I'm using nxlog to send the IIS logs to my Nagios Log Server servers.
Logs are being sent, processed and displayed correctly in Kibana.
However, today I noticed that some logs are being lost because Logstash is not able to work with some logs.
Apparently it is treating some strings as being in a different charset.
My setting is default.
My log files in IIS are UTF-8.
How can I manage this problem?
tcp {
    type => 'eventlog'
    port => 3515
    codec => json {
        charset => 'CP1252'
    }
}
{:timestamp=>"2017-08-10T22:25:15.981000-0300", :message=>"Received an event that has a different character encoding than you configured.", :text=>"{\\\"EventReceivedTime\\\":\\\"2017-08-10 22:25:16\\\",\\\"SourceModuleName\\\":\\\"iisw3c\\\",\\\"date\\\":\\\"2017-08-11\\\",\\\"time\\\":\\\"01:25:04\\\",\\\"s_sitename\\\":\\\"W3SVC2\\\",\\\"s_computername\\\":\\\"SAASPEXMBX02\\\",\\\"s_ip\\\":\\\"10.20.10.122\\\",\\\"cs_method\\\":\\\"POST\\\",\\\"cs_uri_stem\\\":\\\"/EWS/Exchange.asmx\\\",\\\"cs_uri_query\\\":null,\\\"s_port\\\":\\\"444\\\",\\\"cs_username\\\":\\\"SAASPEX\\\\\\\\mkt_brasilgrafica.co\\\",\\\"c_ip\\\":\\\"10.20.10.101\\\",\\\"cs_version\\\":\\\"HTTP/1.1\\\",\\\"cs_user_agent\\\":\\\"MacOutlook/15.36.1.170721+(Intelx64+Mac+OS+X+Vers\\xE3o+10.13+(Fase+17A330h))\\\",\\\"cs_cookie\\\":\\\"ClientId=OGRMHNKCIYXKEQLEDW;+exchangecookie=23378b5845294c28a1c6476d080d0839\\\",\\\"cs_referer\\\":null,\\\"cs_host\\\":\\\"saaspexmbx02.saaspex.local:444\\\",\\\"sc_status\\\":\\\"200\\\",\\\"sc_substatus\\\":\\\"0\\\",\\\"sc_win32_status\\\":\\\"0\\\",\\\"sc_bytes\\\":\\\"5646\\\",\\\"cs_bytes\\\":\\\"8686\\\",\\\"time_taken\\\":\\\"93\\\",\\\"FileName\\\":\\\"C:\\\\\\\\Inetpub\\\\\\\\Logs\\\\\\\\LogFiles\\\\\\\\W3SVC2\\\\\\\\u_ex170811.log\\\",\\\"EventTime\\\":\\\"2017-08-11T01:25:04.000Z\\\",\\\"message\\\":\\\"POST /EWS/Exchange.asmx\\\",\\\"Env\\\":\\\"UOLDIVEO\\\",\\\"EnvType\\\":\\\"Exchange2013\\\"}\\r", :expected_charset=>"UTF-8", :level=>:warn}
{:timestamp=>"2017-08-10T22:25:15.981000-0300", :message=>"Received an event that has a different character encoding than you configured.", :text=>"{\\\"EventReceivedTime\\\":\\\"2017-08-10 22:25:16\\\",\\\"SourceModuleName\\\":\\\"iisw3c\\\",\\\"date\\\":\\\"2017-08-11\\\",\\\"time\\\":\\\"01:25:04\\\",\\\"s_sitename\\\":\\\"W3SVC2\\\",\\\"s_computername\\\":\\\"SAASPEXMBX02\\\",\\\"s_ip\\\":\\\"10.20.10.122\\\",\\\"cs_method\\\":\\\"POST\\\",\\\"cs_uri_stem\\\":\\\"/EWS/Exchange.asmx\\\",\\\"cs_uri_query\\\":null,\\\"s_port\\\":\\\"444\\\",\\\"cs_username\\\":\\\"SAASPEX\\\\\\\\mkt_brasilgrafica.co\\\",\\\"c_ip\\\":\\\"10.20.10.102\\\",\\\"cs_version\\\":\\\"HTTP/1.1\\\",\\\"cs_user_agent\\\":\\\"MacOutlook/15.36.1.170721+(Intelx64+Mac+OS+X+Vers\\xE3o+10.13+(Fase+17A330h))\\\",\\\"cs_cookie\\\":\\\"ClientId=OGRMHNKCIYXKEQLEDW;+exchangecookie=23378b5845294c28a1c6476d080d0839\\\",\\\"cs_referer\\\":null,\\\"cs_host\\\":\\\"saaspexmbx02.saaspex.local:444\\\",\\\"sc_status\\\":\\\"200\\\",\\\"sc_substatus\\\":\\\"0\\\",\\\"sc_win32_status\\\":\\\"0\\\",\\\"sc_bytes\\\":\\\"1934\\\",\\\"cs_bytes\\\":\\\"8426\\\",\\\"time_taken\\\":\\\"15\\\",\\\"FileName\\\":\\\"C:\\\\\\\\Inetpub\\\\\\\\Logs\\\\\\\\LogFiles\\\\\\\\W3SVC2\\\\\\\\u_ex170811.log\\\",\\\"EventTime\\\":\\\"2017-08-11T01:25:04.000Z\\\",\\\"message\\\":\\\"POST /EWS/Exchange.asmx\\\",\\\"Env\\\":\\\"UOLDIVEO\\\",\\\"EnvType\\\":\\\"Exchange2013\\\"}\\r", :expected_charset=>"UTF-8", :level=>:warn}
{:timestamp=>"2017-08-10T22:25:15.983000-0300", :message=>"Received an event that has a different character encoding than you configured.", :text=>"{\\\"EventReceivedTime\\\":\\\"2017-08-10 22:25:16\\\",\\\"SourceModuleName\\\":\\\"iisw3c\\\",\\\"date\\\":\\\"2017-08-11\\\",\\\"time\\\":\\\"01:25:04\\\",\\\"s_sitename\\\":\\\"W3SVC2\\\",\\\"s_computername\\\":\\\"SAASPEXMBX02\\\",\\\"s_ip\\\":\\\"10.20.10.122\\\",\\\"cs_method\\\":\\\"POST\\\",\\\"cs_uri_stem\\\":\\\"/EWS/Exchange.asmx\\\",\\\"cs_uri_query\\\":null,\\\"s_port\\\":\\\"444\\\",\\\"cs_username\\\":\\\"SAASPEX\\\\\\\\mkt_brasilgrafica.co\\\",\\\"c_ip\\\":\\\"10.20.10.102\\\",\\\"cs_version\\\":\\\"HTTP/1.1\\\",\\\"cs_user_agent\\\":\\\"MacOutlook/15.36.1.170721+(Intelx64+Mac+OS+X+Vers\\xE3o+10.13+(Fase+17A330h))\\\",\\\"cs_cookie\\\":\\\"ClientId=OGRMHNKCIYXKEQLEDW;+exchangecookie=23378b5845294c28a1c6476d080d0839\\\",\\\"cs_referer\\\":null,\\\"cs_host\\\":\\\"saaspexmbx02.saaspex.local:444\\\",\\\"sc_status\\\":\\\"200\\\",\\\"sc_substatus\\\":\\\"0\\\",\\\"sc_win32_status\\\":\\\"0\\\",\\\"sc_bytes\\\":\\\"2574\\\",\\\"cs_bytes\\\":\\\"6866\\\",\\\"time_taken\\\":\\\"31\\\",\\\"FileName\\\":\\\"C:\\\\\\\\Inetpub\\\\\\\\Logs\\\\\\\\LogFiles\\\\\\\\W3SVC2\\\\\\\\u_ex170811.log\\\",\\\"EventTime\\\":\\\"2017-08-11T01:25:04.000Z\\\",\\\"message\\\":\\\"POST /EWS/Exchange.asmx\\\",\\\"Env\\\":\\\"UOLDIVEO\\\",\\\"EnvType\\\":\\\"Exchange2013\\\"}\\r", :expected_charset=>"UTF-8", :level=>:warn}
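Added example, not part of the original post: a Python sketch of why these events trigger the warning. The user agent carries the single byte 0xE3 ("ã" in CP1252/Latin-1), which is not a valid UTF-8 sequence, so a UTF-8 decoder rejects the line. The sample line is a constructed, shortened version of the logged event, and the function names are hypothetical.

```python
from __future__ import annotations

import json

# Constructed sample: shortened form of the event in the warning above, with
# the "ã" of "Versão" sent as the single CP1252/Latin-1 byte 0xE3.
SAMPLE = (
    b'{"cs_method":"POST","cs_uri_stem":"/EWS/Exchange.asmx",'
    b'"cs_user_agent":"MacOutlook/15.36.1.170721+(Intelx64+Mac+OS+X+Vers\xe3o+10.13)"}\r'
)


def invalid_utf8_offsets(raw: bytes) -> list[int]:
    """Return the offset of every byte sequence in raw that is not valid UTF-8."""
    offsets, pos = [], 0
    while pos < len(raw):
        try:
            raw[pos:].decode("utf-8")
            break  # the rest of the buffer is clean
        except UnicodeDecodeError as err:
            offsets.append(pos + err.start)  # err.start is relative to the slice
            pos += err.end  # skip the bad sequence and keep scanning
    return offsets


def normalise_event(raw: bytes, fallback: str = "cp1252") -> tuple[dict, str]:
    """Parse one JSON line as UTF-8, falling back to a legacy code page.

    Returns the parsed event and the name of the charset that was used.
    """
    line = raw.rstrip(b"\r\n")
    try:
        text, used = line.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        # errors="replace" keeps the event even when a byte is undefined
        # in the fallback code page, instead of dropping the whole line.
        text, used = line.decode(fallback, errors="replace"), fallback
    return json.loads(text), used


if __name__ == "__main__":
    for off in invalid_utf8_offsets(SAMPLE):
        print(f"invalid UTF-8 at offset {off}: 0x{SAMPLE[off]:02X}")
    event, charset = normalise_event(SAMPLE)
    print(charset, event["cs_user_agent"])
```

Running the offset scan over a capture of the shipper's output shows which fields carry non-UTF-8 bytes before choosing whether to convert at the sender or set the codec charset on the receiver.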