Getting Data In

French Syslog

rene847
Path Finder

Hi,
(Sorry for my English, I'm French)

I have new systems that send Syslog to Splunk UniversalFowarder via 40514 port. The UF listen and I receive Syslog (its ok).
When I test (logger) and check configuration of all systems, we have LANG=en_CA.UTF8.
My Charset parameter is set to AUTO and I dont understand why the systems replaces characters by .... see exemple.

Example:
root@SERVERX:/etc/rsyslog.d# logger -plocal0.info "Test logger 61"
root@SERVERX:/etc/rsyslog.d# logger -plocal0.info "Test logger 62 with accent è é à"

Apr 17 16:15:08 10.62.1.140 Apr 17 16:15:08 SERVERX root: Test logger 62 with accent \xE8 \xE9 \xE0
date_hour = 16 date_mday = 17 date_minute = 15 date_month = april date_second = 8 date_wday = friday date_year = 2015 date_zone = local host = 192.168.80.210 index = IndexLav linecount = 1 punct = ::_...:::______\ source = udp:40514 sourcetype = udp:40514 splunk_server = SERVERY splunk_server_group = dmc_group_indexer timeendpos = 16 timestartpos = 0 unix_category = all_hosts unix_group = default

Anyone know how to fix this?
Thank you in advance.

Tags (3)
0 Karma
1 Solution

rene847
Path Finder

For now, I removed accents. I have no other solution.
:-((

View solution in original post

0 Karma

rene847
Path Finder

For now, I removed accents. I have no other solution.
:-((

0 Karma

acharlieh
Influencer

I'm not sure, but I suspect that Splunk is guessing UTF-8 but the log is not that format. For example: é
is Unicode code point U+00E9, which in UTF-8 is 2 bytes: 0xC3 0xA9 But here it looks like you have a substitution for a single byte E9 which makes me believe it's actually ISO-8859-1 or another character set with a similar mapping.

0 Karma

rene847
Path Finder

I made a Pcap and I visualized with Wireshark:

Syslog message: LOCAL0.INFO: Apr 15 19:45:53 SERVERx root: Test logger 16 accent \350 \351 \340
1000 0... = Facility: LOCAL0 - reserved for local use (16)
.... .110 = Level: INFO - informational (6)
Message: Apr 15 19:45:53 SERVERx root: Test logger 16 accent \350 \351 \340
(backslash before 350, 351 and 340)

Strange

0 Karma

acharlieh
Influencer

I think the PCap is showing those bytes in octal. Since octal 351 is hexadecimal E9

0 Karma

rene847
Path Finder

Yesss I know. I find a solution....

0 Karma

o_calmels
Communicator

I, Ihave the same problem.
You wrote that you fond a solution, please, can you tell us what is it ?

Thank's, Olivier.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...