Hi folks,
I've been using the omelasticsearch output module for quite some time,
and I am happy with it. However, there is one issue I haven't been able
to tackle. Since I am writing data to Elasticsearch from a wide variety of
sources, I am accidentally running into syslog messages which contain
some iso8859 characters. Unfortunately, when trying to write them into
Elasticsearch as-is, you would get back the following error:

    org.elasticsearch.index.mapper.MapperParsingException: failed to parse [@message]
    ...
    ...
    ...
    Caused by: org.elasticsearch.common.jackson.core.JsonParseException: Invalid UTF-8 start byte 0x99

Apparently, the 'json' property replacer is not able to detect and
remove (or replace) such characters.
As a solution, I have tried to add the space-cc or drop-cc property replacer
to json, for example:

    \"@message\":\"%rawmsg:::space-cc,json%\"

but they have no effect (in addition, I have specified

    $EscapeControlCharactersOnReceive off

as recommended by the rsyslog documentation).
Is there any way to handle this problem? So far, I've been happy with
rsyslog+Elasticsearch setup, and I wouldn't like to add any Java based
tool into the processing pipeline.
kind regards,
risto
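
An added example, not part of the original post and not rsyslog's own code: the "Invalid UTF-8 start byte 0x99" error arises because bytes 0x80-0xC1 can never begin a UTF-8 sequence, so a message carrying single-byte ISO 8859 text has to be repaired before it is embedded in JSON. The function names `utf8_seq_len` and `utf8_fix` and the sample message are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Length of the well-formed UTF-8 sequence at s (n bytes remain), 0 if none. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    unsigned char c = s[0];
    unsigned long cp;
    size_t len, i;

    if (c < 0x80) return 1;                      /* plain ASCII */
    if (c >= 0xC2 && c <= 0xDF)      { len = 2; cp = c & 0x1F; }
    else if (c >= 0xE0 && c <= 0xEF) { len = 3; cp = c & 0x0F; }
    else if (c >= 0xF0 && c <= 0xF4) { len = 4; cp = c & 0x07; }
    else return 0;  /* 0x80-0xC1 (includes 0x99) and 0xF5-0xFF never start a sequence */
    if (len > n) return 0;                       /* truncated at end of buffer */
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;     /* not a continuation byte */
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    /* Reject overlong encodings, UTF-16 surrogates and values above U+10FFFF. */
    if (len == 3 && (cp < 0x800 || (cp >= 0xD800 && cp <= 0xDFFF))) return 0;
    if (len == 4 && (cp < 0x10000 || cp > 0x10FFFF)) return 0;
    return len;
}

/* Overwrite every byte that is not part of valid UTF-8 with repl; return the count. */
size_t utf8_fix(unsigned char *buf, size_t n, unsigned char repl)
{
    size_t i = 0, fixed = 0;

    while (i < n) {
        size_t len = utf8_seq_len(buf + i, n - i);
        if (len == 0) { buf[i++] = repl; fixed++; }
        else i += len;
    }
    return fixed;
}

int main(void)
{
    /* Constructed sample: stray 8-bit bytes 0x99 and 0xE9 beside a valid
     * two-byte UTF-8 sequence (0xC3 0xA9, e-acute). */
    unsigned char msg[] = "srv \x99 up, caf\xE9, \xC3\xA9";
    size_t fixed = utf8_fix(msg, strlen((char *)msg), '?');

    printf("%lu byte(s) replaced: %s\n", (unsigned long)fixed, (char *)msg);
    return 0;
}
```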