<p dir="ltr">Hi,</p>
<p dir="ltr">Do I understand correctly that you added <U+1F633> in place of UTF-8 sequences in the email, and that the file contains the UTF-8 encoding of the same value?</p>
<p dir="ltr">My theory right now is that elastic uses a 16-bit representation of Unicode code points, and 1f633 doesn't fit there. But I couldn't come up with a plausible explanation of how it would become ð<U+009F><U+0098>³</p>
<p dir="ltr">Syslog-ng uses UTF-8 internally, so it should work with long UTF-8 sequences without problems. Do you perhaps have an encoding() option at the elastic destination?</p>
<p dir="ltr">It could also be a problem in the elastic Java plugin, I don't know how we supply the data. @juhaszviktor do you see any chance of this happening in the Java code?</p>
<div class="gmail_quote">On Oct 2, 2015 20:19, "Evan Rempel" <<a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I think I have come across a bug in the elasticsearch destination where log lines with UTF-8 characters result in a shortened message length attribute, which results in a slightly truncated JSON object being sent to elasticsearch.<br>
<br>
<br>
and here is the source syslog line at our syslog server. This is where the JSON object is created.<br>
<br>
2015-10-02T10:22:47-07:00 <a href="http://local@sandtiger.comp.uvic.ca/sandtiger.comp.uvic.ca" rel="noreferrer" target="_blank">local@sandtiger.comp.uvic.ca/sandtiger.comp.uvic.ca</a> mail.warning <a href="http://mimedefang.pl" rel="noreferrer" target="_blank">mimedefang.pl</a>[10880]: t92HMkGW028396: Allowing attachment named OutlookEmoji-<U+1F633>.png, ext=.png, type=image/png, RELAY=<a href="http://mail-bn1on0131.outbound.protection.outlook.com" rel="noreferrer" target="_blank">mail-bn1on0131.outbound.protection.outlook.com</a> [157.56.110.131], FROM=<Holly.Richardson@Dal.Ca>, TO=<<a href="mailto:cobyt@uvic.ca">cobyt@uvic.ca</a>><br>
<br>
Here is the JSON object as logged to a file destination on the same host that is running the elasticsearch destination. This is just logging $MESSAGE since the payload is already JSON.<br>
<br>
{"flare":{"profile":"DCS"},"cfgmgrrole":"INFRA","cfgmgrosFull":"Redhat 5_64","cfgmgros":"unix","cfgmgrmodel":"ESX 5","cfgmgrlocation":"ESX-PROD","cfgmgrenvironment":"Prod","cfgmgrassetType":"Virtual Server","SOURCEHOST":"<a href="http://sandtiger.comp.uvic.ca" rel="noreferrer" target="_blank">sandtiger.comp.uvic.ca</a>","SHORTHOST":"sandtiger","PROGRAM":"<a href="http://mimedefang.pl" rel="noreferrer" target="_blank">mimedefang.pl</a>","PRIORITY":"warning","PID":"10880","PATTERNID":"377","MESSAGE":"t92HMkGW028396: Allowing attachment named OutlookEmoji-<U+1F633>.png, ext=.png, type=image/png,<br>
RELAY=<a href="http://mail-bn1on0131.outbound.protection.outlook.com" rel="noreferrer" target="_blank">mail-bn1on0131.outbound.protection.outlook.com</a> [157.56.110.131], FROM=<Holly.Richardson@Dal.Ca>, TO=<<a href="mailto:cobyt@uvic.ca">cobyt@uvic.ca</a>>","ISODATE":"2015-10-02T10:22:47-07:00","HOST":"<a href="http://sandtiger.comp.uvic.ca" rel="noreferrer" target="_blank">sandtiger.comp.uvic.ca</a>","FACILITY":"mail"}<br>
<br>
This is the same content that is sent to the elasticsearch destination -- option("message-template", "$MESSAGE\n")<br>
<br>
and here is the failed message from the elasticsearch server<br>
<br>
[2015-10-02 10:22:48,630][DEBUG][action.bulk ] [sponge] [flare-2015.10.02.17][2] failed to execute bulk item (index) index {[flare-2015.10.02.17][test][AVApk-CyhIyyHCO_k_bc], source[{"flare":{"profile":"DCS"},"cfgmgrrole":"INFRA","cfgmgrosFull":"Redhat 5_64","cfgmgros":"unix","cfgmgrmodel":"ESX 5","cfgmgrlocation":"ESX-PROD","cfgmgrenvironment":"Prod","cfgmg<br>
rassetType":"Virtual Server","SOURCEHOST":"<a href="http://sandtiger.comp.uvic.ca" rel="noreferrer" target="_blank">sandtiger.comp.uvic.ca</a>","SHORTHOST":"sandtiger","PROGRAM":"<a href="http://mimedefang.pl" rel="noreferrer" target="_blank">mimedefang.pl</a>","PRIORITY":"warning","PID":"10880","PATTERNID":"377","MESSAGE":"t92HMkGW028396: Allowing attachment named OutlookEmoji-ð<U+009F><U+0098>³.png, ext=.png, type=image/png, RELAY=<a href="http://mail-bn1on0131.outbound.protection.outlook.com" rel="noreferrer" target="_blank">mail-bn1on0131.outbound.protection.outlook.com</a> [157.56.110.131], FROM=<Holly.Rich<br>
ardson@Dal.Ca>, TO=<<a href="mailto:cobyt@uvic.ca">cobyt@uvic.ca</a>>","ISODATE":"2015-10-02T10:22:47-07:00","HOST":"<a href="http://sandtiger.comp.uvic.ca" rel="noreferrer" target="_blank">sandtiger.comp.uvic.ca</a>","FACILITY":"mail]}<br>
<br>
<br>
<br>
Note that the source has Unicode data as <U+1F633><br>
The elasticsearch destination is sent <U+1F633><br>
but the elasticsearch server logs ð<U+009F><U+0098>³<br>
<br>
The elasticsearch server also seems to end the message with the text<br>
<br>
"FACILITY":"mail<br>
<br>
when it should end with<br>
<br>
"FACILITY":"mail"}<br>
<br>
so it is missing two characters.<br>
<br>
Does anyone want to guess at what is happening?<br>
<br>
Should I post to the elasticsearch group with the reasoning that the source (syslog-ng) and the destination (elasticsearch) need to be configured with the same Unicode settings?<br>
<br>
Thanks,<br>
<br>
--<br>
Evan Rempel <a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a><br>
Senior Systems Administrator 250.721.7691<br>
Data Centre Services, University Systems, University of Victoria<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
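<p dir="ltr">An added illustration of the 16-bit theory from the reply above; this is not code from the thread or from syslog-ng, and the document it works on is a constructed, shortened version of the JSON object Evan posted. It shows that if the message length is computed in UTF-16 code units (what Java's String.length() returns) but the bytes sent are UTF-8, a 4-byte character such as U+1F633 is counted as 2 instead of 4, so exactly two bytes go missing at the end of the document, and that decoding the intact UTF-8 bytes as Latin-1 yields the four characters ð, U+009F, U+0098, ³ seen in the elasticsearch DEBUG log. Whether the plugin actually does this is an assumption; the example only demonstrates that the numbers match.</p>

```python
# Added example, not part of the mailing list thread or of syslog-ng.
# Hypothesis under test: a message length counted in UTF-16 code units is
# used to frame UTF-8 bytes, truncating the document by (utf8_bytes - utf16_units).
import json

# Constructed sample, modelled on (and shortened from) the JSON object in the thread.
DOC = {
    "PROGRAM": "mimedefang.pl",
    "MESSAGE": ("t92HMkGW028396: Allowing attachment named "
                "OutlookEmoji-\U0001F633.png, ext=.png, type=image/png"),
    "FACILITY": "mail",
}


def encode_doc(doc):
    """Serialise like $MESSAGE in the thread: raw UTF-8, no \\u escapes, no padding."""
    return json.dumps(doc, ensure_ascii=False, separators=(",", ":")).encode("utf-8")


def utf16_units(text):
    """Length as Java's String.length() sees it: code points above U+FFFF cost two units."""
    return len(text.encode("utf-16-le")) // 2


def length_mismatch(doc):
    """Compare the three lengths a plugin might confuse for one another."""
    data = encode_doc(doc)
    text = data.decode("utf-8")
    return {
        "utf8_bytes": len(data),          # what actually goes on the wire
        "code_points": len(text),         # one per character
        "utf16_units": utf16_units(text), # hypothesised length used for framing
    }


def simulate_truncation(doc):
    """Send the UTF-8 bytes but keep only as many as the UTF-16 length declares.

    Returns the truncated bytes and their Latin-1 rendering, which is how the
    elasticsearch log in the thread displayed them (F0 9F 98 B3 -> ð U+009F U+0098 ³).
    """
    data = encode_doc(doc)
    declared = utf16_units(data.decode("utf-8"))
    received = data[:declared]
    return received, received.decode("latin-1")


def is_valid_json(data):
    """True if the receiver could still parse the document it got."""
    try:
        json.loads(data)
        return True
    except ValueError:  # covers both JSONDecodeError and UnicodeDecodeError
        return False


if __name__ == "__main__":
    lengths = length_mismatch(DOC)
    print(lengths, "short by", lengths["utf8_bytes"] - lengths["utf16_units"], "bytes")
    received, as_latin1 = simulate_truncation(DOC)
    print("tail of received bytes:", received[-20:])
    print("Latin-1 view:", as_latin1)
    print("still valid JSON:", is_valid_json(received))
```

<p dir="ltr">With one U+1F633 in the message the shortfall is exactly two bytes, so the received document ends in "FACILITY":"mail with the closing "} gone, which is the symptom in the original report; each additional non-BMP character would cost two more bytes, while characters in the BMP (two or three UTF-8 bytes, one UTF-16 unit) would be truncated by a different amount. If the plugin is on a code path that counts chars, sizing the buffer with the UTF-8 byte length of the serialised string would close the gap.</p>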