Problem with NT AUTHORITY\СИСТЕМА in windows event log

#1 takezi

Hello.

While reading logs from Windows, I got a string with two encodings, WIN-1251 and UTF-8:

like 2017-02-21 16:40:24 IT-73.domain.name INFO 44 NT AUTHORITY\҈Ғƌ�Центр обновления Windows начал скачивать обновление.

where the whole message is in UTF-8 except the AccountName part (usually NT AUTHORITY\SYSTEM in the English version of Windows 7), which in the Russian version is NT AUTHORITY\СИСТЕМА and in the logs looks like NT AUTHORITY\҈Ғƌ�

If I use

convert_fields("AUTO", "utf-8")

I get the proper AccountName, but all the other parts get the wrong encoding.

Is there any way to replace that part with the correct encoding?


#2 b0ti Nxlog ✓

Looks like im_msvistalog does not convert AccountName to utf8.

Until this is fixed, the workaround could be something like this:

Exec $AccountName = convert($AccountName, "WIN-1251", "utf-8");

The $raw_event field will still contain garbage there; you will need to reformat it (e.g. with to_syslog_snare() or manually).
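To show why converting the whole line with a single charset cannot fix both parts, and why converting only the AccountName field (as in the workaround above) does, here is an added Python example that is not from this thread or from NXLog; the sample event, its field layout and the way the field boundary is located are constructed for illustration and do not reproduce im_msvistalog's real output format:

```python
# Added example: a raw event whose AccountName was emitted in WIN-1251
# (cp1251) while the rest of the line is UTF-8. Sample values are
# constructed; the field layout is a simplification of the thread's line.

def build_mixed_event() -> bytes:
    """Constructed raw event: UTF-8 everywhere except the AccountName."""
    prefix = "2017-02-21 16:40:24 IT-73.domain.name INFO 44 ".encode("utf-8")
    account = "NT AUTHORITY\\СИСТЕМА".encode("cp1251")      # the mis-encoded field
    message = " Центр обновления Windows начал скачивать обновление.".encode("utf-8")
    return prefix + account + message

def decode_whole(raw: bytes, charset: str) -> str:
    """Decode the entire line with one charset, as a whole-line convert would.

    With "utf-8" the cp1251 bytes of the account name become replacement
    characters; with "cp1251" the account name is right but the UTF-8
    Russian message turns into mojibake. Neither charset satisfies both.
    """
    return raw.decode(charset, errors="replace")

def repair_account_field(raw: bytes) -> str:
    """Decode only the AccountName as cp1251 and everything else as UTF-8.

    The field boundary is found by the (constructed) convention that the
    account name starts with 'NT AUTHORITY\\' and ends at the next space;
    in NXLog the field is already separate, so convert($AccountName, ...)
    needs no such search.
    """
    marker = b"NT AUTHORITY\\"
    start = raw.index(marker)
    end = raw.index(b" ", start + len(marker))
    account = raw[start:end].decode("cp1251")
    return raw[:start].decode("utf-8") + account + raw[end:].decode("utf-8")

if __name__ == "__main__":
    raw = build_mixed_event()
    print("as utf-8 :", decode_whole(raw, "utf-8"))
    print("as cp1251:", decode_whole(raw, "cp1251"))
    print("repaired :", repair_account_field(raw))
```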