Add log record attributes from category from FrontDoorWebApplicationFirewallLog (#39994)

<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue.
Ex. Adding a feature - Explain what this achieves.-->
#### Description

Same as done before for Azure CDN Access Log:
#39820.

Remove the fields from category FrontDoorWebApplicationFirewallLog from
the body log record and place them as log record attributes.

See a detailed description in
#39993.

<!-- Issue number (e.g. #1234) or full URL to issue, if applicable. -->
#### Link to tracking issue
Fixes #39993.

<!--Describe what testing was performed and which tests were added.-->
#### Testing

Unit tests added.

<!--Describe the documentation added.-->
#### Documentation

README updated.

<!--Please delete paragraphs that you did not use before submitting.-->

---------

Co-authored-by: Antoine Toulme <[email protected]>

Author: constanca-m

.chloggen/azurelogs-frontdoor-waf.yaml

@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: breaking
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: pkg
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Remove the fields from category FrontDoorWebApplicationFirewallLog from the body log record and place them as log record attributes.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [39993]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: []

pkg/translator/azurelogs/README.md

@@ -32,4 +32,22 @@ The mapping for this category is as follows:
 | `ErrorInfo`             | Same as `errorInfo`                                                                                                                   |
 | `endpoint`              | Either:<br>1. `destination.address` if it is equal to `backendHostname`<br>2. `network.peer.address` otherwise.                       |
 | `isReceivedFromClient`  | `network.io.direction`<br>- If `true`, `receive`<br>- Else, `transmit`                                                                |
-| `backendHostname`       | 1. `destination.address` <br>2. `destination.port`, if any                                                                            |
+| `backendHostname`       | 1. `destination.address` <br>2. `destination.port`, if any                                                                            |
+
+
+### Front Door Web Application Firewall Logs
+
+The mapping for this category is as follows:
+
+| Original Field (JSON) | Log Record Attribute                                                                                                                  |
+|-----------------------|---------------------------------------------------------------------------------------------------------------------------------------|
+| `clientIP`            | `client.address`                                                                                                                      |
+| `clientPort`          | `client.port`                                                                                                                         |
+| `socketIP`            | `source.address`                                                                                                                      |
+| `requestUri`          | `url.orginal`<br>Also parses it to get fields:<br>1.`url.scheme`<br>2.`url.fragment`<br>3.`url.query`<br>4.`url.path`<br>5.`url.port` |
+| `ruleName`            | `azure.frontdoor.waf.rule.name`                                                                                                       |
+| `policy`              | `azure.frontdoor.waf.policy.name`                                                                                                     |
+| `action`              | `azure.frontdoor.waf.action`                                                                                                          |
+| `host`                | `http.request.header.host`                                                                                                            |
+| `trackingReference`   | `azure.ref`                                                                                                                           |
+| `policyMode`          | `azure.frontdoor.waf.policy.mode`                                                                                                     |

pkg/translator/azurelogs/category_logs.go

@@ -22,7 +22,7 @@ const (
 	categoryAzureCdnAccessLog                  = "AzureCdnAccessLog"
 	categoryFrontDoorAccessLog                 = "FrontDoorAccessLog"
 	categoryFrontDoorHealthProbeLog            = "FrontDoorHealthProbeLog"
-	categoryFrontdoorWebApplicationFirewallLog = "FrontdoorWebApplicationFirewallLog"
+	categoryFrontdoorWebApplicationFirewallLog = "FrontDoorWebApplicationFirewallLog"
 	categoryAppServiceAppLogs                  = "AppServiceAppLogs"
 	categoryAppServiceAuditLogs                = "AppServiceAuditLogs"
 	categoryAppServiceAuthenticationLogs       = "AppServiceAuthenticationLogs"
@@ -59,6 +59,25 @@ const (
 	missingPort = "missing port in address"
 )
 
