Re: SplunkForwarder garble events with \x00

berndg · ‎07-04-2013

I observe a strange behavior with one of out UniversalForwarders.

First I've added a new logfile on the forwarder with CLI. Events looks good on a search.

After that I'vre removed the monitor and re-added with "-sourcetype cerberus-ftp".

Result: Events are not encoded anymore:

\x00[\x002\x000\x001\x003\x00-\x000\x007\x00-\x000\x004\x00 \x001\x004\x00:\x002\x005\x00:\x003\x003\x00]\x00:\x00C\x00O\x00N\x00N\x00E\x00C\x00T\x00 \x00[\x00 \x00 \x001\x003\x007\x000\x00]\x00 \x00-\x00 \x00T\x00h\x00e\x00 \x00c\x00l\x00i\x00e\x00n\x00t\x00 \x00c\x00l\x00o\x00s\x00e\x00d\x00 \x00t\x00h\x00e\x00 \x00c\x00o\x00n\x00n\x00e\x00c\x00t\x00i\x00o\x00n\x00

I've tried to add "CHARSET = UTF-16" to props.conf. Nothing changed.

If I remove the monitor and add without the sourcetype specified the event is displayed correctly.

Our Setup:

Windows SplunkForwarder 5.0.2
Linux Indexer 5.0.1
Linux SearchHead 5.0.1

Some ideas how to fix the encoding and why the specification of the sourcetype change it?

josh_beverly · ‎09-19-2018

Did you ever get a solution to this? Also, I assume this is for logs for cerberus ftp? If so could you please provide your solution for getting the logs from cerberus?

Thanks,

russellliss · ‎01-22-2014

I had the exact same issue. No matter what I changed the sourcetype to, unless it was "server", which is the default, I got those characters coming through.

I even tried the charset suggestion from here http://answers.splunk.com/answers/24484/sql-server-errorlog, but then on one server I started to get even stranger results.

Only seems to happen with the Cerberus FTP log file though.

jonthanze · ‎10-02-2013

Can you please share your input and props conf files ? I have the same issue with the same architecture and i cannot solve it

thanks

SplunkForwarder garble events with \x00

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life