From 4d208fbe9d0ae4bbc1099e581fed8b5e2226c3af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miko=C5=82aj=20=C5=9Awi=C4=85tek?= <mswiatek@sumologic.com>
Date: Thu, 14 Jul 2022 17:58:38 +0200
Subject: [PATCH] feat: refactor OT logging configuration

---
 .../conf/logs/collector/otelcol/config.yaml   | 246 +++++++++++-
 deploy/helm/sumologic/templates/_helpers.tpl  |  26 +-
 .../logs/collector/otelcol/configmap.yaml     |   8 +-
 .../logs/collector/otelcol/daemonset.yaml     |   8 +-
 .../logs/collector/otelcol/service.yaml       |   2 +-
 .../collector/otelcol/serviceaccount.yaml     |   2 +-
 deploy/helm/sumologic/values.yaml             | 355 ++++--------------
 tests/helm/logs_otc/static/basic.input.yaml   |   4 +-
 tests/helm/logs_otc/static/basic.output.yaml  |   1 -
 .../static/basic.input.yaml                   |   4 +-
 .../static/complex.input.yaml                 |   4 +-
 .../values/values_helm_otelcol_logs.yaml      |  27 +-
 12 files changed, 358 insertions(+), 329 deletions(-)

diff --git a/deploy/helm/sumologic/conf/logs/collector/otelcol/config.yaml b/deploy/helm/sumologic/conf/logs/collector/otelcol/config.yaml
index 1df67f5cdf..f9187519e3 100644
--- a/deploy/helm/sumologic/conf/logs/collector/otelcol/config.yaml
+++ b/deploy/helm/sumologic/conf/logs/collector/otelcol/config.yaml
@@ -1 +1,245 @@
-{{ tpl (toYaml .Values.otellogs.config | replace ": '{{" ": {{" | replace "}}'" "}}") . | nindent 2 }}
+extensions:
+  health_check: {}
+{{- if .Values.sumologic.logs.persistence.enabled }}
+  file_storage:
+    directory: {{ .Values.sumologic.logs.persistence.storageDirectory }}
+    timeout: 10s
+{{- end }}
+  pprof: {}
+service:
+  telemetry:
+    logs:
+      level: {{ .Values.otellogs.logLevel | quote }}
+  extensions:
+    - health_check
+{{- if .Values.sumologic.logs.persistence.enabled }}
+    - file_storage
+{{- end }}
+    - pprof
+  pipelines:
+    logs/containers:
+      receivers:
+        - filelog/containers
+      processors:
+        - batch
+      exporters:
+        - otlphttp
+{{- if .Values.sumologic.logs.systemd.enabled }}
+    logs/systemd:
+      receivers:
+        - journald
+      processors:
+        - logstransform/systemd
+        - batch
+      exporters:
+        - otlphttp
+{{- end }}
+receivers:
+  filelog/containers:
+    include:
+      - /var/log/pods/*/*/*.log
+    start_at: beginning
+    ## sets fingerprint_size to 17kb in order to match the longest possible docker line (which by default is 16kb)
+    ## we want to include timestamp, which is at the end of the line
+    fingerprint_size: 17408
+    include_file_path: true
+    include_file_name: false
+    operators:
+      ## Detect the container runtime log format
+      ## Can be: docker-shim, CRI-O and containerd
+      - id: get-format
+        type: router
+        routes:
+          - output: parser-docker
+            expr: 'body matches "^\\{"'
+          - output: parser-crio
+            expr: 'body matches "^[^ Z]+ "'
+          - output: parser-containerd
+            expr: 'body matches "^[^ Z]+Z"'
+      ## Parse CRI-O format
+      - id: parser-crio
+        type: regex_parser
+        regex: '^(?P<time>[^ Z]+) (?P<stream>stdout|stderr) (?P<logtag>[^ ]*)( |)(?P<log>.*)$'
+        output: merge-cri-lines
+        parse_to: body
+        timestamp:
+          parse_from: body.time
+          layout_type: gotime
+          layout: '2006-01-02T15:04:05.000000000-07:00'
+      ## Parse CRI-Containerd format
+      - id: parser-containerd
+        type: regex_parser
+        regex: '^(?P<time>[^ ^Z]+Z) (?P<stream>stdout|stderr) (?P<logtag>[^ ]*)( |)(?P<log>.*)$'
+        output: merge-cri-lines
+        parse_to: body
+        timestamp:
+          parse_from: body.time
+          layout: '%Y-%m-%dT%H:%M:%S.%LZ'
+      ## Parse docker-shim format
+      ## parser-docker interprets the input string as JSON and moves the `time` field from the JSON to Timestamp field in the OTLP log
+      ## record.
