Good Day,
I have configured an Ubuntu Server to send Auditd and syslog logs using the local BindPlane Agent installed on this same system. When I view the RAW logs in SecOps, it's showing odd characters or Unicode.
/h���file�1/var/log/remote/msg/ABr-dev01-gateway/AB_FLOW.log�log�qMar 2 16:06:03 ABr-mtl01-gateway AB_FLOW: AB_FLOW_SESSION_CREATE: session created 10.150.202.52/46768->10.55.182.88/28015 0x0 None 0.0.0.0/0->10.55.182.88/28015 0x0 N/A N/A N/A N/A 6 default-policy-logical-system-00 SL-PUBLIC SID-Workload-OCP-Storage-169-Segment-Zone 12886267255 N/A(N/A) ae1.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A Off root N/A N/A N/A N/A���gā�
C�����file�1/var/log/remote/msg/ABr-dev01-gateway/AB_FLOW.log�log�zMar 2 16:05:20 ABr-mtl01-gateway AB_FLOW: AB_FLOW_SESSION_CREATE: session created 10.185.84/32769->10.1.1.245/443 0x0 junos-https 10.55.185.84/32769->10.1.1.245/443 0x0 N/A N/A N/A N/A 6 Allow-ABC-Management-Access-To-External-URLs Management-Public-OCT-Zone SL-PUBLIC 12886678565 N/A(N/A) ae1.787 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A Off root N/A N/A N/A N/A���gā�
If I check /etc/audit/auditd.conf on the Linux server, log_format = ENRICHED.
I am using the following config.yaml file for the BindPlane agent:

receivers:
  tcplog:
    # Replace the below port <54525> and IP <0.0.0.0> with your specific values
    listen_address: "127.0.0.1:5140"
exporters:
  chronicle/chronicle_w_labels:
    compression: gzip
    # Adjust the creds location below according to the placement of the credentials file you downloaded
    creds: '{ INSERT SECOPS CREDS DATA HERE }'
    # Replace <customer_id> below with your actual ID that you copied
    customer_id: <Customer ID>
    endpoint: malachiteingestion-pa.googleapis.com
    # You can apply ingestion labels below as preferred
    ingestion_labels:
      log_type: AUDITD
      namespace: auditd
    raw_log_field: body
service:
  pipelines:
    logs/source0__chronicle_w_labels-0:
      receivers:
        - tcplog
      exporters:
        - chronicle/chronicle_w_labels
/etc/audit/auditd.conf
Is there a setting I am missing in the config, or could it be something related to the auditd.conf file?
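Added example (not from the post above, and not BindPlane or SecOps code): the stray characters in the pasted samples look like length-prefixed binary framing rather than text. In the first sample the character rendered as "1" right before the path is byte 0x31 = 49, which is exactly the length of /var/log/remote/msg/ABr-dev01-gateway/AB_FLOW.log, and the words "file" and "log" sit directly in front of the path and the message, the way string keys of a msgpack-encoded record from a file-tailing shipper would. The tcplog receiver in the posted config splits the TCP stream on newlines and forwards each chunk as text, so any binary framing coming from the sender lands in the raw log verbatim. The script below, standard library only, tells plain syslog text apart from a msgpack-framed record and pulls the syslog message out of the framing. The sample bytes are constructed here: msgpack framing is my assumption about the sender, while the path and message text are copied from the post.

```python
"""Diagnose whether a 'raw log' line is plain syslog text or a binary-framed
(msgpack) record with the syslog text embedded in it. Standard library only."""
import re
import struct
from typing import Dict, List, Optional, Tuple

# RFC 3164-style header: optional <PRI>, then "Mon  d HH:MM:SS host ".
SYSLOG_RE = re.compile(r"^(?:<\d{1,3}>)?[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ")


def pack_str(s: str) -> bytes:
    """Encode a string as msgpack does (fixstr / str8 / str16).
    Used only to build the constructed sample below."""
    b = s.encode("utf-8")
    n = len(b)
    if n < 32:
        return bytes([0xA0 | n]) + b
    if n < 256:
        return b"\xd9" + bytes([n]) + b
    return b"\xda" + struct.pack(">H", n) + b


# Constructed sample (assumption: a {"file": path, "log": message} record as a
# file-tailing shipper would emit it, framed with msgpack). Path and message
# text come from the post; the byte framing is ours, not the poster's capture.
PATH = "/var/log/remote/msg/ABr-dev01-gateway/AB_FLOW.log"
MSG = ("Mar  2 16:06:03 ABr-mtl01-gateway AB_FLOW: AB_FLOW_SESSION_CREATE: "
       "session created 10.150.202.52/46768->10.55.182.88/28015 0x0 None "
       "0.0.0.0/0->10.55.182.88/28015 0x0 N/A N/A N/A N/A 6 "
       "default-policy-logical-system-00 SL-PUBLIC "
       "SID-Workload-OCP-Storage-169-Segment-Zone 12886267255 N/A(N/A) ae1.0 "
       "UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A Off root N/A N/A N/A N/A")
FRAMED = b"\x82" + pack_str("file") + pack_str(PATH) + pack_str("log") + pack_str(MSG)
PLAIN = ("<86>" + MSG).encode("ascii")


def msgpack_strings(raw: bytes) -> List[Tuple[int, str]]:
    """Scan for msgpack string headers whose declared length is followed by
    exactly that many printable ASCII bytes; return (offset, text) pairs.
    Plain ASCII never contains bytes >= 0x80, so a text line yields nothing."""
    found: List[Tuple[int, str]] = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if 0xA0 <= b <= 0xBF:                     # fixstr: length in low 5 bits
            n, hdr = b & 0x1F, 1
        elif b == 0xD9 and i + 1 < len(raw):      # str8: one length byte
            n, hdr = raw[i + 1], 2
        elif b == 0xDA and i + 2 < len(raw):      # str16: big-endian 2-byte length
            n, hdr = struct.unpack(">H", raw[i + 1:i + 3])[0], 3
        else:
            i += 1
            continue
        body = raw[i + hdr:i + hdr + n]
        if n and len(body) == n and all(0x20 <= c < 0x7F for c in body):
            found.append((i, body.decode("ascii")))
            i += hdr + n
        else:
            i += 1
    return found


def diagnose(raw: bytes) -> Dict[str, object]:
    """Classify one raw line and extract the human-readable syslog message."""
    text = raw.decode("ascii", errors="replace")
    if SYSLOG_RE.match(text):
        return {"framing": "plain-text", "message": text, "fields": {}}
    strs = msgpack_strings(raw)
    # Assumption: the record is a map of string keys to string values, so the
    # decoded strings alternate key, value, key, value.
    fields = {k: v for (_, k), (_, v) in zip(strs[::2], strs[1::2])}
    message: Optional[str] = next((v for v in fields.values() if SYSLOG_RE.match(v)), None)
    return {"framing": "msgpack" if strs else "unknown", "message": message, "fields": fields}


if __name__ == "__main__":
    for sample in (PLAIN, FRAMED):
        d = diagnose(sample)
        print(d["framing"], "->", (d["message"] or "")[:60])
```

To use it on a real capture, run tcpdump or socat on 127.0.0.1:5140 and feed the bytes of one line to diagnose(). If the framed case matches, the fix belongs on the sending side (ship newline-delimited text to the tcplog port, or pick a receiver that speaks the sender's protocol), not in auditd.conf: log_format = ENRICHED only adds resolved names to auditd's text records and would not by itself produce these bytes.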