fix: remove duplicate attributes

Author: devbgv

internal/collector/syslogprocessor/factory.go

@@ -16,7 +16,8 @@ import (
 const typeStr = "syslog"
 
 // NewFactory creates a factory for the syslog processor.
-// nolint: ireturn
+//
+//nolint:ireturn // factory methods return interfaces by design
 func NewFactory() processor.Factory {
 	return processor.NewFactory(
 		component.MustNewType(typeStr),
@@ -26,7 +27,8 @@ func NewFactory() processor.Factory {
 }
 
 // createSyslogProcessor instantiates the logs processor.
-// nolint: ireturn
+//
+//nolint:ireturn // required to comply with component factory interface
 func createSyslogProcessor(
 	_ context.Context,
 	settings processor.Settings,

internal/collector/syslogprocessor/processor.go

@@ -92,6 +92,7 @@ func (p *syslogProcessor) processLogRecords(lrs plog.LogRecordSlice) error {
 		}
 
 		skipped++
+
 		return true
 	})
 	if skipped > 0 {
@@ -146,9 +147,6 @@ func (p *syslogProcessor) setSyslogAttributes(lr plog.LogRecord, m *rfc3164.Sysl
 	if m.Timestamp != nil {
 		attrs.PutStr("syslog.timestamp", m.Timestamp.Format(time.RFC3339))
 	}
-	if m.Appname != nil {
-		attrs.PutStr("syslog.appname", *m.Appname)
-	}
 	if m.ProcID != nil {
 		attrs.PutStr("syslog.procid", *m.ProcID)
 	}
@@ -216,10 +214,11 @@ func (p *syslogProcessor) assignHostnames(log *SecurityViolationEvent, hostname
 	}
 }
 
-// nolint: lll
 // parseCSVLog parses comma-separated syslog messages where fields are in a
 // order : blocking_exception_reason,dest_port,ip_client,is_truncated_bool,method,policy_name,protocol,request_status,response_code,severity,sig_cves,sig_set_names,src_port,sub_violations,support_id,threat_campaign_names,violation_rating,vs_name,x_forwarded_for_header_value,outcome,outcome_reason,violations,violation_details,bot_signature_name,bot_category,bot_anomalies,enforced_bot_anomalies,client_class,client_application,client_application_version,transport_protocol,uri,request (secops_dashboard-log profile format).
 // versions when key-value logging isn't enabled.
+//
+//nolint:lll //long test string kept for log profile readability
 func (p *syslogProcessor) parseCSVLog(message string) map[string]string {
 	kvMap := make(map[string]string)
 
@@ -438,6 +437,7 @@ func splitAndTrim(value string) []string {
 
 	return trimmedParts
 }
+
 func buildSignatures(ids, names []string, mask, offset, length string) []SignatureData {
 	signatures := make([]SignatureData, 0, len(ids))
 	for i, id := range ids {

internal/collector/syslogprocessor/processor_test.go

@@ -19,7 +19,7 @@ import (
 	"go.uber.org/zap"
 )
 
-// nolint: lll,revive
+//nolint:lll,revive // long test string kept for readability
 func TestSyslogProcessor(t *testing.T) {
 	testCases := []struct {
 		expectAttrs   map[string]string
@@ -32,7 +32,6 @@ func TestSyslogProcessor(t *testing.T) {
 			name: "csv nginx app protect syslog message",
 			body: `<130>Aug 22 03:28:35 ip-172-16-0-213 ASM:N/A,80,127.0.0.1,false,GET,nms_app_protect_default_policy,HTTP,blocked,0,N/A,N/A::N/A,{High Accuracy Signatures;Cross Site Scripting Signatures}::{High Accuracy Signatures; Cross Site Scripting Signatures},56064,N/A,5377540117854870581,N/A,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,Illegal meta character in URL::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>414000000200c00-3a03030c30000072-8000000000000000-0</block><alarm>475f0ffcbbd0fea-befbf35cb000007e-f400000000000000-0</alarm><learn>0-0-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name><context>url</context><sig_data><sig_id>200000099</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>Lzw+PHNjcmlwdD4=</buffer><offset>3</offset><length>7</length></kw_data></sig_data><sig_data><sig_id>200000093</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>Lzw+PHNjcmlwdD4=</buffer><offset>4</offset><length>7</length></kw_data></sig_data></violation><violation><viol_index>26</viol_index><viol_name>VIOL_URL_METACHAR</viol_name><uri>Lzw+PHNjcmlwdD4=</uri><metachar_index>60</metachar_index><wildcard_entity>*</wildcard_entity><staging>0</staging></violation><violation><viol_index>26</viol_index><viol_name>VIOL_URL_METACHAR</viol_name><uri>Lzw+PHNjcmlwdD4=</uri><metachar_index>62</metachar_index><wildcard_entity>*</wildcard_entity><staging>0</staging></violation><violation><viol_index>122</viol_index><viol_name>VIOL_BOT_CLIENT</viol_name></violation><violation><viol_index>93</viol_index><viol_name>VIOL_RATING_THREAT</viol_name></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/<><script>,GET /<><script> HTTP/1.1\\r\\nHost: localhost\\r\\nUser-Agent: curl/7.81.0\\r\\nAccept: */*\\r\\n\\r\\n`,
 			expectAttrs: map[string]string{
-				"syslog.appname":          "ASM",
 				"app_protect.policy_name": "nms_app_protect_default_policy",
 				"app_protect.support_id":  "5377540117854870581",
 				"app_protect.outcome":     "REJECTED",
@@ -44,7 +43,7 @@ func TestSyslogProcessor(t *testing.T) {
 			name: "simple valid syslog message",
 			body: "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
 			expectAttrs: map[string]string{
-				"syslog.appname": "su",
+				"syslog.facility": "auth",
 			},
 			expectRecords: 1,
 		},
@@ -91,7 +90,7 @@ func TestSyslogProcessor(t *testing.T) {
 
 			for k, v := range tc.expectAttrs {
 				val, ok := lrOut.Attributes().Get(k)
-				assert.True(t, ok, "attribute %s missing", k)
+				assert.True(t, ok, "attribute %s missing %v", k, v)
 				assert.Equal(t, v, val.Str())
 			}
 
@@ -158,8 +157,8 @@ func TestSyslogProcessor(t *testing.T) {
 
 func TestSyslogProcessorFailure(t *testing.T) {
 	testCases := []struct {
-		name          string
 		body          any
+		name          string
 		expectRecords int
 	}{
 		{