+      ## Input Body (string): '{"log":"2001-02-03 04:05:06 first line\n","stream":"stdout","time":"2021-11-25T09:59:13.23887954Z"}'
+      ## Output Body (JSON): { "log": "2001-02-03 04:05:06 first line\n", "stream": "stdout" }
+      ## Input Timestamp: _empty_
+      ## Output Timestamp: 2021-11-25 09:59:13.23887954 +0000 UTC
+      - id: parser-docker
+        type: json_parser
+        parse_to: body
+        output: merge-docker-lines
+        timestamp:
+          parse_from: body.time
+          layout: '%Y-%m-%dT%H:%M:%S.%LZ'
+
+      ## merge-docker-lines stitches back together log lines split by Docker logging driver.
+      ## Input Body (JSON): { "log": "2001-02-03 04:05:06 very long li", "stream": "stdout" }
+      ## Input Body (JSON): { "log": "ne that was split by the logging driver\n", "stream": "stdout" }
+      ## Output Body (JSON): { "log": "2001-02-03 04:05:06 very long line that was split by the logging driver\n","stream":"stdout"}
+      - id: merge-docker-lines
+        type: recombine
+        source_identifier: attributes["log.file.path"]
+        output: {{ .Values.sumologic.logs.multiline.enabled | ternary "merge-multiline-logs" "extract-metadata-from-filepath" }}
+        combine_field: body.log
+        combine_with: ""
+        is_last_entry: body.log matches "\n$"
+
+      ## merge-cri-lines stitches back together log lines split by CRI logging drivers.
+      ## Input Body (JSON): { "log": "2001-02-03 04:05:06 very long li", "logtag": "P" }
+      ## Input Body (JSON): { "log": "ne that was split by the logging driver", "logtag": "F" }
+      ## Output Body (JSON): { "log": "2001-02-03 04:05:06 very long line that was split by the logging driver\n", "stream": "stdout" }
+      - id: merge-cri-lines
+        type: recombine
+        source_identifier: attributes["log.file.path"]
+        output: {{ .Values.sumologic.logs.multiline.enabled | ternary "merge-multiline-logs" "extract-metadata-from-filepath" }}
+        combine_field: body.log
+        combine_with: ""
+        is_last_entry: body.logtag == "F"
+        overwrite_with: newest
+
+      ## merge-multiline-logs merges incoming log records into multiline logs.
+      ## Input Body (JSON): { "log": "2001-02-03 04:05:06 first line\n", "stream": "stdout" }
+      ## Input Body (JSON): { "log": "  second line\n", "stream": "stdout" }
+      ## Input Body (JSON): { "log": "  third line\n", "stream": "stdout" }
+      ## Output Body (JSON): { "log": "2001-02-03 04:05:06 first line\n  second line\n  third line\n", "stream": "stdout" }
+{{- if .Values.sumologic.logs.multiline.enabled }}
+      - id: merge-multiline-logs
+        type: recombine
+        output: extract-metadata-from-filepath
+        source_identifier: attributes["log.file.path"]
+        combine_field: body.log
+        combine_with: ""
+        is_first_entry: body.log matches {{ .Values.sumologic.logs.multiline.start_regex | quote }}
+{{- end }}
+
+      ## extract-metadata-from-filepath extracts data from the `log.file.path` Attribute into the Attributes
+      ## Input Attributes:
+      ## - log.file.path: '/var/log/pods/default_logger-multiline-4nvg4_aed49747-b541-4a07-8663-f7e1febc47d5/loggercontainer/0.log'
+      ## Output Attributes:
+      ## - log.file.path: '/var/log/pods/default_logger-multiline-4nvg4_aed49747-b541-4a07-8663-f7e1febc47d5/loggercontainer/0.log'
+      ## - container_name: "loggercontainer",
+      ## - namespace: "default",
+      ## - pod_name: "logger-multiline-4nvg4",
+      ## - run_id: "0",
+      ## - uid: "aed49747-b541-4a07-8663-f7e1febc47d5"
+      ## }
+      - id: extract-metadata-from-filepath
+        type: regex_parser
+        regex: '^.*\/(?P<namespace>[^_]+)_(?P<pod_name>[^_]+)_(?P<uid>[a-f0-9\-]+)\/(?P<container_name>[^\._]+)\/(?P<run_id>\d+)\.log$'
+        parse_from: attributes["log.file.path"]
+
+      ## The following actions are being performed:
+      ## - renaming attributes
+      ## - moving stream from body to attribtues
+      ## - using body.log as body
+      ## - create fluent.tag attribute in order to route in metadata pods
+      ## Input Body (JSON): {
+      ##   "log": "2001-02-03 04:05:06 loggerlog 1 first line\n",
+      ##   "stream": "stdout",
+      ## }
