added logs

ProcessInfo.cpp

@@ -447,29 +447,29 @@ bool ProcessInfo::read(int pid) {
 
     snprintf(path.data(), path.size(), "/proc/%d/exe", pid);
 
-    int pret = read_and_parse_stat(pid);
+    int pret = read_and_parse_cgroup(pid);
     if (pret != 0) {
         if (pret > 0) {
-            Logger::Warn("Failed to parse /proc/%d/stat", pid);
+            Logger::Warn("Failed to parse /proc/%d/cgroup", pid);
+        }
+        else{
+            Logger::Warn("Wrong cgroup format for /proc/%d/cgroup", pid);
         }
         return false;
     }
 
-    pret = read_and_parse_status(pid);
+    pret = read_and_parse_stat(pid);
     if (pret != 0) {
         if (pret > 0) {
-            Logger::Warn("Failed to parse /proc/%d/status", pid);
+            Logger::Warn("Failed to parse /proc/%d/stat", pid);
         }
         return false;
     }
 
-    pret = read_and_parse_cgroup(pid);
+    pret = read_and_parse_status(pid);
     if (pret != 0) {
         if (pret > 0) {
-            Logger::Warn("Failed to parse /proc/%d/cgroup", pid);
-        }
-        else{
-            Logger::Warn("Wrong cgroup format for /proc/%d/cgroup", pid);
+            Logger::Warn("Failed to parse /proc/%d/status", pid);
         }
         return false;
     }

ProcessTree.cpp

@@ -334,7 +334,12 @@ std::shared_ptr<ProcessTreeItem> ProcessTree::AddProcess(enum ProcessTreeSource
     std::unique_lock<std::mutex> process_write_lock(_process_write_mutex);
     std::shared_ptr<ProcessTreeItem> process;
 
-    std::string containerid = ExtractContainerId(exe, cmdline);
+    std::string containerid = ExtractContainerId(exe, cmdline);         
+    std::string cgroupContainerid;
+
+    if (containerid.empty()) { 
+        cgroupContainerid = ExtractContainerIdFromCgroup(pid);
+    } 
 
     auto it = _processes.find(pid);
     if (it != _processes.end()) {
@@ -442,11 +447,14 @@ std::shared_ptr<ProcessTreeItem> ProcessTree::AddProcess(enum ProcessTreeSource
     // such as when a process is the root process of a container or when the process is
     // started by a web service or another system service that does not pass the container
     // ID through the command line arguments.
-    if (process->_containerid.empty()) {
-        auto p_temp = ReadProcEntry(pid);
-        if (p_temp) {
-            process->_containerid = p_temp->_cgroupContainerId;
-        }
+    Logger::Info("IB Updating containerid %s from cgroup for process %d, _cgroupContainerId %s, temp cgroupContainerid: %s ", process->_containerid.c_str(), pid, process->_cgroupContainerId.c_str(), cgroupContainerid.c_str());
+    auto __cgroupContainerid = ExtractContainerIdFromCgroup(pid);
+    if (process->_containerid.empty()) { 
+        if (!cgroupContainerid.empty()) {
+            process->_containerid = cgroupContainerid;
+        } else if (!(process->_cgroupContainerId).empty()) {
+            process->_containerid = process->_cgroupContainerId;
+        }        
     }
 
     return process;
@@ -498,6 +506,7 @@ void ProcessTree::Clean()
 
 std::shared_ptr<ProcessTreeItem> ProcessTree::GetInfoForPid(int pid)
 {
+    Logger::Debug("IB In GetInfoForPid. pid: %d", pid);
     std::unique_lock<std::mutex> process_write_lock(_process_write_mutex);
     auto it = _processes.find(pid);
     if (it != _processes.end() && it->second->_source != ProcessTreeSource_pnotify) {
@@ -522,6 +531,7 @@ std::shared_ptr<ProcessTreeItem> ProcessTree::GetInfoForPid(int pid)
 
             // If container ID is still empty, set it to be the cgroup container ID
             if (process->_containerid.empty()) {
+                Logger::Debug("IB In GetInfoForPid. Updating containerid from cgroup for process %d", pid);
                 process->_containerid = process->_cgroupContainerId;                
             }
 
@@ -637,6 +647,20 @@ void ProcessTree::SetContainerId(const std::shared_ptr<ProcessTreeItem>& p, cons
     }
 }
 
+std::string ProcessTree::ExtractContainerIdFromCgroup(const int pid)
+{
+    std::string containerid = "";
+    auto pinfo = ProcessInfo::OpenPid(pid, CMDLINE_SIZE_LIMIT);
+    if (!pinfo) {
+        Logger::Error("IB Failed to open proc entry for %d (ExtractContainerIdFromCgroup)", pid);
+        return containerid;
+    }
+
+    containerid = pinfo->container_id();
+    Logger::Debug("IB CGroup container id for %d is %s", pid, containerid.c_str());
+    return containerid;
+}
+
 std::string ProcessTree::ExtractContainerId(const std::string& exe, const std::string& cmdline)
 {
     // cmdline example: 
@@ -679,16 +703,21 @@ std::shared_ptr<ProcessTreeItem> ProcessTree::ReadProcEntry(int pid)
 {
     std::shared_ptr<ProcessTreeItem> process = std::make_shared<ProcessTreeItem>(ProcessTreeSource_procfs, pid);
 
