Add support for SQLSecurityAuditEvents (#78)

* Implement class for SQLSecurityAuditEventsType

* Add SQLSecurityAuditEventsType support to NLFPlugin.syslogMessage

* Check "category" valueType in NLFPlugin.syslogMessage

- Category should always be a String

Author: MoonBow-1

src/main/java/com/teragrep/nlf_01/NLFPlugin.java

@@ -182,6 +182,15 @@ else if (
                 eventTypes.add(new PostgreSQLType(parsedEvent, realHostname, componentNameForPartitions));
             }
         }
+        else if (
+            jsonObject.containsKey("category")
+                    && jsonObject.get("category").getValueType().equals(JsonValue.ValueType.STRING)
+        ) {
+            final String category = jsonObject.getString("category");
+            if (category.equals("SQLSecurityAuditEvents")) {
+                eventTypes.add(new SQLSecurityAuditEventsType(parsedEvent, realHostname, componentNameForPartitions));
+            }
+        }
 
         if (eventTypes.isEmpty()) {
             throw new PluginException(

src/main/java/com/teragrep/nlf_01/types/SQLSecurityAuditEventsType.java

@@ -0,0 +1,161 @@
+/*
+ * Teragrep Neon log format plugin for AKV_01
+ * Copyright (C) 2025 Suomen Kanuuna Oy
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ *
+ * Additional permission under GNU Affero General Public License version 3
+ * section 7
+ *
+ * If you modify this Program, or any covered work, by linking or combining it
+ * with other code, such other code is not for that reason alone subject to any
+ * of the requirements of the GNU Affero GPL version 3 as long as this Program
+ * is the same Program as licensed from Suomen Kanuuna Oy without any additional
+ * modifications.
+ *
+ * Supplemented terms under GNU Affero General Public License version 3
+ * section 7
+ *
+ * Origin of the software must be attributed to Suomen Kanuuna Oy. Any modified
+ * versions must be marked as "Modified version of" The Program.
+ *
+ * Names of the licensors and authors may not be used for publicity purposes.
+ *
+ * No rights are granted for use of trade names, trademarks, or service marks
+ * which are in The Program if any.
+ *
+ * Licensee must indemnify licensors and authors for any liability that these
+ * contractual assumptions impose on licensors and authors.
+ *
+ * To the extent this program is licensed as part of the Commercial versions of
+ * Teragrep, the applicable Commercial License may apply to this file if you as
+ * a licensee so wish it.
+ */
+package com.teragrep.nlf_01.types;
+
+import com.teragrep.akv_01.event.ParsedEvent;
+import com.teragrep.akv_01.plugin.PluginException;
+import com.teragrep.nlf_01.util.ASCIIString;
+import com.teragrep.nlf_01.util.DefaultSDElements;
+import com.teragrep.nlf_01.util.MD5Hash;
+import com.teragrep.nlf_01.util.ResourceId;
+import com.teragrep.nlf_01.util.SDElements;
+import com.teragrep.nlf_01.util.ValidKey;
+import com.teragrep.nlf_01.util.ValidRFC5424AppName;
+import com.teragrep.nlf_01.util.ValidRFC5424Hostname;
+import com.teragrep.nlf_01.util.ValidRFC5424Timestamp;
+import com.teragrep.nlf_01.util.ValidStringKey;
+import com.teragrep.rlo_14.Facility;
+import com.teragrep.rlo_14.SDElement;
+import com.teragrep.rlo_14.Severity;
+import jakarta.json.JsonObject;
+import java.util.Objects;
+import java.util.Set;
+
+public final class SQLSecurityAuditEventsType implements EventType {
+
+    private final ParsedEvent parsedEvent;
+    private final String realHostname;
+    private final String componentNameForPartitions;
+
+    public SQLSecurityAuditEventsType(
+            final ParsedEvent parsedEvent,
+            final String realHostname,
+            final String componentNameForPartitions
+    ) {
+        this.parsedEvent = parsedEvent;
+        this.realHostname = realHostname;
+        this.componentNameForPartitions = componentNameForPartitions;
+    }
+
+    @Override
+    public Severity severity() {
+        return Severity.NOTICE;
+    }
+
+    @Override
+    public Facility facility() {
+        return Facility.AUDIT;
+    }
+
+    @Override
+    public String hostname() throws PluginException {
+        final JsonObject record = parsedEvent.asJsonStructure().asJsonObject();
+
+        final ValidKey<String> validKey = new ValidStringKey(record, "resourceId");
+
+        return new ValidRFC5424Hostname(
+                "md5-".concat(new MD5Hash(validKey.value()).md5().concat("-").concat(new ASCIIString(new ResourceId(validKey.value()).resourceName()).withNonAsciiCharsRemoved()))
+        ).hostnameWithInvalidCharsRemoved();
+    }
+
+    @Override
+    public String appName() throws PluginException {
+        final JsonObject record = parsedEvent.asJsonStructure().asJsonObject();
+
+        return new ValidRFC5424AppName(new ValidStringKey(record, "operationName").value()).appName();
+    }
+
+    @Override
+    public long timestamp() throws PluginException {
+        final JsonObject record = parsedEvent.asJsonStructure().asJsonObject();
+
+        return new ValidRFC5424Timestamp(new ValidStringKey(record, "originalEventTimestamp").value()).validTimestamp();
+    }
+
+    @Override
+    public Set<SDElement> sdElements() throws PluginException {
+        final SDElements defaultSDElements = new DefaultSDElements(
+                parsedEvent,
+                realHostname,
+                this.getClass(),
+                componentNameForPartitions
+        );
+
+        return defaultSDElements.sdElements();
+    }
+
+    @Override
+    public String msgId() throws PluginException {
+        final String sequenceNumber;
+        if (!parsedEvent.systemProperties().isStub()) {
+            sequenceNumber = String.valueOf(parsedEvent.systemProperties().asMap().getOrDefault("SequenceNumber", ""));
+        }
+        else {
+            sequenceNumber = "";
+        }
+        return sequenceNumber;
+    }
+
+    @Override
+    public String msg() throws PluginException {
+        return parsedEvent.asString();
+    }
+
+    @Override
+    public boolean equals(final Object o) {
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        final SQLSecurityAuditEventsType that = (SQLSecurityAuditEventsType) o;
+        return Objects.equals(parsedEvent, that.parsedEvent) && Objects.equals(realHostname, that.realHostname)
+                && Objects.equals(componentNameForPartitions, that.componentNameForPartitions);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(parsedEvent, realHostname, componentNameForPartitions);
+    }
+}