+      ## Output Body (String): "2001-02-03 04:05:06 loggerlog 1 first line\n"
+      ## Input Attributes:
+      ## - log.file.path: '/var/log/pods/default_logger-multiline-4nvg4_aed49747-b541-4a07-8663-f7e1febc47d5/loggercontainer/0.log'
+      ## - container_name: "loggercontainer",
+      ## - namespace: "default",
+      ## - pod_name: "logger-multiline-4nvg4",
+      ## - run_id: "0",
+      ## - uid: "aed49747-b541-4a07-8663-f7e1febc47d5"
+      ## Output Attributes:
+      ## - k8s.container.name: "loggercontainer"
+      ## - k8s.namespace.name: "default"
+      ## - k8s.pod.name: "logger-multiline-4nvg4"
+      ## - k8s.pod.uid: "aed49747-b541-4a07-8663-f7e1febc47d5"
+      ## - run_id: "0"
+      ## - stream: "stdout"
+      ## - fluent.tag: "containers.loggercontainer"
+      - id: move-attributes
+        type: move
+        from: body.stream
+        to: attributes["stream"]
+      - type: move
+        from: attributes.container_name
+        to: attributes["k8s.container.name"]
+      - type: move
+        from: attributes.namespace
+        to: attributes["k8s.namespace.name"]
+      - type: move
+        from: attributes.pod_name
+        to: attributes["k8s.pod.name"]
+      - type: move
+        from: attributes.run_id
+        to: attributes["run_id"]
+      - type: move
+        from: attributes.uid
+        to: attributes["k8s.pod.uid"]
+      - type: add
+        field: attributes["fluent.tag"]
+        value: EXPR("containers." + attributes["k8s.container.name"])
+      ## Use remove operator when available in opentelemetry collector:
+      ## https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/9524
+      - type: move
+        from: attributes["log.file.path"]
+        to: body["log.file.path"]
+      - type: move
+        from: body.log
+        to: body
+{{- if .Values.sumologic.logs.systemd.enabled }}
+  journald:
+    directory: /var/log/journal
+    ## This is not a full equivalent of fluent-bit filtering as fluent-bit filters by `_SYSTEMD_UNIT`
+    ## Here is filtering by `UNIT`
+    units:
+{{ toYaml .Values.sumologic.logs.systemd.units | nindent 6 }}
+{{- end }}
+exporters:
+  otlphttp:
+    endpoint: http://${LOGS_METADATA_SVC}.${NAMESPACE}.svc.cluster.local:4318
+processors:
+  batch:
+    send_batch_size: 10_240
+    timeout: 1s
+  ## copy _SYSTEMD_UNIT, SYSLOG_FACILITY, _HOSTNAME and PRIORITY from body to attributes
+  ## so they can be used by metadata processors same way like for fluentd
+  ## build fluent.tag attribute as `host.{_SYSTEMD_UNIT}`
+{{- if .Values.sumologic.logs.systemd.enabled }}
+  logstransform/systemd:
+    operators:
+      - type: copy
+        from: body._SYSTEMD_UNIT
+        to: attributes._SYSTEMD_UNIT
+      - type: copy
+        from: body.SYSLOG_FACILITY
+        to: attributes.SYSLOG_FACILITY
+      - type: copy
+        from: body._HOSTNAME
+        to: attributes._HOSTNAME
+      - type: copy
+        from: body.PRIORITY
+        to: attributes.PRIORITY
+      - type: add
+        field: attributes["fluent.tag"]
+        value: EXPR("host." + attributes["_SYSTEMD_UNIT"])
+      ## Removes __CURSOR and __MONOTONIC_TIMESTAMP keys from body
+      - type: remove
+        field: body.__CURSOR
+      - type: remove
+        field: body.__MONOTONIC_TIMESTAMP
+{{- end }}
diff --git a/deploy/helm/sumologic/templates/_helpers.tpl b/deploy/helm/sumologic/templates/_helpers.tpl
index 5d1b054459..0dbca579da 100644
--- a/deploy/helm/sumologic/templates/_helpers.tpl
+++ b/deploy/helm/sumologic/templates/_helpers.tpl
@@ -1298,7 +1298,7 @@ Example Usage:
 {{- end -}}
 
 {{/*
-Check if any logs provider is enabled
+Check if any logs metadata provider is enabled
 
 Example Usage:
 {{- if eq (include "logs.enabled" .) "true" }}
@@ -1317,7 +1317,7 @@ Example Usage:
 
 
 {{/*
-Check if otelcol logs provider is enabled
+Check if otelcol logs metadata provider is enabled
 
 Example Usage:
 {{- if eq (include "logs.otelcol.enabled" .) "true" }}
@@ -1334,7 +1334,7 @@ Example Usage:
 {{- end -}}
 
 {{/*
-Check if fluentd logs provider is enabled
+Check if fluentd logs metadata provider is enabled
 
 Example Usage:
 {{- if eq (include "logs.fluentd.enabled" .) "true" }}
@@ -1350,6 +1350,26 @@ Example Usage:
 {{ $enabled }}
 {{- end -}}
 
+{{/*
+Check if otelcol logs collector is enabled.
