I have some log entries that are coming in from snare that look ok in the snare.log file, but when looking at the logstash.log, I see a message that says a character set other than UTF-8 was expected, but no indication on what character set I received. Other servers and workstations on the network don't have this message. Earlier in the day, I wasn't receiving any snare logs, but restarting logstash and elasticsearch made some of the logs start coming in. Any thoughts on how to troubleshoot this would be appreciated!!!
I had a similar issue on some of my servers, and I resolved it by adding the correct charset name to the input section (first open your log file in an application that is able to show the text encoding):
file {
  path => ["C:\App\events.log"]
  type => "APP-log"
  # charset names the encoding of the source file; Logstash converts it to UTF-8
  codec => plain { charset => "Windows-1252" }
}
What made you decide to use Windows-1252? I was looking for a way to determine which character set it is receiving.
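One way to find out which character set a log source is actually sending, as an added example that is not part of the original thread: the script below locates the bytes that strict UTF-8 rejects and makes a heuristic guess at a charset name to put in the `charset =>` setting. The function names and the sample line are hypothetical and constructed for illustration, and the guess cannot distinguish single-byte charsets with certainty.

```python
import codecs

# BOM -> charset name as written in a Logstash `charset =>` setting.
BOMS = [(codecs.BOM_UTF8, "UTF-8"),
        (codecs.BOM_UTF16_LE, "UTF-16LE"),
        (codecs.BOM_UTF16_BE, "UTF-16BE")]

def invalid_utf8_offsets(data, limit=10):
    """Return up to `limit` (offset, bytes) pairs that strict UTF-8 rejects."""
    found, pos = [], 0
    while pos < len(data) and len(found) < limit:
        try:
            data[pos:].decode("utf-8")
            break  # the rest of the buffer is valid UTF-8
        except UnicodeDecodeError as err:
            found.append((pos + err.start, data[pos + err.start:pos + err.end]))
            pos += err.end  # resume just past the rejected bytes
    return found

def guess_charset(data):
    """Heuristic guess; single-byte charsets cannot be told apart with certainty."""
    for bom, name in BOMS:
        if data.startswith(bom):
            return name
    # Mostly-ASCII UTF-16 has a NUL in every other byte (and NUL is valid UTF-8).
    if data and data[1::2].count(0) > len(data) / 4:
        return "UTF-16LE"
    if data and data[0::2].count(0) > len(data) / 4:
        return "UTF-16BE"
    if not invalid_utf8_offsets(data, limit=1):
        return "UTF-8"
    try:
        # cp1252 leaves 0x81, 0x8D, 0x8F, 0x90 and 0x9D undefined.
        data.decode("cp1252")
        return "Windows-1252"
    except UnicodeDecodeError:
        return "ISO-8859-1"

# Constructed sample line, encoded the way a Windows-1252 source would write it.
SAMPLE = "User Jos\u00e9 logged on \u2013 OK".encode("cp1252")

if __name__ == "__main__":
    print(guess_charset(SAMPLE))
    for offset, raw in invalid_utf8_offsets(SAMPLE):
        print(f"offset {offset}: {raw.hex()} -> {raw.decode('cp1252')!r}")
```

To check a real file, read it in binary mode (`open(path, "rb").read()`) and pass the bytes to both functions; the reported offsets show which log entries carry the non-UTF-8 bytes.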