Help with Filebeat for Windows

jnpetty · October 3, 2016, 9:24pm

I am trying to test out filebeat on a Windows server. Currently I am echoing into a test file that filebeat is monitoring and then output to another file to see what the output looks like. I am writing to the test file with the following command:

echo "Does this work?" >> .\Logtest.log

In the output file the Message portion looks like:

"message":"\ufffd\ufffdD\u0000o\u0000e\u0000s\u0000 \u0000t\u0000h\u0000i\u0000s\u0000 \u0000w\u0000o\u0000r\u0000k\u0000?\u0000\r\u0000",

Thoughts on whats going on?

andrewkroh · October 3, 2016, 9:32pm

You probably need to set the proper file encoding. See https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html#_encoding

filebeat:
  prospectors:
    - paths:
        - c:\programdata\myapp\logs\*
      # Configure the file encoding for reading files with international characters
      # following the W3C recommendation for HTML5 (http://www.w3.org/TR/encoding).
      # Some sample encodings:
      #   plain, utf-8, utf-16be-bom, utf-16be, utf-16le, big5, gb18030, gbk,
      #    hz-gb-2312, euc-kr, euc-jp, iso-2022-jp, shift-jis, ...
      encoding: utf-8

jnpetty · October 3, 2016, 9:50pm

No dice, I tried both plain and utf-8 encoding, with no luck

Plain resulted in
"message":"��t\u0000e\u0000s\u0000t\u0000n\u0000o\u0000t\u0000i\u0000c\u0000e\u0000\r\u0000",

and utf-8 resulted in
"message":"\u0000t\u0000e\u0000s\u0000t\u0000n\u0000o\u0000t\u0000i\u0000c\u0000e\u0000\r\u0000",

I also just tried manually typing in data and saving and it was the same result.

ruflin · October 4, 2016, 8:16am

What editor are you using to type in the data?

steffens · October 4, 2016, 1:46pm

can you open/show the file in a hex editor? the \u0000 is the NULL-character for example. It's literaly a byte having value 0 (normally used to indicate end of C-strings).

If I remember correctly \ufffd stands for 'invalid.

Given you have NULL-character followed by a character I'd assume this being UTF-16 with some BOM sequence at beginning of file. Normally windows uses little endian based utf-16 encoding. Try encoding like utf-16le or utf-16le-bom .

jnpetty · October 4, 2016, 4:47pm

Thanks everyone for the help, I was able to get it working by changing the encoding to utf-16

system · October 24, 2016, 9:24pm

This topic was automatically closed after 21 days. New replies are no longer allowed.

Topic		Replies	Views
Default encoding for filebeat Beats filebeat	1	340	December 12, 2019
Can you test if Filebeat can read from a file? Beats filebeat	2	1261	October 27, 2016
Data sent by Filebeat looks garbled Beats filebeat	10	5414	July 5, 2017
Cp865 encoded logs Beats filebeat	4	477	November 13, 2018
Filebeat - received an event - has different character encoding Beats	21	24767	July 5, 2017

Help with Filebeat for Windows

Related topics