IBM Support

QRadar: Hebrew characters are not parsed correctly when collecting events using WinCollect File Forwarder

Troubleshooting


Problem

Events containing Hebrew characters are not always parsed correctly. This article helps you resolve the issue.

Symptom

The issue appears when the payload contains values in Hebrew, for example when the data is stored in CSV format. In the following sample, the Event_Type and Error_Text values contain Hebrew characters, which are not parsed correctly and are shown as unknown characters "????".

Date, System, Event_type, Index, Error_Text
12/1/2023 10:30, plato_elm_arx.nsf, שנבג, FN020200000003296271, שנבגקכעיןחלךצמםפ

[Screenshot: QRadar Log Activity]

Cause

A common cause is that the file with the data is saved in an encoding other than UTF-8, for example ANSI.


Environment

QRadar 7.4.x / 7.5.x
WinCollect 7.3.x / 10.x

Resolving The Problem

Before you start
The file needs to be saved with encoding UTF-8.
Steps
  1. Log in to the Windows® host that has IBM WinCollect 10 installed.
  2. Open IBM WinCollect 10 Console from the Start menu.
  3. Enable Advanced UI in the WinCollect 10 settings.
  4. On the navigation menu ( Navigation menu icon ), click Local Sources and edit your File Forwarder log source configuration.
  5. Find File reader encoding and make sure that UTF8 (no conversion) is selected.
  6. If you made any changes, click Apply.
  7. Log in to the QRadar Console UI.
  8. On the navigation menu ( Navigation menu icon ), click Admin. In the Data Sources section, click Log Sources, then Manage Log Sources, and find and check the configuration of your File Forwarder log source.
  9. In the QRadar log source configuration, the Incoming Payload Encoding needs to be UTF-8. If UTF-8 does not resolve the issue, you can try, for example, ISO-8859-8.
  10. Disable and then Enable the Log source.

     
Result
Verify the correct parsing of the payloads in the QRadar Log Activity view.
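
The "Before you start" requirement can be checked on the file's raw bytes before the file is forwarded. The following Python script is an added example, not IBM or WinCollect code; it assumes that "ANSI" on a Hebrew-locale Windows host means code page 1255, and its function names and sample bytes are constructed for illustration.

```python
# Added example (not IBM code): check a file's encoding before forwarding it.

# Legacy Hebrew code pages tried when the bytes are not valid UTF-8.
# Assumption: "ANSI" on a Hebrew-locale Windows host is cp1255 (Windows-1255);
# ISO-8859-8 is the alternative the article names.
LEGACY_CANDIDATES = ("cp1255", "iso8859_8")
UTF8_BOM = b"\xef\xbb\xbf"


def has_hebrew(text):
    """True if text holds at least one Hebrew letter (U+05D0..U+05EA)."""
    return any("\u05d0" <= ch <= "\u05ea" for ch in text)


def classify(data):
    """Return (encoding_name, decoded_text) for raw file bytes.

    Strict UTF-8 decoding is the reliable test. The legacy match is only a
    heuristic: single-byte code pages accept almost any byte sequence.
    """
    try:
        if data.startswith(UTF8_BOM):
            return "utf-8-sig", data.decode("utf-8-sig")
        return "utf-8", data.decode("utf-8")
    except UnicodeDecodeError:
        pass
    for name in LEGACY_CANDIDATES:
        try:
            text = data.decode(name)
        except UnicodeDecodeError:
            continue
        if has_hebrew(text):
            return name, text
    return "unknown", data.decode("utf-8", errors="replace")


def to_utf8(data):
    """Re-encode file bytes as UTF-8 (no BOM); refuse an unknown encoding."""
    name, text = classify(data)
    if name == "unknown":
        raise ValueError("cannot determine source encoding")
    return text.encode("utf-8")


# Constructed sample: the article's CSV row as an ANSI (cp1255) save stores it.
ROW = "12/1/2023 10:30, plato_elm_arx.nsf, שנבג, FN020200000003296271, שנבגקכעיןחלךצמםפ"
ANSI_BYTES = ROW.encode("cp1255")

if __name__ == "__main__":
    print(classify(ANSI_BYTES)[0], "->", classify(to_utf8(ANSI_BYTES))[0])
```

A result other than `utf-8` or `utf-8-sig` means the file is not stored as UTF-8, which matches the cause described above.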


Document Location

Worldwide


Document Information

Modified date:
22 March 2023

UID

ibm16956862