+const (
+	// azure front door WAF attributes
+
+	// attributeAzureFrontDoorWAFRuleName holds the name of the WAF rule that
+	// the request matched.
+	attributeAzureFrontDoorWAFRuleName = "azure.frontdoor.waf.rule.name"
+
+	// attributeAzureFrontDoorWAFPolicyName holds the name of the WAF policy
+	// that processed the request.
+	attributeAzureFrontDoorWAFPolicyName = "azure.frontdoor.waf.policy.name"
+
+	// attributeAzureFrontDoorWAFPolicyMode holds the operations mode of the
+	// WAF policy.
+	attributeAzureFrontDoorWAFPolicyMode = "azure.frontdoor.waf.policy.mode"
+
+	// attributeAzureFrontDoorWAFAction holds the action taken on the request.
+	attributeAzureFrontDoorWAFAction = "azure.frontdoor.waf.action"
+)
+
 var (
 	errStillToImplement    = errors.New("still to implement")
 	errUnsupportedCategory = errors.New("category not supported")
@@ -351,11 +370,46 @@ func addFrontDoorHealthProbeLogProperties(_ []byte, _ plog.LogRecord) error {
 	return errStillToImplement
 }
 
+// See https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-monitor?pivots=front-door-standard-premium#waf-logs
+type frontDoorWAFLogProperties struct {
+	ClientIP          string `json:"clientIP"`
+	ClientPort        string `json:"clientPort"`
+	SocketIP          string `json:"socketIP"`
+	RequestURI        string `json:"requestUri"`
+	RuleName          string `json:"ruleName"`
+	Policy            string `json:"policy"`
+	Action            string `json:"action"`
+	Host              string `json:"host"`
+	TrackingReference string `json:"trackingReference"`
+	PolicyMode        string `json:"policyMode"`
+}
+
 // addFrontDoorWAFLogProperties parses the Front Door access log, and adds
 // the relevant attributes to the record
-func addFrontDoorWAFLogProperties(_ []byte, _ plog.LogRecord) error {
-	// TODO @constanca-m implement this the same way as addAzureCdnAccessLogProperties
-	return errStillToImplement
+func addFrontDoorWAFLogProperties(data []byte, record plog.LogRecord) error {
+	var properties frontDoorWAFLogProperties
+	if err := gojson.Unmarshal(data, &properties); err != nil {
+		return fmt.Errorf("failed to parse AzureCdnAccessLog properties: %w", err)
+	}
+
+	if err := putInt(string(conventions.ClientPortKey), properties.ClientPort, record); err != nil {
+		return err
+	}
+
+	if err := addRequestURIProperties(properties.RequestURI, record); err != nil {
+		return fmt.Errorf(`failed to handle "requestUri" field: %w`, err)
+	}
+
+	putStr(string(conventions.ClientAddressKey), properties.ClientIP, record)
+	putStr(string(conventions.SourceAddressKey), properties.SocketIP, record)
+	putStr(attributeAzureRef, properties.TrackingReference, record)
+	putStr("http.request.header.host", properties.Host, record)
+	putStr(attributeAzureFrontDoorWAFPolicyName, properties.Policy, record)
+	putStr(attributeAzureFrontDoorWAFPolicyMode, properties.PolicyMode, record)
+	putStr(attributeAzureFrontDoorWAFRuleName, properties.RuleName, record)
+	putStr(attributeAzureFrontDoorWAFAction, properties.Action, record)
+
+	return nil
 }
 
 // addAppServiceAppLogsProperties parses the App Service access log, and adds

pkg/translator/azurelogs/property_names.go

@@ -102,25 +102,6 @@ func handleFrontDoorHealthProbeLog(field string, value any, attrs map[string]any
 	}
 }
 
