Cyrillic and Syslog

Defender

Mar 18, 2023, 7:04:11 PM
to Wazuh mailing list
Hi team, thank you for your work and your product. Can you help me please?
I am using wazuh_4.3.9+filebeat_7.17.6+kibana_7.17.6.
The problem is displaying Cyrillic characters in syslog.
Agent config:
  <localfile>
    <location>C:\Program Files (x86)\10-Strike Connection Monitor Pro\ConnMon*</location>
    <log_format>syslog</log_format>
  </localfile>
What it looks like in the Elastic interface (full_log):
19.03.2023 | 1:09:59 | [fe80::991c:dc75:e11f:4f23] | [fe80::991c:dc75:e11f:4f23] | Server | ������ | D:\server-office\���������\20 ������������������� �����
What it looks like in the original - 19.03.2023 |  1:09:59 | [fe80::991c:dc75:e11f:4f23] | [fe80::991c:dc75:e11f:4f23] |  | Server | Чтение | D:\server-office\Папка\20 файлов\Формирование текстов.
Question: what do I need to do to make Elastic start reading Cyrillic in syslog?
It is worth noting that the agent reads Cyrillic without problems if eventchannel is specified for the agent:
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>
eventchannel_Cyrillic .jpg
syslog_Cyrillic.jpg

Defender

Mar 18, 2023, 7:24:45 PM
to Wazuh mailing list
logtest

Sunday, March 19, 2023 at 02:04:11 UTC+3, Defender:
logtest.jpg

Defender

Mar 19, 2023, 10:15:28 AM
to Wazuh mailing list
original logs in ANSI

Sunday, March 19, 2023 at 02:24:45 UTC+3, Defender:

Defender

Mar 19, 2023, 12:05:13 PM
to Wazuh mailing list

So far, I've gotten out of the situation by using python. But I don't think it's the best solution...

import codecs
import os
from chardet import detect
from unidecode import unidecode

# Path to the file that stores the last read position
# (raw strings: in a normal string "\1" is an octal escape and a trailing "\" escapes the closing quote)
last_read_file = r"C:\Program Files (x86)\10-Strike Connection Monitor Pro\last_read.txt"
# Path to the directory with logs
log_dir = r"C:\Program Files (x86)\10-Strike Connection Monitor Pro"
# Output file name
output_file = "python_converted.log"
# List of file names that have already been processed
processed_files = []

# Create the last_read.txt file if it does not exist
if not os.path.exists(last_read_file):
    with open(last_read_file, 'w') as f:
        f.write('0')

# Open the file with the last read position
try:
    with open(last_read_file, 'r') as f:
        last_read_pos = int(f.read())
except (ValueError, FileNotFoundError):
    last_read_pos = 0

# Open the output file in append mode
with open(os.path.join(log_dir, output_file), 'a', encoding='utf-8') as out_file:

    # Iterate through all log files in the directory
    for log_file in os.listdir(log_dir):
        if not log_file.startswith("ConnMon") or log_file in processed_files:
            continue

        # Determine the full path to the file
        log_path = os.path.join(log_dir, log_file)

        # Determine the size of the file
        file_size = os.path.getsize(log_path)

        # If the last read position is greater than the file size, move on to the next file
        if last_read_pos > file_size:
            continue

        # Open the file in binary mode
        with open(log_path, 'rb') as in_file:
            # Move to the last read position
            in_file.seek(last_read_pos)

            # Read the contents of the file
            content = in_file.read()

            # Determine the encoding of the file
            encoding = detect(content)['encoding']

            # Use the Windows ANSI code page as the default if auto-detection fails
            # ('ansi' is not a Python codec name; 'mbcs' is the system ANSI code page on Windows)
            if not encoding:
                encoding = 'mbcs'

            # Decode the contents of the file and transliterate non-ASCII characters
            decoded_content = codecs.decode(content, encoding, errors='ignore')
            cleaned_content = unidecode(decoded_content)

            # Write the contents to the output file
            out_file.write(cleaned_content)

        # Update the last read position in the last_read.txt file
        with open(last_read_file, 'w') as f:
            f.write(str(file_size))

        # Add the file name to the list of processed files
        processed_files.append(log_file)

print("Script executed successfully")

Sunday, March 19, 2023 at 17:15:28 UTC+3, Defender:
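The mojibake from the first post and the converter from the last one, as an added example that is not from the thread: it reproduces why a UTF-8 consumer shows exactly one "�" per Cyrillic letter, and re-encodes the unread tail of a ConnMon file to UTF-8 while keeping a separate offset per source file. It assumes the original files are Windows-1251 (the "ANSI" code page on Russian Windows); the file names and the JSON state file are constructed.

```python
import json
import os
import tempfile

# Constructed sample (added example, not the poster's script): the ConnMon line
# from the thread encoded in Windows-1251, the "ANSI" code page on Russian Windows.
LINE = ("19.03.2023 |  1:09:59 | [fe80::991c:dc75:e11f:4f23] | Server | Чтение | "
        "D:\\server-office\\Папка\\20 файлов\\Формирование текстов.\n")
SAMPLE_CP1251 = LINE.encode("cp1251")

def as_seen_by_utf8_consumer(raw: bytes) -> str:
    """Reproduce the mojibake: a UTF-8 consumer (Filebeat/Elastic) turns each
    undecodable cp1251 byte into one U+FFFD, while the ASCII fields survive."""
    return raw.decode("utf-8", errors="replace")

def convert_tail(src: str, dst: str, state: str, encoding: str = "cp1251") -> int:
    """Append the not-yet-seen bytes of `src` to `dst` re-encoded as UTF-8.
    Offsets are tracked per source file in a JSON state file, so rotated ConnMon*
    files do not share one position. cp1251 is single-byte, so a chunk boundary
    can never split a character. Returns the number of new bytes handled."""
    try:
        with open(state, encoding="utf-8") as f:
            offsets = json.load(f)
    except (FileNotFoundError, json.JSONDecodeError):
        offsets = {}
    pos, size = offsets.get(src, 0), os.path.getsize(src)
    if size < pos:  # truncated or rotated in place: start from the beginning
        pos = 0
    with open(src, "rb") as f:
        f.seek(pos)
        chunk = f.read()
    with open(dst, "a", encoding="utf-8") as out:
        out.write(chunk.decode(encoding, errors="replace"))
    offsets[src] = size
    with open(state, "w", encoding="utf-8") as f:
        json.dump(offsets, f)
    return len(chunk)

def demo() -> tuple:
    """Write the sample, convert it twice; returns (first, second, utf8_text)."""
    with tempfile.TemporaryDirectory() as d:
        src, dst, state = (os.path.join(d, n) for n in ("ConnMon.log", "out.log", "state.json"))
        with open(src, "wb") as f:
            f.write(SAMPLE_CP1251)
        first = convert_tail(src, dst, state)
        second = convert_tail(src, dst, state)  # nothing new: 0 bytes
        with open(dst, encoding="utf-8") as f:
            return first, second, f.read()
```

Running `demo()` a second time on the same file returns 0 new bytes, which is the property the shared `last_read.txt` offset in the script above does not guarantee once several ConnMon* files exist.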