Fix how NAP syslog servers are discovered

Author: dhurley

internal/collector/otel_collector_plugin.go

@@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"net"
 	"os"
 	"strings"
 	"sync"
@@ -46,11 +47,12 @@ const (
 type (
 	// Collector The OTel collector plugin start an embedded OTel collector for metrics collection in the OTel format.
 	Collector struct {
-		service types.CollectorInterface
-		cancel  context.CancelFunc
-		config  *config.Config
-		mu      *sync.Mutex
-		stopped bool
+		service                 types.CollectorInterface
+		config                  *config.Config
+		mu                      *sync.Mutex
+		cancel                  context.CancelFunc
+		previousNAPSysLogServer string
+		stopped                 bool
 	}
 )
 
@@ -86,10 +88,11 @@ func NewCollector(conf *config.Config) (*Collector, error) {
 	}
 
 	return &Collector{
-		config:  conf,
-		service: oTelCollector,
-		stopped: true,
-		mu:      &sync.Mutex{},
+		config:                  conf,
+		service:                 oTelCollector,
+		stopped:                 true,
+		mu:                      &sync.Mutex{},
+		previousNAPSysLogServer: "",
 	}, nil
 }
 
@@ -550,10 +553,14 @@ func (oc *Collector) updateNginxAppProtectTcplogReceivers(nginxConfigContext *mo
 		oc.config.Collector.Receivers.TcplogReceivers = make(map[string]*config.TcplogReceiver)
 	}
 
-	if nginxConfigContext.NAPSysLogServer != "" {
-		if !oc.doesTcplogReceiverAlreadyExist(nginxConfigContext.NAPSysLogServer) {
+	napSysLogServer := oc.findAvailableSyslogServers(nginxConfigContext.NAPSysLogServers)
+
+	slog.Error("Updating NAP SysLog Server list", "list", napSysLogServer)
+
+	if napSysLogServer != "" {
+		if !oc.doesTcplogReceiverAlreadyExist(napSysLogServer) {
 			oc.config.Collector.Receivers.TcplogReceivers["nginx_app_protect"] = &config.TcplogReceiver{
-				ListenAddress: nginxConfigContext.NAPSysLogServer,
+				ListenAddress: napSysLogServer,
 				Operators: []config.Operator{
 					// regex captures the priority number from the log line
 					{
@@ -606,13 +613,13 @@ func (oc *Collector) updateNginxAppProtectTcplogReceivers(nginxConfigContext *mo
 		}
 	}
 
-	tcplogReceiverDeleted := oc.areNapReceiversDeleted(nginxConfigContext)
+	tcplogReceiverDeleted := oc.areNapReceiversDeleted(napSysLogServer)
 
 	return newTcplogReceiverAdded || tcplogReceiverDeleted
 }
 
-func (oc *Collector) areNapReceiversDeleted(nginxConfigContext *model.NginxConfigContext) bool {
-	listenAddressesToBeDeleted := oc.configDeletedNapReceivers(nginxConfigContext)
+func (oc *Collector) areNapReceiversDeleted(napSysLogServer string) bool {
+	listenAddressesToBeDeleted := oc.configDeletedNapReceivers(napSysLogServer)
 	if len(listenAddressesToBeDeleted) != 0 {
 		delete(oc.config.Collector.Receivers.TcplogReceivers, "nginx_app_protect")
 		return true
@@ -621,17 +628,17 @@ func (oc *Collector) areNapReceiversDeleted(nginxConfigContext *model.NginxConfi
 	return false
 }
 
-func (oc *Collector) configDeletedNapReceivers(nginxConfigContext *model.NginxConfigContext) map[string]bool {
+func (oc *Collector) configDeletedNapReceivers(napSysLogServer string) map[string]bool {
 	elements := make(map[string]bool)
 
 	for _, tcplogReceiver := range oc.config.Collector.Receivers.TcplogReceivers {
 		elements[tcplogReceiver.ListenAddress] = true
 	}
 
-	if nginxConfigContext.NAPSysLogServer != "" {
+	if napSysLogServer != "" {
 		addressesToDelete := make(map[string]bool)
-		if !elements[nginxConfigContext.NAPSysLogServer] {
-			addressesToDelete[nginxConfigContext.NAPSysLogServer] = true
+		if !elements[napSysLogServer] {
+			addressesToDelete[napSysLogServer] = true
 		}
 
 		return addressesToDelete
@@ -675,6 +682,39 @@ func (oc *Collector) updateResourceAttributes(
 	return actionUpdated
 }
 
