x01 \x01(\tR\x0fcontextDataName\x12,\n" +
+	"\x12context_data_value\x18\x02 \x01(\tR\x10contextDataValueB\vZ\tevents/v1b\x06proto3"
+
+var (
+	file_events_v1_security_violation_proto_rawDescOnce sync.Once
+	file_events_v1_security_violation_proto_rawDescData []byte
+)
+
+func file_events_v1_security_violation_proto_rawDescGZIP() []byte {
+	file_events_v1_security_violation_proto_rawDescOnce.Do(func() {
+		file_events_v1_security_violation_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_events_v1_security_violation_proto_rawDesc), len(file_events_v1_security_violation_proto_rawDesc)))
+	})
+	return file_events_v1_security_violation_proto_rawDescData
+}
+
+var file_events_v1_security_violation_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
+var file_events_v1_security_violation_proto_goTypes = []any{
+	(*SecurityViolationEvent)(nil), // 0: events.v1.SecurityViolationEvent
+	(*ViolationData)(nil),          // 1: events.v1.ViolationData
+	(*SignatureData)(nil),          // 2: events.v1.SignatureData
+	(*ContextData)(nil),            // 3: events.v1.ContextData
+}
+var file_events_v1_security_violation_proto_depIdxs = []int32{
+	1, // 0: events.v1.SecurityViolationEvent.violations_data:type_name -> events.v1.ViolationData
+	3, // 1: events.v1.ViolationData.violation_data_context_data:type_name -> events.v1.ContextData
+	2, // 2: events.v1.ViolationData.violation_data_signatures:type_name -> events.v1.SignatureData
+	3, // [3:3] is the sub-list for method output_type
+	3, // [3:3] is the sub-list for method input_type
+	3, // [3:3] is the sub-list for extension type_name
+	3, // [3:3] is the sub-list for extension extendee
+	0, // [0:3] is the sub-list for field type_name
+}
+
+func init() { file_events_v1_security_violation_proto_init() }
+func file_events_v1_security_violation_proto_init() {
+	if File_events_v1_security_violation_proto != nil {
+		return
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_events_v1_security_violation_proto_rawDesc), len(file_events_v1_security_violation_proto_rawDesc)),
+			NumEnums:      0,
+			NumMessages:   4,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_events_v1_security_violation_proto_goTypes,
+		DependencyIndexes: file_events_v1_security_violation_proto_depIdxs,
+		MessageInfos:      file_events_v1_security_violation_proto_msgTypes,
+	}.Build()
+	File_events_v1_security_violation_proto = out.File
+	file_events_v1_security_violation_proto_goTypes = nil
+	file_events_v1_security_violation_proto_depIdxs = nil
+}
diff --git a/api/grpc/events/v1/security_violation.pb.validate.go b/api/grpc/events/v1/security_violation.pb.validate.go
new file mode 100644
index 0000000000..2b0a868bad
--- /dev/null
+++ b/api/grpc/events/v1/security_violation.pb.validate.go
@@ -0,0 +1,626 @@
+// Code generated by protoc-gen-validate. DO NOT EDIT.
+// source: events/v1/security_violation.proto
+
+package v1
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"net"
+	"net/mail"
+	"net/url"
+	"regexp"
+	"sort"
+	"strings"
+	"time"
+	"unicode/utf8"
+
+	"google.golang.org/protobuf/types/known/anypb"
+)
+
+// ensure the imports are used
+var (
+	_ = bytes.MinRead
+	_ = errors.New("")
+	_ = fmt.Print
+	_ = utf8.UTFMax
+	_ = (*regexp.Regexp)(nil)
+	_ = (*strings.Reader)(nil)
+	_ = net.IPv4len
+	_ = time.Duration(0)
+	_ = (*url.URL)(nil)
+	_ = (*mail.Address)(nil)
+	_ = anypb.Any{}
+	_ = sort.Sort
+)
+
+// Validate checks the field values on SecurityViolationEvent with the rules
+// defined in the proto definition for this message. If any rules are
+// violated, the first error encountered is returned, or nil if there are no violations.
+func (m *SecurityViolationEvent) Validate() error {
+	return m.validate(false)
+}
+
+// ValidateAll checks the field values on SecurityViolationEvent with the rules
+// defined in the proto definition for this message. If any rules are
+// violated, the result is a list of violation errors wrapped in
+// SecurityViolationEventMultiError, or nil if none found.
+func (m *SecurityViolationEvent) ValidateAll() error {
+	return m.validate(true)
+}
+
+func (m *SecurityViolationEvent) validate(all bool) error {
+	if m == nil {
+		return nil
+	}
+
+	var errors []error
+
+	// no validation rules for PolicyName
+
+	// no validation rules for SupportId
+
+	// no validation rules for Outcome
+
+	// no validation rules for OutcomeReason
+
+	// no validation rules for BlockingExceptionReason
+
+	// no validation rules for Method
+
+	// no validation rules for Protocol
+
+	// no validation rules for XffHeaderValue
+
+	// no validation rules for Uri
+
+	// no validation rules for Request
+
+	// no validation rules for IsTruncated
+
+	// no validation rules for RequestStatus
+
+	// no validation rules for ResponseCode
+
+	// no validation rules for ServerAddr
+
+	// no validation rules for VsName
+
+	// no validation rules for RemoteAddr
+
+	// no validation rules for DestinationPort
+
+	// no validation rules for ServerPort
+
+	// no validation rules for Violations
+
+	// no validation rules for SubViolations
+
+	// no validation rules for ViolationRating
+
+	// no validation rules for SigSetNames
+
+	// no validation rules for SigCves
+
+	// no validation rules for ClientClass
+
+	// no validation rules for ClientApplication
+
+	// no validation rules for ClientApplicationVersion
+
+	// no validation rules for Severity
+
+	// no validation rules for ThreatCampaignNames
+
+	// no validation rules for BotAnomalies
+
+	// no validation rules for BotCategory
+
+	// no validation rules for EnforcedBotAnomalies
+
+	// no validation rules for BotSignatureName
+
+	// no validation rules for SystemId
+
+	// no validation rules for InstanceTags
+
+	// no validation rules for InstanceGroup
+
+	// no validation rules for ParentHostname
+
+	// no validation rules for DisplayName
+
+	for idx, item := range m.GetViolationsData() {
+		_, _ = idx, item
+
+		if all {
+			switch v := interface{}(item).(type) {
+			case interface{ ValidateAll() error }:
+				if err := v.ValidateAll(); err != nil {
+					errors = append(errors, SecurityViolationEventValidationError{
+						field:  fmt.Sprintf("ViolationsData[%v]", idx),
+						reason: "embedded message failed validation",
+						cause:  err,
+					})
+				}
+			case interface{ Validate() error }:
+				if err := v.Validate(); err != nil {
+					errors = append(errors, SecurityViolationEventValidationError{
+						field:  fmt.Sprintf("ViolationsData[%v]", idx),
+						reason: "embedded message failed validation",
+						cause:  err,
+					})
+				}
+			}
+		} else if v, ok := interface{}(item).(interface{ Validate() error }); ok {
+			if err := v.Validate(); err != nil {
+				return SecurityViolationEventValidationError{
+					field:  fmt.Sprintf("ViolationsData[%v]", idx),
+					reason: "embedded message failed validation",
+					cause:  err,
+				}
+			}
+		}
+
+	}
+
+	if len(errors) > 0 {
+		return SecurityViolationEventMultiError(errors)
+	}
+
+	return nil
+}
+
+// SecurityViolationEventMultiError is an error wrapping multiple validation
+// errors returned by SecurityViolationEvent.ValidateAll() if the designated
+// constraints aren't met.
+type SecurityViolationEventMultiError []error
+
+// Error returns a concatenation of all the error messages it wraps.
+func (m SecurityViolationEventMultiError) Error() string {
+	msgs := make([]string, 0, len(m))
+	for _, err := range m {
+		msgs = append(msgs, err.Error())
+	}
+	return strings.Join(msgs, "; ")
+}
+
+// AllErrors returns a list of validation violation errors.
+func (m SecurityViolationEventMultiError) AllErrors() []error { return m }
+
+// SecurityViolationEventValidationError is the validation error returned by
+// SecurityViolationEvent.Validate if the designated constraints aren't met.
+type SecurityViolationEventValidationError struct {
+	field  string
+	reason string
+	cause  error
+	key    bool
+}
+
+// Field function returns field value.
+func (e SecurityViolationEventValidationError) Field() string { return e.field }
+
+// Reason function returns reason value.
+func (e SecurityViolationEventValidationError) Reason() string { return e.reason }
+
+// Cause function returns cause value.
+func (e SecurityViolationEventValidationError) Cause() error { return e.cause }
+
+// Key function returns key value.
+func (e SecurityViolationEventValidationError) Key() bool { return e.key }
+
+// ErrorName returns error name.
+func (e SecurityViolationEventValidationError) ErrorName() string {
+	return "SecurityViolationEventValidationError"
+}
+
+// Error satisfies the builtin error interface
+func (e SecurityViolationEventValidationError) Error() string {
+	cause := ""
+	if e.cause != nil {
+		cause = fmt.Sprintf(" | caused by: %v", e.cause)
+	}
+
+	key := ""
+	if e.key {
+		key = "key for "
+	}
+
+	return fmt.Sprintf(
+		"invalid %sSecurityViolationEvent.%s: %s%s",
+		key,
+		e.field,
+		e.reason,
+		cause)
+}
+
+var _ error = SecurityViolationEventValidationError{}
+
+var _ interface {
+	Field() string
+	Reason() string
+	Key() bool
+	Cause() error
+	ErrorName() string
+} = SecurityViolationEventValidationError{}
+
+// Validate checks the field values on ViolationData with the rules defined in
+// the proto definition for this message. If any rules are violated, the first
+// error encountered is returned, or nil if there are no violations.
+func (m *ViolationData) Validate() error {
+	return m.validate(false)
+}
+
+// ValidateAll checks the field values on ViolationData with the rules defined
+// in the proto definition for this message. If any rules are violated, the
+// result is a list of violation errors wrapped in ViolationDataMultiError, or
+// nil if none found.
+func (m *ViolationData) ValidateAll() error {
+	return m.validate(true)
+}
+
+func (m *ViolationData) validate(all bool) error {
+	if m == nil {
+		return nil
+	}
+
+	var errors []error
+
+	// no validation rules for ViolationDataName
+
+	// no validation rules for ViolationDataContext
+
+	if all {
+		switch v := interface{}(m.GetViolationDataContextData()).(type) {
+		case interface{ ValidateAll() error }:
+			if err := v.ValidateAll(); err != nil {
+				errors = append(errors, ViolationDataValidationError{
+					field:  "ViolationDataContextData",
+					reason: "embedded message failed validation",
+					cause:  err,
+				})
+			}
+		case interface{ Validate() error }:
+			if err := v.Validate(); err != nil {
+				errors = append(errors, ViolationDataValidationError{
+					field:  "ViolationDataContextData",
+					reason: "embedded message failed validation",
+					cause:  err,
+				})
+			}
+		}
+	} else if v, ok := interface{}(m.GetViolationDataContextData()).(interface{ Validate() error }); ok {
+		if err := v.Validate(); err != nil {
+			return ViolationDataValidationError{
+				field:  "ViolationDataContextData",
+				reason: "embedded message failed validation",
+				cause:  err,
+			}
+		}
+	}
+
+	for idx, item := range m.GetViolationDataSignatures() {
+		_, _ = idx, item
+
+		if all {
+			switch v := interface{}(item).(type) {
+			case interface{ ValidateAll() error }:
+				if err := v.ValidateAll(); err != nil {
+					errors = append(errors, ViolationDataValidationError{
+						field:  fmt.Sprintf("ViolationDataSignatures[%v]", idx),
+						reason: "embedded message failed validation",
+						cause:  err,
+					})
+				}
+			case interface{ Validate() error }:
+				if err := v.Validate(); err != nil {
+					errors = append(errors, ViolationDataValidationError{
+						field:  fmt.Sprintf("ViolationDataSignatures[%v]", idx),
+						reason: "embedded message failed validation",
+						cause:  err,
+					})
+				}
+			}
+		} else if v, ok := interface{}(item).(interface{ Validate() error }); ok {
+			if err := v.Validate(); err != nil {
+				return ViolationDataValidationError{
+					field:  fmt.Sprintf("ViolationDataSignatures[%v]", idx),
+					reason: "embedded message failed validation",
+					cause:  err,
+				}
+			}
+		}
+
+	}
+
+	if len(errors) > 0 {
+		return ViolationDataMultiError(errors)
+	}
+
+	return nil
+}
+
+// ViolationDataMultiError is an error wrapping multiple validation errors
+// returned by ViolationData.ValidateAll() if the designated constraints
+// aren't met.
+type ViolationDataMultiError []error
+
+// Error returns a concatenation of all the error messages it wraps.
+func (m ViolationDataMultiError) Error() string {
+	msgs := make([]string, 0, len(m))
+	for _, err := range m {
+		msgs = append(msgs, err.Error())
+	}
+	return strings.Join(msgs, "; ")
+}
+
+// AllErrors returns a list of validation violation errors.
+func (m ViolationDataMultiError) AllErrors() []error { return m }
+
+// ViolationDataValidationError is the validation error returned by
+// ViolationData.Validate if the designated constraints aren't met.
+type ViolationDataValidationError struct {
+	field  string
+	reason string
+	cause  error
+	key    bool
+}
+
+// Field function returns field value.
+func (e ViolationDataValidationError) Field() string { return e.field }
+
+// Reason function returns reason value.
+func (e ViolationDataValidationError) Reason() string { return e.reason }
+
+// Cause function returns cause value.
+func (e ViolationDataValidationError) Cause() error { return e.cause }
+
+// Key function returns key value.
+func (e ViolationDataValidationError) Key() bool { return e.key }
+
+// ErrorName returns error name.
+func (e ViolationDataValidationError) ErrorName() string { return "ViolationDataValidationError" }
+
+// Error satisfies the builtin error interface
+func (e ViolationDataValidationError) Error() string {
+	cause := ""
+	if e.cause != nil {
+		cause = fmt.Sprintf(" | caused by: %v", e.cause)
+	}
+
+	key := ""
+	if e.key {
+		key = "key for "
+	}
+
+	return fmt.Sprintf(
+		"invalid %sViolationData.%s: %s%s",
+		key,
+		e.field,
+		e.reason,
+		cause)
+}
+
+var _ error = ViolationDataValidationError{}
+
+var _ interface {
+	Field() string
+	Reason() string
+	Key() bool
+	Cause() error
+	ErrorName() string
+} = ViolationDataValidationError{}
+
+// Validate checks the field values on SignatureData with the rules defined in
+// the proto definition for this message. If any rules are violated, the first
+// error encountered is returned, or nil if there are no violations.
+func (m *SignatureData) Validate() error {
+	return m.validate(false)
+}
+
+// ValidateAll checks the field values on SignatureData with the rules defined
+// in the proto definition for this message. If any rules are violated, the
+// result is a list of violation errors wrapped in SignatureDataMultiError, or
+// nil if none found.
+func (m *SignatureData) ValidateAll() error {
+	return m.validate(true)
+}
+
+func (m *SignatureData) validate(all bool) error {
+	if m == nil {
+		return nil
+	}
+
+	var errors []error
+
+	// no validation rules for SigDataId
+
+	// no validation rules for SigDataBlockingMask
+
+	// no validation rules for SigDataBuffer
+
+	// no validation rules for SigDataOffset
+
+	// no validation rules for SigDataLength
+
+	if len(errors) > 0 {
+		return SignatureDataMultiError(errors)
+	}
+
+	return nil
+}
+
+// SignatureDataMultiError is an error wrapping multiple validation errors
+// returned by SignatureData.ValidateAll() if the designated constraints
+// aren't met.
+type SignatureDataMultiError []error
+
+// Error returns a concatenation of all the error messages it wraps.
+func (m SignatureDataMultiError) Error() string {
+	msgs := make([]string, 0, len(m))
+	for _, err := range m {
+		msgs = append(msgs, err.Error())
+	}
+	return strings.Join(msgs, "; ")
+}
+
+// AllErrors returns a list of validation violation errors.
+func (m SignatureDataMultiError) AllErrors() []error { return m }
+
+// SignatureDataValidationError is the validation error returned by
+// SignatureData.Validate if the designated constraints aren't met.
+type SignatureDataValidationError struct {
+	field  string
+	reason string
+	cause  error
+	key    bool
+}
+
+// Field function returns field value.
+func (e SignatureDataValidationError) Field() string { return e.field }
+
+// Reason function returns reason value.
+func (e SignatureDataValidationError) Reason() string { return e.reason }
+
+// Cause function returns cause value.
+func (e SignatureDataValidationError) Cause() error { return e.cause }
+
+// Key function returns key value.
+func (e SignatureDataValidationError) Key() bool { return e.key }
+
+// ErrorName returns error name.
+func (e SignatureDataValidationError) ErrorName() string { return "SignatureDataValidationError" }
+
+// Error satisfies the builtin error interface
+func (e SignatureDataValidationError) Error() string {
+	cause := ""
+	if e.cause != nil {
+		cause = fmt.Sprintf(" | caused by: %v", e.cause)
+	}
+
+	key := ""
+	if e.key {
+		key = "key for "
+	}
+
+	return fmt.Sprintf(
+		"invalid %sSignatureData.%s: %s%s",
+		key,
+		e.field,
+		e.reason,
+		cause)
+}
+
+var _ error = SignatureDataValidationError{}
+
+var _ interface {
+	Field() string
+	Reason() string
+	Key() bool
+	Cause() error
+	ErrorName() string
+} = SignatureDataValidationError{}
+
+// Validate checks the field values on ContextData with the rules defined in
+// the proto definition for this message. If any rules are violated, the first
+// error encountered is returned, or nil if there are no violations.
+func (m *ContextData) Validate() error {
+	return m.validate(false)
+}
+
+// ValidateAll checks the field values on ContextData with the rules defined in
+// the proto definition for this message. If any rules are violated, the
+// result is a list of violation errors wrapped in ContextDataMultiError, or
+// nil if none found.
+func (m *ContextData) ValidateAll() error {
+	return m.validate(true)
+}
+
+func (m *ContextData) validate(all bool) error {
+	if m == nil {
+		return nil
+	}
+
+	var errors []error
+
+	// no validation rules for ContextDataName
+
+	// no validation rules for ContextDataValue
+
+	if len(errors) > 0 {
+		return ContextDataMultiError(errors)
+	}
+
+	return nil
+}
+
+// ContextDataMultiError is an error wrapping multiple validation errors
+// returned by ContextData.ValidateAll() if the designated constraints aren't met.
+type ContextDataMultiError []error
+
+// Error returns a concatenation of all the error messages it wraps.
+func (m ContextDataMultiError) Error() string {
+	msgs := make([]string, 0, len(m))
+	for _, err := range m {
+		msgs = append(msgs, err.Error())
+	}
+	return strings.Join(msgs, "; ")
+}
+
+// AllErrors returns a list of validation violation errors.
+func (m ContextDataMultiError) AllErrors() []error { return m }
+
+// ContextDataValidationError is the validation error returned by
+// ContextData.Validate if the designated constraints aren't met.
+type ContextDataValidationError struct {
+	field  string
+	reason string
+	cause  error
+	key    bool
+}
+
+// Field function returns field value.
+func (e ContextDataValidationError) Field() string { return e.field }
+
+// Reason function returns reason value.
+func (e ContextDataValidationError) Reason() string { return e.reason }
+
+// Cause function returns cause value.
+func (e ContextDataValidationError) Cause() error { return e.cause }
+
+// Key function returns key value.
+func (e ContextDataValidationError) Key() bool { return e.key }
+
+// ErrorName returns error name.
+func (e ContextDataValidationError) ErrorName() string { return "ContextDataValidationError" }
+
+// Error satisfies the builtin error interface
+func (e ContextDataValidationError) Error() string {
+	cause := ""
+	if e.cause != nil {
+		cause = fmt.Sprintf(" | caused by: %v", e.cause)
+	}
+
+	key := ""
+	if e.key {
+		key = "key for "
+	}
+
+	return fmt.Sprintf(
+		"invalid %sContextData.%s: %s%s",
+		key,
+		e.field,
+		e.reason,
+		cause)
+}
+
+var _ error = ContextDataValidationError{}
+
+var _ interface {
+	Field() string
+	Reason() string
+	Key() bool
+	Cause() error
+	ErrorName() string
+} = ContextDataValidationError{}
diff --git a/api/grpc/events/v1/security_violation.proto b/api/grpc/events/v1/security_violation.proto
new file mode 100644
index 0000000000..674a0f1e4d
--- /dev/null
+++ b/api/grpc/events/v1/security_violation.proto
@@ -0,0 +1,122 @@
+// Copyright (c) F5, Inc.
+//
+// This source code is licensed under the Apache License, Version 2.0 license found in the
+// LICENSE file in the root directory of this source tree.
+syntax = "proto3";
+package events.v1;
+
+option go_package = "events/v1";
+
+// SecurityViolationEvent represents the structured NGINX App Protect security violation data
+message SecurityViolationEvent {
+    // Name of the security policy
+    string policy_name = 1;
+    // Unique support ID for the violation
+    string support_id = 2;
+    // Outcome of the request (e.g., REJECTED, PASSED)
+    string outcome = 3;
+    // Reason for the outcome
+    string outcome_reason = 4;
+    // Reason for blocking exception if applicable
+    string blocking_exception_reason = 5;
+    // HTTP method used
+    string method = 6;
+    // Protocol used (e.g., HTTP/1.1)
+    string protocol = 7;
+    // X-Forwarded-For header value
+    string xff_header_value = 8;
+    // Request URI
+    string uri = 9;
+    // Full request
+    string request = 10;
+    // Indicates if the request was truncated
+    string is_truncated = 11;
+    // Status of the request
+    string request_status = 12;
+    // HTTP response code
+    string response_code = 13;
+    // Server address
+    string server_addr = 14;
+    // Virtual server name
+    string vs_name = 15;
+    // Remote address of the client
+    string remote_addr = 16;
+    // Destination port
+    string destination_port = 17;
+    // Server port
+    string server_port = 18;
+    // List of violations
+    string violations = 19;
+    // List of sub-violations
+    string sub_violations = 20;
+    // Violation rating
+    string violation_rating = 21;
+    // Signature set names
+    string sig_set_names = 22;
+    // Signature CVEs
+    string sig_cves = 23;
+    // Client class
+    string client_class = 24;
+    // Client application
+    string client_application = 25;
+    // Client application version
+    string client_application_version = 26;
+    // Severity of the violation
+    string severity = 27;
+    // Threat campaign names
+    string threat_campaign_names = 28;
+    // Bot anomalies detected
+    string bot_anomalies = 29;
+    // Bot category
+    string bot_category = 30;
+    // Enforced bot anomalies
+    string enforced_bot_anomalies = 31;
+    // Bot signature name
+    string bot_signature_name = 32;
+    // System ID
+    string system_id = 33;
+    // Instance tags
+    string instance_tags = 34;
+    // Instance group
+    string instance_group = 35;
+    // Parent hostname
+    string parent_hostname = 36;
+    // Display name
+    string display_name = 37;
+    // Detailed violation data
+    repeated ViolationData violations_data = 38;
+}
+
+// ViolationData represents individual violation details
+message ViolationData {
+    // Name of the violation
+    string violation_data_name = 1;
+    // Context of the violation
+    string violation_data_context = 2;
+    // Context data associated with the violation
+    ContextData violation_data_context_data = 3;
+    // Signature data for the violation
+    repeated SignatureData violation_data_signatures = 4;
+}
+
+// SignatureData represents signature data contained within each violation
+message SignatureData {
+    // Signature ID
+    string sig_data_id = 1;
+    // Blocking mask
+    string sig_data_blocking_mask = 2;
+    // Buffer information
+    string sig_data_buffer = 3;
+    // Offset in the buffer
+    string sig_data_offset = 4;
+    // Length of the signature match
+    string sig_data_length = 5;
+}
+
+// ContextData represents the context data of the violation
+message ContextData {
+    // Name of the context
+    string context_data_name = 1;
+    // Value of the context
+    string context_data_value = 2;
+}
diff --git a/docs/proto/protos.md b/docs/proto/protos.md
index 18301abd50..1165ad1b9d 100644
--- a/docs/proto/protos.md
+++ b/docs/proto/protos.md
@@ -3,6 +3,12 @@
 
