output {
file{
path => "/var/log/kube-audit/audit-%{+YYYY.MM.dd.HH}.log"
create_if_deleted => true
id => "file"
}
The file looks ends up being /var/log/kube-audit/audit-.log. The timestamp works fine in the elasticsearch output plugin so I'm not sure why this is broken.
In 7.1.1 that works as expected, provided, of course, that the events have an @timestamp field (that's what it uses to do the sprintf).
Thanks!
I noticed that the @timestamp field was removed from a bad example on the kubernetes docs.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.