https://community.splunk.com/t5/Getting-Data-In/SplunkForwarder-garble-events-with-x00/m-p/84808#M17628 <P>I observe a strange behavior with one of out UniversalForwarders.</P> <P>First I've added a new logfile on the forwarder with CLI. Events looks good on a search.</P> <P>After that I'vre removed the monitor and re-added with "-sourcetype cerberus-ftp".</P> <P>Result: Events are not encoded anymore:</P> <PRE><CODE>\x00[\x002\x000\x001\x003\x00-\x000\x007\x00-\x000\x004\x00 \x001\x004\x00:\x002\x005\x00:\x003\x003\x00]\x00:\x00C\x00O\x00N\x00N\x00E\x00C\x00T\x00 \x00[\x00 \x00 \x001\x003\x007\x000\x00]\x00 \x00-\x00 \x00T\x00h\x00e\x00 \x00c\x00l\x00i\x00e\x00n\x00t\x00 \x00c\x00l\x00o\x00s\x00e\x00d\x00 \x00t\x00h\x00e\x00 \x00c\x00o\x00n\x00n\x00e\x00c\x00t\x00i\x00o\x00n\x00 </CODE></PRE> <P>I've tried to add "CHARSET = UTF-16" to props.conf. Nothing changed.</P> <P>If I remove the monitor and add without the sourcetype specified the event is displayed correctly.</P> <P>Our Setup:</P> <UL> <LI>Windows SplunkForwarder 5.0.2</LI> <LI>Linux Indexer 5.0.1 </LI> <LI>Linux SearchHead 5.0.1</LI> </UL> <P>Some ideas how to fix the encoding and why the specification of the sourcetype change it?</P> Thu, 04 Jul 2013 12:40:07 GMT berndg 2013-07-04T12:40:07Z https://community.splunk.com/t5/Getting-Data-In/SplunkForwarder-garble-events-with-x00/m-p/84808#M17628 <P>I observe a strange behavior with one of out UniversalForwarders.</P> <P>First I've added a new logfile on the forwarder with CLI. Events looks good on a search.</P> <P>After that I'vre removed the monitor and re-added with "-sourcetype cerberus-ftp".</P> <P>Result: Events are not encoded anymore:</P> <PRE><CODE>\x00[\x002\x000\x001\x003\x00-\x000\x007\x00-\x000\x004\x00 \x001\x004\x00:\x002\x005\x00:\x003\x003\x00]\x00:\x00C\x00O\x00N\x00N\x00E\x00C\x00T\x00 \x00[\x00 \x00 \x001\x003\x007\x000\x00]\x00 \x00-\x00 \x00T\x00h\x00e\x00 \x00c\x00l\x00i\x00e\x00n\x00t\x00 \x00c\x00l\x00o\x00s\x00e\x00d\x00 \x00t\x00h\x00e\x00 \x00c\x00o\x00n\x00n\x00e\x00c\x00t\x00i\x00o\x00n\x00 </CODE></PRE> <P>I've tried to add "CHARSET = UTF-16" to props.conf. Nothing changed.</P> <P>If I remove the monitor and add without the sourcetype specified the event is displayed correctly.</P> <P>Our Setup:</P> <UL> <LI>Windows SplunkForwarder 5.0.2</LI> <LI>Linux Indexer 5.0.1 </LI> <LI>Linux SearchHead 5.0.1</LI> </UL> <P>Some ideas how to fix the encoding and why the specification of the sourcetype change it?</P> Thu, 04 Jul 2013 12:40:07 GMT https://community.splunk.com/t5/Getting-Data-In/SplunkForwarder-garble-events-with-x00/m-p/84808#M17628 berndg 2013-07-04T12:40:07Z https://community.splunk.com/t5/Getting-Data-In/SplunkForwarder-garble-events-with-x00/m-p/84809#M17629 <P>Can you please share your input and props conf files ? I have the same issue with the same architecture and i cannot solve it</P> <P>thanks</P> Wed, 02 Oct 2013 10:12:05 GMT https://community.splunk.com/t5/Getting-Data-In/SplunkForwarder-garble-events-with-x00/m-p/84809#M17629 jonthanze 2013-10-02T10:12:05Z https://community.splunk.com/t5/Getting-Data-In/SplunkForwarder-garble-events-with-x00/m-p/84810#M17630 <P>I had the exact same issue. No matter what I changed the sourcetype to, unless it was "server", which is the default, I got those characters coming through.</P> <P>I even tried the charset suggestion from here <A href="http://answers.splunk.com/answers/24484/sql-server-errorlog">http://answers.splunk.com/answers/24484/sql-server-errorlog</A>, but then on one server I started to get even stranger results.</P> <P>Only seems to happen with the Cerberus FTP log file though.</P> Wed, 22 Jan 2014 20:20:51 GMT https://community.splunk.com/t5/Getting-Data-In/SplunkForwarder-garble-events-with-x00/m-p/84810#M17630 russellliss 2014-01-22T20:20:51Z https://community.splunk.com/t5/Getting-Data-In/SplunkForwarder-garble-events-with-x00/m-p/84811#M17631 <P>Did you ever get a solution to this? Also, I assume this is for logs for cerberus ftp? If so could you please provide your solution for getting the logs from cerberus?</P> <P>Thanks,</P> Wed, 19 Sep 2018 15:53:49 GMT https://community.splunk.com/t5/Getting-Data-In/SplunkForwarder-garble-events-with-x00/m-p/84811#M17631 josh_beverly 2018-09-19T15:53:49Z