 ## Table of Contents
 
+- [events/v1/security_violation.proto](#events_v1_security_violation-proto)
+    - [ContextData](#events-v1-ContextData)
+    - [SecurityViolationEvent](#events-v1-SecurityViolationEvent)
+    - [SignatureData](#events-v1-SignatureData)
+    - [ViolationData](#events-v1-ViolationData)
+  
 - [mpi/v1/common.proto](#mpi_v1_common-proto)
     - [AuthSettings](#mpi-v1-AuthSettings)
     - [CommandResponse](#mpi-v1-CommandResponse)
@@ -95,6 +101,130 @@
 
 
 
+<a name="events_v1_security_violation-proto"></a>
+<p align="right"><a href="#top">Top</a></p>
+
+## events/v1/security_violation.proto
+Copyright (c) F5, Inc.
+
+This source code is licensed under the Apache License, Version 2.0 license found in the
+LICENSE file in the root directory of this source tree.
+
+
+<a name="events-v1-ContextData"></a>
+
+### ContextData
+ContextData represents the context data of the violation
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| context_data_name | [string](#string) |  | Name of the context |
+| context_data_value | [string](#string) |  | Value of the context |
+
+
+
+
+
+
+<a name="events-v1-SecurityViolationEvent"></a>
+
+### SecurityViolationEvent
+SecurityViolationEvent represents the structured NGINX App Protect security violation data
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| policy_name | [string](#string) |  | Name of the security policy |
+| support_id | [string](#string) |  | Unique support ID for the violation |
+| outcome | [string](#string) |  | Outcome of the request (e.g., REJECTED, PASSED) |
+| outcome_reason | [string](#string) |  | Reason for the outcome |
+| blocking_exception_reason | [string](#string) |  | Reason for blocking exception if applicable |
+| method | [string](#string) |  | HTTP method used |
+| protocol | [string](#string) |  | Protocol used (e.g., HTTP/1.1) |
+| xff_header_value | [string](#string) |  | X-Forwarded-For header value |
+| uri | [string](#string) |  | Request URI |
+| request | [string](#string) |  | Full request |
+| is_truncated | [string](#string) |  | Indicates if the request was truncated |
+| request_status | [string](#string) |  | Status of the request |
+| response_code | [string](#string) |  | HTTP response code |
+| server_addr | [string](#string) |  | Server address |
+| vs_name | [string](#string) |  | Virtual server name |
+| remote_addr | [string](#string) |  | Remote address of the client |
+| destination_port | [string](#string) |  | Destination port |
+| server_port | [string](#string) |  | Server port |
+| violations | [string](#string) |  | List of violations |
+| sub_violations | [string](#string) |  | List of sub-violations |
+| violation_rating | [string](#string) |  | Violation rating |
+| sig_set_names | [string](#string) |  | Signature set names |
+| sig_cves | [string](#string) |  | Signature CVEs |
+| client_class | [string](#string) |  | Client class |
+| client_application | [string](#string) |  | Client application |
+| client_application_version | [string](#string) |  | Client application version |
+| severity | [string](#string) |  | Severity of the violation |
+| threat_campaign_names | [string](#string) |  | Threat campaign names |
+| bot_anomalies | [string](#string) |  | Bot anomalies detected |
+| bot_category | [string](#string) |  | Bot category |
+| enforced_bot_anomalies | [string](#string) |  | Enforced bot anomalies |
+| bot_signature_name | [string](#string) |  | Bot signature name |
+| system_id | [string](#string) |  | System ID |
+| instance_tags | [string](#string) |  | Instance tags |
+| instance_group | [string](#string) |  | Instance group |
+| parent_hostname | [string](#string) |  | Parent hostname |
+| display_name | [string](#string) |  | Display name |
+| violations_data | [ViolationData](#events-v1-ViolationData) | repeated | Detailed violation data |
+
+
+
+
+
+
+<a name="events-v1-SignatureData"></a>
+
+### SignatureData
+SignatureData represents signature data contained within each violation
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| sig_data_id | [string](#string) |  | Signature ID |
+| sig_data_blocking_mask | [string](#string) |  | Blocking mask |
+| sig_data_buffer | [string](#string) |  | Buffer information |
+| sig_data_offset | [string](#string) |  | Offset in the buffer |
+| sig_data_length | [string](#string) |  | Length of the signature match |
+
+
+
+
+
+
+<a name="events-v1-ViolationData"></a>
+
+### ViolationData
+ViolationData represents individual violation details
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| violation_data_name | [string](#string) |  | Name of the violation |
+| violation_data_context | [string](#string) |  | Context of the violation |
+| violation_data_context_data | [ContextData](#events-v1-ContextData) |  | Context data associated with the violation |
+| violation_data_signatures | [SignatureData](#events-v1-SignatureData) | repeated | Signature data for the violation |
+
+
+
+
+
+ 
+
+ 
+
+ 
+
+ 
+
+
+
 <a name="mpi_v1_common-proto"></a>
 <p align="right"><a href="#top">Top</a></p>
 
diff --git a/internal/collector/securityviolationsprocessor/README.md b/internal/collector/securityviolationsprocessor/README.md
index 77a4d05801..8be5d67d33 100644
--- a/internal/collector/securityviolationsprocessor/README.md
+++ b/internal/collector/securityviolationsprocessor/README.md
@@ -1,5 +1,51 @@
-# SecurityViolations Processor
+# Security Violations Processor
 
-Internal component of the NGINX Agent that processes security violation syslog messages. Parses RFC3164 formatted syslog entries from log records and extracts structured attributes. Successfully parsed messages have their body replaced with the clean message content.
+OpenTelemetry Collector processor that transforms NGINX App Protect security violation syslog messages into structured protobuf events.
 
-Part of the NGINX Agent's log collection pipeline.
\ No newline at end of file
+## What It Does
+
+Processes NGINX App Protect WAF syslog messages and transforms them into `SecurityViolationEvent` protobuf messages:
+
+1. Parses RFC3164 syslog messages (best-effort mode)
+2. Extracts CSV formatted data from NAP `secops_dashboard` log profile
+3. Parses XML violation details with context extraction (parameter, header, cookie, uri, request)
+4. Extracts attack signature details
+5. Outputs structured protobuf events for downstream consumption
+
+## Implementation
+
+| File | Purpose |
+|------|---------|
+| [`processor.go`](processor.go) | Main processor implementation, RFC3164 parsing, orchestration |
+| [`csv_parser.go`](csv_parser.go) | CSV parsing and field mapping |
+| [`violations_parser.go`](violations_parser.go) | XML parsing, context extraction, signature parsing |
+| [`xml_structs.go`](xml_structs.go) | XML structure definitions (BADMSG, violation contexts) |
+| [`helpers.go`](helpers.go) | Utility functions |
+
+See individual files for implementation details. Protobuf schema defined in [`api/grpc/events/v1/security_violation.proto`](../../../api/grpc/events/v1/security_violation.proto).
+
+## Requirements
+
+- **Input**: NAP syslog messages with `secops_dashboard` log profile (33 CSV fields)
+- **Output**: `SecurityViolationEvent` protobuf messages
+
+## Testing
+
+```bash
+# Run all tests
+go test ./internal/collector/securityviolationsprocessor -v
+
+# Check coverage
+go test ./internal/collector/securityviolationsprocessor -coverprofile=coverage.out
+go tool cover -html=coverage.out
+```
+
+Test coverage: CSV parsing, XML parsing (5 violation contexts), encoding edge cases, error handling.
+
+## Error Handling
+
+Implements graceful degradation:
+- Malformed XML: Logs warning, continues processing
+- Base64 decode errors: Falls back to raw data
+- Missing fields: Uses empty strings
+- Context inference: Derives from violation names when not explicit
diff --git a/internal/collector/securityviolationsprocessor/csv_parser.go b/internal/collector/securityviolationsprocessor/csv_parser.go
new file mode 100644
index 0000000000..6b13a9a10b
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/csv_parser.go
@@ -0,0 +1,136 @@
+// Copyright (c) F5, Inc.
+//
+// This source code is licensed under the Apache License, Version 2.0 license found in the
+// LICENSE file in the root directory of this source tree.
+
+package securityviolationsprocessor
+
+import (
+	"strings"
+
+	events "github.com/nginx/agent/v3/api/grpc/events/v1"
+)
+
+// parseCSVLog parses comma-separated syslog messages where fields are in a
+// order : blocking_exception_reason,dest_port,ip_client,is_truncated_bool,method,policy_name,protocol,request_status,response_code,severity,sig_cves,sig_set_names,src_port,sub_violations,support_id,threat_campaign_names,violation_rating,vs_name,x_forwarded_for_header_value,outcome,outcome_reason,violations,violation_details,bot_signature_name,bot_category,bot_anomalies,enforced_bot_anomalies,client_class,client_application,client_application_version,transport_protocol,uri,request (secops_dashboard-log profile format).
+// versions when key-value logging isn't enabled.
+//
+//nolint:lll //long test string kept for log profile readability
+func (p *securityViolationsProcessor) parseCSVLog(message string) map[string]string {
+	fieldValueMap := make(map[string]string)
+
+	// Remove the "ASM:" prefix if present so we only process the values
+	message = strings.TrimPrefix(message, "ASM:")
+
+	fields := strings.Split(message, ",")
+
+	// Mapping of CSV field positions to their corresponding keys
+	fieldOrder := []string{
+		"blocking_exception_reason",
+		"dest_port",
+		"ip_client",
+		"is_truncated_bool",
+		"method",
+		"policy_name",
+		"protocol",
+		"request_status",
+		"response_code",
+		"severity",
+		"sig_cves",
+		"sig_set_names",
+		"src_port",
+		"sub_violations",
+		"support_id",
+		"threat_campaign_names",
+		"violation_rating",
+		"vs_name",
+		"x_forwarded_for_header_value",
+		"outcome",
+		"outcome_reason",
+		"violations",
+		"violation_details",
+		"bot_signature_name",
+		"bot_category",
+		"bot_anomalies",
+		"enforced_bot_anomalies",
+		"client_class",
+		"client_application",
+		"client_application_version",
+		"transport_protocol",
+		"uri",
+		"request",
+	}
+
+	for i, field := range fields {
+		if i >= len(fieldOrder) {
+			break
+		}
+		fieldValueMap[fieldOrder[i]] = strings.TrimSpace(field)
+	}
+
+	// combine multiple values separated by '::'
+	if combined, ok := fieldValueMap["sig_cves"]; ok {
+		parts := strings.SplitN(combined, "::", maxSplitParts)
+		fieldValueMap["sig_ids"] = parts[0]
+		if len(parts) > 1 {
+			fieldValueMap["sig_names"] = parts[1]
+		}
+	}
+
+	if combined, ok := fieldValueMap["sig_set_names"]; ok {
+		parts := strings.SplitN(combined, "::", maxSplitParts)
+		fieldValueMap["sig_set_names"] = parts[0]
+		if len(parts) > 1 {
+			fieldValueMap["sig_cves"] = parts[1]
+		}
+	}
+
+	return fieldValueMap
+}
+
+func (p *securityViolationsProcessor) mapKVToSecurityViolationEvent(log *events.SecurityViolationEvent,
+	kvMap map[string]string,
+) {
+	log.PolicyName = kvMap["policy_name"]
+	log.SupportId = kvMap["support_id"]
+	log.Outcome = kvMap["outcome"]
+	log.OutcomeReason = kvMap["outcome_reason"]
+	log.BlockingExceptionReason = kvMap["blocking_exception_reason"]
+	log.Method = kvMap["method"]
+	log.Protocol = kvMap["protocol"]
+	log.XffHeaderValue = kvMap["x_forwarded_for_header_value"]
+	log.Uri = kvMap["uri"]
+	log.Request = kvMap["request"]
+	log.IsTruncated = kvMap["is_truncated_bool"]
+	log.RequestStatus = kvMap["request_status"]
+	log.ResponseCode = kvMap["response_code"]
+	log.ServerAddr = kvMap["server_addr"]
+	log.VsName = kvMap["vs_name"]
+	log.RemoteAddr = kvMap["ip_client"]
+	log.DestinationPort = kvMap["dest_port"]
+	log.ServerPort = kvMap["src_port"]
+	log.Violations = kvMap["violations"]
+	log.SubViolations = kvMap["sub_violations"]
+	log.ViolationRating = kvMap["violation_rating"]
+	log.SigSetNames = kvMap["sig_set_names"]
+	log.SigCves = kvMap["sig_cves"]
+	log.ClientClass = kvMap["client_class"]
+	log.ClientApplication = kvMap["client_application"]
+	log.ClientApplicationVersion = kvMap["client_application_version"]
+	log.Severity = kvMap["severity"]
+	log.ThreatCampaignNames = kvMap["threat_campaign_names"]
+	log.BotAnomalies = kvMap["bot_anomalies"]
+	log.BotCategory = kvMap["bot_category"]
+	log.EnforcedBotAnomalies = kvMap["enforced_bot_anomalies"]
+	log.BotSignatureName = kvMap["bot_signature_name"]
+	log.InstanceTags = kvMap["instance_tags"]
+	log.InstanceGroup = kvMap["instance_group"]
+	log.DisplayName = kvMap["display_name"]
+
+	if log.GetRemoteAddr() == "" {
+		log.RemoteAddr = kvMap["remote_addr"]
+	}
+	if log.GetDestinationPort() == "" {
+		log.DestinationPort = kvMap["remote_port"]
+	}
+}
diff --git a/internal/collector/securityviolationsprocessor/helpers.go b/internal/collector/securityviolationsprocessor/helpers.go
new file mode 100644
index 0000000000..0cddefe25f
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/helpers.go
@@ -0,0 +1,69 @@
+// Copyright (c) F5, Inc.
+//
+// This source code is licensed under the Apache License, Version 2.0 license found in the
+// LICENSE file in the root directory of this source tree.
+
+package securityviolationsprocessor
+
+import (
+	"net"
+	"regexp"
+	"strings"
+
+	events "github.com/nginx/agent/v3/api/grpc/events/v1"
+)
+
+func splitAndTrim(value string) []string {
+	if strings.TrimSpace(value) == "" || value == notAvailable {
+		return nil
+	}
+
+	parts := strings.Split(value, ",")
+
+	var trimmedParts []string
+	for _, part := range parts {
+		trimmed := strings.TrimSpace(part)
+		if trimmed != "" {
+			trimmedParts = append(trimmedParts, trimmed)
+		}
+	}
+
+	return trimmedParts
+}
+
+func buildSignatures(ids, names []string, mask, offset, length string) []*events.SignatureData {
+	signatures := make([]*events.SignatureData, 0, len(ids))
+	for i, id := range ids {
+		if id == "" || id == notAvailable {
+			continue
+		}
+		signature := &events.SignatureData{
+			SigDataId:           id,
+			SigDataBlockingMask: mask,
+			SigDataOffset:       offset,
+			SigDataLength:       length,
+		}
+		if i < len(names) {
+			signature.SigDataBuffer = names[i]
+		}
+		signatures = append(signatures, signature)
+	}
+
+	return signatures
+}
+
+func extractIPFromHostname(hostname string) string {
+	if ip := net.ParseIP(hostname); ip != nil {
+		return ip.String()
+	}
+
+	re := regexp.MustCompile(`^ip-([0-9-]+)`)
+	if matches := re.FindStringSubmatch(hostname); len(matches) > 1 {
+		candidate := strings.ReplaceAll(matches[1], "-", ".")
+		if net.ParseIP(candidate) != nil {
+			return candidate
+		}
+	}
+
+	return ""
+}
diff --git a/internal/collector/securityviolationsprocessor/model.go b/internal/collector/securityviolationsprocessor/model.go
deleted file mode 100644
index 3ce92c8b8f..0000000000
--- a/internal/collector/securityviolationsprocessor/model.go
+++ /dev/null
@@ -1,70 +0,0 @@
-// Copyright (c) F5, Inc.
-//
-// This source code is licensed under the Apache License, Version 2.0 license found in the
-// LICENSE file in the root directory of this source tree.
-
-package securityviolationsprocessor
-
-// SecurityViolationEvent represents the structured NGINX App Protect security violation data
-type SecurityViolationEvent struct {
-	PolicyName               string          `json:"policy_name"`
-	SupportID                string          `json:"support_id"`
-	Outcome                  string          `json:"outcome"`
-	OutcomeReason            string          `json:"outcome_reason"`
-	BlockingExceptionReason  string          `json:"blocking_exception_reason"`
-	Method                   string          `json:"method"`
-	Protocol                 string          `json:"protocol"`
-	XForwardedForHeaderValue string          `json:"xff_header_value"`
-	URI                      string          `json:"uri"`
-	Request                  string          `json:"request"`
-	IsTruncated              string          `json:"is_truncated"`
-	RequestStatus            string          `json:"request_status"`
-	ResponseCode             string          `json:"response_code"`
-	ServerAddr               string          `json:"server_addr"`
-	VSName                   string          `json:"vs_name"`
-	RemoteAddr               string          `json:"remote_addr"`
-	RemotePort               string          `json:"destination_port"`
-	ServerPort               string          `json:"server_port"`
-	Violations               string          `json:"violations"`
-	SubViolations            string          `json:"sub_violations"`
-	ViolationRating          string          `json:"violation_rating"`
-	SigSetNames              string          `json:"sig_set_names"`
-	SigCVEs                  string          `json:"sig_cves"`
-	ClientClass              string          `json:"client_class"`
-	ClientApplication        string          `json:"client_application"`
-	ClientApplicationVersion string          `json:"client_application_version"`
-	Severity                 string          `json:"severity"`
-	ThreatCampaignNames      string          `json:"threat_campaign_names"`
-	BotAnomalies             string          `json:"bot_anomalies"`
-	BotCategory              string          `json:"bot_category"`
-	EnforcedBotAnomalies     string          `json:"enforced_bot_anomalies"`
-	BotSignatureName         string          `json:"bot_signature_name"`
-	SystemID                 string          `json:"system_id"`
-	InstanceTags             string          `json:"instance_tags"`
-	InstanceGroup            string          `json:"instance_group"`
-	ParentHostname           string          `json:"parent_hostname"`
-	DisplayName              string          `json:"display_name"`
-	ViolationsData           []ViolationData `json:"violations_data"`
-}
-
-type ViolationData struct {
-	Name        string          `json:"violation_data_name"`
-	Context     string          `json:"violation_data_context"`
-	ContextData ContextData     `json:"violation_data_context_data"`
-	Signatures  []SignatureData `json:"violation_data_signatures"`
-}
-
-// SignatureData represents signature data contained within each violation
-type SignatureData struct {
-	ID           string `json:"sig_data_id"`
-	BlockingMask string `json:"sig_data_blocking_mask"`
-	Buffer       string `json:"sig_data_buffer"`
-	Offset       string `json:"sig_data_offset"`
-	Length       string `json:"sig_data_length"`
-}
-
-// ContextData represents the context data of the violation
-type ContextData struct {
-	Name  string `json:"context_data_name"`
-	Value string `json:"context_data_value"`
-}
diff --git a/internal/collector/securityviolationsprocessor/processor.go b/internal/collector/securityviolationsprocessor/processor.go
index a4dbdaedfa..03c5be6e2d 100644
--- a/internal/collector/securityviolationsprocessor/processor.go
+++ b/internal/collector/securityviolationsprocessor/processor.go
@@ -10,13 +10,11 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"net"
-	"regexp"
-	"strings"
 	"time"
 