src/test/java/com/teragrep/nlf_01/NLFPluginTest.java

@@ -77,6 +77,7 @@
 import com.teragrep.nlf_01.types.PostgreSQLType;
 import com.teragrep.nlf_01.types.PowerAutomateActivityType;
 import com.teragrep.nlf_01.types.PowerPlatformAdminActivityType;
+import com.teragrep.nlf_01.types.SQLSecurityAuditEventsType;
 import com.teragrep.nlf_01.types.SyslogType;
 import com.teragrep.nlf_01.util.Sourceable;
 import com.teragrep.rlo_14.SDElement;
@@ -1017,6 +1018,45 @@ void testPowerPlatformAdminActivityType() {
         Assertions.assertTrue(sdElementMap.get("aer_event@48577").containsKey("properties"));
     }
 
+    @Test
+    void sqlSecurityAuditEventsTypeTest() {
+        final String json = Assertions
+                .assertDoesNotThrow(() -> Files.readString(Paths.get("src/test/resources/sqlsecurityauditevents.json")));
+        final ParsedEvent parsedEvent = new ParsedEventFactory(
+                new UnparsedEventImpl(json, new EventPartitionContextImpl(new HashMap<>()), new EventPropertiesImpl(new HashMap<>()), new EventSystemPropertiesImpl(new HashMap<>()), new EnqueuedTimeImpl("2020-01-01T00:00:00"), new EventOffsetImpl("0"))
+        ).parsedEvent();
+
+        final NLFPlugin plugin = new NLFPlugin(new FakeSourceable());
+        final List<SyslogMessage> syslogMessages = Assertions
+                .assertDoesNotThrow(() -> plugin.syslogMessage(parsedEvent));
+        Assertions.assertEquals(1, syslogMessages.size());
+
+        final SyslogMessage syslogMessage = syslogMessages.get(0);
+        Assertions
+                .assertEquals(
+                        "{\n" + "  \"category\": \"SQLSecurityAuditEvents\",\n"
+                                + "  \"operationName\": \"Operation-1\",\n"
+                                + "  \"originalEventTimestamp\": \"2025-10-06T00:00:00.0000000Z\",\n"
+                                + "  \"resourceId\": \"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}\"\n"
+                                + "}",
+                        syslogMessage.getMsg()
+                );
+        Assertions.assertEquals("md5-0ded52ef915af563e25778bf26b0f129-resourceName", syslogMessage.getHostname());
+        Assertions.assertEquals("Operation-1", syslogMessage.getAppName());
+        Assertions.assertEquals("2025-10-06T00:00:00Z", syslogMessage.getTimestamp());
+
+        final Map<String, Map<String, String>> sdElementMap = syslogMessage
+                .getSDElements()
+                .stream()
+                .collect(Collectors.toMap((SDElement::getSdID), (sdElem) -> sdElem.getSdParams().stream().collect(Collectors.toMap(SDParam::getParamName, SDParam::getParamValue))));
+
+        Assertions.assertEquals(1, sdElementMap.get("nlf_01@48577").size());
+        Assertions
+                .assertEquals(SQLSecurityAuditEventsType.class.getSimpleName(), sdElementMap.get("nlf_01@48577").get("eventType"));
+
+        Assertions.assertTrue(sdElementMap.get("aer_event@48577").containsKey("properties"));
+    }
+
     @Test
     void unexpectedType() {
         final String json = Assertions