+It's enabled if logs are enabled but Fluent-Bit is disabled
+
+Example Usage:
+{{- if eq (include "logs.otelcol.collector.enabled" .) "true" }}
+
+*/}}
+{{- define "logs.otelcol.collector.enabled" -}}
+{{- $enabled := false -}}
+{{- if eq .Values.sumologic.logs.enabled true -}}
+{{- $fluentBitEnabled := index .Values "fluent-bit" "enabled" -}}
+{{- if eq $fluentBitEnabled nil -}}
+{{- $fluentBitEnabled = true -}}
+{{- end -}}
+{{- $enabled = not $fluentBitEnabled -}}
+{{- end -}}
+{{ $enabled }}
+{{- end -}}
+
 {{/*
 Check if any events provider is enabled
 Example Usage:
diff --git a/deploy/helm/sumologic/templates/logs/collector/otelcol/configmap.yaml b/deploy/helm/sumologic/templates/logs/collector/otelcol/configmap.yaml
index e781b2fdc1..d5aea5d56f 100644
--- a/deploy/helm/sumologic/templates/logs/collector/otelcol/configmap.yaml
+++ b/deploy/helm/sumologic/templates/logs/collector/otelcol/configmap.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.otellogs.enabled }}
+{{- if eq (include "logs.otelcol.collector.enabled" .) "true" }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -7,5 +7,9 @@ metadata:
     app: {{ template "sumologic.labels.app.logs.collector.configmap" . }}
     {{- include "sumologic.labels.common" . | nindent 4 }}
 data:
-  {{- (tpl (.Files.Glob "conf/logs/collector/otelcol/config.yaml").AsConfig .) | nindent 2 }}
+  {{- $baseConfig := (tpl (.Files.Get "conf/logs/collector/otelcol/config.yaml") .) | fromYaml -}}
+  {{- $overrideConfig := .Values.otellogs.config.override -}}
+  {{- $finalConfig := mergeOverwrite $baseConfig $overrideConfig }}
+  config.yaml: |
+  {{- $finalConfig | toYaml | nindent 4 }}
 {{- end }}
diff --git a/deploy/helm/sumologic/templates/logs/collector/otelcol/daemonset.yaml b/deploy/helm/sumologic/templates/logs/collector/otelcol/daemonset.yaml
index 9723bdcd9f..e0edf56659 100644
--- a/deploy/helm/sumologic/templates/logs/collector/otelcol/daemonset.yaml
+++ b/deploy/helm/sumologic/templates/logs/collector/otelcol/daemonset.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.otellogs.enabled }}
+{{- if eq (include "logs.otelcol.collector.enabled" .) "true" }}
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -75,7 +75,7 @@ spec:
         - mountPath: /var/lib/docker/containers
           name: varlibdockercontainers
           readOnly: true
-        - mountPath: {{ .Values.otellogs.config.extensions.file_storage.directory }}
+        - mountPath: {{ .Values.sumologic.logs.persistence.storageDirectory }}
           name: file-storage
         - mountPath: /var/log/journal
           name: varlogjournal
@@ -116,9 +116,9 @@ spec:
         - |
           chown -R \
             {{ .Values.otellogs.daemonset.securityContext.fsGroup }}:{{ .Values.otellogs.daemonset.securityContext.fsGroup }} \
-            {{ .Values.otellogs.config.extensions.file_storage.directory }}
+            {{ .Values.sumologic.logs.persistence.storageDirectory }}
         volumeMounts:
-        - mountPath: {{ .Values.otellogs.config.extensions.file_storage.directory }}
+        - mountPath: {{ .Values.sumologic.logs.persistence.storageDirectory }}
           name: file-storage
       volumes:
       - configMap:
diff --git a/deploy/helm/sumologic/templates/logs/collector/otelcol/service.yaml b/deploy/helm/sumologic/templates/logs/collector/otelcol/service.yaml
index 25772c46ad..458fe57a50 100644
--- a/deploy/helm/sumologic/templates/logs/collector/otelcol/service.yaml
+++ b/deploy/helm/sumologic/templates/logs/collector/otelcol/service.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.otellogs.enabled }}
+{{- if eq (include "logs.otelcol.collector.enabled" .) "true" }}
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/deploy/helm/sumologic/templates/logs/collector/otelcol/serviceaccount.yaml b/deploy/helm/sumologic/templates/logs/collector/otelcol/serviceaccount.yaml
index 1ed0de2ceb..ab2c702149 100644
--- a/deploy/helm/sumologic/templates/logs/collector/otelcol/serviceaccount.yaml
+++ b/deploy/helm/sumologic/templates/logs/collector/otelcol/serviceaccount.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.otellogs.enabled }}
+{{- if eq (include "logs.otelcol.collector.enabled" .) "true" }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
diff --git a/deploy/helm/sumologic/values.yaml b/deploy/helm/sumologic/values.yaml
index 602a5ae6ee..bbe068dafd 100644
--- a/deploy/helm/sumologic/values.yaml
+++ b/deploy/helm/sumologic/values.yaml
@@ -203,6 +203,68 @@ sumologic:
