https://community.splunk.com/t5/Getting-Data-In/French-Syslog/m-p/151465#M30799 <P>I think the PCap is showing those bytes in octal. Since octal 351 is hexadecimal E9</P> Mon, 20 Apr 2015 16:21:50 GMT acharlieh 2015-04-20T16:21:50Z https://community.splunk.com/t5/Getting-Data-In/French-Syslog/m-p/151462#M30796 <P>Hi,<BR /> (Sorry for my English, I'm French)</P> <P>I have new systems that send Syslog to Splunk UniversalFowarder via 40514 port. The UF listen and I receive Syslog (its ok).<BR /> When I test (logger) and check configuration of all systems, we have LANG=en_CA.UTF8.<BR /> My Charset parameter is set to AUTO and I dont understand why the systems replaces characters by .... see exemple.</P> <P>Example:<BR /> root@SERVERX:/etc/rsyslog.d# logger -plocal0.info "Test logger 61"<BR /> root@SERVERX:/etc/rsyslog.d# logger -plocal0.info "Test logger 62 with accent è é à"</P> <P>Apr 17 16:15:08 10.62.1.140 Apr 17 16:15:08 SERVERX root: Test logger 62 with accent \xE8 \xE9 \xE0<BR /> date_hour = 16 date_mday = 17 date_minute = 15 date_month = april date_second = 8 date_wday = friday date_year = 2015 date_zone = local host = 192.168.80.210 index = IndexLav linecount = 1 punct = <STRONG>::_...</STRONG><EM>::</EM><EM>:</EM>______\ source = udp:40514 sourcetype = udp:40514 splunk_server = SERVERY splunk_server_group = dmc_group_indexer timeendpos = 16 timestartpos = 0 unix_category = all_hosts unix_group = default</P> <P>Anyone know how to fix this?<BR /> Thank you in advance.</P> Mon, 28 Sep 2020 19:35:42 GMT https://community.splunk.com/t5/Getting-Data-In/French-Syslog/m-p/151462#M30796 rene847 2020-09-28T19:35:42Z https://community.splunk.com/t5/Getting-Data-In/French-Syslog/m-p/151463#M30797 <P>I'm not sure, but I suspect that Splunk is guessing UTF-8 but the log is not that format. For example: é<BR /> is Unicode code point U+00E9, which in UTF-8 is 2 bytes: 0xC3 0xA9 But here it looks like you have a substitution for a single byte E9 which makes me believe it's actually ISO-8859-1 or another character set with a similar mapping.</P> Mon, 20 Apr 2015 14:24:48 GMT https://community.splunk.com/t5/Getting-Data-In/French-Syslog/m-p/151463#M30797 acharlieh 2015-04-20T14:24:48Z https://community.splunk.com/t5/Getting-Data-In/French-Syslog/m-p/151464#M30798 <P>I made a Pcap and I visualized with Wireshark:</P> <P>Syslog message: LOCAL0.INFO: Apr 15 19:45:53 SERVERx root: Test logger 16 accent \350 \351 \340 <BR /> 1000 0... = Facility: LOCAL0 - reserved for local use (16)<BR /> .... .110 = Level: INFO - informational (6)<BR /> Message: Apr 15 19:45:53 SERVERx root: Test logger 16 accent \350 \351 \340<BR /> (backslash before 350, 351 and 340)</P> <P>Strange</P> Mon, 20 Apr 2015 14:42:38 GMT https://community.splunk.com/t5/Getting-Data-In/French-Syslog/m-p/151464#M30798 rene847 2015-04-20T14:42:38Z https://community.splunk.com/t5/Getting-Data-In/French-Syslog/m-p/151465#M30799 <P>I think the PCap is showing those bytes in octal. Since octal 351 is hexadecimal E9</P> Mon, 20 Apr 2015 16:21:50 GMT https://community.splunk.com/t5/Getting-Data-In/French-Syslog/m-p/151465#M30799 acharlieh 2015-04-20T16:21:50Z https://community.splunk.com/t5/Getting-Data-In/French-Syslog/m-p/151466#M30800 <P>Yesss I know. I find a solution....</P> Mon, 20 Apr 2015 17:40:58 GMT https://community.splunk.com/t5/Getting-Data-In/French-Syslog/m-p/151466#M30800 rene847 2015-04-20T17:40:58Z https://community.splunk.com/t5/Getting-Data-In/French-Syslog/m-p/151467#M30801 <P>I, Ihave the same problem. <BR /> You wrote that you fond a solution, please, can you tell us what is it ?</P> <P>Thank's, Olivier.</P> Wed, 22 Apr 2015 09:11:46 GMT https://community.splunk.com/t5/Getting-Data-In/French-Syslog/m-p/151467#M30801 o_calmels 2015-04-22T09:11:46Z https://community.splunk.com/t5/Getting-Data-In/French-Syslog/m-p/151468#M30802 <P>For now, I removed accents. I have no other solution.<BR /> :-((</P> Thu, 23 Apr 2015 18:19:32 GMT https://community.splunk.com/t5/Getting-Data-In/French-Syslog/m-p/151468#M30802 rene847 2015-04-23T18:19:32Z