 	syslog "github.com/leodido/go-syslog/v4"
 	"github.com/leodido/go-syslog/v4/rfc3164"
+	events "github.com/nginx/agent/v3/api/grpc/events/v1"
 	"go.opentelemetry.io/collector/component"
 	"go.opentelemetry.io/collector/consumer"
 	"go.opentelemetry.io/collector/pdata/pcommon"
@@ -165,16 +163,18 @@ func (p *securityViolationsProcessor) processAppProtectMessage(lr plog.LogRecord
 
 	lr.Body().SetStr(string(jsonData))
 	attrs := lr.Attributes()
-	attrs.PutStr("app_protect.policy_name", appProtectLog.PolicyName)
-	attrs.PutStr("app_protect.support_id", appProtectLog.SupportID)
-	attrs.PutStr("app_protect.outcome", appProtectLog.Outcome)
-	attrs.PutStr("app_protect.remote_addr", appProtectLog.RemoteAddr)
+	attrs.PutStr("app_protect.policy_name", appProtectLog.GetPolicyName())
+	attrs.PutStr("app_protect.support_id", appProtectLog.GetSupportId())
+	attrs.PutStr("app_protect.outcome", appProtectLog.GetOutcome())
+	attrs.PutStr("app_protect.remote_addr", appProtectLog.GetRemoteAddr())
 
 	return nil
 }
 
-func (p *securityViolationsProcessor) parseAppProtectLog(message string, hostname *string) *SecurityViolationEvent {
-	log := &SecurityViolationEvent{}
+func (p *securityViolationsProcessor) parseAppProtectLog(
+	message string, hostname *string,
+) *events.SecurityViolationEvent {
+	log := &events.SecurityViolationEvent{}
 
 	p.assignHostnames(log, hostname)
 
@@ -182,7 +182,7 @@ func (p *securityViolationsProcessor) parseAppProtectLog(message string, hostnam
 
 	p.mapKVToSecurityViolationEvent(log, kvMap)
 
-	if log.ServerAddr == "" && hostname != nil {
+	if log.GetServerAddr() == "" && hostname != nil {
 		if ip := extractIPFromHostname(*hostname); ip != "" {
 			log.ServerAddr = ip
 		}
@@ -194,279 +194,16 @@ func (p *securityViolationsProcessor) parseAppProtectLog(message string, hostnam
 	return log
 }
 
-func (p *securityViolationsProcessor) assignHostnames(log *SecurityViolationEvent, hostname *string) {
+func (p *securityViolationsProcessor) assignHostnames(log *events.SecurityViolationEvent, hostname *string) {
 	if hostname == nil {
 		return
 	}
-	log.SystemID = *hostname
+	log.SystemId = *hostname
 	log.ParentHostname = *hostname
 
-	if log.ServerAddr == "" {
+	if log.GetServerAddr() == "" {
 		if ip := extractIPFromHostname(*hostname); ip != "" {
 			log.ServerAddr = ip
 		}
 	}
 }
-
-// parseCSVLog parses comma-separated syslog messages where fields are in a
-// order : blocking_exception_reason,dest_port,ip_client,is_truncated_bool,method,policy_name,protocol,request_status,response_code,severity,sig_cves,sig_set_names,src_port,sub_violations,support_id,threat_campaign_names,violation_rating,vs_name,x_forwarded_for_header_value,outcome,outcome_reason,violations,violation_details,bot_signature_name,bot_category,bot_anomalies,enforced_bot_anomalies,client_class,client_application,client_application_version,transport_protocol,uri,request (secops_dashboard-log profile format).
-// versions when key-value logging isn't enabled.
-//
-//nolint:lll //long test string kept for log profile readability
-func (p *securityViolationsProcessor) parseCSVLog(message string) map[string]string {
-	fieldValueMap := make(map[string]string)
-
-	// Remove the "ASM:" prefix if present so we only process the values
-	if idx := strings.Index(message, ":"); idx >= 0 {
-		message = message[idx+1:]
-	}
-
-	fields := strings.Split(message, ",")
-
-	// Mapping of CSV field positions to their corresponding keys
-	fieldOrder := []string{
-		"blocking_exception_reason",
-		"dest_port",
-		"ip_client",
-		"is_truncated_bool",
-		"method",
-		"policy_name",
-		"protocol",
-		"request_status",
-		"response_code",
-		"severity",
-		"sig_cves",
-		"sig_set_names",
-		"src_port",
-		"sub_violations",
-		"support_id",
-		"threat_campaign_names",
-		"violation_rating",
-		"vs_name",
-		"x_forwarded_for_header_value",
-		"outcome",
-		"outcome_reason",
-		"violations",
-		"violation_details",
-		"bot_signature_name",
-		"bot_category",
-		"bot_anomalies",
-		"enforced_bot_anomalies",
-		"client_class",
-		"client_application",
-		"client_application_version",
-		"transport_protocol",
-		"uri",
-		"request",
-	}
-
-	for i, field := range fields {
-		if i >= len(fieldOrder) {
-			break
-		}
-		fieldValueMap[fieldOrder[i]] = strings.TrimSpace(field)
-	}
-
-	// combine multiple values separated by '::'
-	if combined, ok := fieldValueMap["sig_cves"]; ok {
-		parts := strings.SplitN(combined, "::", maxSplitParts)
-		fieldValueMap["sig_ids"] = parts[0]
-		if len(parts) > 1 {
-			fieldValueMap["sig_names"] = parts[1]
-		}
-	}
-
-	if combined, ok := fieldValueMap["sig_set_names"]; ok {
-		parts := strings.SplitN(combined, "::", maxSplitParts)
-		fieldValueMap["sig_set_names"] = parts[0]
-		if len(parts) > 1 {
-			fieldValueMap["sig_cves"] = parts[1]
-		}
-	}
-
-	return fieldValueMap
-}
-
-func (p *securityViolationsProcessor) mapKVToSecurityViolationEvent(log *SecurityViolationEvent,
-	kvMap map[string]string,
-) {
-	log.PolicyName = kvMap["policy_name"]
-	log.SupportID = kvMap["support_id"]
-	log.Outcome = kvMap["outcome"]
-	log.OutcomeReason = kvMap["outcome_reason"]
-	log.BlockingExceptionReason = kvMap["blocking_exception_reason"]
-	log.Method = kvMap["method"]
-	log.Protocol = kvMap["protocol"]
-	log.XForwardedForHeaderValue = kvMap["x_forwarded_for_header_value"]
-	log.URI = kvMap["uri"]
-	log.Request = kvMap["request"]
-	log.IsTruncated = kvMap["is_truncated_bool"]
-	log.RequestStatus = kvMap["request_status"]
-	log.ResponseCode = kvMap["response_code"]
-	log.ServerAddr = kvMap["server_addr"]
-	log.VSName = kvMap["vs_name"]
-	log.RemoteAddr = kvMap["ip_client"]
-	log.RemotePort = kvMap["dest_port"]
-	log.ServerPort = kvMap["src_port"]
-	log.Violations = kvMap["violations"]
-	log.SubViolations = kvMap["sub_violations"]
-	log.ViolationRating = kvMap["violation_rating"]
-	log.SigSetNames = kvMap["sig_set_names"]
-	log.SigCVEs = kvMap["sig_cves"]
-	log.ClientClass = kvMap["client_class"]
-	log.ClientApplication = kvMap["client_application"]
-	log.ClientApplicationVersion = kvMap["client_application_version"]
-	log.Severity = kvMap["severity"]
-	log.ThreatCampaignNames = kvMap["threat_campaign_names"]
-	log.BotAnomalies = kvMap["bot_anomalies"]
-	log.BotCategory = kvMap["bot_category"]
-	log.EnforcedBotAnomalies = kvMap["enforced_bot_anomalies"]
-	log.BotSignatureName = kvMap["bot_signature_name"]
-	log.InstanceTags = kvMap["instance_tags"]
-	log.InstanceGroup = kvMap["instance_group"]
-	log.DisplayName = kvMap["display_name"]
-
-	if log.RemoteAddr == "" {
-		log.RemoteAddr = kvMap["remote_addr"]
-	}
-	if log.RemotePort == "" {
-		log.RemotePort = kvMap["remote_port"]
-	}
-}
-
-// parseViolationsData extracts violation data from the syslog key-value map
-func (p *securityViolationsProcessor) parseViolationsData(kvMap map[string]string) []ViolationData {
-	var violationsData []ViolationData
-
-	// Extract violation name from violation_details XML - this is the only source
-	violationName := ""
-	if violationDetails := kvMap["violation_details"]; violationDetails != "" {
-		violNameRegex := regexp.MustCompile(`<viol_name>([^<]+)</viol_name>`)
-		if matches := violNameRegex.FindStringSubmatch(violationDetails); len(matches) > 1 {
-			violationName = matches[1]
-		}
-	}
-
-	// Create violation data if we have violation information
-	if violationName != "" || kvMap["violations"] != "" {
-		signatures := p.extractSignatureData(kvMap)
-		if signatures == nil {
-			signatures = []SignatureData{}
-		}
-
-		violationData := ViolationData{
-			Name:        violationName,
-			Context:     p.extractViolationContext(kvMap),
-			ContextData: p.extractContextData(kvMap),
-			Signatures:  signatures,
-		}
-		violationsData = append(violationsData, violationData)
-	}
-
-	return violationsData
-}
-
-// extractViolationContext extracts the violation context from syslog data
-func (p *securityViolationsProcessor) extractViolationContext(kvMap map[string]string) string {
-	if uri := kvMap["uri"]; uri != "" {
-		return uri
-	}
-	if method := kvMap["method"]; method != "" {
-		return method
-	}
-
-	return ""
-}
-
-// extractContextData extracts context data from syslog
-func (p *securityViolationsProcessor) extractContextData(kvMap map[string]string) ContextData {
-	contextData := ContextData{}
-
-	if paramName := kvMap["parameter_name"]; paramName != "" {
-		contextData.Name = paramName
-		contextData.Value = kvMap["parameter_value"]
-	} else if uri := kvMap["uri"]; uri != "" {
-		// Use URI as context if no specific parameter data
-		contextData.Name = "uri"
-		contextData.Value = uri
-	} else if request := kvMap["request"]; request != "" {
-		// Use request as context if no URI
-		contextData.Name = "request"
-		contextData.Value = request
-	}
-
-	return contextData
-}
-
-// extractSignatureData extracts signature data from syslog
-func (p *securityViolationsProcessor) extractSignatureData(kvMap map[string]string) []SignatureData {
-	sigIDs := kvMap["sig_ids"]
-	sigNames := kvMap["sig_names"]
-	blockingMask := kvMap["blocking_mask"]
-	sigOffset := kvMap["sig_offset"]
-	sigLength := kvMap["sig_length"]
-
-	if sigIDs == "" || sigIDs == notAvailable {
-		return []SignatureData{}
-	}
-
-	ids := splitAndTrim(sigIDs)
-	names := splitAndTrim(sigNames)
-
-	return buildSignatures(ids, names, blockingMask, sigOffset, sigLength)
-}
-
-func splitAndTrim(value string) []string {
-	if strings.TrimSpace(value) == "" || value == notAvailable {
-		return nil
-	}
-
-	parts := strings.Split(value, ",")
-
-	var trimmedParts []string
-	for _, part := range parts {
-		trimmed := strings.TrimSpace(part)
-		if trimmed != "" {
-			trimmedParts = append(trimmedParts, trimmed)
-		}
-	}
-
-	return trimmedParts
-}
-
-func buildSignatures(ids, names []string, mask, offset, length string) []SignatureData {
-	signatures := make([]SignatureData, 0, len(ids))
-	for i, id := range ids {
-		if id == "" || id == notAvailable {
-			continue
-		}
-		signature := SignatureData{
-			ID:           id,
-			BlockingMask: mask,
-			Offset:       offset,
-			Length:       length,
-		}
-		if i < len(names) {
-			signature.Buffer = names[i]
-		}
-		signatures = append(signatures, signature)
-	}
-
-	return signatures
-}
-
-func extractIPFromHostname(hostname string) string {
-	if ip := net.ParseIP(hostname); ip != nil {
-		return ip.String()
-	}
-
-	re := regexp.MustCompile(`^ip-([0-9-]+)`)
-	if matches := re.FindStringSubmatch(hostname); len(matches) > 1 {
-		candidate := strings.ReplaceAll(matches[1], "-", ".")
-		if net.ParseIP(candidate) != nil {
-			return candidate
-		}
-	}
-
-	return ""
-}
diff --git a/internal/collector/securityviolationsprocessor/processor_test.go b/internal/collector/securityviolationsprocessor/processor_test.go
index 13802fb2f6..7eea137ae4 100644
--- a/internal/collector/securityviolationsprocessor/processor_test.go
+++ b/internal/collector/securityviolationsprocessor/processor_test.go
@@ -8,9 +8,12 @@ package securityviolationsprocessor
 import (
 	"context"
 	"encoding/json"
+	"os"
+	"path/filepath"
 	"testing"
 
 	"github.com/leodido/go-syslog/v4/rfc3164"
+	events "github.com/nginx/agent/v3/api/grpc/events/v1"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.opentelemetry.io/collector/consumer/consumertest"
@@ -19,11 +22,40 @@ import (
 	"go.uber.org/zap"
 )
 
