elastic · tetianakravchenko · Nov 10, 2021 · Nov 8, 2021 · Nov 8, 2021 · Nov 8, 2021
diff --git a/filebeat/processor/add_kubernetes_metadata/matchers.go b/filebeat/processor/add_kubernetes_metadata/matchers.go
@@ -78,59 +78,79 @@ func newLogsPathMatcher(cfg common.Config) (add_kubernetes_metadata.Matcher, err
 // Docker container ID is a 64-character-long hexadecimal string
 const containerIdLen = 64
 
-// Pod UID is on the 5th index of the path directories
-const podUIDPos = 5
-
 func (f *LogPathMatcher) MetadataIndex(event common.MapStr) string {
 	value, err := event.GetValue("log.file.path")
-	if err == nil {
-		source := value.(string)
-		f.logger.Debugf("Incoming log.file.path value: %s", source)
+	if err != nil {
+		f.logger.Errorf("Error extracting log.file.path from the event")
+		return ""
+	}
 
-		if !strings.Contains(source, f.LogsPath) {
-			f.logger.Errorf("Error extracting container id - source value does not contain matcher's logs_path '%s'.", f.LogsPath)
-			return ""
-		}
+	source := value.(string)
+	f.logger.Debugf("Incoming log.file.path value: %s", source)
+
+	if !strings.Contains(source, f.LogsPath) {
+		f.logger.Errorf("Error extracting container id - source value does not contain matcher's logs_path '%s'.", f.LogsPath)
+		return ""
+	}
 
-		sourceLen := len(source)
-		logsPathLen := len(f.LogsPath)
+	sourceLen := len(source)
+	logsPathLen := len(f.LogsPath)
 
-		if f.ResourceType == "pod" {
-			// Specify a pod resource type when manually mounting log volumes and they end up under "/var/lib/kubelet/pods/"
-			// This will extract only the pod UID, which offers less granularity of metadata when compared to the container ID
-			if strings.HasPrefix(f.LogsPath, podLogsPath()) && strings.HasSuffix(source, ".log") {
+	if f.ResourceType == "pod" {
+		// Pod resource type will extract only the pod UID, which offers less granularity of metadata when compared to the container ID
+		if strings.HasSuffix(source, ".log") {
+			// Specify a pod resource type when writting logs into manually mounted log volume,
+			// those logs apper under under "/var/lib/kubelet/pods/<pod_id>/volumes/..."
+			if strings.HasPrefix(f.LogsPath, podKubeletLogsPath()) {
 				pathDirs := strings.Split(source, pathSeparator)
+				podUIDPos := 5
 				if len(pathDirs) > podUIDPos {
 					podUID := strings.Split(source, pathSeparator)[podUIDPos]
-
 					f.logger.Debugf("Using pod uid: %s", podUID)
 					return podUID
 				}
-
-				f.logger.Error("Error extracting pod uid - source value contains matcher's logs_path, however it is too short to contain a Pod UID.")
-			}
-		} else {
-			// In case of the Kubernetes log path "/var/log/containers/",
-			// the container ID will be located right before the ".log" extension.
-			if strings.HasPrefix(f.LogsPath, containerLogsPath()) && strings.HasSuffix(source, ".log") && sourceLen >= containerIdLen+4 {
-				containerIDEnd := sourceLen - 4
-				cid := source[containerIDEnd-containerIdLen : containerIDEnd]
-				f.logger.Debugf("Using container id: %s", cid)
-				return cid
 			}
-
-			// In any other case, we assume the container ID will follow right after the log path.
-			// However we need to check the length to prevent "slice bound out of range" runtime errors.
-			if sourceLen >= logsPathLen+containerIdLen {
-				cid := source[logsPathLen : logsPathLen+containerIdLen]
-				f.logger.Debugf("Using container id: %s", cid)
-				return cid
+			// In case of the Kubernetes log path "/var/log/pods/",
+			// the pod ID will be extracted from the directory name,
+			// file name example: "/var/log/pods/'<namespace>_<pod_name>_<pod_uid>'/container_name/0.log".
+			if strings.HasPrefix(f.LogsPath, podLogsPath()) {
+				pathDirs := strings.Split(source, pathSeparator)
+				podUIDPos := 4
+				if len(pathDirs) > podUIDPos {
+					podUID := strings.Split(pathDirs[podUIDPos], "_")
+					if len(podUID) > 2 {
+						f.logger.Debugf("Using pod uid: %s", podUID)
+						return podUID[2]
+					}
+				}
 			}
 
-			f.logger.Error("Error extracting container id - source value contains matcher's logs_path, however it is too short to contain a Docker container ID.")
+			f.logger.Error(`Error extracting pod uid - source value does not contains matcher's logs_path,
 func (k *kubeAnnotatorConfig) Validate() error { 
 func (k *kubeAnnotatorConfig) Validate() error { 
+				supported log_path for 'pod' resource_type: '/var/lib/kubelet/pods/', '/var/log/pods/'.`)
+			return ""
 		}
 	}
+	// In case of the Kubernetes log path "/var/log/containers/",
+	// the container ID will be located right before the ".log" extension.
+	// file name example: /var/log/containers/<pod_name>_<namespace>_<container_name>-<continer_id>.log
+	if strings.HasPrefix(f.LogsPath, containerLogsPath()) && strings.HasSuffix(source, ".log") && sourceLen >= containerIdLen+4 {
+		containerIDEnd := sourceLen - 4
+		cid := source[containerIDEnd-containerIdLen : containerIDEnd]
+		f.logger.Debugf("Using container id: %s", cid)
+		return cid
+	}
 
