I changed the encoding on my filebeat ingester so that the log contents don't have spaces between each character.
As demonstrated in the following article:
By doing that, the encoding sometimes displays Chinese characters instead. The logs are Windows evtx files.
Any help would be appreciated.
The configuration for the filebeat.yml is the following:
An example inside a message field in Graylog is as follows:
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.Ą жԂଁ䤀渀昀漀爀洀愀琀椀漀渀Ѐᐁ嬀ȀąLogonĄ҆ԂЁ䤀渀昀漀Ѐᨁ琀ȀąSecurityĄRˮԂ␁䴀椀挀爀漀猀漀昀琀 圀椀渀搀漀眀猀 猀攀挀甀爀椀琀礀 愀甀搀椀琀椀渀最⸀Ѐ⼁관Ȁ␁�Ȁą Audit SuccessЄЄ0း⨪ᰐ糥煷쮍Ǖďe─猀ɂą5http://schemas.microsoft.com/win/2004/08/events/eventĂɜˎ䄂ˮ¤ᅆԀ⌁䴀椀挀爀漀猀漀昀琀ⴀ圀椀渀搀漀眀猀ⴀ匀攀挀甀爀椀琀礀ⴀ䄀甀搀椀琀椀渀最Ͳą&{54849625-5478-4994-A5BA-3E3B0328C30D}ăϞԂЁ㐀㘀㈀㐀ЀఁഀȀą1ĄжԂā Ѐᐁ嬀Ȁą12544Ą҆Ԃā Ѐ⸁관Ȁą0x8020000000000000䄄NӺE⌆Ԁḁ㈀ ㈀ ⴀ ㌀ⴀ 吀 㠀㨀㐀㤀㨀 㤀⸀㠀㔀㐀㌀㔀㘀 娀̀ᨁ謀Ȁą52750629Ą䄃) ᵆԀ́㔀㘀 لą8004ăٴԂࠁ匀攀挀甀爀椀琀礀Ѐ㘁ȀąICTS-SEPM1.unog.un.orgĄ܀Ѓ쨁─aȀ䍁䬀a─̑ąSubjectUserSidԂࠁ匀ⴀⴀ㔀ⴀ㠀Ѐ䭁䬀a✀̑ąSubjectUserNameԂଁ䤀䌀吀匀ⴀ匀䔀倀䴀␀Ѐ佁䬀a⬀̑ąSubjectDomainNameԂଁ䤀䌀吀匀ⴀ唀一伀䜀嘀䄀Ѐ㵁䬀a─̑ąSubjectLogonIdԂԁ 砀㌀攀㜀Ѐ赁䬀a⌀̑ą TargetUserSidԂ⸁匀ⴀⴀ㔀ⴀ㈀ⴀ㘀㐀㔀㔀㈀㈀㈀㌀㤀ⴀ㜀㜀㈀㌀㠀㤀㔀ⴀ㠀㌀㤀㔀㈀㈀㔀ⴀ㐀㌀㠀㈀ Ѐ佁䬀a─̑ąTargetUserNameԂก匀礀洀愀渀琀攀挀匀刀嘀䄀䌀䌀Ѐ䵁䬀a⤀̑ąTargetDomainNameԂଁ䤀䌀吀匀ⴀ唀一伀䜀嘀䄀Ѐ䝁䬀a⌀̑ą TargetLogonIdԂଁ 砀㠀愀㈀㠀戀愀㜀搀Ѐ⭁䬀aᬀ̑ą LogonTypeԂā㈀Ѐ䝁䬀a⤀̑ąLogonProcessNameԂࠁ䄀搀瘀愀瀀椀 Ѐ孁䬀a㬀̑ąAuthenticationPackageNameԂँ一攀最漀琀椀This event is generated when a process attempts to log on an account by explicitly specifying that account s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 6Information[Logon�InfotSecurityR�$Microsoft Windows security auditing./�$� Audit Success08**�|wq���˸��A�e%sB5http://schemas.microsoft.com/win/2004/08/events/event\�A���F#Microsoft-Windows-Security-Auditingr&{54849625-5478-4994-A5BA-3E3B0328C30D}�4624 160[12544�0.�0x8020000000000000AN�E#2020-03-10T08:49:09.854351600Z�52750629�A)� F560D8004tSecurity6�ICTS-SEPM1.unog.un.orga�%aACKa%SubjectUserSidS-1-5-18AKKa'SubjectUserNameICTS-SEPM1$A
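An added example (not part of the original post, and not from Filebeat or Graylog) that shows in Python why UTF-16LE text such as the strings inside a Windows EVTX record appears either with a space after every character or as CJK characters, depending on how the bytes are decoded, and how a byte-swapped string can be recovered. The sample string "Information" is constructed here; the function names are the example's own.

```python
# Added example: the three ways UTF-16LE Windows log text shows up when the
# consumer guesses the wrong encoding. Sample input is constructed, not taken
# from a real EVTX file.

SAMPLE_TEXT = "Information"
# Constructed: how Windows stores this string in an EVTX record (UTF-16LE):
# every ASCII character is followed by a NUL byte.
SAMPLE_UTF16LE = SAMPLE_TEXT.encode("utf-16-le")


def looks_like_utf16le(raw: bytes) -> bool:
    """Heuristic: even length and a NUL at every odd offset means the bytes are
    very likely UTF-16LE text made of ASCII characters."""
    if len(raw) == 0 or len(raw) % 2:
        return False
    return all(raw[i] == 0 for i in range(1, len(raw), 2))


def as_8bit(raw: bytes) -> str:
    """Decode as a single-byte charset: the NUL after each character survives
    and most viewers render it as a blank, giving 'I n f o r m a t i o n'."""
    return raw.decode("latin-1")


def with_nul_as_space(raw: bytes) -> str:
    """What the 'spaces between each character' symptom looks like on screen."""
    return as_8bit(raw).replace("\x00", " ")


def as_byte_swapped(raw: bytes) -> str:
    """Decode with the wrong byte order (big-endian): 'I' (0x49) plus its NUL
    becomes U+4900, a CJK character. This is the 'Chinese characters' symptom."""
    return raw.decode("utf-16-be")


def as_utf16le(raw: bytes) -> str:
    """The correct decoding for EVTX string fields."""
    return raw.decode("utf-16-le")


def repair_swapped(text: str) -> str:
    """Undo a byte-swapped decode after the fact: re-emit the code points as
    UTF-16BE bytes (restoring the original byte stream) and decode as UTF-16LE."""
    return text.encode("utf-16-be").decode("utf-16-le")


def decode_log_text(raw: bytes) -> str:
    """Pick UTF-16LE when the byte pattern says so, otherwise fall back to UTF-8."""
    if looks_like_utf16le(raw):
        return as_utf16le(raw)
    return raw.decode("utf-8", errors="replace")


if __name__ == "__main__":
    print("8-bit view:   ", repr(with_nul_as_space(SAMPLE_UTF16LE)))
    print("swapped view: ", as_byte_swapped(SAMPLE_UTF16LE))
    print("correct view: ", decode_log_text(SAMPLE_UTF16LE))
    print("repaired:     ", repair_swapped(as_byte_swapped(SAMPLE_UTF16LE)))
```

The swapped view reproduces the characters seen in the message field above ('䤀渀昀漀爀洀愀琀椀漀渀' is "Information" read big-endian), so `repair_swapped` is a quick way to read such a field without re-ingesting, while `decode_log_text` is the check to apply before the text reaches the pipeline.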