lib/logstash/inputs/eventlog.rb in logstash-input-eventlog-4.0.2 vs lib/logstash/inputs/eventlog.rb in logstash-input-eventlog-4.1.1

- old
+ new

@@ -2,11 +2,13 @@ require "logstash/inputs/base" require "logstash/namespace" require "logstash/timestamp" require "win32/eventlog" require "stud/interval" +require "logstash/util/charset" + # This input will pull events from a http://msdn.microsoft.com/en-us/library/windows/desktop/bb309026%28v=vs.85%29.aspx[Windows Event Log]. # Note that Windows Event Logs are stored on disk in a binary format and are only accessible from the Win32 API. # This means Losgtash needs to be running as an agent on Windows servers where you wish to collect logs # from, and will not be accesible across the network. #
@@ -30,10 +32,14 @@ config :logfile, :validate => :string, :validate => [ "Application", "Security", "System" ], :default => "Application" # How frequently should tail check for new event logs in ms (default: 1 second) config :interval, :validate => :number, :default => 1000 + # Event Log string encoding (default: UTF-16LE), however your system might be using another encoding, if you + # are seeing strange characters, inspect this variable. + config :charset, :validate => :string, :default => "UTF-16LE" + public def register # wrap specified logfiles in suitable OR statements @hostname = Socket.gethostname
@@ -45,10 +51,11 @@ if e.errno == 1314 # ERROR_PRIVILEGE_NOT_HELD @logger.fatal("No privilege held to open logfile", :logfile => @logfile) end raise end + @converter = LogStash::Util::Charset.new(Encoding.find(@charset)) end # def register public def run(queue)
@@ -71,11 +78,11 @@ end private def process(log) - LogStash::Event.new( + attrs = { "host" => @hostname, "Logfile" => @logfile, "message" => log["description"].strip, "Category" => log["category"], "ComputerName" => log["computer"],
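Review bot: In the `@@ -30,10 +32,14 @@` hunk, `config :charset` is validated only as `:string`, so a misspelled encoding name passes configuration checks and only surfaces later as an `ArgumentError` from `Encoding.find(@charset)` at the end of `register`. Logstash codecs restrict the same setting to known names, which here would read `config :charset, :validate => ::Encoding.name_list, :default => "UTF-16LE"`. The comment could also tell the operator what to do instead of "inspect this variable", for example `# Set this to the encoding your system uses if events show garbled characters.`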
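Review bot: In the `@@ -45,10 +51,11 @@` hunk the converter is created without a logger, and only after the event log has already been opened. As far as I recall, `LogStash::Util::Charset#convert` reports invalid bytes through its own `logger` attribute when the configured charset is UTF-8, so `charset => "UTF-8"` may hit a nil logger on the first malformed record; codecs pair the constructor with `@converter.logger = @logger`. Building the converter at the top of `register` would also make a bad charset fail before the log handle is opened. `register` starts outside this hunk, so the exact placement needs checking against the full method.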
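Review bot: `"message" => log["description"].strip` in the `@@ -71,11 +78,11 @@` hunk still runs before the charset conversion that the following hunk adds. If the description really arrives as UTF-16LE bytes under a different encoding tag, `strip` operates on the unconverted bytes and can drop a trailing NUL that is the high half of the last code unit, so the final character of a security-relevant message may convert to a replacement character. Converting first avoids that: `"message" => convert(log["description"]).strip`, with `"message"` added to the keys the loop skips. `process` continues past the end of this hunk.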
@@ -86,10 +93,27 @@ "TimeGenerated" => log["time_generated"], "TimeWritten" => log["time_written"], "Type" => log["event_type"], "User" => log["user"], "InsertionStrings" => log["string_inserts"] - ) + } + + attrs.each do |k,v| + next if ["host", "Logfile"].include?(k) + attrs[k] = convert(v) + end + + LogStash::Event.new(attrs) end # def run + + def convert(field) + if field.is_a?(String) + @converter.convert(field) + elsif field.is_a?(Array) + field.map { |v| @converter.convert(v) } + else + field + end + end end # class LogStash::Inputs::EventLog
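Review bot: In `convert`, the Array branch calls `@converter.convert(v)` on every element, so it assumes each entry of `log["string_inserts"]` is a String. A nil or numeric element would raise inside `process`, and depending on how `run` handles errors (not visible here) that could interrupt event collection. Routing elements back through the helper keeps the type check: `field.map { |v| convert(v) }`. The helper would also benefit from a one-line comment such as `# Re-encode String values (and Strings inside Arrays) with @converter; other types pass through unchanged.`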