While reading logs from Windows, I got a string with two encodings, WIN-1251 and UTF-8:

like 2017-02-21 16:40:24 IT-73.domain.name INFO 44 NT AUTHORITY\҈Ғƌ�Центр обновления Windows начал скачивать обновление.

where the whole message is in UTF-8, except the part with the AccountName (usually NT AUTHORITY\SYSTEM in the English version of Windows 7), but in the Russian version it's NT AUTHORITY\СИСТЕМА and in the logs it looks like NT AUTHORITY\҈Ғƌ�

If I use 

convert_fields("AUTO", "utf-8")

I get the proper AccountName, but all the other parts get the wrong encoding.

Is there any way to replace that part with the correct encoding?


Asked March 23, 2017 - 9:39am

Answer (1)

Looks like im_msvistalog does not convert AccountName to UTF-8.

Until this is fixed, the workaround could be something like this:

Exec $AccountName = convert($AccountName, "WIN-1251", "utf-8");

The $raw_event field will still contain garbage there, you will need to reformat it (e.g. with to_syslog_snare() or manually).
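The same per-field repair that the Exec line above does inside NXLog, shown here as an added Python example (not code from the forum post or from NXLog) for post-processing already-collected raw events: only the account-name bytes are decoded as Windows-1251, everything else as UTF-8. It assumes space-separated fields and that the account name is the non-space run right after the first backslash, as in NT AUTHORITY\СИСТЕМА.

```python
# Added example, not from the forum post: repair an event line whose
# AccountName bytes are Windows-1251 while the rest of the line is UTF-8.
# Assumption: the account name is the non-space run after the first backslash.
import re

# Constructed sample, modelled on the event quoted in the question.
RAW_EVENT = (
    b"2017-02-21 16:40:24 IT-73.domain.name INFO 44 NT AUTHORITY\\"
    + "СИСТЕМА".encode("cp1251")          # the field im_msvistalog left in WIN-1251
    + b" "
    + "Центр обновления Windows начал скачивать обновление.".encode("utf-8")
)

ACCOUNT_RE = re.compile(rb"\\([^ ]+)")   # bytes after the first backslash, up to a space


def fix_mixed_event(raw: bytes, field_encoding: str = "cp1251") -> str:
    """Decode only the account-name bytes as field_encoding, the rest as UTF-8."""
    m = ACCOUNT_RE.search(raw)
    if m is None:                         # no account field: treat the line as UTF-8
        return raw.decode("utf-8", errors="replace")
    head = raw[: m.start(1)].decode("utf-8")
    account = m.group(1).decode(field_encoding)
    tail = raw[m.end(1):].decode("utf-8")
    return head + account + tail


def whole_line_decodings(raw: bytes):
    """What one encoding for the whole line gives: each choice garbles one part."""
    as_utf8 = raw.decode("utf-8", errors="replace")     # account name becomes U+FFFD soup
    as_cp1251 = raw.decode("cp1251", errors="replace")  # message becomes mojibake
    return as_utf8, as_cp1251


if __name__ == "__main__":
    print(fix_mixed_event(RAW_EVENT))
```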