+	// In any other case, we assume the container ID will follow right after the log path.
+	// However we need to check the length to prevent "slice bound out of range" runtime errors.
+	// for the default log path /var/lib/docker/containers/ container ID will follow right after the log path.
+	// file name example: /var/lib/docker/containers/<container_id>/<container_id>-json.log
+	if sourceLen >= logsPathLen+containerIdLen {
+		cid := source[logsPathLen : logsPathLen+containerIdLen]
+		f.logger.Debugf("Using container id: %s", cid)
+		return cid
+	}
+
+	f.logger.Error("Error extracting container id - source value contains matcher's logs_path, however it is too short to contain a Docker container ID.")
 	return ""
 }
 
@@ -141,13 +161,20 @@ func defaultLogPath() string {
 	return "/var/lib/docker/containers/"
 }
 
-func podLogsPath() string {
+func podKubeletLogsPath() string {
 	if runtime.GOOS == "windows" {
 		return "C:\\var\\lib\\kubelet\\pods\\"
 	}
 	return "/var/lib/kubelet/pods/"
 }
 
+func podLogsPath() string {
+	if runtime.GOOS == "windows" {
+		return "C:\\var\\log\\pods\\"
+	}
+	return "/var/log/pods/"
+}
+
 func containerLogsPath() string {
 	if runtime.GOOS == "windows" {
 		return "C:\\var\\log\\containers\\"

diff --git a/filebeat/processor/add_kubernetes_metadata/matchers_test.go b/filebeat/processor/add_kubernetes_metadata/matchers_test.go
@@ -117,6 +117,30 @@ func TestLogsPathMatcher_InvalidSource4(t *testing.T) {
 	executeTestWithResourceType(t, cfgLogsPath, cfgResourceType, source, expectedResult)
 }
 
+func TestLogsPathMatcher_InvalidVarLogPodSource(t *testing.T) {
+	cfgLogsPath := "/var/log/pods/"
+	cfgResourceType := "pod"
+	source := fmt.Sprintf("/invalid/dir/namespace_pod-name_%s/container/0.log", puid)
+	expectedResult := ""
+	executeTestWithResourceType(t, cfgLogsPath, cfgResourceType, source, expectedResult)
+}
+
+func TestLogsPathMatcher_InvalidVarLogPodIDFormat(t *testing.T) {
+	cfgLogsPath := "/var/log/pods/"
+	cfgResourceType := "pod"
+	source := fmt.Sprintf("/var/log/pods/%s/container/0.log", puid)
+	expectedResult := ""
+	executeTestWithResourceType(t, cfgLogsPath, cfgResourceType, source, expectedResult)
+}
+
+func TestLogsPathMatcher_ValidVarLogPod(t *testing.T) {
+	cfgLogsPath := "/var/log/pods/"
+	cfgResourceType := "pod"
+	source := fmt.Sprintf("/var/log/pods/namespace_pod-name_%s/container/0.log", puid)
+	expectedResult := puid
+	executeTestWithResourceType(t, cfgLogsPath, cfgResourceType, source, expectedResult)
+}
+
 func executeTest(t *testing.T, cfgLogsPath string, source string, expectedResult string) {
 	executeTestWithResourceType(t, cfgLogsPath, "", source, expectedResult)
 }

@@ -83,10 +83,29 @@ the `log.file.path` field.
 This matcher has the following configuration settings:
 
 `logs_path`:: (Optional) Base path of container logs. If not specified, it uses
-the default logs path of the platform where {beatname_uc} is running.
-`resource_type`:: (Optional) Type of the resource to obtain the ID of. It can be
-`pod`, to make the lookup based on the pod UID, or `container`, to make the
-lookup based on the container ID. It defaults to `container`.
+the default logs path of the platform where {beatname_uc} is running: for Linux -
+`/var/lib/docker/containers/`, Windowd - `C:\\ProgramData\\Docker\\containers`.
+To change the default value: container ID must follow right after the `logs_path` -
+`<log_path>/<container_id>`, where `container_id` is a 64-character-long
+hexadecimal string.
+
+`resource_type`:: (Optional) Type of the resource to obtain the ID of.
+Valid `resource_type`:
+* `pod`: to make the lookup based on the pod UID. When `resource_type` is set to
+`pod`, `logs_path` must be set as well, supported path in this case:
+** `/var/lib/kubelet/pods/` used to read logs from mounted into the pod volumes,
+those logs end up under `/var/lib/kubelet/pods/<pod UID>/volumes/<volume name>/...`
+To use `/var/lib/kubelet/pods/` as a `log_path`, `/var/lib/kubelet/pods` must be
+mounted into the filebear pods.
+** `/var/log/pods/`
+Note: when using `resource_type: 'pod'` logs will be enriched only with pod
+metadata: pod id, pod name, etc., not container metadata.
+*`container`: to make the lookup based on the container ID, `logs_path` must
+be set to `/var/log/containers/`.
+It defaults to `container`.
+
+To be able to use `logs_path` matcher filebeat input path must be a subdirectory
+of directory defined in `logs_path` configuration setting.
 
 The default configuration is able to lookup the metadata using the container ID
 when the logs are collected from the default docker logs path