-
Title
Non-Breaking Space in event log when viewed in logstore. -
Description
When Windows event logs are viewed in a logstore or in a file some logs have a space between the data label & the colon and other logs do not have this space.
The log looks look this: ( For clarity the data labels are highlighted below )
2021-03-02T15:58:32+01:00 OICRK1DC2 Microsoft_Windows_security_auditing.[2700]: OICRK1DC2 \Administrateur Security Microsoft Windows security auditing.: [Success Audit] Fermeture de session d’un compte. Sujet : ID de sécurité : OICRK1DC2\Administrateur…………………………
But would be expected to look like this:
2021-03-02T15:58:32+01:00 OICRK1DC2 Microsoft_Windows_security_auditing.[2700]: OICRK1DC2 \Administrateur Security Microsoft Windows security auditing.: [Success Audit] Fermeture de session d’un compte. Sujet: ID de sécurité: OICRK1DC2\Administrateur…………………………
-
Cause
The problem is caused by the French translation by Microsoft of the event logs. In the French edition of the logs there is a ‘non-breaking space’ between the ‘Data Name’ and the colon. This space does not appear in the English version of the logs.
This only seems to affect the Security event logs.
-
Resolution
The space can be removed using the following rewrite rule and placing it before the destination in the logpath.
rewrite r_removeSpace {subst(" :", ":", value("MESSAGE"), flags("global"));};
log {source(s_ windowseventlog); rewrite(r_ removeSpace); destination(d_ windowseventlog);};
-
Additional Information
The hexadecimal value for the non-breaking space is 'c2 a0'