-//nolint:lll,revive // long test string kept for readability
+// loadTestData loads test data from testdata folder and wraps it in syslog format
+func loadTestData(t *testing.T, filename string) string {
+	t.Helper()
+	data := loadRawTestData(t, filename)
+	// Wrap in syslog format
+	return "<130>Aug 22 03:28:35 ip-172-16-0-213 ASM:" + data
+}
+
+func loadRawTestData(t *testing.T, filename string) string {
+	t.Helper()
+	data, err := os.ReadFile(filepath.Join("testdata", filename))
+	require.NoError(t, err, "Failed to read test data file: %s", filename)
+
+	return string(data)
+}
+
+// unmarshalEvent is a helper that extracts and unmarshals the security violation event from a log record
+func unmarshalEvent(t *testing.T, lrOut plog.LogRecord) *events.SecurityViolationEvent {
+	t.Helper()
+	processedBody := lrOut.Body().Str()
+
+	var actualEvent events.SecurityViolationEvent
+	jsonErr := json.Unmarshal([]byte(processedBody), &actualEvent)
+	require.NoError(t, jsonErr, "Failed to unmarshal processed log body as SecurityViolationEvent")
+
+	return &actualEvent
+}
+
+//nolint:lll,revive,maintidx // long test string kept for readability, table-driven test with many cases
 func TestSecurityViolationsProcessor(t *testing.T) {
 	testCases := []struct {
 		expectAttrs   map[string]string
 		body          any
+		assertFunc    func(*testing.T, plog.LogRecord)
 		name          string
 		expectJSON    string
 		expectRecords int
@@ -31,7 +63,7 @@ func TestSecurityViolationsProcessor(t *testing.T) {
 	}{
 		{
 			name: "Test 1: CSV NGINX App Protect syslog message",
-			body: `<130>Aug 22 03:28:35 ip-172-16-0-213 ASM:N/A,80,127.0.0.1,false,GET,nms_app_protect_default_policy,HTTP,blocked,0,N/A,N/A::N/A,{High Accuracy Signatures;Cross Site Scripting Signatures}::{High Accuracy Signatures; Cross Site Scripting Signatures},56064,N/A,5377540117854870581,N/A,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,Illegal meta character in URL::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>414000000200c00-3a03030c30000072-8000000000000000-0</block><alarm>475f0ffcbbd0fea-befbf35cb000007e-f400000000000000-0</alarm><learn>0-0-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name><context>url</context><sig_data><sig_id>200000099</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>Lzw+PHNjcmlwdD4=</buffer><offset>3</offset><length>7</length></kw_data></sig_data><sig_data><sig_id>200000093</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>Lzw+PHNjcmlwdD4=</buffer><offset>4</offset><length>7</length></kw_data></sig_data></violation><violation><viol_index>26</viol_index><viol_name>VIOL_URL_METACHAR</viol_name><uri>Lzw+PHNjcmlwdD4=</uri><metachar_index>60</metachar_index><wildcard_entity>*</wildcard_entity><staging>0</staging></violation><violation><viol_index>26</viol_index><viol_name>VIOL_URL_METACHAR</viol_name><uri>Lzw+PHNjcmlwdD4=</uri><metachar_index>62</metachar_index><wildcard_entity>*</wildcard_entity><staging>0</staging></violation><violation><viol_index>122</viol_index><viol_name>VIOL_BOT_CLIENT</viol_name></violation><violation><viol_index>93</viol_index><viol_name>VIOL_RATING_THREAT</viol_name></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/<><script>,GET /<><script> HTTP/1.1\\r\\nHost: localhost\\r\\nUser-Agent: curl/7.81.0\\r\\nAccept: */*\\r\\n\\r\\n`,
+			body: loadTestData(t, "csv_url_violations_bot_client.log.txt"),
 			expectAttrs: map[string]string{
 				"app_protect.policy_name": "nms_app_protect_default_policy",
 				"app_protect.support_id":  "5377540117854870581",
@@ -39,25 +71,282 @@ func TestSecurityViolationsProcessor(t *testing.T) {
 				"app_protect.remote_addr": "127.0.0.1",
 			},
 			expectRecords: 1,
+			assertFunc:    assertTest1Event,
 		},
 		{
-			name: "Test 2: Simple valid syslog message",
-			body: "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
+			name: "Test 2: CSV NGINX App Protect with signatures",
+			body: loadTestData(t, "csv_sql_injection_parameter_signatures.log.txt"),
 			expectAttrs: map[string]string{
-				"syslog.facility": "auth",
+				"app_protect.policy_name": "security_policy_01",
+				"app_protect.support_id":  "9876543210123456789",
+				"app_protect.outcome":     "REJECTED",
+				"app_protect.remote_addr": "10.0.1.50",
 			},
 			expectRecords: 1,
+			assertFunc:    assertTest2Event,
+		},
+		{
+			name:          "Test 3: Simple valid syslog message (non-App Protect)",
+			body:          loadRawTestData(t, "syslog_non_app_protect.log.txt"),
+			expectRecords: 1, // Processed successfully even though not App Protect format
 		},
 		{
-			name:          "Test 3: Unsupported body type",
+			name:          "Test 4: Unsupported body type",
 			body:          12345,
 			expectRecords: 0,
 		},
 		{
-			name:          "Test 4: Invalid syslog message",
-			body:          "not a syslog line",
+			name:          "Test 5: Invalid syslog message",
+			body:          loadRawTestData(t, "invalid_syslog_plain_text.log.txt"),
 			expectRecords: 0,
-			expectError:   true,
+			expectError:   true, // Error returned for invalid syslog
+		},
+		{
+			name: "Test 6: Violation name parsing - VIOL_ASM_COOKIE_MODIFIED with cookie_name",
+			body: loadTestData(t, "xml_violation_name.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "4355056874564592519",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest6Event,
+		},
+		{
+			name: "Test 7: Parameter data parsing with empty value_error",
+			body: loadTestData(t, "xml_parameter_data_empty_context.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "4355056874564592517",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest7Event,
+		},
+		{
+			name: "Test 8: Header metachar with base64 text",
+			body: loadTestData(t, "xml_header_text.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "3255056874564592516",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest8Event,
+		},
+		{
+			name: "Test 9: Cookie length violation",
+			body: loadTestData(t, "xml_cookie_length.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "3255056874564592514",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest9Event,
+		},
+		{
+			name: "Test 10: Header length violation",
+			body: loadTestData(t, "xml_header_length.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "3255056874564592515",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest10Event,
+		},
+		{
+			name: "Test 11: URL context with HeaderData",
+			body: loadTestData(t, "xml_url_header_data.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "3255056874564592517",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest11Event,
+		},
+		{
+			name: "Test 12: Parameter value and name metachar violations",
+			body: loadTestData(t, "xml_violation_parameter_data.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "4355056874564592511",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest12Event,
+		},
+		{
+			name: "Test 13: Request context violations (max length)",
+			body: loadTestData(t, "xml_request_max_length.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "4355056874564592512",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest13Event,
+		},
+		{
+			name: "Test 14: URL metachar and length violations",
+			body: loadTestData(t, "xml_url_metachar_length.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "4355056874564592513",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest14Event,
+		},
+		{
+			name: "Test 15: Parameter data parsing with signature",
+			body: loadTestData(t, "xml_parameter_data.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "4355056874564592515",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest15Event,
+		},
+		{
+			name: "Test 16: Header data parsing with signature",
+			body: loadTestData(t, "xml_header_data.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "4355056874564592514",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest16Event,
+		},
+		{
+			name: "Test 17: Signature data with multiple signatures in request",
+			body: loadTestData(t, "xml_signature_data.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "4355056874564592518",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest17Event,
+		},
+		{
+			name: "Test 18: Cookie malformed violation",
+			body: loadTestData(t, "xml_cookie_malformed.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "4355056874564592511",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest18Event,
+		},
+		{
+			name: "Test 19: Default context with no explicit context tag but HeaderData present",
+			body: loadTestData(t, "xml_http_protocol_header_data.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "4355056874564592520",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest19Event,
+		},
+		{
+			name: "Test 20: Cookie violations - malformed, modified, expired",
+			body: loadTestData(t, "xml_violation_cookie_data.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest20Event,
+		},
+		{
+			name: "Test 21: URL violations - metachar, length, JSON malformed",
+			body: loadTestData(t, "xml_violation_url_data.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest21Event,
+		},
+		{
+			name: "Test 22: Request violations - max length, length",
+			body: loadTestData(t, "xml_violation_request_data.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest22Event,
+		},
+		{
+			name: "Test 23: Malformed XML with unclosed tag",
+			body: loadTestData(t, "xml_malformed.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "5543056874564592513",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest23Event,
+		},
+		{
+			name: "Test 24: Parameter data with param_data structure",
+			body: loadTestData(t, "xml_parameter_data_as_param_data.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "4355056874564592516",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest24Event,
+		},
+		{
+			name: "Test 25: Header violations - metachar and repeated",
+			body: loadTestData(t, "xml_violation_header_data.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "4355056874564592511",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest25Event,
+		},
+		{
+			name: "Test 26: Unmatched XML structure",
+			body: loadTestData(t, "xml_struct_unmatched.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "5543056874564592514",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest26Event,
+		},
+		{
+			name: "Test 27: Syslog with less fields than expected",
+			body: loadTestData(t, "syslog_logline_less_fields.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "5543056874564592516",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest27Event,
+		},
+		{
+			name: "Test 28: Syslog with more fields than expected",
+			body: loadTestData(t, "syslog_logline_more_fields.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "5543056874564592517",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest28Event,
+		},
+		{
+			name: "Test 29: URI and request with escaped commas",
+			body: loadTestData(t, "uri_request_contain_escaped_comma.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "4355056874564592513",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest29Event,
+		},
+		{
+			name: "Test 30: Expanded NAP WAF log",
+			body: loadTestData(t, "expanded_nap_waf.log.txt"),
+			expectAttrs: map[string]string{
+				"app_protect.policy_name": "app_protect_default_policy",
+				"app_protect.support_id":  "4355056874564592513",
+			},
+			expectRecords: 1,
+			assertFunc:    assertTest30Event,
 		},
 	}
 
@@ -105,67 +394,607 @@ func TestSecurityViolationsProcessor(t *testing.T) {
 				assert.Equal(t, v, val.Str())
 			}
 
-			if tc.name == "Test 1: CSV NGINX App Protect syslog message" {
-				processedBody := lrOut.Body().Str()
-
-				var actualEvent SecurityViolationEvent
-				jsonErr := json.Unmarshal([]byte(processedBody), &actualEvent)
-				require.NoError(t, jsonErr, "Failed to unmarshal processed log body as SecurityViolationEvent")
-
-				assert.Equal(t, "nms_app_protect_default_policy", actualEvent.PolicyName)
-				assert.Equal(t, "5377540117854870581", actualEvent.SupportID)
-				assert.Equal(t, "REJECTED", actualEvent.Outcome)
-				assert.Equal(t, "SECURITY_WAF_VIOLATION", actualEvent.OutcomeReason)
-				assert.Equal(t, "GET", actualEvent.Method)
-				assert.Equal(t, "HTTP", actualEvent.Protocol)
-				assert.Equal(t, "N/A", actualEvent.XForwardedForHeaderValue)
-				assert.Equal(t, "/<><script>", actualEvent.URI)
-				assert.Equal(t, "false", actualEvent.IsTruncated)
-				assert.Equal(t, "blocked", actualEvent.RequestStatus)
-				assert.Equal(t, "0", actualEvent.ResponseCode)
-				assert.Equal(t, "172.16.0.213", actualEvent.ServerAddr)
-				assert.Equal(t, "1-localhost:1-/", actualEvent.VSName)
-				assert.Equal(t, "127.0.0.1", actualEvent.RemoteAddr)
-				assert.Equal(t, "80", actualEvent.RemotePort)
-				assert.Equal(t, "56064", actualEvent.ServerPort)
-				assert.Equal(t, "Illegal meta character in URL::Attack signature detected::Violation Rating Threat detected::Bot Client Detected", actualEvent.Violations)
-				assert.Equal(t, "N/A", actualEvent.SubViolations)
-				assert.Equal(t, "5", actualEvent.ViolationRating)
-				assert.Equal(t, "{High Accuracy Signatures;Cross Site Scripting Signatures}", actualEvent.SigSetNames)
-				assert.Equal(t, "{High Accuracy Signatures; Cross Site Scripting Signatures}", actualEvent.SigCVEs)
-				assert.Equal(t, "Untrusted Bot", actualEvent.ClientClass)
-				assert.Equal(t, "N/A", actualEvent.ClientApplication)
-				assert.Equal(t, "N/A", actualEvent.ClientApplicationVersion)
-				assert.Equal(t, "N/A", actualEvent.Severity)
-				assert.Equal(t, "N/A", actualEvent.ThreatCampaignNames)
-				assert.Equal(t, "N/A", actualEvent.BotAnomalies)
-				assert.Equal(t, "HTTP Library", actualEvent.BotCategory)
-				assert.Equal(t, "N/A", actualEvent.EnforcedBotAnomalies)
-				assert.Equal(t, "curl", actualEvent.BotSignatureName)
-				assert.Equal(t, "ip-172-16-0-213", actualEvent.SystemID)
-				assert.Empty(t, actualEvent.InstanceTags)
-				assert.Empty(t, actualEvent.InstanceGroup)
-				assert.Empty(t, actualEvent.DisplayName)
-				assert.Equal(t, "ip-172-16-0-213", actualEvent.ParentHostname)
-
-				require.Len(t, actualEvent.ViolationsData, 1)
-				assert.Equal(t, "VIOL_ATTACK_SIGNATURE", actualEvent.ViolationsData[0].Name)
-				assert.Equal(t, "/<><script>", actualEvent.ViolationsData[0].Context)
-				assert.Equal(t, "uri", actualEvent.ViolationsData[0].ContextData.Name)
-				assert.Equal(t, "/<><script>", actualEvent.ViolationsData[0].ContextData.Value)
-
-				assert.NotNil(t, actualEvent.ViolationsData[0].Signatures)
-				assert.Empty(t, actualEvent.ViolationsData[0].Signatures)
-				assert.IsType(t, []SignatureData{}, actualEvent.ViolationsData[0].Signatures)
-
-				actualJSON, _ := json.MarshalIndent(actualEvent, "", "  ")
-				t.Logf("Actual JSON output:\n%s", string(actualJSON))
+			if tc.assertFunc != nil {
+				tc.assertFunc(t, lrOut)
 			}
+
 			require.NoError(t, p.Shutdown(ctx))
 		})
 	}
 }
 