-func handleFrontdoorWebApplicationFirewallLog(field string, value any, attrs map[string]any, attrsProps map[string]any) {
-	switch field {
-	case "clientIP":
-		attrs["client.address"] = value
-	case "clientPort":
-		attrs["client.port"] = value
-	case "socketIP":
-		attrs[string(conventions.NetworkPeerAddressKey)] = value
-	case "requestUri":
-		attrs[string(conventions.URLFullKey)] = value
-	case "host":
-		attrs[string(conventions.ServerAddressKey)] = value
-	case "trackingReference":
-		attrs[string(conventions.AzServiceRequestIDKey)] = value
-	default:
-		attrsProps[field] = value
-	}
-}
-
 func handleAppServiceAppLogs(field string, value any, attrs map[string]any, attrsProps map[string]any) {
 	switch field {
 	case "ContainerId":

pkg/translator/azurelogs/resourcelogs_to_logs.go

@@ -282,8 +282,6 @@ func copyPropertiesAndApplySemanticConventions(category string, properties []byt
 		handleFunc = handleFrontDoorAccessLog
 	case categoryFrontDoorHealthProbeLog:
 		handleFunc = handleFrontDoorHealthProbeLog
-	case categoryFrontdoorWebApplicationFirewallLog:
-		handleFunc = handleFrontdoorWebApplicationFirewallLog
 	case categoryAppServiceAppLogs:
 		handleFunc = handleAppServiceAppLogs
 	case categoryAppServiceAuditLogs:

pkg/translator/azurelogs/resourcelogs_to_logs_test.go

@@ -318,6 +318,47 @@ func TestUnmarshalLogs_AzureCdnAccessLog(t *testing.T) {
 	}
 }
 
+func TestUnmarshalLogs_FrontDoorWebApplicationFirewallLog(t *testing.T) {
+	t.Parallel()
+
+	dir := "testdata/frontdoorwebapplicationfirewalllog"
+	tests := map[string]struct {
+		logFilename      string
+		expectedFilename string
+		expectsErr       string
+	}{
+		"valid_1": {
+			logFilename:      "valid_1.json",
+			expectedFilename: "valid_1_expected.yaml",
+		},
+	}
+
+	u := &ResourceLogsUnmarshaler{
+		Version: testBuildInfo.Version,
+		Logger:  zap.NewNop(),
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			data, err := os.ReadFile(filepath.Join(dir, test.logFilename))
+			require.NoError(t, err)
+
+			logs, err := u.UnmarshalLogs(data)
+
+			if test.expectsErr != "" {
+				require.ErrorContains(t, err, test.expectsErr)
+				return
+			}
+
+			require.NoError(t, err)
+
+			expectedLogs, err := golden.ReadLogs(filepath.Join(dir, test.expectedFilename))
+			require.NoError(t, err)
+			require.NoError(t, plogtest.CompareLogs(expectedLogs, logs, plogtest.IgnoreResourceLogsOrder()))
+		})
+	}
+}
+
 func TestUnmarshalLogs_Files(t *testing.T) {
 	// TODO @constanca-m Eventually this test function will be fully
 	// replaced with TestUnmarshalLogs_<category>, once all the currently supported
@@ -363,10 +404,6 @@ func TestUnmarshalLogs_Files(t *testing.T) {
 			logFilename:      "log-frontdoorhealthprobelog.json",
 			expectedFilename: "front-door-health-probe-log-expected.yaml",
 		},
-		"front_door_way_logs": {
-			logFilename:      "log-frontdoorwaflog.json",
-			expectedFilename: "front-door-waf-log-expected.yaml",
-		},
 		"log_bad_time": {
 			logFilename:      "log-bad-time.json",
 			expectedFilename: "log-bad-time-expected.yaml",

