Windows evtx files and utf encoding

Hello,

I changed the encoding on my filebeat ingester so that the log contents don’t have spaces in between each character.
As demonstrated in the following article:

By doing that, the encoding sometimes displays Chinese characters instead. The logs are Windows evtx files.

Any help would be appreciated.

The configuration for the filebeat.yml is the following:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
fields.source: ${sidecar.nodeName}
fields.os: ${sidecar.operatingSystem}

filebeat:
  inputs:
    - type: log
      close_removed: true
      clean_removed: true
      enabled: true
      close_inactive: 2h
      scan_frequency: 15s
      tail_files: true
      fields_under_root: true
      paths:
        - E:\EventForwarded\Archive-ForwardedEvents*.evtx
      encoding: utf-16le-bom

output.logstash:
   hosts: ["rtce-log-graylog1:5044", "rtce-log-graylog2:5044"]
   compression_level: 9
   bulk_max_size: 256
   loadbalance: true
tags:
 - windows

path:
  data: C:\Program Files\Graylog\sidecar\cache\filebeat\data
  logs: C:\Program Files\Graylog\sidecar\logs

Also, my filebeat.log file is full of the following error:

2020-03-10T18:14:02.870+0100 ERROR readfile/line.go:154 Error decoding line: transform: short source buffer

An example inside a message field in graylog is as follows:

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.Ą жԂଁ䤀渀昀漀爀洀愀琀椀漀渀Ѐᐁ嬀ȀąLogonĄ҆ԂЁ䤀渀昀漀Ѐᨁ琀ȀąSecurityĄRˮԂ␁䴀椀挀爀漀猀漀昀琀 圀椀渀搀漀眀猀 猀攀挀甀爀椀琀礀 愀甀搀椀琀椀渀最⸀Ѐ⼁관Ȁ␁�Ȁą Audit SuccessЄЄ0း⨪ᰐ糥煷쮍Ǖďe─猀؀ɂą5http://schemas.microsoft.com/win/2004/08/events/eventĂɜˎ䄂­ˮ¤ᅆԀ⌁䴀椀挀爀漀猀漀昀琀ⴀ圀椀渀搀漀眀猀ⴀ匀攀挀甀爀椀琀礀ⴀ䄀甀搀椀琀椀渀最؀Ͳą&{54849625-5478-4994-A5BA-3E3B0328C30D}ăϞԂЁ㐀㘀㈀㐀ЀఁഀȀą1ĄжԂā Ѐᐁ嬀Ȁą12544Ą҆Ԃā Ѐ⸁관Ȁą0x8020000000000000䄄NӺE⌆Ԁḁ㈀ ㈀ ⴀ ㌀ⴀ㄀ 吀 㠀㨀㐀㤀㨀 㤀⸀㠀㔀㐀㌀㔀㄀㘀 娀̀ᨁ謀Ȁą52750629Ą׎䄃)׸ ᵆԀ́㔀㘀 ؀لą8004ăٴԂࠁ匀攀挀甀爀椀琀礀Ѐ㘁꬀ȀąICTS-SEPM1.unog.un.orgĄ܀Ѓ쨁─aȀ䍁䬀a─؀̑ąSubjectUserSidԂࠁ匀ⴀ㄀ⴀ㔀ⴀ㄀㠀Ѐ䭁䬀a✀؀̑ąSubjectUserNameԂଁ䤀䌀吀匀ⴀ匀䔀倀䴀㄀␀Ѐ佁䬀a⬀؀̑ąSubjectDomainNameԂଁ䤀䌀吀匀ⴀ唀一伀䜀嘀䄀Ѐ㵁䬀a─؀̑ąSubjectLogonIdԂԁ 砀㌀攀㜀Ѐ赁䬀a⌀؀̑ą TargetUserSidԂ⸁匀ⴀ㄀ⴀ㔀ⴀ㈀㄀ⴀ㄀㘀㐀㔀㔀㈀㈀㈀㌀㤀ⴀ㄀㄀㜀㜀㈀㌀㠀㤀㄀㔀ⴀ㠀㌀㤀㔀㈀㈀㄀㄀㔀ⴀ㐀㌀㠀㈀ Ѐ佁䬀a─؀̑ąTargetUserNameԂก匀礀洀愀渀琀攀挀匀刀嘀䄀䌀䌀Ѐ䵁䬀a⤀؀̑ąTargetDomainNameԂଁ䤀䌀吀匀ⴀ唀一伀䜀嘀䄀Ѐ䝁䬀a⌀؀̑ą TargetLogonIdԂଁ 砀㄀㠀愀㈀㠀戀愀㜀搀Ѐ⭁䬀aᬀ؀̑ą LogonTypeԂā㈀Ѐ䝁䬀a⤀؀̑ąLogonProcessNameԂࠁ䄀搀瘀愀瀀椀 Ѐ孁䬀a㬀؀̑ąAuthenticationPackageNameԂँ一攀最漀琀椀This event is generated when a process attempts to log on an account by explicitly specifying that account s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 6Information[Logon�InfotSecurityR�$Microsoft Windows security auditing./�$� Audit Success08**�|wq���˸��A�e%sB5http://schemas.microsoft.com/win/2004/08/events/event\�A���F#Microsoft-Windows-Security-Auditingr&{54849625-5478-4994-A5BA-3E3B0328C30D}�4624 160[12544�0.�0x8020000000000000AN�E#2020-03-10T08:49:09.854351600Z�52750629�A)� F560D8004tSecurity6�ICTS-SEPM1.unog.un.orga�%aACKa%SubjectUserSidS-1-5-18AKKa'SubjectUserNameICTS-SEPM1$A
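The CJK-looking runs in the message above are a recognisable pattern rather than a wrong code page: an `.evtx` file is a binary format whose embedded strings are UTF-16LE, so a line-oriented text input that decodes the whole file as UTF-16 will drift off the two-byte boundary whenever a binary structure of odd length precedes a string. Once shifted by one byte, every ASCII letter lands in the high byte of a code unit, so `I n f o r m a t i o n` (bytes `49 00 6E 00 ...`) decodes as `䤀渀昀漀爀洀愀琀椀漀渀` (U+4900, U+6E00, ...). The `transform: short source buffer` line is `golang.org/x/text/transform`'s `ErrShortSrc`, reported when a read ends in the middle of a code unit. The following is an added, self-contained Python example (not code from the original post or from Filebeat) that reproduces the effect on a constructed buffer, detects a byte-shifted span and recovers the text; the three-byte header is an assumption that stands in for whatever odd-length binary preceded the string. It is a diagnostic aid only: a line-based text input is not a parser for this format, and an event-log-aware collector is the right way to ship `.evtx` content.

```python
# Added example (not from the original post): why a binary .evtx read as
# UTF-16LE text yields CJK-looking characters, and how to recognise and
# undo the byte shift when inspecting such a message.

# Constructed sample: an odd-length binary prefix (assumed, 3 bytes) followed
# by the UTF-16LE string "Information" exactly as it would sit in an .evtx.
SAMPLE = b"\x01\x00\x00" + "Information".encode("utf-16-le")


def strict_decode_fails(buf: bytes) -> bool:
    """True when a strict UTF-16LE decode rejects the buffer because it ends
    mid-code-unit (odd length). This is the Python analogue of Go's
    transform.ErrShortSrc, the 'short source buffer' error in filebeat.log."""
    try:
        buf.decode("utf-16-le")
        return False
    except UnicodeDecodeError:
        return True


def decode_utf16le_at(buf: bytes, offset: int) -> str:
    """Decode buf[offset:] as UTF-16LE, dropping a dangling trailing byte
    instead of failing, so a misaligned read can still be inspected."""
    tail = buf[offset:]
    if len(tail) % 2:
        tail = tail[:-1]
    return tail.decode("utf-16-le", errors="replace")


def looks_byte_shifted(text: str) -> bool:
    """Heuristic: a span is byte-shifted when most code units have a zero low
    byte and a printable-ASCII high byte (0x2000..0x7E00), i.e. the ASCII
    letter of each UTF-16LE character was read as the high byte."""
    units = [ord(c) for c in text if c != "\ufffd"]
    if not units:
        return False
    shifted = sum(1 for u in units if (u & 0xFF) == 0 and 0x2000 <= u <= 0x7E00)
    return shifted / len(units) > 0.8


def unshift(text: str) -> str:
    """Recover ASCII from a byte-shifted UTF-16 span: U+4900 -> 'I'.
    Code units that do not fit the pattern are passed through unchanged."""
    out = []
    for c in text:
        u = ord(c)
        if (u & 0xFF) == 0 and (u >> 8) < 0x80:
            out.append(chr(u >> 8))
        else:
            out.append(c)
    return "".join(out)


if __name__ == "__main__":
    misaligned = decode_utf16le_at(SAMPLE, 0)
    print("strict decode fails:", strict_decode_fails(SAMPLE))
    print("read from offset 0 :", repr(misaligned))
    print("byte-shifted?      :", looks_byte_shifted(misaligned))
    print("unshifted          :", repr(unshift(misaligned)))
    print("read from offset 3 :", repr(decode_utf16le_at(SAMPLE, 3)))
```

Running it prints the same `䤀渀昀漀爀洀愀琀椀漀渀` run that appears in the Graylog message, shows that the odd-length buffer is rejected by a strict decoder, and recovers `Information` both by re-aligning the read and by unshifting the already-garbled text. The heuristic in `looks_byte_shifted` is deliberately narrow (printable ASCII only) so that genuine CJK text in an event is not mistaken for a shift.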