+func assertTest1Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	assert.Equal(t, "nms_app_protect_default_policy", actualEvent.GetPolicyName())
+	assert.Equal(t, "5377540117854870581", actualEvent.GetSupportId())
+	assert.Equal(t, "REJECTED", actualEvent.GetOutcome())
+	assert.Equal(t, "SECURITY_WAF_VIOLATION", actualEvent.GetOutcomeReason())
+	assert.Equal(t, "GET", actualEvent.GetMethod())
+	assert.Equal(t, "HTTP", actualEvent.GetProtocol())
+	assert.Equal(t, "N/A", actualEvent.GetXffHeaderValue())
+	assert.Equal(t, "/<><script>", actualEvent.GetUri())
+	assert.Equal(t, "false", actualEvent.GetIsTruncated())
+	assert.Equal(t, "blocked", actualEvent.GetRequestStatus())
+	assert.Equal(t, "0", actualEvent.GetResponseCode())
+	assert.Equal(t, "172.16.0.213", actualEvent.GetServerAddr())
+	assert.Equal(t, "1-localhost:1-/", actualEvent.GetVsName())
+	assert.Equal(t, "127.0.0.1", actualEvent.GetRemoteAddr())
+	assert.Equal(t, "80", actualEvent.GetDestinationPort())
+	assert.Equal(t, "56064", actualEvent.GetServerPort())
+	assert.Equal(t,
+		"Illegal meta character in URL::Attack signature detected::"+
+			"Violation Rating Threat detected::Bot Client Detected",
+		actualEvent.GetViolations())
+	assert.Equal(t, "N/A", actualEvent.GetSubViolations())
+	assert.Equal(t, "5", actualEvent.GetViolationRating())
+	assert.Equal(t, "{High Accuracy Signatures;Cross Site Scripting Signatures}",
+		actualEvent.GetSigSetNames())
+	assert.Equal(t, "{High Accuracy Signatures; Cross Site Scripting Signatures}",
+		actualEvent.GetSigCves())
+	assert.Equal(t, "Untrusted Bot", actualEvent.GetClientClass())
+	assert.Equal(t, "N/A", actualEvent.GetClientApplication())
+	assert.Equal(t, "N/A", actualEvent.GetClientApplicationVersion())
+	assert.Equal(t, "N/A", actualEvent.GetSeverity())
+	assert.Equal(t, "N/A", actualEvent.GetThreatCampaignNames())
+	assert.Equal(t, "N/A", actualEvent.GetBotAnomalies())
+	assert.Equal(t, "HTTP Library", actualEvent.GetBotCategory())
+	assert.Equal(t, "N/A", actualEvent.GetEnforcedBotAnomalies())
+	assert.Equal(t, "curl", actualEvent.GetBotSignatureName())
+	assert.Equal(t, "ip-172-16-0-213", actualEvent.GetSystemId())
+	assert.Empty(t, actualEvent.GetInstanceTags())
+	assert.Empty(t, actualEvent.GetInstanceGroup())
+	assert.Empty(t, actualEvent.GetDisplayName())
+	assert.Equal(t, "ip-172-16-0-213", actualEvent.GetParentHostname())
+
+	// Test 1 has 5 violations in the XML:
+	// VIOL_ATTACK_SIGNATURE, 2x VIOL_URL_METACHAR, VIOL_BOT_CLIENT, VIOL_RATING_THREAT
+	require.Len(t, actualEvent.GetViolationsData(), 5)
+
+	// First violation: VIOL_ATTACK_SIGNATURE with signatures
+	assert.Equal(t, "VIOL_ATTACK_SIGNATURE", actualEvent.GetViolationsData()[0].GetViolationDataName())
+	assert.Equal(t, "uri", actualEvent.GetViolationsData()[0].GetViolationDataContext())
+	assert.Equal(t, "uri",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataName())
+	assert.Equal(t, "/<><script>",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataValue())
+
+	// Verify signatures from XML
+	require.Len(t, actualEvent.GetViolationsData()[0].GetViolationDataSignatures(), 2)
+	assert.Equal(t, "200000099",
+		actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[0].GetSigDataId())
+	assert.Equal(t, "/<><script>",
+		actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[0].GetSigDataBuffer())
+	assert.Equal(t, "200000093", actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[1].GetSigDataId())
+
+	actualJSON, _ := json.MarshalIndent(&actualEvent, "", "  ")
+	t.Logf("Actual JSON output:\n%s", string(actualJSON))
+}
+
+func assertTest2Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	assert.Equal(t, "security_policy_01", actualEvent.GetPolicyName())
+	assert.Equal(t, "9876543210123456789", actualEvent.GetSupportId())
+	assert.Equal(t, "REJECTED", actualEvent.GetOutcome())
+	assert.Equal(t, "SECURITY_WAF_VIOLATION", actualEvent.GetOutcomeReason())
+	assert.Equal(t, "POST", actualEvent.GetMethod())
+	assert.Equal(t, "HTTPS", actualEvent.GetProtocol())
+	assert.Equal(t, "/api/users", actualEvent.GetUri())
+	assert.Equal(t, "10.0.1.50", actualEvent.GetRemoteAddr())
+	assert.Equal(t, "443", actualEvent.GetDestinationPort())
+	assert.Equal(t, "8080", actualEvent.GetServerPort())
+
+	require.Len(t, actualEvent.GetViolationsData(), 1)
+	assert.Equal(t, "VIOL_ATTACK_SIGNATURE", actualEvent.GetViolationsData()[0].GetViolationDataName())
+	assert.Equal(t, "parameter", actualEvent.GetViolationsData()[0].GetViolationDataContext())
+
+	// Context data should be extracted from XML parameter_data
+	assert.Equal(t, "id",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataName())
+	assert.Equal(t, "1' OR '1'='1",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataValue())
+
+	// Signatures array should be extracted from XML sig_data blocks
+	require.NotNil(t, actualEvent.GetViolationsData()[0].GetViolationDataSignatures())
+	require.Len(t, actualEvent.GetViolationsData()[0].GetViolationDataSignatures(), 2)
+
+	// Verify first signature
+	assert.Equal(t, "200001475", actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[0].GetSigDataId())
+	assert.Equal(t, "7",
+		actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[0].GetSigDataBlockingMask())
+	assert.Equal(t, "1' OR '1'='1",
+		actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[0].GetSigDataBuffer())
+	assert.Equal(t, "0", actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[0].GetSigDataOffset())
+	assert.Equal(t, "15", actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[0].GetSigDataLength())
+
+	// Verify second signature
+	assert.Equal(t, "200001476", actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[1].GetSigDataId())
+	assert.Equal(t, "7",
+		actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[1].GetSigDataBlockingMask())
+	assert.Equal(t, "1' OR '1'='1",
+		actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[1].GetSigDataBuffer())
+	assert.Equal(t, "5", actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[1].GetSigDataOffset())
+	assert.Equal(t, "10", actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[1].GetSigDataLength())
+
+	actualJSON, _ := json.MarshalIndent(&actualEvent, "", "  ")
+	t.Logf("Actual JSON output with signatures:\n%s", string(actualJSON))
+}
+
+func assertTest6Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// Verify we have 4 violations of type VIOL_ASM_COOKIE_MODIFIED
+	require.Len(t, actualEvent.GetViolationsData(), 4)
+
+	// Verify first violation has cookie name decoded from base64
+	assert.Equal(t, "VIOL_ASM_COOKIE_MODIFIED", actualEvent.GetViolationsData()[0].GetViolationDataName())
+	assert.Equal(t, "cookie", actualEvent.GetViolationsData()[0].GetViolationDataContext())
+	assert.Equal(t, "Asm Cookie Modified",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataName())
+	assert.Equal(t, "TS0144e914_1",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataValue())
+
+	// Verify second violation
+	assert.Equal(t, "TS0144e914_31",
+		actualEvent.GetViolationsData()[1].GetViolationDataContextData().GetContextDataValue())
+
+	actualJSON, _ := json.MarshalIndent(&actualEvent, "", "  ")
+	t.Logf("Test 6 JSON output:\n%s", string(actualJSON))
+}
+
+func assertTest7Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// Verify we have 2 violations of type VIOL_PARAMETER
+	require.Len(t, actualEvent.GetViolationsData(), 2)
+
+	// Verify first parameter violation with empty value_error field
+	assert.Equal(t, "VIOL_PARAMETER", actualEvent.GetViolationsData()[0].GetViolationDataName())
+	assert.Equal(t, "parameter", actualEvent.GetViolationsData()[0].GetViolationDataContext())
+	assert.Equal(t, "x", actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataName())
+	assert.Equal(t, "1", actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataValue())
+
+	// Verify second parameter violation
+	assert.Equal(t, "y", actualEvent.GetViolationsData()[1].GetViolationDataContextData().GetContextDataName())
+	assert.Equal(t, "%", actualEvent.GetViolationsData()[1].GetViolationDataContextData().GetContextDataValue())
+
+	actualJSON, _ := json.MarshalIndent(&actualEvent, "", "  ")
+	t.Logf("Test 7 JSON output:\n%s", string(actualJSON))
+}
+
+func assertTest8Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// Verify we have 1 violation of type VIOL_HEADER_METACHAR
+	require.Len(t, actualEvent.GetViolationsData(), 1)
+
+	// Verify header violation with base64 decoded text
+	assert.Equal(t, "VIOL_HEADER_METACHAR", actualEvent.GetViolationsData()[0].GetViolationDataName())
+	assert.Equal(t, "header", actualEvent.GetViolationsData()[0].GetViolationDataContext())
+	assert.Equal(t, "Header Metachar",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataName())
+	assert.Equal(t, "Referer: aa'bbb'",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataValue())
+
+	actualJSON, _ := json.MarshalIndent(&actualEvent, "", "  ")
+	t.Logf("Test 8 JSON output:\n%s", string(actualJSON))
+}
+
+func assertTest9Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// Verify we have 1 violation of type VIOL_COOKIE_LENGTH
+	require.Len(t, actualEvent.GetViolationsData(), 1)
+
+	// Verify cookie length violation
+	assert.Equal(t, "VIOL_COOKIE_LENGTH", actualEvent.GetViolationsData()[0].GetViolationDataName())
+	assert.Equal(t, "cookie", actualEvent.GetViolationsData()[0].GetViolationDataContext())
+	assert.Equal(t, "Cookie length: 28, exceeds Cookie length limit: 10",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataName())
+	assert.Equal(t, "Cookie: dfdfdfdfdf=dfdfdfdf;",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataValue())
+
+	actualJSON, _ := json.MarshalIndent(&actualEvent, "", "  ")
+	t.Logf("Test 9 JSON output:\n%s", string(actualJSON))
+}
+
+func assertTest10Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// Verify we have 1 violation of type VIOL_HEADER_LENGTH
+	require.Len(t, actualEvent.GetViolationsData(), 1)
+
+	// Verify header length violation
+	assert.Equal(t, "VIOL_HEADER_LENGTH", actualEvent.GetViolationsData()[0].GetViolationDataName())
+	assert.Equal(t, "header", actualEvent.GetViolationsData()[0].GetViolationDataContext())
+	assert.Equal(t, "Host: dflkdjfldkfldkfldkflkdflkdflkdlfkdlf",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataName())
+	assert.Equal(t, "Header length: 42, exceeds Header length limit: 10",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataValue())
+
+	actualJSON, _ := json.MarshalIndent(&actualEvent, "", "  ")
+	t.Logf("Test 10 JSON output:\n%s", string(actualJSON))
+}
+
+func assertTest11Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// Verify we have 1 violation of type VIOL_URL_CONTENT_TYPE
+	require.Len(t, actualEvent.GetViolationsData(), 1)
+
+	// Verify URL violation with HeaderData
+	assert.Equal(t, "VIOL_URL_CONTENT_TYPE", actualEvent.GetViolationsData()[0].GetViolationDataName())
+	assert.Equal(t, "uri", actualEvent.GetViolationsData()[0].GetViolationDataContext())
+	assert.Equal(t, "$", actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataName())
+	assert.Equal(t, "actual header value: beni. matched header value: beni",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataValue())
+
+	actualJSON, _ := json.MarshalIndent(&actualEvent, "", "  ")
+	t.Logf("Test 11 JSON output:\n%s", string(actualJSON))
+}
+
+func assertTest12Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	require.GreaterOrEqual(t, len(actualEvent.GetViolationsData()), 2)
+	// xml_violation_parameter_data.log.txt has: VIOL_PARAMETER_VALUE_METACHAR, VIOL_PARAMETER_NAME_METACHAR,
+	// VIOL_PARAMETER_VALUE_LENGTH, VIOL_PARAMETER_VALUE_BASE64
+	assert.Equal(t, "VIOL_PARAMETER_VALUE_METACHAR", actualEvent.GetViolationsData()[0].GetViolationDataName())
+	assert.Equal(t, "parameter", actualEvent.GetViolationsData()[0].GetViolationDataContext())
+	assert.Equal(t, "VIOL_PARAMETER_NAME_METACHAR", actualEvent.GetViolationsData()[1].GetViolationDataName())
+	assert.Equal(t, "parameter", actualEvent.GetViolationsData()[1].GetViolationDataContext())
+}
+
+func assertTest13Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	require.Len(t, actualEvent.GetViolationsData(), 2)
+	assert.Equal(t, "VIOL_REQUEST_MAX_LENGTH", actualEvent.GetViolationsData()[0].GetViolationDataName())
+	assert.Equal(t, "request", actualEvent.GetViolationsData()[0].GetViolationDataContext())
+	assert.Equal(t, "Defined length: 10000000",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataName())
+	assert.Equal(t, "Detected length: 11000125",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataValue())
+
+	assert.Equal(t, "VIOL_REQUEST_LENGTH", actualEvent.GetViolationsData()[1].GetViolationDataName())
+	assert.Equal(t, "Total length: 11000000",
+		actualEvent.GetViolationsData()[1].GetViolationDataContextData().GetContextDataName())
+	assert.Equal(t, "Total length limit: 10000000",
+		actualEvent.GetViolationsData()[1].GetViolationDataContextData().GetContextDataValue())
+}
+
+func assertTest14Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	require.GreaterOrEqual(t, len(actualEvent.GetViolationsData()), 2)
+	assert.Equal(t, "VIOL_URL_METACHAR", actualEvent.GetViolationsData()[0].GetViolationDataName())
+	assert.Equal(t, "uri", actualEvent.GetViolationsData()[0].GetViolationDataContext())
+	// URI field is not decoded in this case
+	uriValue := actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataValue()
+	assert.Contains(t, []string{"LztzaHV0ZG93bg==", "/;shutdown"}, uriValue)
+
+	assert.Equal(t, "VIOL_URL_LENGTH", actualEvent.GetViolationsData()[1].GetViolationDataName())
+	assert.Equal(t, "URI length: 30",
+		actualEvent.GetViolationsData()[1].GetViolationDataContextData().GetContextDataName())
+	assert.Equal(t, "URI length limit: 20",
+		actualEvent.GetViolationsData()[1].GetViolationDataContextData().GetContextDataValue())
+}
+
+func assertTest15Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// Expected violations from xml_parameter_data.log.txt
+	expectedViolations := []string{
+		"VIOL_ATTACK_SIGNATURE",
+		"VIOL_PARAMETER_REPEATED",
+		"VIOL_PARAMETER_MULTIPART_NULL_VALUE",
+		"VIOL_PARAMETER_EMPTY_VALUE",
+		"VIOL_PARAMETER_VALUE_REGEXP",
+		"VIOL_PARAMETER_NUMERIC_VALUE",
+		"VIOL_PARAMETER_DATA_TYPE",
+		"VIOL_PARAMETER_VALUE_LENGTH",
+		"VIOL_PARAMETER_DYNAMIC_VALUE",
+		"VIOL_PARAMETER_STATIC_VALUE",
+		"VIOL_PARAMETER_ARRAY_VALUE",
+		"VIOL_PARAMETER_LOCATION",
+	}
+
+	require.Len(t, actualEvent.GetViolationsData(), len(expectedViolations),
+		"Should have all violations from test data")
+
+	// Verify we have exactly the expected number of violations
+	assert.Len(t, actualEvent.GetViolationsData(), len(expectedViolations), "Should have all expected violations")
+
+	// Check all violations are present
+	actualViolationNames := make([]string, len(actualEvent.GetViolationsData()))
+	for i, v := range actualEvent.GetViolationsData() {
+		actualViolationNames[i] = v.GetViolationDataName()
+	}
+	assert.ElementsMatch(t, expectedViolations, actualViolationNames, "All expected violations should be present")
+
+	// Verify first violation details
+	assert.Equal(t, "VIOL_ATTACK_SIGNATURE", actualEvent.GetViolationsData()[0].GetViolationDataName())
+	assert.Equal(t, "parameter", actualEvent.GetViolationsData()[0].GetViolationDataContext())
+	assert.Equal(t, "Attack Signature",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataName())
+	assert.Equal(t, "f5paramautotest>",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataValue())
+
+	require.GreaterOrEqual(t, len(actualEvent.GetViolationsData()[0].GetViolationDataSignatures()), 1,
+		"Should have at least one signature")
+	assert.Equal(t, "300000110", actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[0].GetSigDataId())
+	assert.Equal(t, "7", actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[0].GetSigDataBlockingMask())
+}
+
+func assertTest16Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// Verify we have exactly 1 violation
+	require.Len(t, actualEvent.GetViolationsData(), 1, "Should have exactly 1 violation")
+
+	// Verify all expected violations are present
+	expectedViolations := []string{"VIOL_ATTACK_SIGNATURE"}
+	actualViolationNames := []string{actualEvent.GetViolationsData()[0].GetViolationDataName()}
+	assert.ElementsMatch(t, expectedViolations, actualViolationNames, "All expected violations should be present")
+
+	assert.Equal(t, "VIOL_ATTACK_SIGNATURE", actualEvent.GetViolationsData()[0].GetViolationDataName())
+	assert.Equal(t, "header", actualEvent.GetViolationsData()[0].GetViolationDataContext())
+	assert.Equal(t, "Foo", actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataName())
+	assert.Equal(t, "echo<!-- #echo",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataValue())
+}
+
+func assertTest17Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	require.Len(t, actualEvent.GetViolationsData(), 1)
+	assert.Equal(t, "VIOL_ATTACK_SIGNATURE", actualEvent.GetViolationsData()[0].GetViolationDataName())
+
+	// xml_signature_data.log.txt has 4 signatures
+	require.GreaterOrEqual(t, len(actualEvent.GetViolationsData()[0].GetViolationDataSignatures()), 2)
+	assert.Equal(t, "200021094", actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[0].GetSigDataId())
+	assert.Equal(t, "4", actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[0].GetSigDataBlockingMask())
+	assert.Equal(t, "200011034", actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[1].GetSigDataId())
+	assert.Equal(t, "2", actualEvent.GetViolationsData()[0].GetViolationDataSignatures()[1].GetSigDataBlockingMask())
+}
+
+func assertTest18Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	require.Len(t, actualEvent.GetViolationsData(), 1)
+	assert.Equal(t, "VIOL_COOKIE_MALFORMED", actualEvent.GetViolationsData()[0].GetViolationDataName())
+	assert.Equal(t, "cookie", actualEvent.GetViolationsData()[0].GetViolationDataContext())
+	// Cookie malformed uses buffer and specific_desc which are decoded
+	assert.NotEmpty(t, actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataName())
+	assert.NotEmpty(t, actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataValue())
+}
+
+func assertTest19Event(t *testing.T, record plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, record)
+
+	require.Len(t, actualEvent.GetViolationsData(), 1)
+	assert.Equal(t, "VIOL_HTTP_PROTOCOL", actualEvent.GetViolationsData()[0].GetViolationDataName())
+	// Context should be empty (default case)
+	assert.Empty(t, actualEvent.GetViolationsData()[0].GetViolationDataContext())
+	// Context data should be extracted from HeaderData fields
+	assert.Equal(t, "Content-Type",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataName())
+	assert.Equal(t, "actual header value: application/json. matched header value: text/html",
+		actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataValue())
+}
+
+func assertTest20Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// Expected violations from xml_violation_cookie_data.log.txt
+	expectedViolations := []string{
+		"VIOL_COOKIE_MALFORMED",
+		"VIOL_COOKIE_MODIFIED",
+		"VIOL_COOKIE_EXPIRED",
+	}
+
+	// Verify we have exactly the expected number of violations
+	assert.Len(t, actualEvent.GetViolationsData(), len(expectedViolations),
+		"Should have all expected cookie violations")
+
+	// Check all violations are present
+	actualViolationNames := make([]string, len(actualEvent.GetViolationsData()))
+	for i, v := range actualEvent.GetViolationsData() {
+		actualViolationNames[i] = v.GetViolationDataName()
+		assert.Equal(t, "cookie", v.GetViolationDataContext(),
+			"All violations should have cookie context")
+	}
+	assert.ElementsMatch(t, expectedViolations, actualViolationNames,
+		"All expected cookie violations should be present")
+}
+
+func assertTest21Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// Expected violations from xml_violation_url_data.log.txt
+	expectedViolations := []string{
+		"VIOL_URL_METACHAR",
+		"VIOL_URL_LENGTH",
+		"VIOL_JSON_MALFORMED",
+		"VIOL_URL",
+	}
+
+	// Verify we have exactly the expected number of violations
+	assert.Len(t, actualEvent.GetViolationsData(), len(expectedViolations), "Should have all expected URL violations")
+
+	// Check all violations are present
+	actualViolationNames := make([]string, len(actualEvent.GetViolationsData()))
+	for i, v := range actualEvent.GetViolationsData() {
+		actualViolationNames[i] = v.GetViolationDataName()
+	}
+	assert.ElementsMatch(t, expectedViolations, actualViolationNames, "All expected URL violations should be present")
+}
+
+func assertTest22Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// Expected violations from xml_violation_request_data.log.txt
+	expectedViolations := []string{
+		"VIOL_REQUEST_MAX_LENGTH",
+		"VIOL_REQUEST_LENGTH",
+	}
+
+	// Verify we have exactly the expected number of violations
+	assert.Len(t, actualEvent.GetViolationsData(), len(expectedViolations),
+		"Should have all expected request violations")
+
+	// Check all violations are present
+	actualViolationNames := make([]string, len(actualEvent.GetViolationsData()))
+	for i, v := range actualEvent.GetViolationsData() {
+		actualViolationNames[i] = v.GetViolationDataName()
+		assert.Equal(t, "request", v.GetViolationDataContext(),
+			"All violations should have request context")
+	}
+	assert.ElementsMatch(t, expectedViolations, actualViolationNames,
+		"All expected request violations should be present")
+}
+
+func assertTest23Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// xml_malformed.log.txt has malformed XML with unclosed sig_id tag
+	// Processor handles malformed XML gracefully by logging warning and returning empty violations_data
+	assert.Empty(t, actualEvent.GetViolationsData(), "Malformed XML should result in empty violations_data")
+	// But other fields should still be populated from CSV
+	assert.Equal(t, "app_protect_default_policy", actualEvent.GetPolicyName())
+	assert.Equal(t, "5543056874564592513", actualEvent.GetSupportId())
+	assert.Equal(t, "blocked", actualEvent.GetRequestStatus())
+}
+
+func assertTest24Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// xml_parameter_data_as_param_data.log.txt uses param_data with param_name/param_value tags
+	// Parser successfully parses the violation but doesn't extract context_data
+	// because ParamData struct expects name/value tags, not param_name/param_value
+	require.Len(t, actualEvent.GetViolationsData(), 1)
+	assert.Equal(t, "VIOL_JSON_MALFORMED", actualEvent.GetViolationsData()[0].GetViolationDataName())
+	assert.Equal(t, "parameter", actualEvent.GetViolationsData()[0].GetViolationDataContext())
+	// Context data is empty because param_name/param_value tags aren't mapped in ParamData struct
+	assert.NotNil(t, actualEvent.GetViolationsData()[0].GetViolationDataContextData())
+	assert.Empty(t, actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataName())
+	assert.Empty(t, actualEvent.GetViolationsData()[0].GetViolationDataContextData().GetContextDataValue())
+
+	// Basic fields should still be populated from CSV
+	assert.Equal(t, "app_protect_default_policy", actualEvent.GetPolicyName())
+	assert.Equal(t, "4355056874564592516", actualEvent.GetSupportId())
+}
+
+func assertTest25Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// xml_violation_header_data.log.txt has header violations
+	expectedViolations := []string{
+		"VIOL_HEADER_METACHAR",
+		"VIOL_HEADER_REPEATED",
+	}
+
+	assert.Len(t, actualEvent.GetViolationsData(), len(expectedViolations),
+		"Should have all expected header violations")
+
+	actualViolationNames := make([]string, len(actualEvent.GetViolationsData()))
+	for i, v := range actualEvent.GetViolationsData() {
+		actualViolationNames[i] = v.GetViolationDataName()
+		assert.Equal(t, "header", v.GetViolationDataContext(),
+			"All violations should have header context")
+	}
+	assert.ElementsMatch(t, expectedViolations, actualViolationNames,
+		"All expected header violations should be present")
+}
+
+func assertTest26Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// xml_struct_unmatched.log.txt has <UNMATCHED_STRUCT> instead of <BAD_MSG>
+	// Should still process the CSV fields but violations_data should be empty
+	assert.Equal(t, "app_protect_default_policy", actualEvent.GetPolicyName())
+	assert.Equal(t, "5543056874564592514", actualEvent.GetSupportId())
+	// Violations data may be empty or minimal since XML structure is unmatched
+}
+
+func assertTest27Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// syslog_logline_less_fields.log.txt has fewer fields (missing last field)
+	assert.Equal(t, "app_protect_default_policy", actualEvent.GetPolicyName())
+	assert.Equal(t, "5543056874564592516", actualEvent.GetSupportId())
+	// Should still parse violations successfully
+	require.GreaterOrEqual(t, len(actualEvent.GetViolationsData()), 1, "Should have at least one violation")
+}
+
+func assertTest28Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// syslog_logline_more_fields.log.txt has extra field at the end
+	assert.Equal(t, "app_protect_default_policy", actualEvent.GetPolicyName())
+	assert.Equal(t, "5543056874564592517", actualEvent.GetSupportId())
+	// Should still parse violations successfully, ignoring extra field
+	require.GreaterOrEqual(t, len(actualEvent.GetViolationsData()), 1, "Should have at least one violation")
+}
+
+func assertTest29Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// uri_request_contain_escaped_comma.log.txt has %2C (escaped comma) in URI and request
+	assert.Equal(t, "app_protect_default_policy", actualEvent.GetPolicyName())
+	assert.Equal(t, "4355056874564592513", actualEvent.GetSupportId())
+	assert.Contains(t, actualEvent.GetUri(), "comma", "URI should contain 'comma'")
+	assert.Contains(t, actualEvent.GetRequest(), "%2C", "Request should contain escaped comma")
+	require.GreaterOrEqual(t, len(actualEvent.GetViolationsData()), 1, "Should have at least one violation")
+}
+
+func assertTest30Event(t *testing.T, lrOut plog.LogRecord) {
+	t.Helper()
+	actualEvent := unmarshalEvent(t, lrOut)
+
+	// expanded_nap_waf.log.txt is standard format, similar to other tests
+	expectedViolations := []string{
+		"VIOL_ATTACK_SIGNATURE",
+		"VIOL_HTTP_PROTOCOL",
+		"VIOL_PARAMETER_VALUE_METACHAR",
+	}
+
+	assert.Len(t, actualEvent.GetViolationsData(), len(expectedViolations), "Should have all expected violations")
+
+	actualViolationNames := make([]string, len(actualEvent.GetViolationsData()))
+	for i, v := range actualEvent.GetViolationsData() {
+		actualViolationNames[i] = v.GetViolationDataName()
+	}
+	assert.ElementsMatch(t, expectedViolations, actualViolationNames, "All expected violations should be present")
+}
+
 func TestSecurityViolationsProcessor_ExtractIPFromHostname(t *testing.T) {
 	assert.Equal(t, "127.0.0.1", extractIPFromHostname("127.0.0.1"))
 	assert.Equal(t, "172.16.0.213", extractIPFromHostname("ip-172-16-0-213"))
@@ -183,9 +1012,9 @@ func TestBuildSignatures(t *testing.T) {
 	names := []string{"buf1", "buf2"}
 	sigs := buildSignatures(ids, names, "mask", "off", "len")
 	assert.Len(t, sigs, 2)
-	assert.Equal(t, "1", sigs[0].ID)
-	assert.Equal(t, "buf1", sigs[0].Buffer)
-	assert.Equal(t, "mask", sigs[0].BlockingMask)
+	assert.Equal(t, "1", sigs[0].GetSigDataId())
+	assert.Equal(t, "buf1", sigs[0].GetSigDataBuffer())
+	assert.Equal(t, "mask", sigs[0].GetSigDataBlockingMask())
 }
 