       ## Set provider service (either fluentd or otelcol).
       provider: fluentd
 
+    persistence:
+      enabled: true
+      storageDirectory: /var/lib/storage/otc
+
+    multiline:
+      enabled: true
+      start_regex: "^\\[?\\d{4}-\\d{1,2}-\\d{1,2}.\\d{2}:\\d{2}:\\d{2}.*"
+    
+    systemd:
+      enabled: true
+      units:
+        - addon-config.service
+        - addon-run.service
+        - cfn-etcd-environment.service
+        - cfn-signal.service
+        - clean-ca-certificates.service
+        - containerd.service
+        - coreos-metadata.service
+        - coreos-setup-environment.service
+        - coreos-tmpfiles.service
+        - dbus.service
+        - docker.service
+        - efs.service
+        - etcd-member.service
+        - etcd.service
+        - etcd2.service
+        - etcd3.service
+        - etcdadm-check.service
+        - etcdadm-reconfigure.service
+        - etcdadm-save.service
+        - etcdadm-update-status.service
+        - flanneld.service
+        - format-etcd2-volume.service
+        - kube-node-taint-and-uncordon.service
+        - kubelet.service
+        - ldconfig.service
+        - locksmithd.service
+        - logrotate.service
+        - lvm2-monitor.service
+        - mdmon.service
+        - nfs-idmapd.service
+        - nfs-mountd.service
+        - nfs-server.service
+        - nfs-utils.service
+        - node-problem-detector.service
+        - ntp.service
+        - oem-cloudinit.service
+        - rkt-gc.service
+        - rkt-metadata.service
+        - rpc-idmapd.service
+        - rpc-mountd.service
+        - rpc-statd.service
+        - rpcbind.service
+        - set-aws-environment.service
+        - system-cloudinit.service
+        - systemd-timesyncd.service
+        - update-ca-certificates.service
+        - user-cloudinit.service
+        - var-lib-etcd2.service
+
+    additionalFilePatterns: []
+      
     ## Fields to be created at Sumo Logic to ensure logs are tagged with
     ## relevant metadata.
     ## https://help.sumologic.com/Manage/Fields#Manage_fields
@@ -4862,9 +4924,6 @@ otelevents:
 ## which is consistent with CRI, but may possibly cause issues on older K8s versions.
 ## This is an alpha feature, and may change in the near future.
 otellogs:
-  ## In order to enable this feature, a configuration block under metadata.logs.config.service.pipelines.logs/otlp/containers
-  ## needs to be uncommented
-  enabled: false
 
   ## Metrics from Collector
   metrics:
@@ -4880,294 +4939,10 @@ otellogs:
     pullPolicy: IfNotPresent
 
   logLevel: info
+
   config:
-    extensions:
-      health_check: {}
-      ## Configuration for File Storage extension
-      ## ref: https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/release/v0.37.x/extension/storage/filestorage
-      file_storage:
-        directory: /var/lib/storage/otc
-        timeout: 10s
-      pprof: {}
-    service:
-      telemetry:
-        logs:
-          level: '{{ .Values.otellogs.logLevel }}'
-      extensions:
-        - health_check
-        - file_storage
-        - pprof
-      pipelines:
-        logs/containers:
-          receivers:
-            - filelog/containers
-          processors:
-            - batch
-          exporters:
-            - otlphttp
-        logs/systemd:
-          receivers:
-            - journald
-          processors:
-            - logstransform/systemd
-            - batch
-          exporters:
-            - otlphttp
-    receivers:
-      filelog/containers:
-        include:
-          - /var/log/pods/*/*/*.log
-        start_at: beginning
-        ## sets fingerprint_size to 17kb in order to match the longest possible docker line (which by default is 16kb)
-        ## we want to include timestamp, which is at the end of the line
-        fingerprint_size: 17408
-        include_file_path: true
-        include_file_name: false
-        operators:
-          ## Detect the container runtime log format
-          ## Can be: docker-shim, CRI-O and containerd
-          - id: get-format
-            type: router
-            routes:
-              - output: parser-docker
-                expr: 'body matches "^\\{"'
-              - output: parser-crio
-                expr: 'body matches "^[^ Z]+ "'
-              - output: parser-containerd
-                expr: 'body matches "^[^ Z]+Z"'
-          ## Parse CRI-O format
-          - id: parser-crio
-            type: regex_parser
-            regex: '^(?P<time>[^ Z]+) (?P<stream>stdout|stderr) (?P<logtag>[^ ]*)( |)(?P<log>.*)$'
-            output: merge-cri-lines
-            parse_to: body
-            timestamp:
-              parse_from: body.time
-              layout_type: gotime
-              layout: '2006-01-02T15:04:05.000000000-07:00'
-          ## Parse CRI-Containerd format
-          - id: parser-containerd
-            type: regex_parser
-            regex: '^(?P<time>[^ ^Z]+Z) (?P<stream>stdout|stderr) (?P<logtag>[^ ]*)( |)(?P<log>.*)$'
-            output: merge-cri-lines
-            parse_to: body
-            timestamp:
-              parse_from: body.time
-              layout: '%Y-%m-%dT%H:%M:%S.%LZ'
-          ## Parse docker-shim format
-          ## parser-docker interprets the input string as JSON and moves the `time` field from the JSON to Timestamp field in the OTLP log
-          ## record.
