on the input, force everything to utf8

On Wed, 27 May 2015, T-SOC Operations wrote:

Date: Wed, 27 May 2015 19:02:33 +0200
From: T-SOC Operations <[email protected]>
Reply-To: [email protected]
To: [email protected]
Subject: AW: AW: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges

Hi David,

thanks for your time & patience!

If I just use those filters, I do get "_jsonparsefailure". So I just created different grok filters to match the messy encoded messages, but what I've seen as well is different encoding depending on the OSSEC agent source (Linux versus Windows :-), so I have to play around with charsets as well.

Cheers,
Gerald

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of David Lang
Sent: Wednesday, 27 May 2015 18:22
To: [email protected]
Subject: Re: AW: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges

in a filter section do:

    filter {
      grok {
        # GREEDYDATA rather than DATA: a lazy DATA at the end of an unanchored
        # pattern matches the empty string, so "message" would end up empty.
        match => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:message}" }
        # grok does not replace an existing field by default; without this the
        # syslog line and the JSON body both land in "message" as an array.
        overwrite => [ "message" ]
      }
      json {
        source => "message"
      }
    }

I'm not saying to go to rsyslog to then go to logstash, I'm saying go to rsyslog to go to ElasticSearch. There is no requirement to use logstash to get the logs in ElasticSearch.

David Lang

On Wed, 27 May 2015, T-SOC Operations wrote:
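The two pieces of advice in this thread, strip the syslog header with grok before handing the body to the json filter, and force the input to UTF-8 because Linux and Windows agents encode differently, can be exercised outside Logstash. The following Python is an added example, not code from the thread or from OSSEC/Logstash: it mirrors the grok-then-json steps, tags events the way Logstash does (`_grokparsefailure`, `_jsonparsefailure`), decodes each raw line as UTF-8 with a cp1252 fallback for Windows agents, and shows why a lazy `%{DATA}` at the end of a pattern captures nothing. The sample log lines and the JSON field names in them are constructed for the example.

```python
import json
import re

# Rough Python equivalent of grok's %{SYSLOGBASE}: "<timestamp> <host> <program>[pid]: ",
# followed by a *greedy* capture of the rest of the line (the OSSEC JSON document).
# This is an added illustration, not the grok pattern itself.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+) "
    r"(?P<program>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<body>.*)$",
    re.DOTALL,
)


def force_utf8(raw: bytes) -> str:
    """Decode one raw log line as UTF-8, falling back for Windows agents.

    A Linux agent typically emits UTF-8; a Windows agent in a German locale
    emits cp1252 (e.g. 0xFC for 'ü'), which is not valid UTF-8.  latin-1 is the
    last resort because every byte is defined in it, so decoding cannot fail.
    """
    for codec in ("utf-8", "cp1252", "latin-1"):
        try:
            return raw.decode(codec)
        except UnicodeDecodeError:
            continue
    raise AssertionError("unreachable: latin-1 decodes any byte string")


def parse_line(raw: bytes) -> dict:
    """Mirror the two Logstash filters: grok (strip syslog header), then json.

    Tags follow Logstash's conventions: _grokparsefailure when the syslog
    header does not match, _jsonparsefailure when the body is not a JSON object.
    """
    text = force_utf8(raw)
    event = {"message": text, "tags": []}

    m = SYSLOG_RE.match(text)
    if m is None:
        event["tags"].append("_grokparsefailure")
    else:
        for name in ("timestamp", "logsource", "program", "pid"):
            if m.group(name) is not None:
                event[name] = m.group(name)
        # Equivalent of overwrite => ["message"]: replace the whole syslog line
        # with just the JSON body, otherwise the json filter sees the header too.
        event["message"] = m.group("body")

    try:
        payload = json.loads(event["message"])
    except ValueError:            # json.JSONDecodeError is a ValueError
        payload = None
    if isinstance(payload, dict):
        event.update(payload)     # json { source => "message" } with no target
    else:
        event["tags"].append("_jsonparsefailure")
    return event


def lazy_vs_greedy(text: str) -> tuple:
    """Show why %{DATA:message} at the end of a pattern yields an empty field.

    grok's DATA is the lazy ``.*?`` and GREEDYDATA the greedy ``.*``; with no
    anchor after it, the lazy form is satisfied by matching nothing.
    """
    lazy = re.search(r": (.*?)", text).group(1)
    greedy = re.search(r": (.*)", text).group(1)
    return lazy, greedy


# Constructed sample lines (not real OSSEC output); the JSON field names are
# illustrative only.
SAMPLE_LINES = [
    # Linux agent: UTF-8 encoded umlaut in full_log
    ('May 27 18:22:01 ossec-server ossec: '
     '{"rule":{"level":5,"comment":"Login session opened."},'
     '"srcip":"10.0.0.5","full_log":"Benutzer müller angemeldet"}').encode("utf-8"),
    # Windows agent: the same text, but cp1252 encoded (0xFC for ü)
    ('May 27 18:22:02 ossec-server ossec[4711]: '
     '{"rule":{"level":7,"comment":"Windows logon"},'
     '"full_log":"Benutzer müller angemeldet"}').encode("cp1252"),
    # Truncated JSON: grok succeeds, the json filter tags _jsonparsefailure
    b'May 27 18:22:03 ossec-server ossec: {"rule":{"level":3',
    # No syslog header at all: grok fails, but the body is still valid JSON
    b'{"rule":{"level":3}}',
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_line(raw)
        print(ev["tags"], ev.get("rule"), ev.get("full_log"))
    print(lazy_vs_greedy('May 27 18:22:01 host prog: {"a":1}'))
```

Run as a script it prints one line per sample: the two agent lines decode to the same `full_log` text despite their different byte encodings, the truncated line carries only `_jsonparsefailure`, and the header-less line carries only `_grokparsefailure` while its JSON is still parsed, which is exactly how Logstash behaves when grok fails but the json filter still finds a parsable `message`. The cp1252 fallback is a heuristic: if an agent emits a different Windows code page, change the codec list rather than widening the latin-1 catch-all.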