+func (oc *Collector) findAvailableSyslogServers(napSyslogServers []string) string {
+	napSyslogServersMap := make(map[string]bool)
+	for _, server := range napSyslogServers {
+		napSyslogServersMap[server] = true
+	}
+
+	if oc.previousNAPSysLogServer != "" {
+		if _, ok := napSyslogServersMap[oc.previousNAPSysLogServer]; ok {
+			return oc.previousNAPSysLogServer
+		}
+	}
+
+	for _, napSyslogServer := range napSyslogServers {
+		ln, err := net.Listen("tcp", napSyslogServer)
+		if err != nil {
+			slog.Debug("NAP syslog server is not reachable", "address", napSyslogServer,
+				"error", err)
+
+			continue
+		}
+		closeError := ln.Close()
+		if closeError != nil {
+			slog.Debug("Failed to close syslog server", "address", napSyslogServer, "error", closeError)
+		}
+
+		slog.Debug("Found valid NAP syslog server", "address", napSyslogServer)
+
+		return napSyslogServer
+	}
+
+	return ""
+}
+
 func isOSSReceiverChanged(nginxReceiver config.NginxReceiver, nginxConfigContext *model.NginxConfigContext) bool {
 	return nginxReceiver.StubStatus.URL != nginxConfigContext.StubStatus.URL ||
 		len(nginxReceiver.AccessLogs) != len(nginxConfigContext.AccessLogs)

internal/collector/otel_collector_plugin_test.go

@@ -8,6 +8,7 @@ import (
 	"bytes"
 	"context"
 	"errors"
+	"net"
 	"path/filepath"
 	"testing"
 
@@ -738,7 +739,7 @@ func TestCollector_updateNginxAppProtectTcplogReceivers(t *testing.T) {
 	require.NoError(t, err)
 
 	nginxConfigContext := &model.NginxConfigContext{
-		NAPSysLogServer: "localhost:151",
+		NAPSysLogServers: []string{"localhost:15632"},
 	}
 
 	assert.Empty(t, conf.Collector.Receivers.TcplogReceivers)
@@ -748,7 +749,7 @@ func TestCollector_updateNginxAppProtectTcplogReceivers(t *testing.T) {
 
 		assert.True(tt, tcplogReceiverAdded)
 		assert.Len(tt, conf.Collector.Receivers.TcplogReceivers, 1)
-		assert.Equal(tt, "localhost:151", conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].ListenAddress)
+		assert.Equal(tt, "localhost:15632", conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].ListenAddress)
 		assert.Len(tt, conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].Operators, 6)
 	})
 
@@ -758,7 +759,7 @@ func TestCollector_updateNginxAppProtectTcplogReceivers(t *testing.T) {
 		tcplogReceiverAdded := collector.updateNginxAppProtectTcplogReceivers(nginxConfigContext)
 		assert.False(t, tcplogReceiverAdded)
 		assert.Len(t, conf.Collector.Receivers.TcplogReceivers, 1)
-		assert.Equal(t, "localhost:151", conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].ListenAddress)
+		assert.Equal(t, "localhost:15632", conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].ListenAddress)
 		assert.Len(t, conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].Operators, 6)
 	})
 
@@ -771,17 +772,85 @@ func TestCollector_updateNginxAppProtectTcplogReceivers(t *testing.T) {
 	t.Run("Test 4: NewCollector tcplogReceiver added and deleted another", func(tt *testing.T) {
 		tcplogReceiverDeleted := collector.updateNginxAppProtectTcplogReceivers(
 			&model.NginxConfigContext{
-				NAPSysLogServer: "localhost:152",
+				NAPSysLogServers: []string{"localhost:1555"},
 			},
 		)
 
 		assert.True(t, tcplogReceiverDeleted)
 		assert.Len(t, conf.Collector.Receivers.TcplogReceivers, 1)
-		assert.Equal(t, "localhost:152", conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].ListenAddress)
+		assert.Equal(t, "localhost:1555", conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].ListenAddress)
 		assert.Len(t, conf.Collector.Receivers.TcplogReceivers["nginx_app_protect"].Operators, 6)
 	})
 }
 