-          ## Input Body (string): '{"log":"2001-02-03 04:05:06 first line\n","stream":"stdout","time":"2021-11-25T09:59:13.23887954Z"}'
-          ## Output Body (JSON): { "log": "2001-02-03 04:05:06 first line\n", "stream": "stdout" }
-          ## Input Timestamp: _empty_
-          ## Output Timestamp: 2021-11-25 09:59:13.23887954 +0000 UTC
-          - id: parser-docker
-            type: json_parser
-            parse_to: body
-            output: merge-docker-lines
-            timestamp:
-              parse_from: body.time
-              layout: '%Y-%m-%dT%H:%M:%S.%LZ'
-
-          ## merge-docker-lines stitches back together log lines split by Docker logging driver.
-          ## Input Body (JSON): { "log": "2001-02-03 04:05:06 very long li", "stream": "stdout" }
-          ## Input Body (JSON): { "log": "ne that was split by the logging driver\n", "stream": "stdout" }
-          ## Output Body (JSON): { "log": "2001-02-03 04:05:06 very long line that was split by the logging driver\n","stream":"stdout"}
-          - id: merge-docker-lines
-            type: recombine
-            source_identifier: attributes["log.file.path"]
-            output: merge-multiline-logs
-            combine_field: body.log
-            combine_with: ""
-            is_last_entry: body.log matches "\n$"
-
-          ## merge-cri-lines stitches back together log lines split by CRI logging drivers.
-          ## Input Body (JSON): { "log": "2001-02-03 04:05:06 very long li", "logtag": "P" }
-          ## Input Body (JSON): { "log": "ne that was split by the logging driver", "logtag": "F" }
-          ## Output Body (JSON): { "log": "2001-02-03 04:05:06 very long line that was split by the logging driver\n", "stream": "stdout" }
-          - id: merge-cri-lines
-            type: recombine
-            source_identifier: attributes["log.file.path"]
-            output: merge-multiline-logs
-            combine_field: body.log
-            combine_with: ""
-            is_last_entry: body.logtag == "F"
-            overwrite_with: newest
-
-          ## merge-multiline-logs merges incoming log records into multiline logs.
-          ## Input Body (JSON): { "log": "2001-02-03 04:05:06 first line\n", "stream": "stdout" }
-          ## Input Body (JSON): { "log": "  second line\n", "stream": "stdout" }
-          ## Input Body (JSON): { "log": "  third line\n", "stream": "stdout" }
-          ## Output Body (JSON): { "log": "2001-02-03 04:05:06 first line\n  second line\n  third line\n", "stream": "stdout" }
-          - id: merge-multiline-logs
-            type: recombine
-            output: extract-metadata-from-filepath
-            source_identifier: attributes["log.file.path"]
-            combine_field: body.log
-            combine_with: ""
-            is_first_entry: body.log matches "^\\[?\\d{4}-\\d{1,2}-\\d{1,2}.\\d{2}:\\d{2}:\\d{2}.*"
-
-          ## extract-metadata-from-filepath extracts data from the `log.file.path` Attribute into the Attributes
-          ## Input Attributes:
-          ## - log.file.path: '/var/log/pods/default_logger-multiline-4nvg4_aed49747-b541-4a07-8663-f7e1febc47d5/loggercontainer/0.log'
-          ## Output Attributes:
-          ## - log.file.path: '/var/log/pods/default_logger-multiline-4nvg4_aed49747-b541-4a07-8663-f7e1febc47d5/loggercontainer/0.log'
-          ## - container_name: "loggercontainer",
-          ## - namespace: "default",
-          ## - pod_name: "logger-multiline-4nvg4",
-          ## - run_id: "0",
-          ## - uid: "aed49747-b541-4a07-8663-f7e1febc47d5"
-          ## }
-          - id: extract-metadata-from-filepath
-            type: regex_parser
-            regex: '^.*\/(?P<namespace>[^_]+)_(?P<pod_name>[^_]+)_(?P<uid>[a-f0-9\-]+)\/(?P<container_name>[^\._]+)\/(?P<run_id>\d+)\.log$'
-            parse_from: attributes["log.file.path"]
-
-          ## The following actions are being performed:
-          ## - renaming attributes
-          ## - moving stream from body to attribtues
-          ## - using body.log as body
-          ## - create fluent.tag attribute in order to route in metadata pods
-          ## Input Body (JSON): {
-          ##   "log": "2001-02-03 04:05:06 loggerlog 1 first line\n",
-          ##   "stream": "stdout",
