Adding pid based matcher to add_kubernetes_metadata processor (PR)


I'm adding a new matcher for the add_kubernetes_metadata processor. The PR is here:

The problem was that we had no data available in auditbeat events for matching an event to the right metadata from Kubernetes with the existing matchers (at the same time, filebeat works because it has a custom matcher implemented). So we found out that the cgroup file has the pid in its path and the container id in the file, and can be used to correlate audit events to a container.

General logic:
The new matcher takes the pid from the event, extracts the container id from the cgroups file based on a regex (configurable), caches it, and returns it for the metadata index.

As I'm completely new to Go and also to Beats development, I'm hoping to get feedback here about the overall style and also about whether the use of the cache in its current form is OK.

Also, I had a problem with labeling the PR and choosing the correct form of contributor agreement (where can I check existing company agreements? I'm not sure whether it is already there or not).

Thank you in advance!
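The lookup described under "General logic", sketched as an added example that is not the PR's code: `PidMatcher`, its fields, the 64-hex-digit pattern and the sample cgroup line are assumptions made for illustration. The cache entry expires after a TTL because the kernel reuses PIDs, and a stale entry would attribute an audit event to the wrong container.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strconv"
	"sync"
	"time"
)

type entry struct{ id string; expires time.Time }

// PidMatcher (hypothetical name) maps a PID to a container ID via <procRoot>/<pid>/cgroup.
type PidMatcher struct {
	procRoot string         // "/proc" in production; a temp dir in the demo
	pattern  *regexp.Regexp // configurable; the whole match is taken as the ID
	ttl      time.Duration  // bounds staleness when the kernel reuses a PID
	mu       sync.Mutex
	cache    map[int]entry
}

// ContainerID returns "" and caches nothing when the cgroup file holds no container ID.
func (m *PidMatcher) ContainerID(pid int, now time.Time) (string, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if e, ok := m.cache[pid]; ok && now.Before(e.expires) {
		return e.id, nil
	}
	data, err := os.ReadFile(filepath.Join(m.procRoot, strconv.Itoa(pid), "cgroup"))
	if err != nil {
		return "", fmt.Errorf("pid %d: %w", pid, err) // process may already have exited
	}
	id := m.pattern.FindString(string(data))
	if id != "" {
		m.cache[pid] = entry{id, now.Add(m.ttl)}
	}
	return id, nil
}

func main() {
	root, _ := os.MkdirTemp("", "proc") // constructed stand-in for /proc
	defer os.RemoveAll(root)
	os.MkdirAll(filepath.Join(root, "4242"), 0o755)
	line := fmt.Sprintf("1:name=systemd:/kubepods/pod-constructed/%064x\n", 0xabcdef)
	os.WriteFile(filepath.Join(root, "4242", "cgroup"), []byte(line), 0o644)
	m := &PidMatcher{procRoot: root, pattern: regexp.MustCompile(`[0-9a-f]{64}`), ttl: time.Minute, cache: map[int]entry{}}
	fmt.Println(m.ContainerID(4242, time.Now()))
}
```

Events from processes that exit before the lookup return an error here, so the caller has to decide whether to drop the enrichment or ship the event without Kubernetes metadata.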
