diff --git a/internal/collector/otel_collector_plugin.go b/internal/collector/otel_collector_plugin.go
index d6d452a41..953f1838d 100644
--- a/internal/collector/otel_collector_plugin.go
+++ b/internal/collector/otel_collector_plugin.go
@@ -554,6 +554,24 @@ func (oc *Collector) updateNginxAppProtectTcplogReceivers(nginxConfigContext *mo
 oc.config.Collector.Receivers.TcplogReceivers["nginx_app_protect"] = &config.TcplogReceiver{
 ListenAddress: nginxConfigContext.NAPSysLogServer,
 Operators: []config.Operator{
+ // regex captures the priority number from the log line
+ {
+ Type: "regex_parser",
+ Fields: map[string]string{
+ "regex": "^<(?P\\d+)>",
+ "parse_from": "body",
+ "parse_to": "attributes",
+ },
+ },
+ // filter drops all logs that have a severity above 4
+ // https://docs.secureauth.com/0902/en/how-to-read-a-syslog-message.html#severity-code-table
+ {
+ Type: "filter",
+ Fields: map[string]string{
+ "expr": "'int(attributes.priority) % 8 > 4'",
+ "drop_ratio": "1.0",
+ },
+ },
 {
 Type: "add",
 Fields: map[string]string{
diff --git a/internal/collector/otel_collector_plugin_test.go b/internal/collector/otel_collector_plugin_test.go
index 2fa51cef4..5623d2eef 100644
--- a/internal/collector/otel_collector_plugin_test.go
+++ b/internal/collector/otel_collector_plugin_test.go
@@ -173,8 +173,9 @@ func TestCollector_ProcessNginxConfigUpdateTopic(t *testing.T) {
 },
 },
 receivers: config.Receivers{
- HostMetrics: nil,
- OtlpReceivers: nil,
+ HostMetrics: nil,
+ OtlpReceivers: nil,
+ TcplogReceivers: make(map[string]*config.TcplogReceiver),
 NginxPlusReceivers: []config.NginxPlusReceiver{
 {
 InstanceID: "123",
@@ -213,8 +214,9 @@ func TestCollector_ProcessNginxConfigUpdateTopic(t *testing.T) {
 },
 },
 receivers: config.Receivers{
- HostMetrics: nil,
- OtlpReceivers: nil,
+ HostMetrics: nil,
+ OtlpReceivers: nil,
+ TcplogReceivers: make(map[string]*config.TcplogReceiver),
 NginxReceivers: []config.NginxReceiver{
 {
 InstanceID: "123",
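Review bot: The new `filter` operator in otel_collector_plugin.go reads `attributes.priority` on every entry, but the hunk does not say what should happen to a line that lacks a leading `<PRI>` header: the `regex_parser` fails, the attribute is never set, and neither operator sets `on_error`, so the outcome is left to operator defaults. On a WAF log stream that choice should be explicit, because a truncated or malformed security event would otherwise be dropped or forwarded unfiltered without anyone having decided so; I would set `on_error` in both `Fields` maps (assuming the template passes it through) and add a test entry without a priority prefix. The comment "severity above 4" is easy to misread since higher syslog codes are less severe; `// drop notice, info and debug (severity 5-7); keep emergency through warning (0-4)` states what survives. As rendered on this page the capture group has no name (`(?P\\d+)`) while the filter expects `priority`, so confirm the file has `(?P<priority>\\d+)`. The enclosing function starts and ends outside the hunk.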
@@ -747,7 +749,7 @@ func TestCollector_updateNginxAppProtectTcplogReceivers(t *testing.T) {
 assert.True(tt, tcplogReceiverAdded)
 assert.Len(tt, conf.Collector.Receivers.TcplogReceivers, 1)
 assert.Equal(tt, "localhost:151", conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].ListenAddress)
- assert.Len(tt, conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].Operators, 4)
+ assert.Len(tt, conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].Operators, 6)
 })
 // Calling updateNginxAppProtectTcplogReceivers shouldn't update the TcplogReceivers slice
@@ -757,7 +759,7 @@ func TestCollector_updateNginxAppProtectTcplogReceivers(t *testing.T) {
 assert.False(t, tcplogReceiverAdded)
 assert.Len(t, conf.Collector.Receivers.TcplogReceivers, 1)
 assert.Equal(t, "localhost:151", conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].ListenAddress)
- assert.Len(t, conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].Operators, 4)
+ assert.Len(t, conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].Operators, 6)
 })
 t.Run("Test 3: TcplogReceiver deleted", func(tt *testing.T) {
@@ -776,7 +778,7 @@ func TestCollector_updateNginxAppProtectTcplogReceivers(t *testing.T) {
 assert.True(t, tcplogReceiverDeleted)
 assert.Len(t, conf.Collector.Receivers.TcplogReceivers, 1)
 assert.Equal(t, "localhost:152", conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].ListenAddress)
- assert.Len(t, conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].Operators, 4)
+ assert.Len(t, conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].Operators, 6)
 })
 }
diff --git a/internal/collector/otelcol.tmpl b/internal/collector/otelcol.tmpl
index b331152c0..572e8c222 100644
--- a/internal/collector/otelcol.tmpl
+++ b/internal/collector/otelcol.tmpl
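Review bot: The updated assertion in the -747 hunk of otel_collector_plugin_test.go only checks that the operator list has length 6, so the test still passes if the `regex_parser` and `filter` operators are reordered or the filter expression changes. Because the filter decides which App Protect events are discarded, pin the first two operators as well, for example `assert.Equal(tt, "regex_parser", ops[0].Type)` and `assert.Equal(tt, "filter", ops[1].Type)` with `ops` bound to the receiver's `Operators`, plus a check on the `expr` field. The same applies to the hunks at -757 and -776, where the assertions also appear to use the parent `t` inside subtests declared with `tt`; the subtest bodies start outside those hunks, so verify.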
@@ -296,7 +296,7 @@ service:
 receivers:
 {{- range $receiver := $pipeline.Receivers }}
 {{- if eq $receiver "tcplog/nginx_app_protect" }}
- - tcplog/nginx_app_protect:
+ - tcplog/nginx_app_protect
 {{- else }}
 - {{ $receiver }}
 {{- end }}
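Review bot: With the trailing colon removed, the `if eq $receiver "tcplog/nginx_app_protect"` branch now prints the same item the `else` branch prints for that value, so the conditional no longer changes the output (assuming both branches are indented alike, which this page does not show). The template lines from `{{- if eq … }}` through `{{- end }}` could be reduced to the single `- {{ $receiver }}`, which removes the special case that produced the malformed list entry. The `range` block closes outside the hunk.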