 func TestSetSyslogAttributesNilFields(t *testing.T) {
diff --git a/internal/collector/securityviolationsprocessor/testdata/csv_sql_injection_parameter_signatures.log.txt b/internal/collector/securityviolationsprocessor/testdata/csv_sql_injection_parameter_signatures.log.txt
new file mode 100644
index 0000000000..33197fea72
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/csv_sql_injection_parameter_signatures.log.txt
@@ -0,0 +1 @@
+N/A,443,10.0.1.50,false,POST,security_policy_01,HTTPS,blocked,403,N/A,N/A::N/A,{SQL Injection Signatures}::{SQL Injection CVE-2021-1234},8080,N/A,9876543210123456789,N/A,4,2-api.example.com:2-/api/users,N/A,REJECTED,SECURITY_WAF_VIOLATION,Attack signature detected,<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>414000000200c00-3a03030c30000072-8000000000000000-0</block><alarm>475f0ffcbbd0fea-befbf35cb000007e-f400000000000000-0</alarm><learn>0-0-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name><context>parameter</context><context_data><param_data><name>id</name><value>MScgT1IgJzEnPScx</value></param_data></context_data><sig_data><sig_id>200001475</sig_id><blocking_mask>7</blocking_mask><kw_data><buffer>MScgT1IgJzEnPScx</buffer><offset>0</offset><length>15</length></kw_data></sig_data><sig_data><sig_id>200001476</sig_id><blocking_mask>7</blocking_mask><kw_data><buffer>MScgT1IgJzEnPScx</buffer><offset>5</offset><length>10</length></kw_data></sig_data></violation></request-violations></BAD_MSG>,PostmanRuntime,HTTP Library,7.29.0,N/A,Trusted Bot,N/A,N/A,HTTP/2.0,/api/users,POST /api/users HTTP/2.0\\r\\nHost: api.example.com\\r\\nContent-Type: application/json\\r\\n\\r\\n{"id":"1' OR '1'='1"}
diff --git a/internal/collector/securityviolationsprocessor/testdata/csv_url_violations_bot_client.log.txt b/internal/collector/securityviolationsprocessor/testdata/csv_url_violations_bot_client.log.txt
new file mode 100644
index 0000000000..ef35ff38cc
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/csv_url_violations_bot_client.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,false,GET,nms_app_protect_default_policy,HTTP,blocked,0,N/A,N/A::N/A,{High Accuracy Signatures;Cross Site Scripting Signatures}::{High Accuracy Signatures; Cross Site Scripting Signatures},56064,N/A,5377540117854870581,N/A,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,Illegal meta character in URL::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>414000000200c00-3a03030c30000072-8000000000000000-0</block><alarm>475f0ffcbbd0fea-befbf35cb000007e-f400000000000000-0</alarm><learn>0-0-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name><context>url</context><sig_data><sig_id>200000099</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>Lzw+PHNjcmlwdD4=</buffer><offset>3</offset><length>7</length></kw_data></sig_data><sig_data><sig_id>200000093</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>Lzw+PHNjcmlwdD4=</buffer><offset>4</offset><length>7</length></kw_data></sig_data></violation><violation><viol_index>26</viol_index><viol_name>VIOL_URL_METACHAR</viol_name><uri>Lzw+PHNjcmlwdD4=</uri><metachar_index>60</metachar_index><wildcard_entity>*</wildcard_entity><staging>0</staging></violation><violation><viol_index>26</viol_index><viol_name>VIOL_URL_METACHAR</viol_name><uri>Lzw+PHNjcmlwdD4=</uri><metachar_index>62</metachar_index><wildcard_entity>*</wildcard_entity><staging>0</staging></violation><violation><viol_index>122</viol_index><viol_name>VIOL_BOT_CLIENT</viol_name></violation><violation><viol_index>93</viol_index><viol_name>VIOL_RATING_THREAT</viol_name></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/<><script>,GET /<><script> HTTP/1.1\\r\\nHost: localhost\\r\\nUser-Agent: curl/7.81.0\\r\\nAccept: */*\\r\\n\\r\\n
diff --git a/internal/collector/securityviolationsprocessor/testdata/expanded_nap_waf.log.txt b/internal/collector/securityviolationsprocessor/testdata/expanded_nap_waf.log.txt
new file mode 100644
index 0000000000..10c6b85f96
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/expanded_nap_waf.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,4355056874564592513,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>410000000200c00-3a03030c30000072-8000000000000000-0</block><alarm>477f0ffcbbd0fea-befbf35cb000007e-8000000000000000-0</alarm><learn>0-20-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name><context>parameter</context><parameter_data><value_error/><enforcement_level>global</enforcement_level><name>YQ==</name><auto_detected_type>alpha-numeric</auto_detected_type><value>PHNjcmlwdD4=</value><location>query</location><param_name_pattern>*</param_name_pattern><staging>0</staging></parameter_data><staging>0</staging><sig_data><sig_id>200001475</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>YT08c2NyaXB0Pg==</buffer><offset>3</offset><length>7</length></kw_data></sig_data><sig_data><sig_id>200000098</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>YT08c2NyaXB0Pg==</buffer><offset>2</offset><length>7</length></kw_data></sig_data></violation><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sanity_checks_status>2048</http_sanity_checks_status><http_sub_violation_status>2048</http_sub_violation_status><http_sub_violation>SG9zdCBoZWFkZXIgd2l0aCBJUCB2YWx1ZTogMTAuMTQ2LjE3OS4xMTk=</http_sub_violation></violation><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>global</enforcement_level><name>YQ==</name><auto_detected_type>alpha-numeric</auto_detected_type><value>PHNjcmlwdD4=</value><location>query</location></parameter_data><wildcard_entity>*</wildcard_entity><staging>0</staging><language_type>4</language_type><metachar_index>60</metachar_index><metachar_index>62</metachar_index></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/invalid_syslog_plain_text.log.txt b/internal/collector/securityviolationsprocessor/testdata/invalid_syslog_plain_text.log.txt
new file mode 100644
index 0000000000..4287fa0f86
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/invalid_syslog_plain_text.log.txt
@@ -0,0 +1 @@
+not a syslog line
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/syslog_logline_less_fields.log.txt b/internal/collector/securityviolationsprocessor/testdata/syslog_logline_less_fields.log.txt
new file mode 100644
index 0000000000..eacdfcf18d
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/syslog_logline_less_fields.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,5543056874564592516,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>410000000200c00-3a03030c30000072-8000000000000000-0</block><alarm>477f0ffcbbd0fea-befbf35cb000007e-8000000000000000-0</alarm><learn>0-20-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name><context>parameter</context><parameter_data><value_error/><enforcement_level>global</enforcement_level><name>YQ==</name><auto_detected_type>alpha-numeric</auto_detected_type><value>PHNjcmlwdD4=</value><location>query</location><param_name_pattern>*</param_name_pattern><staging>0</staging></parameter_data><staging>0</staging><sig_data><sig_id>200001475</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>YT08c2NyaXB0Pg==</buffer><offset>3</offset><length>7</length></kw_data></sig_data><sig_data><sig_id>200000098</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>YT08c2NyaXB0Pg==</buffer><offset>2</offset><length>7</length></kw_data></sig_data></violation><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sanity_checks_status>2048</http_sanity_checks_status><http_sub_violation_status>2048</http_sub_violation_status><http_sub_violation>SG9zdCBoZWFkZXIgd2l0aCBJUCB2YWx1ZTogMTAuMTQ2LjE3OS4xMTk=</http_sub_violation></violation><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>global</enforcement_level><name>YQ==</name><auto_detected_type>alpha-numeric</auto_detected_type><value>PHNjcmlwdD4=</value><location>query</location></parameter_data><wildcard_entity>*</wildcard_entity><staging>0</staging><language_type>4</language_type><metachar_index>60</metachar_index><metachar_index>62</metachar_index></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/syslog_logline_more_fields.log.txt b/internal/collector/securityviolationsprocessor/testdata/syslog_logline_more_fields.log.txt
new file mode 100644
index 0000000000..3caf1373fe
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/syslog_logline_more_fields.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,5543056874564592517,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>410000000200c00-3a03030c30000072-8000000000000000-0</block><alarm>477f0ffcbbd0fea-befbf35cb000007e-8000000000000000-0</alarm><learn>0-20-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name><context>parameter</context><parameter_data><value_error/><enforcement_level>global</enforcement_level><name>YQ==</name><auto_detected_type>alpha-numeric</auto_detected_type><value>PHNjcmlwdD4=</value><location>query</location><param_name_pattern>*</param_name_pattern><staging>0</staging></parameter_data><staging>0</staging><sig_data><sig_id>200001475</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>YT08c2NyaXB0Pg==</buffer><offset>3</offset><length>7</length></kw_data></sig_data><sig_data><sig_id>200000098</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>YT08c2NyaXB0Pg==</buffer><offset>2</offset><length>7</length></kw_data></sig_data></violation><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sanity_checks_status>2048</http_sanity_checks_status><http_sub_violation_status>2048</http_sub_violation_status><http_sub_violation>SG9zdCBoZWFkZXIgd2l0aCBJUCB2YWx1ZTogMTAuMTQ2LjE3OS4xMTk=</http_sub_violation></violation><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>global</enforcement_level><name>YQ==</name><auto_detected_type>alpha-numeric</auto_detected_type><value>PHNjcmlwdD4=</value><location>query</location></parameter_data><wildcard_entity>*</wildcard_entity><staging>0</staging><language_type>4</language_type><metachar_index>60</metachar_index><metachar_index>62</metachar_index></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n,extra_field
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/syslog_non_app_protect.log.txt b/internal/collector/securityviolationsprocessor/testdata/syslog_non_app_protect.log.txt
new file mode 100644
index 0000000000..78dc60fdb9
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/syslog_non_app_protect.log.txt
@@ -0,0 +1 @@
+<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/uri_request_contain_escaped_comma.log.txt b/internal/collector/securityviolationsprocessor/testdata/uri_request_contain_escaped_comma.log.txt
new file mode 100644
index 0000000000..44e255900c
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/uri_request_contain_escaped_comma.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,4355056874564592513,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>410000000200c00-3a03030c30000072-8000000000000000-0</block><alarm>477f0ffcbbd0fea-befbf35cb000007e-8000000000000000-0</alarm><learn>0-20-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name><context>parameter</context><parameter_data><value_error/><enforcement_level>global</enforcement_level><name>YQ==</name><auto_detected_type>alpha-numeric</auto_detected_type><value>PHNjcmlwdD4=</value><location>query</location><param_name_pattern>*</param_name_pattern><staging>0</staging></parameter_data><staging>0</staging><sig_data><sig_id>200001475</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>YT08c2NyaXB0Pg==</buffer><offset>3</offset><length>7</length></kw_data></sig_data><sig_data><sig_id>200000098</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>YT08c2NyaXB0Pg==</buffer><offset>2</offset><length>7</length></kw_data></sig_data></violation><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sanity_checks_status>2048</http_sanity_checks_status><http_sub_violation_status>2048</http_sub_violation_status><http_sub_violation>SG9zdCBoZWFkZXIgd2l0aCBJUCB2YWx1ZTogMTAuMTQ2LjE3OS4xMTk=</http_sub_violation></violation><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>global</enforcement_level><name>YQ==</name><auto_detected_type>alpha-numeric</auto_detected_type><value>PHNjcmlwdD4=</value><location>query</location></parameter_data><wildcard_entity>*</wildcard_entity><staging>0</staging><language_type>4</language_type><metachar_index>60</metachar_index><metachar_index>62</metachar_index></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/with%2Ccomma,GET /with%2Ccomma HTTP/1.1\r\nHost: 10.146.183.68\r\nConnection: keep-alive\r\nCache-Control: max-age=0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML%2C like Gecko) Chrome/104.0.0.0 Safari/537.36\r\nAccept: text/html%2Capplication/xhtml+xml%2Capplication/xml;q=0.9%2Cimage/avif%2Cimage/webp%2Cimage/apng%2C*/*;q=0.8%2Capplication/signed-exchange;v=b3;q=0.9\r\nAccept-Encoding: gzip%2C deflate\r\nAccept-Language: en-US%2Cen;q=0.9\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_cookie_length.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_cookie_length.log.txt
new file mode 100644
index 0000000000..cab1c48d22
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_cookie_length.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,3255056874564592514,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' ?> <BAD_MSG> <violation_masks> <block>410000000200c00-3a03030c30000072-8000000000000000-0</block> <alarm>477f0ffcbbd0fea-befbf35cb000007e-8000000000000000-0</alarm> <learn>0-2-0-0</learn> <staging>0-0-0-0</staging> </violation_masks> <request-violations><violation><viol_index>18</viol_index><viol_name>VIOL_COOKIE_LENGTH</viol_name><cookie_len>28</cookie_len><cookie_len_limit>10</cookie_len_limit><cookie>Q29va2llOiBkZmRmZGZkZmRmPWRmZGZkZmRmOw==</cookie></violation></request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_cookie_malformed.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_cookie_malformed.log.txt
new file mode 100644
index 0000000000..6c85ddaeba
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_cookie_malformed.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,4355056874564592511,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>0-0-0-0</block><alarm>475f0ffcb9d0f6a-befbf358b000007e-8000000000000000-0</alarm><learn>0-0-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>53</viol_index><viol_name>VIOL_COOKIE_MALFORMED</viol_name><buffer>b3N0DQpDb29raWU6IFRTMCIxYzYwZTdiPTAxMzA1OWQ=</buffer><offset>16</offset><specific_desc>Invalid quotation mark sign</specific_desc></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_header_data.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_header_data.log.txt
new file mode 100644
index 0000000000..958c0acb7e
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_header_data.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,4355056874564592514,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' ?> <BAD_MSG> <violation_masks> <block>410000000200c00-3a03030c30000072-8000000000000000-0</block> <alarm>477f0ffcbbd0fea-befbf35cb000007e-8000000000000000-0</alarm> <learn>0-2-0-0</learn> <staging>0-0-0-0</staging> </violation_masks> <request-violations> <violation> <viol_index>42</viol_index> <viol_name>VIOL_ATTACK_SIGNATURE</viol_name> <context>header</context> <header> <header_name>Rm9v</header_name> <header_value>ZWNobzwhLS0gI2VjaG8=</header_value> <header_pattern>*</header_pattern> <staging>0</staging> </header> <staging>0</staging> </violation> </request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_header_length.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_header_length.log.txt
new file mode 100644
index 0000000000..a879a33df0
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_header_length.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,3255056874564592515,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' ?> <BAD_MSG> <violation_masks> <block>410000000200c00-3a03030c30000072-8000000000000000-0</block> <alarm>477f0ffcbbd0fea-befbf35cb000007e-8000000000000000-0</alarm> <learn>0-2-0-0</learn> <staging>0-0-0-0</staging> </violation_masks> <request-violations><violation><viol_index>29</viol_index><viol_name>VIOL_HEADER_LENGTH</viol_name><header_len>42</header_len><header_len_limit>10</header_len_limit><header_name>SG9zdDogZGZsa2RqZmxka2ZsZGtmbGRrZmxrZGZsa2RmbGtkbGZrZGxm</header_name></violation></request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_header_text.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_header_text.log.txt
new file mode 100644
index 0000000000..82039aaf9e
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_header_text.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,3255056874564592516,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' ?> <BAD_MSG> <violation_masks> <block>410000000200c00-3a03030c30000072-8000000000000000-0</block> <alarm>477f0ffcbbd0fea-befbf35cb000007e-8000000000000000-0</alarm> <learn>0-2-0-0</learn> <staging>0-0-0-0</staging> </violation_masks> <request-violations><violation><viol_index>58</viol_index><viol_name>VIOL_HEADER_METACHAR</viol_name><header>UmVmZXJlcjogYWEnYmJiJw==</header><metachar_index>39</metachar_index><is_base64_decoded>false</is_base64_decoded></violation></request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_http_protocol_header_data.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_http_protocol_header_data.log.txt
new file mode 100644
index 0000000000..0f55d05a1f
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_http_protocol_header_data.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,4355056874564592520,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' ?> <BAD_MSG> <violation_masks> <block>410000000200c00-3a03030c30000072-8000000000000000-0</block> <alarm>477f0ffcbbd0fea-befbf35cb000007e-8000000000000000-0</alarm> <learn>0-2-0-0</learn> <staging>0-0-0-0</staging> </violation_masks> <request-violations><violation><viol_index>60</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><header_data><header_name>Q29udGVudC1UeXBl</header_name><header_actual_value>YXBwbGljYXRpb24vanNvbg==</header_actual_value><header_matched_value>dGV4dC9odG1s</header_matched_value></header_data></violation></request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET / HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-Type: application/json\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_malformed.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_malformed.log.txt
new file mode 100644
index 0000000000..c3b54dbee0
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_malformed.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,5543056874564592513,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>410000000200c00-3a03030c30000072-8000000000000000-0</block><alarm>477f0ffcbbd0fea-befbf35cb000007e-8000000000000000-0</alarm><learn>0-20-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name><context>parameter</context><parameter_data><value_error/><enforcement_level>global</enforcement_level><name>YQ==</name><auto_detected_type>alpha-numeric</auto_detected_type><value>PHNjcmlwdD4=</value><location>query</location><param_name_pattern>*</param_name_pattern><staging>0</staging></parameter_data><staging>0</staging><sig_data><sig_id>200001475</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>YT08c2NyaXB0Pg==</buffer><offset>3</offset><length>7</length></kw_data></sig_data><sig_data><sig_id>200000098</sig_ifset>2</offset><length>7</length></kw_data></sig_data></violation><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sanity_checks_status>2048</http_sanity_checks_status><http_sub_violation_status>2048</http_sub_violation_status><http_sub_violation>SG9zdCBoZWFkZXIgd2l0aCBJUCB2YWx1ZTogMTAuMTQ2LjE3OS4xMTk=</http_sub_violation></violation><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>global</enforcement_level><name>YQ==</name><auto_detected_type>alpha-numeric</auto_detected_type><value>PHNjcmlwdD4=</value><location>query</location></parameter_data><wildcard_entity>*</wildcard_entity><staging>0</staging><language_type>4</language_type><metachar_index>60</metachar_index><metachar_index>62</metachar_index></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_parameter_data.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_parameter_data.log.txt