+    Logger::Debug("IB Reading proc entry for %d before OpenPid", pid);
     auto pinfo = ProcessInfo::OpenPid(pid, CMDLINE_SIZE_LIMIT);
     if (!pinfo) {
+        Logger::Error("IB Failed to open proc entry for %d (ReadProcEntry)", pid);
         return nullptr;
     }
+    Logger::Info("IB Reading proc entry for %d after OpenPid", pid);
 
     process->_uid = pinfo->uid();
     process->_gid = pinfo->gid();
     process->_ppid = pinfo->ppid();
     process->_exe = pinfo->exe();
     process->_cgroupContainerId = pinfo->container_id();
+    Logger::Debug("IB CGroup container id for %d is %s", pid, process->_cgroupContainerId.c_str());
+
     pinfo->format_cmdline(process->_cmdline);
     process->_containeridfromhostprocess = ExtractContainerId(process->_exe, process->_cmdline);
     return process;

ProcessTree.h

@@ -224,12 +224,13 @@ class ProcessTree: public RunBase {
     std::shared_ptr<ProcessTreeItem> AddProcess(enum ProcessTreeSource source, int pid, int ppid, int uid, int gid, const std::string& exe, const std::string& cmdline);
     void Clean();
     std::shared_ptr<ProcessTreeItem> GetInfoForPid(int pid);
+
     void PopulateTree();
     void UpdateFlags();
     void ShowTree();
     void ShowProcess(std::shared_ptr<ProcessTreeItem> p);
     static std::string ExtractContainerId(const std::string& exe, const std::string& cmdline);
-
+    std::string ExtractContainerIdFromCgroup(const int pid);
 
 protected:
     void on_stopping() override;
@@ -239,9 +240,9 @@ class ProcessTree: public RunBase {
     void AddPid(int pid, int ppid);
     void AddPid(int pid);
     void RemovePid(int pid);
-    std::shared_ptr<ProcessTreeItem> ReadProcEntry(int pid);
     void ApplyFlags(const std::shared_ptr<ProcessTreeItem>& process);
     void SetContainerId(const std::shared_ptr<ProcessTreeItem>& p, const std::string& containerid);
+    std::shared_ptr<ProcessTreeItem> ReadProcEntry(int pid);
 
     std::shared_ptr<UserDB> _user_db;
     std::shared_ptr<FiltersEngine> _filtersEngine;

RawEventProcessor.cpp

@@ -50,10 +50,17 @@ void RawEventProcessor::ProcessData(const void* data, size_t data_len) {
     }
 
     auto rec = event.begin();
-    auto rtype = static_cast<RecordType>(rec.RecordType());
+    auto rtype = static_cast<RecordType>(rec.RecordType());    
 
     if (rtype == RecordType::SYSCALL || rtype == RecordType::EXECVE || rtype == RecordType::CWD || rtype == RecordType::PATH ||
                 rtype == RecordType::SOCKADDR || rtype == RecordType::INTEGRITY_RULE) {
+        _pid = get_pid_from_event(event);
+        if (_pid != -1) {
+            if (_processTree) {  
+                auto contId = _processTree->ExtractContainerIdFromCgroup(_pid);                
+            }
+        }
+
         if (!process_syscall_event(event)) {
             process_event(event);
         }
@@ -62,6 +69,21 @@ void RawEventProcessor::ProcessData(const void* data, size_t data_len) {
     }
 }
 
+int RawEventProcessor::get_pid_from_event(const Event& event) {
+    for (auto& rec : event) {
+        auto pid_field = rec.FieldByName("pid");
+        if (pid_field) {
+            const char* pid_value = pid_field.RawValuePtr();
+            if (pid_value) {
+                Logger::Debug("IB RawEventProcessor: get_pid_from_event: pid_value: %s", pid_value);
+                return atoi(pid_value);
+            }
+        }
+    }
+    // Return -1 if PID is not found
+    return -1;
+}
+
 void RawEventProcessor::process_event(const Event& event) {
 
     using namespace std::string_view_literals;

RawEventProcessor.h

@@ -50,6 +50,7 @@ class RawEventProcessor {
     bool add_gid_field(const std::string_view& name, int gid, field_type_t ft);
     bool add_str_field(const std::string_view& name, const std::string_view& val, field_type_t ft);
     bool generate_proc_event(ProcessInfo* pinfo, uint64_t sec, uint32_t nsec);
+    int get_pid_from_event(const Event& event);
 
     std::shared_ptr<EventBuilder> _builder;
     std::shared_ptr<UserDB> _user_db;