When log rotation splits a multiline log entry filestream cannot track it

[rdner]

When users have a filestream configured to ingest multiline logs and there is a configured log rotation, it's possible that the log rotation takes place in the middle of a multiline log entry.

In this case filestream is not able to track that 2 parts of the split multiline entry are a part of the same event. This leads to a possible partial data loss.

This is especially relevant for container logs in Kubernetes where the log rotation is configured by default.

Currently filestream is detecting a rotated file as a brand new file and there is no connection between the previously rotated file and the new file.

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)