new file mode 100644
index 0000000000..c61aa38aa7
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_parameter_data.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,4355056874564592515,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' ?> <BAD_MSG> <request-violations> <violation> <viol_index>42</viol_index> <viol_name>VIOL_ATTACK_SIGNATURE</viol_name> <context>parameter</context> <parameter_data> <value_error/> <enforcement_level>global</enforcement_level> <name/> <value>ZjVwYXJhbWF1dG90ZXN0Pg==</value> <param_name_pattern>*</param_name_pattern> <staging>0</staging> </parameter_data> <staging>0</staging> <sig_data> <sig_id>300000110</sig_id> <blocking_mask>7</blocking_mask> <kw_data> <buffer>PWY1cGFyYW1hdXRvdGVzdD4=</buffer> <offset>1</offset> <length>15</length> </kw_data> </sig_data> </violation><violation><viol_index>27</viol_index><viol_name>VIOL_PARAMETER_REPEATED</viol_name><parameter_data><value_error /><enforcement_level>global</enforcement_level><name>YQ==</name><value>Mg==</value></parameter_data><wildcard_entity>*</wildcard_entity><staging>0</staging></violation><violation><viol_index>30</viol_index><viol_name>VIOL_PARAMETER_MULTIPART_NULL_VALUE</viol_name><parameter_data><value_error /><enforcement_level>global</enforcement_level><name>cGFyYW1ldGVy</name><value>AA==</value></parameter_data><wildcard_entity>*</wildcard_entity></violation><violation><viol_index>32</viol_index><viol_name>VIOL_PARAMETER_EMPTY_VALUE</viol_name><parameter_data><value_error /><enforcement_level>global</enforcement_level><name>YQ==</name><value></value></parameter_data><wildcard_entity>*</wildcard_entity><staging>1</staging></violation><violation><viol_index>40</viol_index><viol_name>VIOL_PARAMETER_VALUE_REGEXP</viol_name><parameter_data><value_error /><enforcement_level>global</enforcement_level><name>cg==</name><value>Mg==</value></parameter_data><staging>0</staging><reg_exp>L153Lw==</reg_exp></violation><violation><viol_index>43</viol_index><viol_name>VIOL_PARAMETER_NUMERIC_VALUE</viol_name><parameter_data><value_error /><enforcement_level>global</enforcement_level><name>YQ==</name><value>Mg==</value></parameter_data><wildcard_entity>*</wildcard_entity><staging>0</staging><expected_min_range>4.000000</expected_min_range><expected_exclusive_minimum>NO</expected_exclusive_minimum></violation><violation><viol_index>44</viol_index><viol_name>VIOL_PARAMETER_DATA_TYPE</viol_name><parameter_data><value_error /><enforcement_level>global</enforcement_level><name>YQ==</name><value>Zg==</value></parameter_data><wildcard_entity>*</wildcard_entity><staging>0</staging><expected_data_type>4</expected_data_type></violation><violation><viol_index>45</viol_index><viol_name>VIOL_PARAMETER_VALUE_LENGTH</viol_name><parameter_data><value_error /><enforcement_level>global</enforcement_level><name>cg==</name><value>Mzk0ODM5NDgzOTQ4OTg5OA==</value></parameter_data><staging>0</staging><expected_value_length>10</expected_value_length><actual_value_length>16</actual_value_length><value_length_type>max length</value_length_type></violation><violation><viol_index>46</viol_index><viol_name>VIOL_PARAMETER_DYNAMIC_VALUE</viol_name><parameter_data><value_error /><enforcement_level>global</enforcement_level><name>cg==</name><value>Mg==</value></parameter_data><staging>0</staging></violation><violation><viol_index>47</viol_index><viol_name>VIOL_PARAMETER_STATIC_VALUE</viol_name><parameter_data><value_error /><enforcement_level>global</enforcement_level><name>YQ==</name><value>Zg==</value></parameter_data><wildcard_entity>*</wildcard_entity><staging>0</staging></violation><violation><viol_index>80</viol_index><viol_name>VIOL_PARAMETER_ARRAY_VALUE</viol_name><parameter_data><value_error /><enforcement_level>global</enforcement_level><name>cg==</name><value>MW0I</value></parameter_data><staging>0</staging><array_reason>array must have at most max items</array_reason><array_num_items>4</array_num_items><array_max_items>3</array_max_items></violation><violation><viol_index>83</viol_index><viol_name>VIOL_PARAMETER_LOCATION</viol_name><parameter_data><value_error /><enforcement_level>global</enforcement_level><name>YQ==</name><value>MTI=</value></parameter_data></violation></request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_parameter_data_as_param_data.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_parameter_data_as_param_data.log.txt
new file mode 100644
index 0000000000..908315ee75
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_parameter_data_as_param_data.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,4355056874564592516,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?> <BAD_MSG> <request-violations> <violation> <viol_index>52</viol_index> <viol_name>VIOL_JSON_MALFORMED</viol_name> <context>parameter</context> <param_data> <param_name>anNvbg==</param_name> <staging>0</staging> <param_value>eyAiYSI6ICLW1iJ9</param_value> </param_data> <staging>0</staging> </violation> </request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_parameter_data_empty_context.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_parameter_data_empty_context.log.txt
new file mode 100644
index 0000000000..6a1b5f506c
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_parameter_data_empty_context.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,4355056874564592517,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' ?> <BAD_MSG> <request-violations> <violation> <viol_index>33</viol_index> <viol_name>VIOL_PARAMETER</viol_name> <parameter_data> <value_error/> <enforcement_level>unknown level</enforcement_level> <name>eA==</name> <value>MQ==</value> </parameter_data> </violation> <violation> <viol_index>33</viol_index> <viol_name>VIOL_PARAMETER</viol_name> <parameter_data> <value_error/> <enforcement_level>unknown level</enforcement_level> <name>eQ==</name> <value>JQ==</value> </parameter_data> </violation> </request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_request_max_length.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_request_max_length.log.txt
new file mode 100644
index 0000000000..3b6a69c728
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_request_max_length.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,4355056874564592512,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' ?><BAD_MSG><violation_masks><block>0-0-0-0</block><alarm>475f0ffcb9d0f6a-befbf358b000007e-8000000000000000-0</alarm><learn>0-0-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>5</viol_index><viol_name>VIOL_REQUEST_MAX_LENGTH</viol_name><defined_length>10000000</defined_length><detected_length>11000125</detected_length></violation><violation><viol_index>4</viol_index><viol_name>VIOL_REQUEST_LENGTH</viol_name><total_len>11000000</total_len><total_len_limit>10000000</total_len_limit></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_signature_data.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_signature_data.log.txt
new file mode 100644
index 0000000000..775367ba29
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_signature_data.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,4355056874564592518,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?> <BAD_MSG> <request-violations> <violation> <viol_index>42</viol_index> <viol_name>VIOL_ATTACK_SIGNATURE</viol_name> <sig_data> <sig_id>200021094</sig_id> <blocking_mask>4</blocking_mask> <kw_data> <buffer>Q29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KSG9zdDogYS5jb20NClVzZXItQWdlbnQ6IEphdmEvMS43LjBfNTENCkFjY2VwdDogdGV4dC9odG1sLCBpbWFnZS9naWYsIGltYWdlL2pwZWcsICo7IHE9LjIsICovKjsgcT0uMg0KDQo=</buffer> <offset>37</offset> <length>16</length> </kw_data> </sig_data> <sig_data> <sig_id>200011034</sig_id> <blocking_mask>2</blocking_mask> <kw_data> <buffer>cHQ6ICovKg0KRm9vOiBBdXRob3JpemF0aW9uOiAlbiVuJW4lbg0KRm9vOiBlY2hvPCEtLSAjZWNobw0KWDE4</buffer> <offset>29</offset> <length>6</length> </kw_data> </sig_data> <sig_data> <sig_id>200000179</sig_id> <blocking_mask>3</blocking_mask> <kw_data> <buffer>Nw0KQWNjZXB0OiAqLyoNCkZvbzogQXV0aG9yaXphdGlvbjogJW4lbiVuJW4NCkZvbzogZWNobzwhLS0gI2Vj</buffer> <offset>21</offset> <length>23</length> </kw_data> </sig_data> <sig_data> <sig_id>200004106</sig_id> <blocking_mask>2</blocking_mask> <kw_data> <buffer>emF0aW9uOiAlbiVuJW4lbg0KRm9vOiBlY2hvPCEtLSAjZWNobw0KWDE4OTI6IGVjaG8NClgxODkzOiAnPCEt</buffer> <offset>27</offset> <length>10</length> </kw_data> </sig_data> </violation> </request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_struct_unmatched.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_struct_unmatched.log.txt
new file mode 100644
index 0000000000..3aa084423c
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_struct_unmatched.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,5543056874564592514,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?><UNMATCHED_STRUCT>some text</UNMATCHED_STRUCT>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_url_header_data.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_url_header_data.log.txt
new file mode 100644
index 0000000000..aa2d604bf2
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_url_header_data.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,3255056874564592517,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' ?> <BAD_MSG> <violation_masks> <block>410000000200c00-3a03030c30000072-8000000000000000-0</block> <alarm>477f0ffcbbd0fea-befbf35cb000007e-8000000000000000-0</alarm> <learn>0-2-0-0</learn> <staging>0-0-0-0</staging> </violation_masks> <request-violations><violation><viol_index>57</viol_index><viol_name>VIOL_URL_CONTENT_TYPE</viol_name><header_data><header_name>JA==</header_name><header_actual_value>YmVuaQ==</header_actual_value><header_matched_value>YmVuaQ==</header_matched_value></header_data></violation></request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_url_metachar_length.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_url_metachar_length.log.txt
new file mode 100644
index 0000000000..8b9186bb09
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_url_metachar_length.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,4355056874564592513,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' ?><BAD_MSG><violation_masks><block>0-0-0-0</block><alarm>475f0ffcb9d0f6a-befbf358b000007e-8000000000000000-0</alarm><learn>0-0-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>26</viol_index><viol_name>VIOL_URL_METACHAR</viol_name><uri>LztzaHV0ZG93bg==</uri></violation><violation><viol_index>53</viol_index><viol_name>VIOL_URL_LENGTH</viol_name><uri_len>30</uri_len><uri_len_limit>20</uri_len_limit></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/;shutdown,GET /;shutdown HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_violation_cookie_data.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_violation_cookie_data.log.txt
new file mode 100644
index 0000000000..0aef84c743
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_violation_cookie_data.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,4355056874564592511,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>0-0-0-0</block><alarm>475f0ffcb9d0f6a-befbf358b000007e-8000000000000000-0</alarm><learn>0-0-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>53</viol_index><viol_name>VIOL_COOKIE_MALFORMED</viol_name><buffer>b3N0DQpDb29raWU6IFRTMCIxYzYwZTdiPTAxMzA1OWQ=</buffer><offset>16</offset><specific_desc>Invalid quotation mark sign</specific_desc></violation><violation><viol_index>54</viol_index><viol_name>VIOL_COOKIE_MODIFIED</viol_name><referrer_obj>0</referrer_obj><cookie><cookie_name>eXVtbXlfY29va2ll</cookie_name><cookie_value>Y2hvY28=</cookie_value><is_new_cookie>1</is_new_cookie><staging>0</staging><is_base64_decoded>false</is_base64_decoded></cookie></violation><violation><viol_index>48</viol_index><viol_name>VIOL_COOKIE_EXPIRED</viol_name><cookie_name>VFMwMTQyZmYxMQ==</cookie_name><expiration_period>600</expiration_period><time_passed>11188</time_passed></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_violation_header_data.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_violation_header_data.log.txt
new file mode 100644
index 0000000000..5d6177dbc8
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_violation_header_data.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,4355056874564592511,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>0-0-0-0</block><alarm>475f0ffcb9d0f6a-befbf358b000007e-8000000000000000-0</alarm><learn>0-0-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>58</viol_index><viol_name>VIOL_HEADER_METACHAR</viol_name><header>WDE4OTM6ICc8IS0tICNlY2hv</header><metachar_index>39</metachar_index></violation><violation><viol_index>92</viol_index><viol_name>VIOL_HEADER_REPEATED</viol_name><header_data><header_name>Q29va2ll</header_name></header_data></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_violation_name.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_violation_name.log.txt
new file mode 100644
index 0000000000..2278c55bd6
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_violation_name.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,4355056874564592519,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' ?><BAD_MSG><request-violations><violation><viol_index>55</viol_index><viol_name>VIOL_ASM_COOKIE_MODIFIED</viol_name><cookie_name>VFMwMTQ0ZTkxNF8x</cookie_name></violation><violation><viol_index>55</viol_index><viol_name>VIOL_ASM_COOKIE_MODIFIED</viol_name><cookie_name>VFMwMTQ0ZTkxNF8zMQ==</cookie_name></violation><violation><viol_index>55</viol_index><viol_name>VIOL_ASM_COOKIE_MODIFIED</viol_name><cookie_name>VFMwMTQ0ZTkxNF8x</cookie_name></violation><violation><viol_index>55</viol_index><viol_name>VIOL_ASM_COOKIE_MODIFIED</viol_name><cookie_name>VFMwMTQ0ZTkxNF8zMQ==</cookie_name></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_violation_parameter_data.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_violation_parameter_data.log.txt
new file mode 100644
index 0000000000..771d61fb9b
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_violation_parameter_data.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,4355056874564592511,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>0-0-0-0</block><alarm>475f0ffcb9d0f6a-befbf358b000007e-8000000000000000-0</alarm><learn>0-0-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error /><enforcement_level>global</enforcement_level><name>eQ==</name><auto_detected_type>alpha-numeric</auto_detected_type><value>JWdnYg==</value><location>query</location><is_base64_decoded>false</is_base64_decoded></parameter_data><wildcard_entity>*</wildcard_entity><staging>0</staging><language_type>4</language_type><metachar_index>37</metachar_index></violation><violation><viol_index>25</viol_index><viol_name>VIOL_PARAMETER_NAME_METACHAR</viol_name><param_name>eEA=</param_name><wildcard_entity>*</wildcard_entity><enforcement_level>global</enforcement_level><metachar_index>64</metachar_index><staging>0</staging><is_base64_decoded>false</is_base64_decoded></violation><violation><viol_index>45</viol_index><viol_name>VIOL_PARAMETER_VALUE_LENGTH</viol_name><parameter_data><value_error></value_error><enforcement_level>global</enforcement_level><name>YXR5cGVfMg==</name><value>TG9vcDI8c2NyaXB0Pg==</value><location>form-data</location><is_base_64_decoded>false</is_base_64_decoded></parameter_data><wildcard_identity>*</wildcard_identity><staging>0</staging><expected_value_length>10</expected_value_length><actual_value_length>13</actual_value_length><value_length_type>max length</value_length_type></violation><violation><viol_index>62</viol_index><viol_name>VIOL_PARAMETER_VALUE_BASE64</viol_name><context>header</context><header><header_name>aXNiYXNlNjQtdGVzdC1iaW4=</header_name><header_value>cGxhaW50ZXh0</header_value><header_pattern>isbase64-*-bin</header_pattern><is_base64_decoded>false</is_base64_decoded></header><staging>0</staging></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_violation_request_data.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_violation_request_data.log.txt
new file mode 100644
index 0000000000..a9dbd0bfbd
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_violation_request_data.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,4355056874564592511,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>0-0-0-0</block><alarm>475f0ffcb9d0f6a-befbf358b000007e-8000000000000000-0</alarm><learn>0-0-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>5</viol_index><viol_name>VIOL_REQUEST_MAX_LENGTH</viol_name><defined_length>10000000</defined_length><detected_length>11000125</detected_length></violation><violation><viol_index>17</viol_index><viol_name>VIOL_REQUEST_LENGTH</viol_name><total_len>316</total_len><total_len_limit>0</total_len_limit><extension>aHRtbA==</extension><staging>0</staging></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/testdata/xml_violation_url_data.log.txt b/internal/collector/securityviolationsprocessor/testdata/xml_violation_url_data.log.txt
new file mode 100644
index 0000000000..add28d607b
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/testdata/xml_violation_url_data.log.txt
@@ -0,0 +1 @@
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address::HTTP protocol compliance failed:Evasion technique,4355056874564592511,campaign1::campaign2,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>0-0-0-0</block><alarm>475f0ffcb9d0f6a-befbf358b000007e-8000000000000000-0</alarm><learn>0-0-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>26</viol_index><viol_name>VIOL_URL_METACHAR</viol_name><uri>LztzaHV0ZG93bg==</uri><metachar_index>59</metachar_index><wildcard_entity>*</wildcard_entity><staging>0</staging></violation><violation><viol_index>19</viol_index><viol_name>VIOL_URL_LENGTH</viol_name><uri_len>18</uri_len><uri_len_limit>0</uri_len_limit><extension>aHRtbA==</extension><staging>0</staging></violation><violation><viol_index>52</viol_index><viol_name>VIOL_JSON_MALFORMED</viol_name><context>URL</context><object_data><object>Lw==</object><object_pattern>*</object_pattern></object_data><staging>0</staging><content_profile_data><type>JSON</type><content_id>2</content_id><content_profile_id>5</content_profile_id><content_profile_name>Default</content_profile_name><buffer>Ig==</buffer><index>10</index><location>element value</location><error_code>12</error_code><specific_desc>Malformed document</specific_desc><fault_detail>Illegal character encountered - json syntax error</fault_detail></content_profile_data></violation><violation><viol_index>38</viol_index><viol_name>VIOL_URL</viol_name></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
\ No newline at end of file
diff --git a/internal/collector/securityviolationsprocessor/violations_parser.go b/internal/collector/securityviolationsprocessor/violations_parser.go
new file mode 100644
index 0000000000..91ae86a4ac
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/violations_parser.go
@@ -0,0 +1,472 @@
+// Copyright (c) F5, Inc.
+//
+// This source code is licensed under the Apache License, Version 2.0 license found in the
+// LICENSE file in the root directory of this source tree.
+
+package securityviolationsprocessor
+
+import (
+	"encoding/base64"
+	"encoding/xml"
+	"fmt"
+	"strings"
+
+	events "github.com/nginx/agent/v3/api/grpc/events/v1"
+	"go.uber.org/zap"
+)
+
+const (
+	violationContextRequest   = "request"
+	violationContextHeader    = "header"
+	violationContextParameter = "parameter"
+	violationContextCookie    = "cookie"
+	violationContextUrl       = "url"
+	violationContextUri       = "uri"
+)
+
+// parseViolationsData extracts violation data from the syslog key-value map
+func (p *securityViolationsProcessor) parseViolationsData(kvMap map[string]string) []*events.ViolationData {