pkg/translator/azurelogs/testdata/expected/front-door-waf-log-expected.yaml

@@ -0,0 +1,32 @@
+{
+  "records":[
+    {
+      "time":"2025-04-24T15:35:06.0000000Z",
+      "resourceId":"/SUBSCRIPTIONS/OPENTELEMETRY-AZURE-SUB/RESOURCEGROUPS/OPENTELEMETRY-FRONTDOOR/PROVIDERS/MICROSOFT.CDN/PROFILES/OPENTELEMETRY-FRONTDOOR-PROFILE",
+      "category":"FrontDoorWebApplicationFirewallLog",
+      "operationName":"Microsoft.Cdn/Profiles/WebApplicationFirewallLog/Write",
+      "properties":{
+        "clientIP":"2001:1c00:3280:6700:fbfa:bf04:1296:ebfc",
+        "clientPort":"57660",
+        "socketIP":"2001:1c00:3280:6700:fbfa:bf04:1296:ebfc",
+        "requestUri":"http://opentelemetry-test-fmagg0exgdcfhefq.z01.azurefd.net:80/",
+        "ruleName":"Rule1",
+        "policy":"policy",
+        "action":"Block",
+        "host":"opentelemetry-test-fmagg0exgdcfhefq.z01.azurefd.net",
+        "trackingReference":"20250424T153506Z-1756f49cc78nldhvhC1DUS3dhw000000080000000000d207",
+        "policyMode":"prevention",
+        "details":{
+          "matches":[
+            {
+              "matchVariableName":"Method",
+              "matchVariableValue":"GET"
+            }
+          ],
+          "msg":"",
+          "data":""
+        }
+      }
+    }
+  ]
+}

pkg/translator/azurelogs/testdata/frontdoorwebapplicationfirewalllog/valid_1.json

@@ -0,0 +1,67 @@
+resourceLogs:
+  - resource:
+      attributes:
+        - key: cloud.provider
+          value:
+            stringValue: azure
+        - key: cloud.resource_id
+          value:
+            stringValue: /SUBSCRIPTIONS/OPENTELEMETRY-AZURE-SUB/RESOURCEGROUPS/OPENTELEMETRY-FRONTDOOR/PROVIDERS/MICROSOFT.CDN/PROFILES/OPENTELEMETRY-FRONTDOOR-PROFILE
+        - key: event.name
+          value:
+            stringValue: az.resource.log
+    scopeLogs:
+      - logRecords:
+          - attributes:
+              - key: client.port
+                value:
+                  intValue: "57660"
+              - key: url.original
+                value:
+                  stringValue: http://opentelemetry-test-fmagg0exgdcfhefq.z01.azurefd.net:80/
+              - key: url.port
+                value:
+                  intValue: "80"
+              - key: url.scheme
+                value:
+                  stringValue: http
+              - key: url.path
+                value:
+                  stringValue: /
+              - key: client.address
+                value:
+                  stringValue: 2001:1c00:3280:6700:fbfa:bf04:1296:ebfc
+              - key: source.address
+                value:
+                  stringValue: 2001:1c00:3280:6700:fbfa:bf04:1296:ebfc
+              - key: azure.ref
+                value:
+                  stringValue: 20250424T153506Z-1756f49cc78nldhvhC1DUS3dhw000000080000000000d207
+              - key: http.request.header.host
+                value:
+                  stringValue: opentelemetry-test-fmagg0exgdcfhefq.z01.azurefd.net
+              - key: azure.frontdoor.waf.policy.name
+                value:
+                  stringValue: policy
+              - key: azure.frontdoor.waf.policy.mode
+                value:
+                  stringValue: prevention
+              - key: azure.frontdoor.waf.rule.name
+                value:
+                  stringValue: Rule1
+              - key: azure.frontdoor.waf.action
+                value:
+                  stringValue: Block
+              - key: azure.category
+                value:
+                  stringValue: FrontDoorWebApplicationFirewallLog
+              - key: azure.operation.name
+                value:
+                  stringValue: Microsoft.Cdn/Profiles/WebApplicationFirewallLog/Write
+            body: {}
+            spanId: ""
+            timeUnixNano: "1745508906000000000"
+            traceId: ""
+        scope:
+          name: otelcol/azureresourcelogs
+          version: 1.2.3