I have seen several threads related to the same error, but none of them seem to address the issue as we are experiencing it. The messages I get this error for are from ADAudit+ reading logs from an Isilon storage appliance. The message is plain-text, as you can see in the Logstash error below, but I am wondering if the file path is causing the message to be interpreted as binary? You can see the literal string \\xB0 in the file path, but I have confirmed this is the actual name of the folder on the Isilon.
Feb 09 09:09:22 LS3 logstash[19327]: [2021-02-09T09:09:22,648][WARN ][logstash.codecs.line ][main][c0f4a18fa7c1a4e966ba29a207a3e1e5fd759cc188013a3bb9c4aa090c7e5323] Received an event that has a different character encoding than you configured. {:text=>"<110>1 2021-02-09T08:24:29.000-08:00 ServerName ADAuditPlus - - - [ Category = FileAuditReports ] [ REPORT_PROFILE = File (or) Folder Created ] [ EVENT_NUMBER = 46560 ] [ TIME_GENERATED = 1612887869 ] [ EVENT_TYPE = 8 ] [ EVENT_TYPE_TEXT = Success ] [ SOURCE = Isilon.Contoso.com ] [ REMARKS = An attempt was made to access an object ] [ HANDLE_ID = null ] [ OBJECT_NAME = \\\\ifs\\\\ShareName\\\\Arbitrary\\\\File\\\\Path\\\\To\\\\2021\\\\42100030\\\\HSM\\\\0030D302_2\\xB0\\\\t ] [ UNC_NAME = \\\\\\\\Isilon.Contoso.com\\\\Arbitrary\\\\File\\\\Path\\\\To\\\\2021\\\\42100030\\\\hsm\\\\0030d302_2\\xB0\\\\t ] [ FILE_NAME = t ] [ FILE_LOCATION = \\\\ifs\\\\ShareName\\\\Arbitrary\\\\File\\\\Path\\\\To\\\\2021\\\\42100030\\\\HSM\\\\0030D302_2\\xB0\\\\ ] [ LOGON_ID = null ] [ DOMAIN = Contoso.com ] [ ACCESSES = CREATED ] [ PROCESS_ID = null ] [ PROCESS_NAME = null ] [ CLIENT_HOST_NAME = ClientComputer.Contoso.com ] [ CLIENT_IP_ADDRESS = pri.vat.e.ip ] [ TRANSACTION_ID = 16 ] [ ACCESS_MASK = 0 ] [ USERNAME = someones_name ] [ RECORD_NUMBER = UVH@16593882 ] [ USER_SID = S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxx ] [ ACCESS_TYPE = 5 ] [ ACCESS_TYPE_TEXT = File/Folder Created ] [ FORMAT_MESSAGE = User 'someones_name' Created file/folder '\\\\\\\\Isilon.Contoso.com\\\\Arbitrary\\\\File\\\\Path\\\\To\\\\2021\\\\42100030\\\\hsm\\\\0030d302_2\\xB0\\\\t'. 
] [ USER_SAM_ACCOUNT_NAME = null ] [ USER_DISPLAY_NAME = null ] [ USER_PRINCIPAL_NAME = null ] [ USER_GUID = null ] [ USER_DISTINGUISH_NAME = null ] [ USER_OU_GUID = null ] [ USER_DEPARTMENT = null ] [ USER_MANAGER_NAME = null ] [ SOURCE_NAME = null ] [ LOG_FILE_NAME = null ] [ KEYWORDS_NAME = null ] [ TASK_CATEGORY_NAME = null ] [ TASK_CATEGORY_ID = null ] [ FILE_TYPE = Folder ] [ SHARE_NAME = null ] [ EXTRA_COLUMN1 = null ] [ EXTRA_COLUMN2 = null ] [ EXTRA_COLUMN3 = null ] [ EXTRA_COLUMN4 = null ] [ EXTRA_COLUMN5 = null ] [ EXTRA_COLUMN6 = null ] [ EXTRA_COLUMN7 = null ] [ EXTRA_COLUMN8 = null ] [ EXTRA_COLUMN9 = null ] [ EXTRA_COLUMN10 = null ] [ CONFIGURED_DOMAIN_NAME = null ] [ NEW_PRIVILEGES_USED = null ] ", :expected_charset=>"UTF-8"}
To note, from reading other similar threads...
- No overlapping port numbers with TCP/UDP
- The messages are plain-text (no special encoding)
- The Logstash input is very basic:
    input {
      tcp {
        port => 5514
      }
    }
I would appreciate any and all thoughts on correcting this.
Thank you in advance!
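An added diagnostic example, not part of the original post: it locates the bytes in a raw syslog line that are not valid UTF-8 and shows how candidate single-byte charsets would read them. The sample line is constructed from the event above, and it assumes the `\xB0` in the warning is a single raw byte 0xB0 shown escaped; the candidate charset list and all function names are also assumptions.

```python
# Added diagnostic example; SAMPLE is constructed, not captured traffic.
# Assumption: the "\xB0" in the warning is one raw byte 0xB0, shown escaped.
SAMPLE = (b"<110>1 2021-02-09T08:24:29.000-08:00 ServerName ADAuditPlus - - - "
          b"[ OBJECT_NAME = \\ifs\\ShareName\\HSM\\0030D302_2\xb0\\t ]")
CANDIDATES = ("cp1252", "iso-8859-1")  # charsets to try (assumption)


def invalid_utf8_spans(data: bytes):
    """Return [(offset, bad_bytes)] for every run that is not valid UTF-8."""
    spans, pos = [], 0
    while pos < len(data):
        try:
            data[pos:].decode("utf-8")
            break
        except UnicodeDecodeError as err:
            start, end = pos + err.start, pos + err.end
            spans.append((start, data[start:end]))
            pos = end
    return spans


def describe(data: bytes, context: int = 12):
    """For each invalid run: nearby text and how candidate charsets read it."""
    report = []
    for offset, bad in invalid_utf8_spans(data):
        before = data[max(0, offset - context):offset].decode("utf-8", "replace")
        readings = {}
        for name in CANDIDATES:
            try:
                readings[name] = bad.decode(name)
            except UnicodeDecodeError:
                readings[name] = None  # byte is undefined in this charset
        report.append({"offset": offset, "hex": bad.hex(),
                       "before": before, "readings": readings})
    return report


def reencode(data: bytes, charset: str) -> bytes:
    """Transcode the line to UTF-8 once the source charset is known."""
    return data.decode(charset).encode("utf-8")


if __name__ == "__main__":
    for item in describe(SAMPLE):
        print(item)
    print(reencode(SAMPLE, "cp1252"))
```

A candidate that decodes the flagged byte to the character seen in the real folder name is the value to try in the line codec's `charset` option.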