Messages containing unicode breaks LogStash parsing #13

@aknot242

Description

The following attack: http://TARGET/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

Results in the event not appearing in Kibana, and the following error appears in the logstash log:

[2020-10-08T19:36:10,453][WARN ][logstash.codecs.plain ][main] Received an event that has a different character encoding than you configured. {:text=>"<130>Oct 8 19:36:10 ip-10-1-1-7 ASM:attack_type=\\\"Non-browser Client,Abuse of Functionality,Predictable Resource Location,Path Traversal,Forceful Browsing\\\",blocking_exception_reason=\\\"N/A\\\",date_time=\\\"2020-10-08 19:36:09\\\",dest_port=\\\"8080\\\",ip_client=\\\"10.1.1.254\\\",is_truncated=\\\"false\\\",method=\\\"GET\\\",policy_name=\\\"/Common/policy1\\\",protocol=\\\"HTTP\\\",request_status=\\\"blocked\\\",response_code=\\\"0\\\",severity=\\\"Critical\\\",sig_cves=\\\"N/A\\\",sig_ids=\\\"200010012,200007003,200007029\\\",sig_names=\\\"\\\"\\\"system32\\\"\\\" access,Directory Traversal attempt \\\"\\\"/..%c0%af\\\"\\\",Directory Traversal attempt \\\"\\\"../\\\"\\\" (URI)\\\",sig_set_names=\\\"{Predictable Resource Location Signatures},{Path Traversal Signatures},{Path Traversal Signatures}\\\",src_port=\\\"24054\\\",sub_violations=\\\"N/A\\\",support_id=\\\"5296512740007329311\\\",threat_campaign_names=\\\"N/A\\\",unit_hostname=\\\"N/A\\\",uri=\\\"/scripts/..\\xC0\\xAF../winnt/system32/cmd.exe\\\",violation_rating=\\\"5\\\",vs_name=\\\"18-localhost:1-/\\\",x_forwarded_for_header_value=\\\"192.183.206.144\\\",outcome=\\\"REJECTED\\\",outcome_reason=\\\"SECURITY_WAF_VIOLATION\\\",violations=\\\"Failed to convert character,Illegal meta character in parameter name,Illegal file type,Attack signature detected,Violation Rating Threat detected\\\",violation_details=\\\"<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>10000000000c00-3030c40000000</block><alarm>477f0ffcbbd0fea-8003f35cc0000000</alarm><learn>0-0</learn><staging>0-0</staging></violation_masks><request-violations><violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name><context>url</context><sig_data><sig_id>200010012</sig_id><blocking_mask>2</blocking_mask><kw_data><buffer>L3NjcmlwdHMvLi7Ary4uL3dpbm50L3N5c3RlbTMyL2NtZC5leGU=</buffer><offset>22</offset><length>8</length></kw_data></sig_data><sig_data><sig_id>200007003</sig_id><blocking_mask>2</blocking_mask><kw_data><buffer>R0VUIC9zY3JpcHRzLy4uJWMwJWFmLi4vd2lubnQvc3lzdGVtMzIvY21kLmV4ZT8vYytkaXIrYzpcIEhUVFAv</buffer><offset>12</offset><length>9</length></kw_data></sig_data><sig_data><sig_id>200007029</sig_id><blocking_mask>2</blocking_mask><kw_data><buffer>R0VUIC9zY3JpcHRzLy4uJWMwJWFmLi4vd2lubnQvc3lzdGVtMzIvY21kLmV4ZT8vYytkaXIrYzpcIEhUVFAv</buffer><offset>0</offset><length>24</length></kw_data></sig_data></violation><violation><viol_index>13</viol_index><viol_name>VIOL_ENCODING</viol_name><context>uri</context><buffer>L3NjcmlwdHMvLi7Ary4uL3dpbm50L3N5c3RlbTMyL2M=</buffer><offset>11</offset></violation><violation><viol_index>39</viol_index><viol_name>VIOL_FILETYPE</viol_name><extension>ZXhl</extension><flg_disallowed_file_type>1</flg_disallowed_file_type></violation><violation><viol_index>25</viol_index><viol_name>VIOL_PARAMETER_NAME_METACHAR</viol_name><param_name>L2MgZGlyIGM6XA==</param_name><wildcard_entity>*</wildcard_entity><enforcement_level>global</enforcement_level><metachar_index>47</metachar_index><metachar_index>58</metachar_index><metachar_index>92</metachar_index><staging>0</staging></violation></request-violations></BAD_MSG>\\\",request=\\\"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\\\ HTTP/1.1\\\\r\\\\nx-forwarded-host: 1c5f3e42-4f7d-4c9e-8d0a-f87551e9d7d8.access.udf.f5.com\\\\r\\\\nx-forwarded-proto: https\\\\r\\\\nx-forwarded-port: 443\\\\r\\\\nx-forwarded-for: 192.183.206.144\\\\r\\\\ncookie: io=20x_LVk2iKQ98P1mAAAB; TS0169ca99=0105268efa56926a2218f94de128fddd7072799d5d8bc12b464420a6ec4c26f658edbc7400a9cadc2439bc5df366707df466bd7453;\\\\r\\\\naccept-language: en-US,en;q=0.9\\\\r\\\\naccept-encoding: gzip, deflate, br\\\\r\\\\nsec-fetch-dest: document\\\\r\\\\nsec-fetch-user: ?1\\\\r\\\\nsec-fetch-mode: navigate\\\\r\\\\nsec-fetch-site: none\\\\r\\\\naccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\\\\r\\\\nuser-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\\\\r\\\\nupgrade-insecure-requests: 1\\\\r\\\\ncache-control: max-age=0\\\\r\\\\nconnection: keep-alive\\\\r\\\\nhost: 1c5f3e42-4f7d-4c9e-8d0a-f87551e9d7d8.access.udf.f5.com\\\\r\\\\n\\\\r\\\\n\\\"\\r\\n", :expected_charset=>"UTF-8"}
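Added example, not part of this issue or of the project's code: it reproduces why a strict UTF-8 decoder (which is what the plain codec is configured for here) rejects the event, and shows one pre-processing approach that keeps the offending bytes visible as percent-escapes instead of dropping the event. The syslog line is constructed and shortened from the one quoted above; the raw bytes 0xC0 0xAF in the uri field are the WAF's decoding of %c0%af, an overlong (and therefore invalid) UTF-8 encoding of '/'.

```python
import re

# Constructed sample event: the F5 ASM key="value" format, with the invalid
# UTF-8 byte pair 0xC0 0xAF embedded in the uri field exactly as the WAF emits it.
RAW_EVENT = (
    b'<130>Oct 8 19:36:10 ip-10-1-1-7 ASM:attack_type="Path Traversal",'
    b'uri="/scripts/..\xc0\xaf../winnt/system32/cmd.exe",request_status="blocked"'
)

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def is_valid_utf8(data: bytes) -> bool:
    """Strict decode, the check the plain codec effectively applies."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def sanitize_utf8(data: bytes) -> str:
    """Decode as UTF-8 but re-emit every undecodable byte as %XX.

    'surrogateescape' maps each invalid byte b to the lone surrogate
    U+DC00 + b, so the original byte value survives the decode and can be
    rendered as a percent-escape; the result is valid UTF-8 text.
    """
    text = data.decode("utf-8", errors="surrogateescape")
    return "".join(
        f"%{ord(ch) - 0xDC00:02X}" if 0xDC80 <= ord(ch) <= 0xDCFF else ch
        for ch in text
    )


def parse_kv(text: str) -> dict:
    """Split the sanitized ASM message into its key="value" fields."""
    return {key: value for key, value in KV_RE.findall(text)}


if __name__ == "__main__":
    print("strict UTF-8 valid:", is_valid_utf8(RAW_EVENT))
    clean = sanitize_utf8(RAW_EVENT)
    print("sanitized uri:", parse_kv(clean)["uri"])
```

The sanitized uri reads `/scripts/..%C0%AF../winnt/system32/cmd.exe`, so the traversal attempt remains searchable in Kibana while the event itself is valid UTF-8.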

Labels: bug