-          ## }
-          ## Output Body (String): "2001-02-03 04:05:06 loggerlog 1 first line\n"
-          ## Input Attributes:
-          ## - log.file.path: '/var/log/pods/default_logger-multiline-4nvg4_aed49747-b541-4a07-8663-f7e1febc47d5/loggercontainer/0.log'
-          ## - container_name: "loggercontainer",
-          ## - namespace: "default",
-          ## - pod_name: "logger-multiline-4nvg4",
-          ## - run_id: "0",
-          ## - uid: "aed49747-b541-4a07-8663-f7e1febc47d5"
-          ## Output Attributes:
-          ## - k8s.container.name: "loggercontainer"
-          ## - k8s.namespace.name: "default"
-          ## - k8s.pod.name: "logger-multiline-4nvg4"
-          ## - k8s.pod.uid: "aed49747-b541-4a07-8663-f7e1febc47d5"
-          ## - run_id: "0"
-          ## - stream: "stdout"
-          ## - fluent.tag: "containers.loggercontainer"
-          - id: move-attributes
-            type: move
-            from: body.stream
-            to: attributes["stream"]
-          - type: move
-            from: attributes.container_name
-            to: attributes["k8s.container.name"]
-          - type: move
-            from: attributes.namespace
-            to: attributes["k8s.namespace.name"]
-          - type: move
-            from: attributes.pod_name
-            to: attributes["k8s.pod.name"]
-          - type: move
-            from: attributes.run_id
-            to: attributes["run_id"]
-          - type: move
-            from: attributes.uid
-            to: attributes["k8s.pod.uid"]
-          - type: add
-            field: attributes["fluent.tag"]
-            value: EXPR("containers." + attributes["k8s.container.name"])
-          ## Use remove operator when available in opentelemetry collector:
-          ## https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/9524
-          - type: move
-            from: attributes["log.file.path"]
-            to: body["log.file.path"]
-          - type: move
-            from: body.log
-            to: body
-      journald:
-        directory: /var/log/journal
-        ## This is not a full equivalent of fluent-bit filtering as fluent-bit filters by `_SYSTEMD_UNIT`
-        ## Here is filtering by `UNIT`
-        units:
-          - addon-config.service
-          - addon-run.service
-          - cfn-etcd-environment.service
-          - cfn-signal.service
-          - clean-ca-certificates.service
-          - containerd.service
-          - coreos-metadata.service
-          - coreos-setup-environment.service
-          - coreos-tmpfiles.service
-          - dbus.service
-          - docker.service
-          - efs.service
-          - etcd-member.service
-          - etcd.service
-          - etcd2.service
-          - etcd3.service
-          - etcdadm-check.service
-          - etcdadm-reconfigure.service
-          - etcdadm-save.service
-          - etcdadm-update-status.service
-          - flanneld.service
-          - format-etcd2-volume.service
-          - kube-node-taint-and-uncordon.service
-          - kubelet.service
-          - ldconfig.service
-          - locksmithd.service
-          - logrotate.service
-          - lvm2-monitor.service
-          - mdmon.service
-          - nfs-idmapd.service
-          - nfs-mountd.service
-          - nfs-server.service
-          - nfs-utils.service
-          - node-problem-detector.service
-          - ntp.service
-          - oem-cloudinit.service
-          - rkt-gc.service
-          - rkt-metadata.service
-          - rpc-idmapd.service
-          - rpc-mountd.service
-          - rpc-statd.service
-          - rpcbind.service
-          - set-aws-environment.service
-          - system-cloudinit.service
-          - systemd-timesyncd.service
-          - update-ca-certificates.service
-          - user-cloudinit.service
-          - var-lib-etcd2.service
-    exporters:
-      otlphttp:
-        endpoint: http://${LOGS_METADATA_SVC}.${NAMESPACE}.svc.cluster.local:4318
-    processors:
-      ## The batch processor accepts spans and places them into batches grouped by node and resource
-      batch:
-        ## Number of spans after which a batch will be sent regardless of time
-        ## This is set to the 10240, to avoid loosing logs on the start of the collector