+func TestCollector_findAvailableSyslogServers(t *testing.T) {
+	conf := types.OTelConfig(t)
+	conf.Collector.Log.Path = ""
+	conf.Collector.Processors.Batch = nil
+	conf.Collector.Processors.Attribute = nil
+	conf.Collector.Processors.Resource = nil
+	conf.Collector.Processors.LogsGzip = nil
+	collector, err := NewCollector(conf)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name                    string
+		expectedSyslogServer    string
+		previousNAPSysLogServer string
+		syslogServers           []string
+		portInUse               bool
+	}{
+		{
+			name:                    "Test 1: port available",
+			expectedSyslogServer:    "localhost:15632",
+			previousNAPSysLogServer: "",
+			syslogServers:           []string{"localhost:15632"},
+			portInUse:               false,
+		},
+		{
+			name:                    "Test 2: port in use",
+			expectedSyslogServer:    "",
+			previousNAPSysLogServer: "",
+			syslogServers:           []string{"localhost:15632"},
+			portInUse:               true,
+		},
+		{
+			name:                    "Test 3: syslog server already configured",
+			expectedSyslogServer:    "localhost:15632",
+			previousNAPSysLogServer: "localhost:15632",
+			syslogServers:           []string{"localhost:15632"},
+			portInUse:               false,
+		},
+		{
+			name:                    "Test 4: new syslog server",
+			expectedSyslogServer:    "localhost:15632",
+			previousNAPSysLogServer: "localhost:1122",
+			syslogServers:           []string{"localhost:15632"},
+			portInUse:               false,
+		},
+		{
+			name:                    "Test 5: port in use find next server",
+			expectedSyslogServer:    "localhost:1122",
+			previousNAPSysLogServer: "",
+			syslogServers:           []string{"localhost:15632", "localhost:1122"},
+			portInUse:               true,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(tt *testing.T) {
+			if test.portInUse {
+				ln, listenError := net.Listen("tcp", "localhost:15632")
+				require.NoError(t, listenError)
+				defer ln.Close()
+			}
+
+			actual := collector.findAvailableSyslogServers(test.syslogServers)
+			assert.Equal(tt, test.expectedSyslogServer, actual)
+		})
+	}
+}
+
 func createFakeCollector() *typesfakes.FakeCollectorInterface {
 	fakeCollector := &typesfakes.FakeCollectorInterface{}
 	fakeCollector.RunStub = func(ctx context.Context) error { return nil }

internal/datasource/config/nginx_config_parser.go

@@ -49,8 +49,7 @@ const (
 
 type (
 	NginxConfigParser struct {
-		agentConfig             *config.Config
-		previousNAPSysLogServer string
+		agentConfig *config.Config
 	}
 )
 
@@ -68,8 +67,7 @@ type (
 
 func NewNginxConfigParser(agentConfig *config.Config) *NginxConfigParser {
 	return &NginxConfigParser{
-		agentConfig:             agentConfig,
-		previousNAPSysLogServer: "",
+		agentConfig: agentConfig,
 	}
 }
 
@@ -125,6 +123,7 @@ func (ncp *NginxConfigParser) createNginxConfigContext(
 			Listen:   "",
 			Location: "",
 		},
+		NAPSysLogServers: make([]string, 0),
 	}
 
 	rootDir := filepath.Dir(instance.GetInstanceRuntime().GetConfigPath())
@@ -205,11 +204,11 @@ func (ncp *NginxConfigParser) createNginxConfigContext(
 		}
 
 		if len(napSyslogServersFound) > 0 {
-			syslogServer := ncp.findAvailableSyslogServers(ctx, napSyslogServersFound)
-			if syslogServer != "" {
-				nginxConfigContext.NAPSysLogServer = syslogServer
-				ncp.previousNAPSysLogServer = syslogServer
+			var napSyslogServer []string
+			for server := range napSyslogServersFound {
+				napSyslogServer = append(napSyslogServer, server)
 			}
+			nginxConfigContext.NAPSysLogServers = napSyslogServer
 		} else if napEnabled {
 			slog.WarnContext(ctx, "Could not find available local NGINX App Protect syslog server. "+
 				"Security violations will not be collected.")
@@ -226,31 +225,6 @@ func (ncp *NginxConfigParser) createNginxConfigContext(
 	return nginxConfigContext, nil
 }
 
-func (ncp *NginxConfigParser) findAvailableSyslogServers(ctx context.Context, napSyslogServers map[string]bool) string {
-	if ncp.previousNAPSysLogServer != "" {
-		if _, ok := napSyslogServers[ncp.previousNAPSysLogServer]; ok {
-			return ncp.previousNAPSysLogServer
-		}
-	}
-
-	for napSyslogServer := range napSyslogServers {
-		ln, err := net.Listen("tcp", napSyslogServer)
-		if err != nil {
-			slog.DebugContext(ctx, "NAP syslog server is not reachable", "address", napSyslogServer,
-				"error", err)
-
-			continue
-		}
-		ln.Close()
-
-		slog.DebugContext(ctx, "Found valid NAP syslog server", "address", napSyslogServer)
-
-		return napSyslogServer
-	}
-
-	return ""
-}
-
 func (ncp *NginxConfigParser) findLocalSysLogServers(sysLogServer string) string {
 	re := regexp.MustCompile(`syslog:server=([\S]+)`)
 	matches := re.FindStringSubmatch(sysLogServer)