French Syslog

rene847
Path Finder

Hi,
(Sorry for my English, I'm French)

I have new systems that send syslog to a Splunk Universal Forwarder via port 40514. The UF listens and I receive the syslog (it's OK).
When I test (logger) and check the configuration of all systems, we have LANG=en_CA.UTF8.
My Charset parameter is set to AUTO and I don't understand why the system replaces characters with .... see example.

Example:
root@SERVERX:/etc/rsyslog.d# logger -plocal0.info "Test logger 61"
root@SERVERX:/etc/rsyslog.d# logger -plocal0.info "Test logger 62 with accent è é à"

Apr 17 16:15:08 10.62.1.140 Apr 17 16:15:08 SERVERX root: Test logger 62 with accent \xE8 \xE9 \xE0
date_hour = 16
date_mday = 17
date_minute = 15
date_month = april
date_second = 8
date_wday = friday
date_year = 2015
date_zone = local
host = 192.168.80.210
index = IndexLav
linecount = 1
punct = ::_...:::______\
source = udp:40514
sourcetype = udp:40514
splunk_server = SERVERY
splunk_server_group = dmc_group_indexer
timeendpos = 16
timestartpos = 0
unix_category = all_hosts
unix_group = default

Anyone know how to fix this?
Thank you in advance.

1 Solution

rene847
Path Finder

For now, I removed accents. I have no other solution.
:-((

acharlieh
Influencer

I'm not sure, but I suspect that Splunk is guessing UTF-8 but the log is not in that format. For example: é is Unicode code point U+00E9, which in UTF-8 is 2 bytes: 0xC3 0xA9. But here it looks like you have a substitution for a single byte E9, which makes me believe it's actually ISO-8859-1 or another character set with a similar mapping.


rene847
Path Finder

I made a pcap and viewed it with Wireshark:

Syslog message: LOCAL0.INFO: Apr 15 19:45:53 SERVERx root: Test logger 16 accent \350 \351 \340
1000 0... = Facility: LOCAL0 - reserved for local use (16)
.... .110 = Level: INFO - informational (6)
Message: Apr 15 19:45:53 SERVERx root: Test logger 16 accent \350 \351 \340
(backslash before 350, 351 and 340)

Strange


acharlieh
Influencer

I think the pcap is showing those bytes in octal, since octal 351 is hexadecimal E9.

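The check described in the two replies above, as an added example that is not part of the original thread: it turns the escaped bytes shown by Splunk (\xE8) and by Wireshark (\350) back into raw bytes and tests whether they are valid UTF-8. The function names and sample constants are constructed for illustration, and the ISO-8859-1 fallback is the reply's guess, not a confirmed sender charset.

```python
import re

# One escaped byte as displayed on the page: Splunk shows hex (\xE8),
# Wireshark shows octal (\350). Both stand for a single raw byte.
_ESCAPE = re.compile(rb"\\x([0-9A-Fa-f]{2})|\\([0-3][0-7]{2})")

# Constructed samples copied from the displayed text in the thread.
# Raw bytes literals keep the backslash sequences as literal characters.
SPLUNK_EVENT = rb"SERVERX root: Test logger 62 with accent \xE8 \xE9 \xE0"
WIRESHARK_MSG = rb"SERVERx root: Test logger 16 accent \350 \351 \340"
# Constructed: what the payload would be if the sender really emitted UTF-8.
UTF8_PAYLOAD = "Test logger 62 with accent è é à".encode("utf-8")


def unescape(display):
    """Rebuild the raw payload bytes from a displayed, escaped line."""
    def repl(match):
        if match.group(1) is not None:
            return bytes([int(match.group(1), 16)])   # \xE9 -> 0xE9
        return bytes([int(match.group(2), 8)])        # \351 -> 0xE9
    return _ESCAPE.sub(repl, display)


def diagnose(raw):
    """Return (charset guess, decoded text) for one syslog payload."""
    if raw.isascii():
        return "ascii", raw.decode("ascii")
    try:
        # A lone 0xE9 followed by a space is not a valid UTF-8 sequence,
        # so single-byte accents fail here.
        return "utf-8", raw.decode("utf-8")
    except UnicodeDecodeError:
        # ISO-8859-1 maps every byte value, so this never fails; it is an
        # assumption about the sender, not proof of its charset.
        return "iso-8859-1 (assumed)", raw.decode("iso-8859-1")


if __name__ == "__main__":
    for label, shown in (("splunk", SPLUNK_EVENT), ("wireshark", WIRESHARK_MSG)):
        raw = unescape(shown)
        print(label, raw[-8:].hex(" "), diagnose(raw))
    print("utf-8 sender", UTF8_PAYLOAD[-8:].hex(" "), diagnose(UTF8_PAYLOAD))
```

Both displayed forms reduce to the same single bytes E8 E9 E0, while a UTF-8 sender would put C3 A8, C3 A9 and C3 A0 on the wire.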

rene847
Path Finder

Yesss I know. I find a solution....


o_calmels
Communicator

Hi, I have the same problem.
You wrote that you found a solution; please, can you tell us what it is?

Thanks, Olivier.