-        ## TODO: Figure out what the optimal values should be for different configurations
-        send_batch_size: 10_240
-        ## Time duration after which a batch will be sent regardless of size
-        timeout: 1s
-      ## copy _SYSTEMD_UNIT, SYSLOG_FACILITY, _HOSTNAME and PRIORITY from body to attributes
-      ## so they can be used by metadata processors same way like for fluentd
-      ## build fluent.tag attribute as `host.{_SYSTEMD_UNIT}`
-      logstransform/systemd:
-        operators:
-          - type: copy
-            from: body._SYSTEMD_UNIT
-            to: attributes._SYSTEMD_UNIT
-          - type: copy
-            from: body.SYSLOG_FACILITY
-            to: attributes.SYSLOG_FACILITY
-          - type: copy
-            from: body._HOSTNAME
-            to: attributes._HOSTNAME
-          - type: copy
-            from: body.PRIORITY
-            to: attributes.PRIORITY
-          - type: add
-            field: attributes["fluent.tag"]
-            value: EXPR("host." + attributes["_SYSTEMD_UNIT"])
-          ## Removes __CURSOR and __MONOTONIC_TIMESTAMP keys from body
-          - type: remove
-            field: body.__CURSOR
-          - type: remove
-            field: body.__MONOTONIC_TIMESTAMP
+    override: {}
+
   daemonset:
     ## Set securityContext for containers running in pods in log collector daemonset
     securityContext:
diff --git a/tests/helm/logs_otc/static/basic.input.yaml b/tests/helm/logs_otc/static/basic.input.yaml
index 4af858388d..29712b36f4 100644
--- a/tests/helm/logs_otc/static/basic.input.yaml
+++ b/tests/helm/logs_otc/static/basic.input.yaml
@@ -1,2 +1,2 @@
-otellogs:
-  enabled: true
+fluent-bit:
+  enabled: false
diff --git a/tests/helm/logs_otc/static/basic.output.yaml b/tests/helm/logs_otc/static/basic.output.yaml
index ca5e285b97..f538a0b608 100644
--- a/tests/helm/logs_otc/static/basic.output.yaml
+++ b/tests/helm/logs_otc/static/basic.output.yaml
@@ -11,7 +11,6 @@ metadata:
     heritage: "Helm"
 data:
   config.yaml: |
-    
     exporters:
       otlphttp:
         endpoint: http://${LOGS_METADATA_SVC}.${NAMESPACE}.svc.cluster.local:4318
diff --git a/tests/helm/logs_otc_daemonset/static/basic.input.yaml b/tests/helm/logs_otc_daemonset/static/basic.input.yaml
index 4af858388d..29712b36f4 100644
--- a/tests/helm/logs_otc_daemonset/static/basic.input.yaml
+++ b/tests/helm/logs_otc_daemonset/static/basic.input.yaml
@@ -1,2 +1,2 @@
-otellogs:
-  enabled: true
+fluent-bit:
+  enabled: false
diff --git a/tests/helm/logs_otc_daemonset/static/complex.input.yaml b/tests/helm/logs_otc_daemonset/static/complex.input.yaml
index 5baaa01874..31ae41229a 100644
--- a/tests/helm/logs_otc_daemonset/static/complex.input.yaml
+++ b/tests/helm/logs_otc_daemonset/static/complex.input.yaml
@@ -1,5 +1,7 @@
+fluent-bit:
+  enabled: false
+
 otellogs:
-  enabled: true
   daemonset:
     ## Set securityContext for containers running in pods in log collector daemonset
     securityContext:
diff --git a/tests/integration/values/values_helm_otelcol_logs.yaml b/tests/integration/values/values_helm_otelcol_logs.yaml
index 92fdb20fe5..f498fa3ac9 100644
--- a/tests/integration/values/values_helm_otelcol_logs.yaml
+++ b/tests/integration/values/values_helm_otelcol_logs.yaml
@@ -36,29 +36,14 @@ metadata:
               - sumologic/containers
 
 otellogs:
-  enabled: true
   config:
-    service:
-      pipelines:
-        logs/containers:
-          receivers:
-            - filelog/containers
-          exporters:
-            - otlphttp
-          processors:
-            - filter/exclude_receiver_mock_container
-    processors:
-      # Filter out receiver-mock logs to prevent snowball effect
-      filter/exclude_receiver_mock_container:
-        logs:
+    override:
+      receivers:
+        journald:
+          directory: /run/log/journal
+        filelog/containers:
           exclude:
-            match_type: strict
-            record_attributes:
-              - key: k8s.container.name
-                value: receiver-mock
-    receivers:
-      journald:
-        directory: /run/log/journal
+            - /var/log/pods/receiver-mock_*/*/*.log
   daemonset:
     extraVolumeMounts:
       - mountPath: /run/log/journal