+	violationDetails := kvMap["violation_details"]
+	if violationDetails == "" {
+		return nil
+	}
+
+	// Parse XML violation details
+	var xmlData BADMSG
+	if err := xml.Unmarshal([]byte(violationDetails), &xmlData); err != nil {
+		p.settings.Logger.Warn("Failed to parse XML violation details", zap.Error(err))
+		return nil
+	}
+
+	// Extract context from violation names if not present
+	p.extractViolationContext(&xmlData)
+
+	// Process each violation
+	violationsData := make([]*events.ViolationData, 0, len(xmlData.RequestViolations.Violations))
+	for _, v := range xmlData.RequestViolations.Violations {
+		violation := &events.ViolationData{
+			ViolationDataName:    v.ViolName,
+			ViolationDataContext: strings.ToLower(v.Context),
+		}
+
+		// Extract context data based on context type
+		violation.ViolationDataContextData = p.extractContextDataFromXML(v, kvMap)
+
+		// Extract signatures from XML
+		violation.ViolationDataSignatures = p.extractSignaturesFromXML(v)
+
+		violationsData = append(violationsData, violation)
+	}
+
+	return violationsData
+}
+
+// extractViolationContext extracts context from violation names if context is empty
+func (p *securityViolationsProcessor) extractViolationContext(xmlData *BADMSG) {
+	for i, v := range xmlData.RequestViolations.Violations {
+		if strings.ToLower(v.Context) == violationContextUrl {
+			xmlData.RequestViolations.Violations[i].Context = violationContextUri
+		}
+		if v.Context != "" {
+			continue
+		}
+		// Extract context from violation name
+		if v.ViolName != "" {
+			xmlData.RequestViolations.Violations[i].Context = extractContextFromViolationName(v.ViolName)
+		}
+	}
+}
+
+// extractContextFromViolationName derives context from violation name
+func extractContextFromViolationName(violationName string) string {
+	lowerName := strings.ToLower(violationName)
+	if strings.Contains(lowerName, violationContextParameter) {
+		return violationContextParameter
+	}
+	if strings.Contains(lowerName, violationContextHeader) {
+		return violationContextHeader
+	}
+	if strings.Contains(lowerName, violationContextCookie) {
+		return violationContextCookie
+	}
+	if strings.Contains(lowerName, violationContextRequest) {
+		return violationContextRequest
+	}
+	if strings.Contains(lowerName, violationContextUri) || strings.Contains(lowerName, violationContextUrl) {
+		return violationContextUri
+	}
+
+	return ""
+}
+
+// contextExtractResult holds the extracted context data before final processing
+type contextExtractResult struct {
+	name         string
+	value        string
+	isB64Decoded bool
+}
+
+// extractContextDataFromXML extracts context data from XML based on violation context type
+func (p *securityViolationsProcessor) extractContextDataFromXML(
+	v *Violation, kvMap map[string]string,
+) *events.ContextData {
+	var result contextExtractResult
+
+	switch strings.ToLower(v.Context) {
+	case violationContextParameter:
+		result = p.extractParameterContext(v)
+	case violationContextHeader:
+		result = p.extractHeaderContext(v)
+	case violationContextCookie:
+		result = p.extractCookieContext(v)
+	case violationContextUri:
+		result = p.extractUriContext(v)
+	case violationContextRequest:
+		result = p.extractRequestContext(v)
+	default:
+		result = p.extractDefaultContext(v)
+	}
+
+	return p.buildContextData(result, v, kvMap)
+}
+
+// extractParameterContext extracts parameter context data from violation
+func (p *securityViolationsProcessor) extractParameterContext(v *Violation) contextExtractResult {
+	if v.ContextDataWrap != nil && v.ContextDataWrap.ParamData != nil && v.ContextDataWrap.ParamData.Name != "" {
+		return contextExtractResult{
+			name:         v.ContextDataWrap.ParamData.Name,
+			value:        v.ContextDataWrap.ParamData.Value,
+			isB64Decoded: v.ContextDataWrap.ParamData.IsBase64Decoded,
+		}
+	}
+	if v.ParameterData != nil {
+		return contextExtractResult{
+			name:         v.ParameterData.Name,
+			value:        v.ParameterData.Value,
+			isB64Decoded: v.ParameterData.IsBase64Decoded,
+		}
+	}
+	if v.ParamData != nil {
+		return contextExtractResult{
+			name:         v.ParamData.Name,
+			value:        v.ParamData.Value,
+			isB64Decoded: v.ParamData.IsBase64Decoded,
+		}
+	}
+	if v.ParamName != "" {
+		return contextExtractResult{
+			name:         v.ParamName,
+			isB64Decoded: v.IsBase64Decoded,
+		}
+	}
+
+	return contextExtractResult{}
+}
+
+// extractHeaderContext extracts header context data from violation
+func (p *securityViolationsProcessor) extractHeaderContext(v *Violation) contextExtractResult {
+	if v.Header != nil {
+		if v.Header.Name != "" || v.Header.Value != "" {
+			return contextExtractResult{
+				name:         v.Header.Name,
+				value:        v.Header.Value,
+				isB64Decoded: v.Header.IsBase64Decoded,
+			}
+		}
+		// Fallback to Header.Text when Name and Value are empty
+		return contextExtractResult{
+			value:        v.Header.Text,
+			isB64Decoded: v.Header.IsBase64Decoded,
+		}
+	}
+	if v.HeaderData != nil {
+		return contextExtractResult{
+			name:         v.HeaderData.Name,
+			value:        v.HeaderData.Value,
+			isB64Decoded: v.HeaderData.IsBase64Decoded,
+		}
+	}
+	if v.HeaderLength != "" {
+		decodedName := v.HeaderName
+		if decoded, err := p.tryDecodeBase64(v.HeaderName); err == nil {
+			decodedName = decoded
+		} else {
+			p.settings.Logger.Warn("Failed to decode header name",
+				zap.String("header_name", v.HeaderName), zap.Error(err))
+		}
+
+		return contextExtractResult{
+			name: decodedName,
+			value: fmt.Sprintf("Header length: %s, exceeds Header length limit: %s",
+				v.HeaderLength, v.HeaderLengthLimit),
+			isB64Decoded: true,
+		}
+	}
+
+	return contextExtractResult{}
+}
+
+// extractCookieContext extracts cookie context data from violation
+func (p *securityViolationsProcessor) extractCookieContext(v *Violation) contextExtractResult {
+	if v.Cookie != nil && v.CookieLength == "" {
+		return contextExtractResult{
+			name:         v.Cookie.Name,
+			value:        v.Cookie.Value,
+			isB64Decoded: v.Cookie.IsBase64Decoded,
+		}
+	}
+	if v.CookieName != "" {
+		return contextExtractResult{
+			name:         v.CookieName,
+			isB64Decoded: v.IsBase64Decoded,
+		}
+	}
+	if v.Buffer != "" {
+		decodedBuffer, bufferErr := p.tryDecodeBase64(v.Buffer)
+		if bufferErr == nil {
+			return contextExtractResult{
+				name:         v.SpecificDesc,
+				value:        decodedBuffer,
+				isB64Decoded: true,
+			}
+		}
+		p.settings.Logger.Warn("Failed to decode cookie buffer", zap.String("buffer", v.Buffer), zap.Error(bufferErr))
+	}
+	if v.CookieLength != "" && v.Cookie != nil {
+		decodedValue, valueErr := p.tryDecodeBase64(v.Cookie.Text)
+		if valueErr == nil {
+			return contextExtractResult{
+				name: fmt.Sprintf("Cookie length: %s, exceeds Cookie length limit: %s",
+					v.CookieLength, v.CookieLengthLimit),
+				value:        decodedValue,
+				isB64Decoded: true,
+			}
+		}
+		p.settings.Logger.Warn("Failed to decode cookie text",
+			zap.String("cookie_text", v.Cookie.Text), zap.Error(valueErr))
+	}
+
+	return contextExtractResult{}
+}
+
+// extractUriContext extracts URI context data from violation
+func (p *securityViolationsProcessor) extractUriContext(v *Violation) contextExtractResult {
+	if v.Uri != "" {
+		return contextExtractResult{
+			name:         violationContextUri,
+			value:        v.Uri,
+			isB64Decoded: true,
+		}
+	}
+	if v.UriObjectData != nil {
+		return contextExtractResult{
+			name:         violationContextUri,
+			value:        v.UriObjectData.Object,
+			isB64Decoded: true,
+		}
+	}
+	if v.UriLength != "" {
+		return contextExtractResult{
+			name:         "URI length: " + v.UriLength,
+			value:        "URI length limit: " + v.UriLengthLimit,
+			isB64Decoded: true,
+		}
+	}
+	if v.HeaderData != nil &&
+		(v.HeaderData.Name != "" || v.HeaderData.ActualValue != "" || v.HeaderData.MatchedValue != "") {
+		return p.extractHeaderDataWithValues(v.HeaderData, "URI context")
+	}
+
+	return contextExtractResult{}
+}
+
+// extractRequestContext extracts request context data from violation
+func (p *securityViolationsProcessor) extractRequestContext(v *Violation) contextExtractResult {
+	if v.DefinedLength != "" {
+		return contextExtractResult{
+			name:         "Defined length: " + v.DefinedLength,
+			value:        "Detected length: " + v.DetectedLength,
+			isB64Decoded: true,
+		}
+	}
+	if v.TotalLen != "" {
+		return contextExtractResult{
+			name:         "Total length: " + v.TotalLen,
+			value:        "Total length limit: " + v.TotalLenLimit,
+			isB64Decoded: true,
+		}
+	}
+
+	return contextExtractResult{isB64Decoded: true}
+}
+
+// extractDefaultContext handles cases where context is empty but HeaderData exists
+func (p *securityViolationsProcessor) extractDefaultContext(v *Violation) contextExtractResult {
+	if v.HeaderData != nil &&
+		(v.HeaderData.Name != "" || v.HeaderData.ActualValue != "" || v.HeaderData.MatchedValue != "") {
+		return p.extractHeaderDataWithValues(v.HeaderData, "Default context")
+	}
+
+	return contextExtractResult{}
+}
+
+// extractHeaderDataWithValues extracts and decodes header data with actual/matched values
+func (p *securityViolationsProcessor) extractHeaderDataWithValues(
+	headerData *Header, contextLabel string,
+) contextExtractResult {
+	decodedName, err := p.tryDecodeBase64(headerData.Name)
+	if err != nil {
+		p.settings.Logger.Warn(contextLabel+": failed to decode header name",
+			zap.String("header_name", headerData.Name), zap.Error(err))
+	}
+	decodedActualValue, err := p.tryDecodeBase64(headerData.ActualValue)
+	if err != nil {
+		p.settings.Logger.Warn(contextLabel+": failed to decode actual header value",
+			zap.String("actual_value", headerData.ActualValue), zap.Error(err))
+	}
+	decodedMatchedValue, err := p.tryDecodeBase64(headerData.MatchedValue)
+	if err != nil {
+		p.settings.Logger.Warn(contextLabel+": failed to decode matched header value",
+			zap.String("matched_value", headerData.MatchedValue), zap.Error(err))
+	}
+
+	return contextExtractResult{
+		name: decodedName,
+		value: fmt.Sprintf("actual header value: %s. matched header value: %s",
+			decodedActualValue, decodedMatchedValue),
+		isB64Decoded: true,
+	}
+}
+
+// buildContextData constructs the final ContextData from extracted result
+func (p *securityViolationsProcessor) buildContextData(
+	result contextExtractResult, v *Violation, kvMap map[string]string,
+) *events.ContextData {
+	ctxData := &events.ContextData{}
+
+	// Handle already decoded data
+	if result.isB64Decoded {
+		name, value := populateNameValue(v.ViolName, result.name, result.value)
+		ctxData.ContextDataName = name
+		ctxData.ContextDataValue = value
+
+		return ctxData
+	}
+
+	// Decode base64 if not already decoded
+	if result.name != "" || result.value != "" {
+		decodedName := p.decodeStringOrWarn(result.name, v.Context, "name")
+		decodedValue := p.decodeStringOrWarn(result.value, v.Context, "value")
+		name, value := populateNameValue(v.ViolName, decodedName, decodedValue)
+		ctxData.ContextDataName = name
+		ctxData.ContextDataValue = value
+
+		return ctxData
+	}
+
+	// Fallback: use CSV URI for URI context
+	if strings.ToLower(v.Context) == violationContextUri || strings.ToLower(v.Context) == violationContextUrl {
+		if uri := kvMap["uri"]; uri != "" {
+			ctxData.ContextDataName = violationContextUri
+			ctxData.ContextDataValue = uri
+		}
+	}
+
+	return ctxData
+}
+
+// tryDecodeBase64 attempts to decode a base64 string, returning the decoded string or error
+func (p *securityViolationsProcessor) tryDecodeBase64(encoded string) (string, error) {
+	if encoded == "" {
+		return "", nil
+	}
+	decoded, err := base64.StdEncoding.DecodeString(encoded)
+	if err != nil {
+		return "", err
+	}
+
+	return string(decoded), nil
+}
+
+// decodeStringOrWarn decodes a base64 string or logs a warning and returns the original
+func (p *securityViolationsProcessor) decodeStringOrWarn(encoded, context, fieldType string) string {
+	if encoded == "" {
+		return ""
+	}
+	decoded, err := p.tryDecodeBase64(encoded)
+	if err != nil {
+		p.settings.Logger.Warn("Failed to decode context "+fieldType,
+			zap.String("context", context), zap.String(fieldType, encoded), zap.Error(err))
+
+		return encoded
+	}
+
+	return decoded
+}
+
+// extractSignaturesFromXML extracts signature data from XML violation
+func (p *securityViolationsProcessor) extractSignaturesFromXML(v *Violation) []*events.SignatureData {
+	signatures := make([]*events.SignatureData, 0, len(v.SigData))
+
+	for _, s := range v.SigData {
+		// Decode base64 buffer
+		buf, err := base64.StdEncoding.DecodeString(s.KwData.Buffer)
+		if err != nil {
+			p.settings.Logger.Warn("Failed to decode signature buffer",
+				zap.String("buffer", s.KwData.Buffer), zap.Error(err))
+
+			continue
+		}
+
+		signature := &events.SignatureData{
+			SigDataId:           s.SigID,
+			SigDataBlockingMask: s.BlockingMask,
+			SigDataBuffer:       string(buf),
+			SigDataOffset:       s.KwData.Offset,
+			SigDataLength:       s.KwData.Length,
+		}
+		signatures = append(signatures, signature)
+	}
+
+	return signatures
+}
+
+// populateNameValue provides smart fallback logic for name and value extraction
+// matching the behavior from dev-v2 implementation
+func populateNameValue(violationName, dataName, dataValue string) (name, value string) {
+	if dataName != "" && dataValue != "" {
+		name = dataName
+		value = dataValue
+
+		return name, value
+	}
+	name = violationNameToDataName(violationName)
+	if dataName == "" && dataValue != "" {
+		value = dataValue
+		return name, value
+	}
+	if dataName != "" && dataValue == "" {
+		value = dataName
+		return name, value
+	}
+
+	return name, value
+}
+
+// violationNameToDataName converts a violation name (e.g., "VIOL_ATTACK_SIGNATURE")
+// to a readable data name (e.g., "Attack Signature")
+func violationNameToDataName(violationName string) string {
+	parts := strings.Split(strings.ToLower(violationName), "_")
+	if len(parts) > 0 && parts[0] == "viol" {
+		parts = parts[1:]
+	}
+
+	// Capitalize each word
+	for i, part := range parts {
+		if len(part) > 0 {
+			parts[i] = strings.ToUpper(part[:1]) + part[1:]
+		}
+	}
+
+	return strings.Join(parts, " ")
+}
diff --git a/internal/collector/securityviolationsprocessor/xml_structs.go b/internal/collector/securityviolationsprocessor/xml_structs.go
new file mode 100644
index 0000000000..72b7cf71e5
--- /dev/null
+++ b/internal/collector/securityviolationsprocessor/xml_structs.go
@@ -0,0 +1,134 @@
+// Copyright (c) F5, Inc.
+//
+// This source code is licensed under the Apache License, Version 2.0 license found in the
+// LICENSE file in the root directory of this source tree.
+
+package securityviolationsprocessor
+
+import "encoding/xml"
+
+// XML struct definitions for parsing violation_details
+
+// ParameterData represents parameter data in violation XML
+type ParameterData struct {
+	Text            string `xml:",chardata"`
+	Name            string `xml:"name"`
+	Value           string `xml:"value"`
+	IsBase64Decoded bool   `xml:"is_base64_decoded"`
+}
+
+// ParamData represents alternate parameter data format in violation XML
+type ParamData struct {
+	Text            string `xml:",chardata"`
+	Name            string `xml:"name"`
+	Value           string `xml:"value"`
+	IsBase64Decoded bool   `xml:"is_base64_decoded"`
+}
+
+// ContextDataWrapper wraps context-specific data in XML
+//
+//nolint:govet // fieldalignment: XML struct field order matters for unmarshaling
+type ContextDataWrapper struct {
+	Text      string     `xml:",chardata"`
+	ParamData *ParamData `xml:"param_data"`
+}
+
+// Header represents HTTP header data in violation XML
+type Header struct {
+	Text            string `xml:",chardata"`
+	Name            string `xml:"header_name"`
+	Value           string `xml:"header_value"`
+	ActualValue     string `xml:"header_actual_value"`
+	MatchedValue    string `xml:"header_matched_value"`
+	IsBase64Decoded bool   `xml:"is_base64_decoded"`
+}
+
+// Cookie represents cookie data in violation XML
+type Cookie struct {
+	Text            string `xml:",chardata"`
+	Name            string `xml:"cookie_name"`
+	Value           string `xml:"cookie_value"`
+	IsBase64Decoded bool   `xml:"is_base64_decoded"`
+}
+
+// UriObjectData represents URI object data in violation XML
+type UriObjectData struct {
+	Text   string `xml:",chardata"`
+	Object string `xml:"object"`
+}
+
+// SigData represents signature data in violation XML
+//
+//nolint:revive // nested struct for XML unmarshaling
+type SigData struct {
+	Text         string `xml:",chardata"`
+	SigID        string `xml:"sig_id"`
+	BlockingMask string `xml:"blocking_mask"`
+	KwData       struct {
+		Text   string `xml:",chardata"`
+		Buffer string `xml:"buffer"`
+		Offset string `xml:"offset"`
+		Length string `xml:"length"`
+	} `xml:"kw_data"`
+}
+
+// Violation represents an individual violation in the XML structure
+//
+//nolint:govet // fieldalignment: XML struct field order matters for unmarshaling
+type Violation struct {
+	Text                   string              `xml:",chardata"`
+	ViolIndex              string              `xml:"viol_index"`
+	ViolName               string              `xml:"viol_name"`
+	Context                string              `xml:"context"`
+	ContextDataWrap        *ContextDataWrapper `xml:"context_data"`
+	ParameterData          *ParameterData      `xml:"parameter_data"`
+	ParamData              *ParamData          `xml:"param_data"`
+	ParamName              string              `xml:"param_name"`
+	IsBase64Decoded        bool                `xml:"is_base64_decoded"`
+	Header                 *Header             `xml:"header"`
+	HeaderData             *Header             `xml:"header_data"`
+	HeaderName             string              `xml:"header_name"`
+	HeaderLength           string              `xml:"header_len"`
+	HeaderLengthLimit      string              `xml:"header_len_limit"`
+	Cookie                 *Cookie             `xml:"cookie"`
+	CookieName             string              `xml:"cookie_name"`
+	CookieLength           string              `xml:"cookie_len"`
+	CookieLengthLimit      string              `xml:"cookie_len_limit"`
+	Buffer                 string              `xml:"buffer"`
+	SpecificDesc           string              `xml:"specific_desc"`
+	Uri                    string              `xml:"uri"`
+	UriObjectData          *UriObjectData      `xml:"object_data"`
+	UriLength              string              `xml:"uri_len"`
+	UriLengthLimit         string              `xml:"uri_len_limit"`
+	DefinedLength          string              `xml:"defined_length"`
+	DetectedLength         string              `xml:"detected_length"`
+	TotalLen               string              `xml:"total_len"`
+	TotalLenLimit          string              `xml:"total_len_limit"`
+	Staging                string              `xml:"staging"`
+	HTTPSanityChecksStatus string              `xml:"http_sanity_checks_status"`
+	HTTPSubViolationStatus string              `xml:"http_sub_violation_status"`
+	HTTPSubViolation       string              `xml:"http_sub_violation"`
+	WildcardEntity         string              `xml:"wildcard_entity"`
+	LanguageType           string              `xml:"language_type"`
+	MetacharIndex          []string            `xml:"metachar_index"`
+	SigData                []*SigData          `xml:"sig_data"`
+}
+
+// BADMSG represents the root structure of NGINX App Protect violation XML
+//
+//nolint:revive // nested structs for XML unmarshaling
+type BADMSG struct {
+	XMLName        xml.Name `xml:"BAD_MSG"`
+	Text           string   `xml:",chardata"`
+	ViolationMasks struct {
+		Text    string `xml:",chardata"`
+		Block   string `xml:"block"`
+		Alarm   string `xml:"alarm"`
+		Learn   string `xml:"learn"`
+		Staging string `xml:"staging"`
+	} `xml:"violation_masks"`
+	RequestViolations struct {
+		Text       string       `xml:",chardata"`
+		Violations []*Violation `xml:"violation"`
+	} `xml:"request-violations"`
+}