How to load emails into ES instance

Hello, I am trying to upload emails in XML format. These XML files were obtained by using Apache Tika to convert the .eml files to .xml.

I'm trying to load the data into ES with logstash but it's not working and I think it's because of the filters.

Below is my configuration file for Logstash:

input {
  file {
    path => "/home/jaime/PRUEBA_CORREOS/*.xml"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => multiline {
        pattern => "^<\?xml"
        negate => "true"
        what => "previous"
    }
  }
}

filter {
   xml {
    source => "message"
    target => "parsed"
  }
   mutate {
    rename => { "[parsed][meta][name='Message:Raw-Header:X-Spam-Status'][@content]" => "X-Spam-Status" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-PostalIn-MsgID'][@content]" => "X-PostalIn-MsgID" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-PostalIn-SenderInfo'][@content]" => "X-PostalIn-SenderInfo" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-Antivirus'][@content]" => "X-Antivirus" }
    rename => { "[parsed][meta][name='dc:creator'][@content]" => "dc:creator" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-Received'][@content]" => "X-Received" }
    rename => { "[parsed][meta][name='Message:From-Email'][@content]" => "Message-From-Email" }
    rename => { "[parsed][meta][name='dcterms:created'][@content]" => "dcterms:created" }
    rename => { "[parsed][meta][name='Message-To'][@content]" => "Message-To" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-VADEPIN-SPAMSTATE'][@content]" => "X-VADEPIN-SPAMSTATE" }
    rename => { "[parsed][meta][name='Message:Raw-Header:Authentication-Results'][@content]" => "Authentication-Results" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-Google-DKIM-Signature'][@content]" => "X-Google-DKIM-Signature" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-Gm-Message-State'][@content]" => "X-Gm-Message-State" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-VADEPIN-SPAMSCORE'][@content]" => "X-VADEPIN-SPAMSCORE" }
    rename => { "[parsed][meta][name='Message:Raw-Header:MIME-Version'][@content]" => "MIME-Version" }
    rename => { "[parsed][meta][name='Multipart-Boundary'][@content]" => "Multipart-Boundary" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-VADEPIN-SPAMCAUSE'][@content]" => "X-VADEPIN-SPAMCAUSE" }
    rename => { "[parsed][meta][name='Message:Raw-Header:Message-ID'][@content]" => "Message-ID" }
    rename => { "[parsed][meta][name='dc:title'][@content]" => "dc:title" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-PostalIn-From'][@content]" => "X-PostalIn-From" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-PostalIn-SpamCheck'][@content]" => "X-PostalIn-SpamCheck" }
    rename => { "[parsed][meta][name='Content-Length'][@content]" => "Content-Length" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-Postal-ASAV'][@content]" => "X-Postal-ASAV" }
    rename => { "[parsed][meta][name='Content-Type'][@content]" => "Content-Type" }
    rename => { "[parsed][meta][name='dc:subject'][@content]" => "dc:subject" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-Google-Smtp-Source'][@content]" => "X-Google-Smtp-Source" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-Antivirus-Status'][@content]" => "X-Antivirus-Status" }
    rename => { "[parsed][meta][name='resourceName'][@content]" => "resourceName" }
    rename => { "[parsed][meta][name='Message:Raw-Header:Return-Path'][@content]" => "Return-Path" }
    rename => { "[parsed][meta][name='Message:Raw-Header:DKIM-Signature'][@content]" => "DKIM-Signature" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-PostalIn-Information'][@content]" => "X-PostalIn-Information" }
    rename => { "[parsed][meta][name='Message:Raw-Header:Delivered-To'][@content]" => "Delivered-To" }
    rename => { "[parsed][meta][name='X-TIKA:Parsed-By'][@content]" => "X-TIKA-Parsed-By" }
    rename => { "[parsed][meta][name='Message:From-Name'][@content]" => "Message-From-Name" }
    rename => { "[parsed][meta][name='Multipart-Subtype'][@content]" => "Multipart-Subtype" }
    rename => { "[parsed][meta][name='Message:Raw-Header:Received'][@content]" => "Received" }
    rename => { "[parsed][meta][name='Message-From'][@content]" => "Message-From" }
  }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "emails"
  }
}

I want to be able to filter by message from, date, etc.

It stays here and does not move forward:
[INFO ] 2024-08-10 11:45:46.255 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>3, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>375, "pipeline.sources"=>["/usr/share/logstash/01-emailsx.conf"], :thread=>"#<Thread:0x3ddfaf9c /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[INFO ] 2024-08-10 11:45:46.716 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>0.46}
[INFO ] 2024-08-10 11:45:46.726 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2024-08-10 11:45:46.727 [[main]<file] observingtail - START, creating Discoverer, Watch with file and sincedb collections
[INFO ] 2024-08-10 11:45:46.742 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}

If there is a better way to upload emails to Logstash, I would appreciate it, and if it allows me to filter by "message from" I would appreciate it.

All the best
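Why the `rename` paths in the configuration above match no field, shown as an added example that is not part of the original post: a Logstash field reference is a plain path of keys and array indexes, not XPath, so `[meta][name='...'][@content]` selects nothing. The Ruby below assumes the xml filter (with `target => "parsed"` and its default `force_array => true`) stores the `<meta>` elements as an array of name/content hashes under `[parsed][head][0][meta]`; the function names, the allowlist, the output field names and the sample data are this example's own.

```ruby
# Added example: flatten Tika <meta name="..." content="..."/> entries.
# Assumed input shape (xml filter, target => "parsed", force_array => true):
#   parsed["head"][0]["meta"] == [ {"name" => "...", "content" => "..."}, ... ]

RAW_PREFIX = "Message:Raw-Header:"

# Only these meta names are indexed. Header names are chosen by the sender,
# so an allowlist keeps the set of fields in the index bounded.
WANTED = %w[
  resourceName dc:subject dcterms:created Message-From Message-To
  Message:From-Email Message:From-Name
  Message:Raw-Header:Received
  Message:Raw-Header:Authentication-Results
  Message:Raw-Header:Return-Path
  Message:Raw-Header:Message-ID
].freeze

# Field naming is this example's convention: drop the raw-header prefix
# and replace the remaining colons with dashes.
def field_name(meta_name)
  meta_name.delete_prefix(RAW_PREFIX).tr(":", "-")
end

# Returns { field_name => String or Array<String> }.
# A name that occurs several times (Received, for example) becomes an array
# in document order, so the relay chain is kept intact.
def flatten_tika_meta(parsed, wanted: WANTED)
  head  = parsed["head"]
  metas = head.is_a?(Array) && head[0].is_a?(Hash) ? head[0]["meta"] : nil
  return {} unless metas.is_a?(Array)

  fields = {}
  metas.each do |m|
    next unless m.is_a?(Hash)
    name    = m["name"]
    content = m["content"]
    next unless name.is_a?(String) && content.is_a?(String)
    next unless wanted.include?(name)

    key   = field_name(name)
    value = content.strip # raw headers often start with a space or tab
    if fields.key?(key)
      fields[key] = Array(fields[key]) << value
    else
      fields[key] = value
    end
  end
  fields
end

# Constructed sample in the assumed shape (values are made up).
SAMPLE_PARSED = {
  "xmlns" => "http://www.w3.org/1999/xhtml",
  "head" => [{
    "meta" => [
      { "name" => "Message:From-Email", "content" => "sender@example.test" },
      { "name" => "Message:Raw-Header:Message-ID",
        "content" => " <id-1@example.test>" },
      { "name" => "Message:Raw-Header:Received",
        "content" => "from mx2.example.test by mx3.example.test; " \
                     "Wed, 31 Jul 2024 15:19:03 +0200" },
      { "name" => "Message:Raw-Header:Received",
        "content" => "from mx1.example.test by mx2.example.test; " \
                     "Wed, 31 Jul 2024 15:19:00 +0200" },
      { "name" => "Message:Raw-Header:X-Custom-Anything",
        "content" => "not on the allowlist" },
      { "name" => "dcterms:created", "content" => "2024-07-31T13:18:36Z" },
      { "name" => "resourceName", "content" => "sample message.eml" }
    ],
    "title" => ["sample message"]
  }]
}.freeze

# Inside a Logstash ruby filter the result would be applied with:
#   flatten_tika_meta(event.get("parsed")).each { |k, v| event.set(k, v) }
if __FILE__ == $PROGRAM_NAME
  flatten_tika_meta(SAMPLE_PARSED).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```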

If you have one email per file then when using a negated pattern to consume the entire file you will need to set auto_flush_interval to a small number. Otherwise it will wait forever for a second line in the file that does match the pattern.

If that does not help can you show us an example of an XML file that you are trying to parse?

Hello.

By entering the auto_flush_interval at 5, it advances and ingests all the files. It is even fine, but the ingestion is not done correctly and it is most likely due to the filter issue, which is not correct.

This is how the file looks with auto_flush_interval added:

input {
  file {
    path => "/home/jaime/PRUEBA_CORREOS/*.xml"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => multiline {
        pattern => "^<\?xml"
        negate => "true"
        what => "previous"
        auto_flush_interval => 5
    }
  }
}

filter {
   xml {
    source => "message"
    target => "parsed"
  }
   mutate {
    rename => { "[parsed][meta][name='Message:Raw-Header:X-Spam-Status'][@content]" => "X-Spam-Status" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-PostalIn-MsgID'][@content]" => "X-PostalIn-MsgID" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-PostalIn-SenderInfo'][@content]" => "X-PostalIn-SenderInfo" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-Antivirus'][@content]" => "X-Antivirus" }
    rename => { "[parsed][meta][name='dc:creator'][@content]" => "dc:creator" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-Received'][@content]" => "X-Received" }
    rename => { "[parsed][meta][name='Message:From-Email'][@content]" => "Message-From-Email" }
    rename => { "[parsed][meta][name='dcterms:created'][@content]" => "dcterms:created" }
    rename => { "[parsed][meta][name='Message-To'][@content]" => "Message-To" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-VADEPIN-SPAMSTATE'][@content]" => "X-VADEPIN-SPAMSTATE" }
    rename => { "[parsed][meta][name='Message:Raw-Header:Authentication-Results'][@content]" => "Authentication-Results" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-Google-DKIM-Signature'][@content]" => "X-Google-DKIM-Signature" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-Gm-Message-State'][@content]" => "X-Gm-Message-State" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-VADEPIN-SPAMSCORE'][@content]" => "X-VADEPIN-SPAMSCORE" }
    rename => { "[parsed][meta][name='Message:Raw-Header:MIME-Version'][@content]" => "MIME-Version" }
    rename => { "[parsed][meta][name='Multipart-Boundary'][@content]" => "Multipart-Boundary" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-VADEPIN-SPAMCAUSE'][@content]" => "X-VADEPIN-SPAMCAUSE" }
    rename => { "[parsed][meta][name='Message:Raw-Header:Message-ID'][@content]" => "Message-ID" }
    rename => { "[parsed][meta][name='dc:title'][@content]" => "dc:title" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-PostalIn-From'][@content]" => "X-PostalIn-From" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-PostalIn-SpamCheck'][@content]" => "X-PostalIn-SpamCheck" }
    rename => { "[parsed][meta][name='Content-Length'][@content]" => "Content-Length" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-Postal-ASAV'][@content]" => "X-Postal-ASAV" }
    rename => { "[parsed][meta][name='Content-Type'][@content]" => "Content-Type" }
    rename => { "[parsed][meta][name='dc:subject'][@content]" => "dc:subject" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-Google-Smtp-Source'][@content]" => "X-Google-Smtp-Source" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-Antivirus-Status'][@content]" => "X-Antivirus-Status" }
    rename => { "[parsed][meta][name='resourceName'][@content]" => "resourceName" }
    rename => { "[parsed][meta][name='Message:Raw-Header:Return-Path'][@content]" => "Return-Path" }
    rename => { "[parsed][meta][name='Message:Raw-Header:DKIM-Signature'][@content]" => "DKIM-Signature" }
    rename => { "[parsed][meta][name='Message:Raw-Header:X-PostalIn-Information'][@content]" => "X-PostalIn-Information" }
    rename => { "[parsed][meta][name='Message:Raw-Header:Delivered-To'][@content]" => "Delivered-To" }
    rename => { "[parsed][meta][name='X-TIKA:Parsed-By'][@content]" => "X-TIKA-Parsed-By" }
    rename => { "[parsed][meta][name='Message:From-Name'][@content]" => "Message-From-Name" }
    rename => { "[parsed][meta][name='Multipart-Subtype'][@content]" => "Multipart-Subtype" }
    rename => { "[parsed][meta][name='Message:Raw-Header:Received'][@content]" => "Received" }
    rename => { "[parsed][meta][name='Message-From'][@content]" => "Message-From" }
  }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "emails"
  }
}

As I have told you, the problem is probably in the filters.

What I'm looking for is to be able to filter by the name of the email (.eml file or resourceName if you search in the xml file), who sent it, when, where it was sent from, and see the body of the message, and little else.

Below I upload an example of an XML file that I want to parse:

<?xml version="1.0" encoding="UTF-8"?><html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="Message:Raw-Header:Accept-Language" content="en-GB, en-US"/>
<meta name="Message:Raw-Header:X-MS-Office365-Filtering-Correlation-Id" content="991b7297-434f-4ac3-8c15-08dcb163545a"/>
<meta name="Message:Raw-Header:X-ExclaimerImprintAction" content="003a2421e5dd4ea58f5fa76779aa5d25"/>
<meta name="Message:Raw-Header:ARC-Authentication-Results" content="i=1; mx.microsoft.com 1; spf=pass (sender ip is 51.141.5.228) smtp.rcpttodomain=arestes.es smtp.mailfrom=yourshortlist.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=yourshortlist.com; dkim=none (message not signed); arc=none (0)"/>
<meta name="Message:Raw-Header:ARC-Seal" content="i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=VC6Ftxh7OFnY6fGk9ae3BHgmEz4+1+cSgArbJP0r2U7wdtD9JVtvuYti463a6xL5BmaA/yFvxWRAcK96dt53TvQzc+YRcrUAIpE0DGymOKiYQtRQDgLGbQ+L3DcIeSYOUP9ZcTuDcL4SP/e+5t6M/eMd9P2dboljUuqd3i0bFGLAU41B/TVgyoQhV0cpYLi3uR6Rv9LNChscnxRu3IZ1xIoQwmdjB/ms3PXWNspl1ncBAtAPgmYNtLREdcHZNwFlvJNyZFOxaylqDyb14aX458kVA0+EaqUDBqskID2MfN00PCaMV9Qo401MaXhBgwIy+hynXmsDZ/ZzADWMH9xE5g=="/>
<meta name="Message:Raw-Header:X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp" content="TenantId=1df37b14-dcb6-4062-9b6a-4d9b750ed0de;Ip=[51.141.5.228];Helo=[uk2.smtp.exclaimer.net]"/>
<meta name="Message:Raw-Header:Content-Language" content="en-US"/>
<meta name="Message:From-Email" content="LeadsSpain@yourshortlist.com"/>
<meta name="Message:Raw-Header:X-VADEPIN-SPAMSTATE" content="commercial:mce"/>
<meta name="Message:Raw-Header:x-ms-traffictypediagnostic" content="&#9;DB9PR06MB8671:EE_|DUZPR06MB8817:EE_|AM2PEPF0001C716:EE_|AM9PR06MB8067:EE_"/>
<meta name="Message:Raw-Header:X-MS-Office365-Filtering-Correlation-Id-Prvs" content="&#9;6662c626-0dc4-488b-3eb5-08dcb1634926"/>
<meta name="Message:Raw-Header:X-VADEPIN-SPAMSCORE" content="17"/>
<meta name="Multipart-Boundary" content="_004_DB9PR06MB8671F80CBCF664D945C50314FBB12DB9PR06MB8671eurp_"/>
<meta name="Message:Raw-Header:MIME-Version" content="1.0"/>
<meta name="dc:title" content="S12317 - Ciberseguridad"/>
<meta name="Message:Raw-Header:Message-ID" content=" &lt;DB9PR06MB8671F80CBCF664D945C50314FBB12@DB9PR06MB8671.eurprd06.prod.outlook.com&gt;"/>
<meta name="Message:Raw-Header:X-MS-Exchange-CrossTenant-Network-Message-Id" content="991b7297-434f-4ac3-8c15-08dcb163545a"/>
<meta name="Message:Raw-Header:X-PostalIn-SpamCheck" content="no es spam, 3, commercial:mce DKIM_PASS SPF_PASS"/>
<meta name="Message:Raw-Header:X-Microsoft-Antispam-Message-Info" content="&#9;=?utf-8?B?OUlvWk95aTVYd01SRVB5b1dWV2E5YTFUUk93dlROUDFpYkxIZ050eGM4RUtr?= =?utf-8?B?MVhKMlNJOTQzeTBaRzA5QjYrU0QwU3lrVThrVGhUNUlFM3RFbGxFT0gvT09t?= =?utf-8?B?V0FDL0VxNVRpWVorZG0zNzRtcVRZQnhkR3UxRmNRUlBOVDBQZFUvZTQxRHhW?= =?utf-8?B?VUlpR0FtMHZadnJjN21IRzVFeWFodGlZakl1YzZLdWxnVnpxdG5EeTRJbXVu?= =?utf-8?B?amR2SFMxV04vZjRXY3Z1VzFaVStJVTRQaFkwV3ZmMEsxMlBCamFTUWJldCtZ?= =?utf-8?B?RCsrUW5RN2JmWVNPYy82UVJQRGxlald0d3JuK0ZvOXhFejAwWWVlRXZkSlcz?= =?utf-8?B?Rkx3TFRQK0U3NUZTYXMrY1c1RExITmNveHAwUUhvOUt6bkszaFFOOU01djQw?= =?utf-8?B?aGxWeWYzc0kvRGtXNGpWYkdIR0o0SjhwTnBHNitib0F6K2g2bm9VeEMxV3Fr?= =?utf-8?B?bkx2Tjd6c1lsbjkvMHI3WnJCcy9ueEk4TFpVbVRMTUhHMjFXQk1kK2RVdFVo?= =?utf-8?B?cWdDS3d6TUxqNnlyOVJ5eDRWUVJVM2RWL21lUmRKV2h2TmwyeWE4bXduSEVt?= =?utf-8?B?MkxmQTdEVGZueURjQitvNVB5QjZ0Z3Zqd2o2N05Mb1BLcVd2Y1RGOXB5NGp1?= =?utf-8?B?c1I3cG1XK2tCa0hERFJBQlJXR3FyWFlNYVgwZmNab3d1Uzc0VU9Wd3h4TkhJ?= =?utf-8?B?NDdsc3djYVBHWGNnRVNWOXV4bUV6dEQ5ZDdYOVhVV1NLaythM0JRb2pxK3VS?= =?utf-8?B?YXMxd09OMVY1Mlg1ZzVEM2hkQVFPbXV1YXlyVHZ6c0hFclpTazVYVGRTN3M4?= =?utf-8?B?TXVXYVBPN0dTU3BwUXQ3enBrVTJyd0J2TlZRVmoyTERnSHVNWGhlSkdyT3NE?= =?utf-8?B?N2krZUdocFAvNkxkM0g5eUZqUmo0R2plY05pTTk3emN3WWlPWEsxN2NkczVl?= =?utf-8?B?YXJCNU9NSWtkNjhXMG41cEtpc0tFMnNlRWM2MGxOdnVLRzFPeXpVa1U1WTBQ?= =?utf-8?B?NDNaeXBaVE5FR3lOMVM5TU9LVTRpSStrdldGVzl3ZzFXUWtKR3cwZEczOHVR?= =?utf-8?B?RVFCR09tZXh6WmlaSm44V2JCamRCUzVjdjF2OUJ2L3FvclROOUJML1BEWm01?= =?utf-8?B?MU9YcGJBT1ZiTENqb3hRc1dzL2JiaGdJV0VuSVFaYVFjakpCV092MmFRNHFX?= =?utf-8?B?Znd2UkExRTNJN1lYZFpSY2g2SE5OT2VvNFFLUldlb0VKcHp0T3RSWkhzb0VP?= =?utf-8?B?MzhpUkhvWE5FVFB6QzBWUjI5RTlkWkgwTUp6c2dKaGswYk1FdlNTZEJGR1NW?= =?utf-8?B?aWk5aFNpM0trZWFPZ1Zxb3ptNUF3MXRnUHZGUVlaRjZPYTdDalhrYlc3d05L?= =?utf-8?B?eUplVjUrZFNneWlncWhOUENFTmlHOFJ4ME5VWkFwU3NNcmo1OXZJZHZ4YzJq?= =?utf-8?B?UDdFTkE5aEhsdUk1T0lVYXFvYTRJMnZ0QysvSFJZSFY0SzJXcVlTeGcwV21U?= =?utf-8?B?L3VJNFdpTG1TaVFaOFFiK0tneGxsaEJCczJtdHBwRndxMm03emt0cDNJUkl4?= 
=?utf-8?B?QlJGTFJZbHBBMEs1d1lnN2sya21VRUtseVlXcTY5bEhZUG5lSTM1Wmh3SmlZ?= =?utf-8?B?ZVZ0QTN4cHZ0RVhEYkpWZk9kZVB0aFZpRUZBRXIvL29mNVl4RGlqdHl2SzJp?= =?utf-8?B?dndRQmpNU1ByRlRxckFvRDlYZDIyT0FEaXh5R0VoK1FhVEVtYWZWL0NHUEpR?= =?utf-8?B?N2cvbFRIYXZRczFieEJHVjNjS2VaK29naEhVdzhJQ0tLbmtNaXVvTis5MFdS?= =?utf-8?B?WnRleGYxZTVXdEtTRzRZdz09?="/>
<meta name="Message:Raw-Header:In-Reply-To" content=" &lt;DB9PR06MB86710FE703CE8660136DC6C4FBB12@DB9PR06MB8671.eurprd06.prod.outlook.com&gt;"/>
<meta name="Message:Raw-Header:X-MS-Exchange-AntiSpam-Relay" content="0"/>
<meta name="Message:Raw-Header:X-OriginatorOrg" content="yourshortlist.com"/>
<meta name="Message:Raw-Header:X-PostalIn-SpamScore" content="sss"/>
<meta name="Message:Raw-Header:X-MS-Exchange-CrossTenant-Id" content="1df37b14-dcb6-4062-9b6a-4d9b750ed0de"/>
<meta name="Message:Raw-Header:x-ms-exchange-messagesentrepresentingtype" content="1"/>
<meta name="Message:Raw-Header:References" content=" &lt;DB7PR06MB5210BEC101C6D8DF9582910AEEB12@DB7PR06MB5210.eurprd06.prod.outlook.com&gt; &lt;DB9PR06MB86710E00AAA1FAACF45B7990FBB12@DB9PR06MB8671.eurprd06.prod.outlook.com&gt; &lt;DB9PR06MB8671804AD7FB21DB3F442D26FBB12@DB9PR06MB8671.eurprd06.prod.outlook.com&gt; &lt;DB9PR06MB867139362C2C401575479B41FBB12@DB9PR06MB8671.eurprd06.prod.outlook.com&gt; &lt;DB9PR06MB86713BFF4811976021B63C63FBB12@DB9PR06MB8671.eurprd06.prod.outlook.com&gt; &lt;DB9PR06MB8671AC25E5C094663CA7E5DBFBB12@DB9PR06MB8671.eurprd06.prod.outlook.com&gt; &lt;DB9PR06MB86710FE703CE8660136DC6C4FBB12@DB9PR06MB8671.eurprd06.prod.outlook.com&gt;"/>
<meta name="Message:Raw-Header:X-Microsoft-Antispam" content="&#9;BCL:0;ARA:13230040|35042699022|1032899013|82310400026|376014|7416014|69100299015|36860700013|1800799024;"/>
<meta name="resourceName" content="S12317 - Ciberseguridad - LeadsSpain (LeadsSpain@yourshortlist.com) - 2024-07-31 1518.eml"/>
<meta name="Message:Raw-Header:Return-Path" content="&lt;leadsspain@yourshortlist.com&gt;"/>
<meta name="Message:Raw-Header:X-ExclaimerHostedSignatures-MessageProcessed" content="true"/>
<meta name="Message:Raw-Header:Authentication-Results-Original" content="dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=yourshortlist.com;"/>
<meta name="Message:Raw-Header:X-EOPAttributedMessage" content="0"/>
<meta name="Message:Raw-Header:DKIM-Signature" content="v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourshortlist.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DaZwHY9EOAQdxxHBJjGA1DZw5+TuI58tX6P4X+wvkFM=; b=iCqhZvAWEIsbvudAI+6ADctIxPTDifj1qSiWTVrUWPiI1OaHx1SWsGO98fciO8JOHxatvIffAbS2Tue03myqoEYb0rkmD2ytghlWpGmEPrEm28OefiydgMXh6GzpYNgPrfM5Lk6zs4Q1gpXLsQIy2GO+FMBxCIf58pOwn8NmNG6FM+NyA6+ZUAPzdLVsW2lKgapZp69H6sgvjzoI+RsFr+lnw2aqqpCqtu4nawq0z7wMASZbBKOsdMBNOpyne7PQWwn+ZuaqzEPtPi1xMkQLcMTuIzHbJAdApMMMVYjXFymelyO+g8HMiHVHLT+Ox9jGky3trf6aHRkuWe9mmiFTcQ=="/>
<meta name="Message:Raw-Header:Delivered-To" content="contacto.miolnir.es"/>
<meta name="Message:Raw-Header:Thread-Topic" content="S12317 - Ciberseguridad"/>
<meta name="Message:Raw-Header:X-ExclaimerProxyLatency" content="34303228"/>
<meta name="X-TIKA:Parsed-By" content="org.apache.tika.parser.DefaultParser"/>
<meta name="X-TIKA:Parsed-By" content="org.apache.tika.parser.mail.RFC822Parser"/>
<meta name="Message:Raw-Header:X-MS-Exchange-SenderADCheck" content="1"/>
<meta name="Message:From-Name" content="LeadsSpain"/>
<meta name="Multipart-Subtype" content="mixed"/>
<meta name="Message:Raw-Header:Received" content="from dovector02.dominioabsoluto.net ([77.240.117.125])&#9;by lda04.dominioabsoluto.net with LMTP&#9;id oPKfNsc5qmbErTsAIwciwg&#9;(envelope-from &lt;leadsspain@yourshortlist.com&gt;)&#9;for &lt;contacto.miolnir.es&gt;; Wed, 31 Jul 2024 15:19:03 +0200"/>
<meta name="Message:Raw-Header:Received" content="from asavin05.dominioabsoluto.net ([77.240.117.125])&#9;by dovector02.dominioabsoluto.net with LMTP&#9;id uP5JNsc5qmaSuDAABdekbQ&#9;(envelope-from &lt;leadsspain@yourshortlist.com&gt;)&#9;for &lt;contacto@miolnir.es&gt;; Wed, 31 Jul 2024 15:19:03 +0200"/>
<meta name="Message:Raw-Header:Received" content="from relayin07.dominioabsoluto.net (217-116-26-4.redes.acens.net [217.116.26.4])&#9;by asavin05.dominioabsoluto.net (relay) with ESMTP id 4WYt3B2WNZz14B9&#9;for &lt;contacto@miolnir.es&gt;; Wed, 31 Jul 2024 15:19:00 +0200 (CEST)"/>
<meta name="Message:Raw-Header:Received" content="from EUR03-DBA-obe.outbound.protection.outlook.com (mail-dbaeur03on2119.outbound.protection.outlook.com [40.107.104.119])&#9;(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))&#9;(No client certificate requested)&#9;by relayin07.dominioabsoluto.net (relay) with ESMTPS id 4WYt375F1Sz2bQKt&#9;for &lt;contacto@miolnir.es&gt;; Wed, 31 Jul 2024 15:18:59 +0200 (CEST)"/>
<meta name="Message:Raw-Header:Received" content="from AS8PR04CA0193.eurprd04.prod.outlook.com (2603:10a6:20b:2f3::18) by AM9PR06MB8067.eurprd06.prod.outlook.com (2603:10a6:20b:3ae::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7807.28; Wed, 31 Jul 2024 13:18:55 +0000"/>
<meta name="Message:Raw-Header:Received" content="from AM2PEPF0001C716.eurprd05.prod.outlook.com (2603:10a6:20b:2f3:cafe::be) by AS8PR04CA0193.outlook.office365.com (2603:10a6:20b:2f3::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7784.35 via Frontend Transport; Wed, 31 Jul 2024 13:18:55 +0000"/>
<meta name="Message:Raw-Header:Received" content="from uk2.smtp.exclaimer.net (51.141.5.228) by AM2PEPF0001C716.mail.protection.outlook.com (10.167.16.186) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.19 via Frontend Transport; Wed, 31 Jul 2024 13:18:52 +0000"/>
<meta name="Message:Raw-Header:Received" content="from EUR02-AM0-obe.outbound.protection.outlook.com (104.47.11.235)&#9; by uk2.smtp.exclaimer.net (51.141.5.228) with Exclaimer Signature Manager&#9; ESMTP Proxy uk2.smtp.exclaimer.net (tlsversion=TLS12,&#9; tlscipher=TLS_DIFFIEHELLMAN_WITH_AES256_NONE); Wed, 31 Jul 2024 13:18:55&#9; +0000"/>
<meta name="Message:Raw-Header:Received" content="from DB9PR06MB8671.eurprd06.prod.outlook.com (2603:10a6:10:4ce::7) by DUZPR06MB8817.eurprd06.prod.outlook.com (2603:10a6:10:4e2::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7807.28; Wed, 31 Jul 2024 13:18:36 +0000"/>
<meta name="Message:Raw-Header:Received" content="from DB9PR06MB8671.eurprd06.prod.outlook.com ([fe80::be27:f76c:d59:1826]) by DB9PR06MB8671.eurprd06.prod.outlook.com ([fe80::be27:f76c:d59:1826%7]) with mapi id 15.20.7807.026; Wed, 31 Jul 2024 13:18:36 +0000"/>
<meta name="Message:Raw-Header:X-MS-Exchange-Authentication-Results" content="spf=pass (sender IP is 51.141.5.228) smtp.mailfrom=yourshortlist.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=yourshortlist.com;"/>
<meta name="Message-From" content="LeadsSpain &lt;LeadsSpain@yourshortlist.com&gt;"/>
<meta name="Message:Raw-Header:Thread-Index" content="AQHa40v5J/1a2G3lYECO9l8SYjWWz7IQ0Y9AgAAAIiA="/>
<meta name="Message:Raw-Header:X-MS-Exchange-CrossTenant-AuthAs" content="Anonymous"/>
<meta name="Message:Raw-Header:X-MS-Exchange-Transport-CrossTenantHeadersStripped" content=" AM2PEPF0001C716.eurprd05.prod.outlook.com"/>
<meta name="Message:Raw-Header:X-Spam-Status" content="No"/>
<meta name="Message:Raw-Header:X-Forefront-Antispam-Report-Untrusted" content=" CIP:255.255.255.255;CTRY:;LANG:es;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DB9PR06MB8671.eurprd06.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(376014)(366016)(7416014)(1800799024)(38070700018);DIR:OUT;SFP:1102;"/>
<meta name="Message:Raw-Header:X-MS-PublicTrafficType" content="Email"/>
<meta name="Message:Raw-Header:X-PostalIn-MsgID" content="4WYt3B2WNZz14B9.A9CDE"/>
<meta name="Message:Raw-Header:X-PostalIn-SenderInfo" content="IP: 40.107.104.119 | Country: IE | SPF: pass"/>
<meta name="Message:Raw-Header:X-MS-TNEF-Correlator" content=""/>
<meta name="dc:creator" content="LeadsSpain &lt;LeadsSpain@yourshortlist.com&gt;"/>
<meta name="Message:Raw-Header:X-Microsoft-Antispam-Message-Info-Original" content=" =?us-ascii?Q?o9XPwoy1AFZUpeHU3by8Yb+TC4hNcdTbnJb1YKUb4UA3idZpH8ubKl+lfHu7?= =?us-ascii?Q?REm3k9qRetEqegps5EMOTAsocbu8R2RuZMpLWd/5YlWzJ/VDHlB+EUiWeER1?= =?us-ascii?Q?LIhlEYxhdcdWRXhqj48Qr71BE3Gkn0T5E0+Sy2ytX2U4d9pqD5TAYJDDzwQ3?= =?us-ascii?Q?KmZzYthkGkcT/ZnootoLRuI5IZsQmTvmfKU6Tnx8J3FdfcdC5zGygxoFcSOI?= =?us-ascii?Q?nqFCWMAvn0ZoJCfw7mRGvF5u0OwQMRXr5YJAGOgeUh/fKLpyuoG0zMeyeCV+?= =?us-ascii?Q?20z6jviDXO4f09xo1f7dOLHeXQS4enMOpLzUcs71eHnS91gS5NuZTVxykYWl?= =?us-ascii?Q?yAEM0NhcZgv7w8ZHdyYJ4CrPwVtrUWgVd3FDlBRXt36VbA6WaOl8dpKFevkr?= =?us-ascii?Q?1q+LgN6fwlpTKrELCR3r7aWHr/SefQZAq8ohoUrpwGc4gJIOujSxdIa8tTSY?= =?us-ascii?Q?vyScIVZv2Fc923AyZn9j93YAb77/qC+K11Ru6ddgE2pOwetYOtnHzzI8T4CA?= =?us-ascii?Q?McMxmIAG+tzrUI8dRAhEC6WNo7/6mB/LAJA5vb++yrM9gFeqxkMEbeDcV5f+?= =?us-ascii?Q?ePAf+wpmsZXYk+ZDxVdiFa643Ep4Xq3SH+gbQr8WoOaIWTWal18KaoVPS+0/?= =?us-ascii?Q?FM9n7GVmqbqxMeG+aNGnDpK1BMk8eCj6Zth5CeTpWnATOCfb4zkLFsasNnKR?= =?us-ascii?Q?mgdaHNCfNHWqQ+qrYsaeGlC7ab1Qcw+plERUy/+wOZq8fXE/3+fe+BXawt4m?= =?us-ascii?Q?bzW9jL5MW3tfIFQH38CelFosdDa20u2jXz7mCYoolK96dELcN9FUn9FDzS/d?= =?us-ascii?Q?j7N2nDaqGMKZ5PD3Ji66ltwQ4mAQGYpmdBktszExf80FsUQArEhe9C6lYa5B?= =?us-ascii?Q?LZZZlXaoyRheXZKkFswop2vlljlcJTnp941C1wRcmlfb7m0aFZGOBEhuMdvn?= =?us-ascii?Q?MY2g6jW0GQBOTKno477WXWd+ipyTyzacKP2HrbsPH3EBAjt3KquUCyPKY+80?= =?us-ascii?Q?6Ch6B26H/b/hzXEbPkXkYt5DKs2vaRz8RqBmvdx1TFwfMXHzHCcKNdhNaSBR?= =?us-ascii?Q?BVFtVCDty2SZeDV2La3stTUX5rFdN3xg0j0WhFuLa3TcFp1HCqnThxvi2Rp5?= =?us-ascii?Q?Hcq0gv3XVe52/aFEy+sC/lchw3ltuc/qQealMRCOL765YPm+J3XP2xB94hVe?= =?us-ascii?Q?o1oGDQYpv1BZJR9y8MkQw7hl643cHWuCKqYDmy0bcQRZXAVc5QtrhlK4/RUY?= =?us-ascii?Q?GGKdwhpVjazo8oizJvTpwBMxOls6iIVcLjTTiTKSYCXFxkF9jD9ZJATCkPOJ?= =?us-ascii?Q?Fcw=3D?="/>
<meta name="dcterms:created" content="2024-07-31T13:18:36Z"/>
<meta name="Message-To" content="Undisclosed recipients:;"/>
<meta name="Message:Raw-Header:Authentication-Results" content="relayin07.dominioabsoluto.net;&#9;dkim=pass (2048-bit key; unprotected) header.d=yourshortlist.com header.i=@yourshortlist.com header.b=&quot;iCqhZvAW&quot;;&#9;dkim-atps=neutral"/>
<meta name="Message:Raw-Header:x-ld-processed" content="1df37b14-dcb6-4062-9b6a-4d9b750ed0de,ExtAddr"/>
<meta name="Message:Raw-Header:X-Forefront-Antispam-Report" content="&#9;CIP:51.141.5.228;CTRY:GB;LANG:es;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:uk2.smtp.exclaimer.net;PTR:uk2.smtp.exclaimer.net;CAT:NONE;SFS:(13230040)(35042699022)(1032899013)(82310400026)(376014)(7416014)(69100299015)(36860700013)(1800799024);DIR:OUT;SFP:1102;"/>
<meta name="Message:Raw-Header:X-VADEPIN-SPAMCAUSE" content="gggruggvucftvghtrhhoucdtuddrgeeftddrjeeigdeifecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucetvefgpffuqdeuvdeunecuuegrihhlohhuthemuceftddtnecundfotefknffkpffiucdludejmdenucfjughrpefhufhtfffkfhgjtgggvfesmhdttdertddtjeenucfhrhhomhepnfgvrggushfuphgrihhnuceonfgvrggushfuphgrihhnseihohhurhhshhhorhhtlhhishhtrdgtohhmqeenucggtffrrghtthgvrhhnpedvfeevkeevkeevkeelhffhhfekvefgheehgeduvedvjedukeeuhfdtfeeggfejgfenucffohhmrghinhephihouhhrshhhohhrthhlihhsthdrtghomhdplhhinhhkvgguihhnrdgtohhmpdhtrhhushhtphhilhhothdrtghomhdprghirhhtrggslhgvrdgtohhmnecukfhppeegtddruddtjedruddtgedrudduledphedurddugedurdehrddvvdekpddviedtfeemuddtrgeimedutdemgegtvgemmeejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepgedtrddutdejrddutdegrdduudelpdhhvghlohepgfgftfdtfedqffeutedqohgsvgdrohhuthgsohhunhgurdhprhhothgvtghtihhonhdrohhuthhlohhokhdrtghomhdpmhgrihhlfhhrohhmpefnvggrughsufhprghinheshihouhhrshhhohhrthhlihhsthdrtghomhdpnhgspghrtghpthhtohepuddprhgtphhtthhopegtohhnthgrtghtohesmhhiohhlnhhirhdrvghs"/>
<meta name="Message:Raw-Header:X-PostalIn-From" content="leadsspain@yourshortlist.com"/>
<meta name="Message:Raw-Header:X-MS-Exchange-Transport-CrossTenantHeadersStamped" content="DUZPR06MB8817"/>
<meta name="Message:Raw-Header:X-MS-Exchange-Transport-CrossTenantHeadersStamped" content="AM9PR06MB8067"/>
<meta name="Content-Length" content="471443"/>
<meta name="Message:Raw-Header:X-Microsoft-Antispam-Untrusted" content=" BCL:0;ARA:13230040|376014|366016|7416014|1800799024|38070700018;"/>
<meta name="Message:Raw-Header:X-Postal-ASAV" content="Yes"/>
<meta name="Content-Type" content="message/rfc822"/>
<meta name="dc:subject" content="S12317 - Ciberseguridad"/>
<meta name="Message:Raw-Header:X-ExclaimerImprintLatency" content="2798649"/>
<meta name="Message:Raw-Header:X-MS-Exchange-CrossTenant-FromEntityHeader" content="HybridOnPrem"/>
<meta name="Message:Raw-Header:X-MS-Has-Attach" content="yes"/>
<meta name="Message:Raw-Header:X-MS-Exchange-CrossTenant-AuthSource" content="&#9;AM2PEPF0001C716.eurprd05.prod.outlook.com"/>
<meta name="Message:Raw-Header:Received-SPF" content="Pass (protection.outlook.com: domain of yourshortlist.com designates 51.141.5.228 as permitted sender) receiver=protection.outlook.com; client-ip=51.141.5.228; helo=uk2.smtp.exclaimer.net; pr=C"/>
<meta name="Message:Raw-Header:X-PostalIn-Information" content="AntiSPAM and AntiVIRUS on asavin05"/>
<meta name="Message:Raw-Header:ARC-Message-Signature" content="i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=DaZwHY9EOAQdxxHBJjGA1DZw5+TuI58tX6P4X+wvkFM=; b=lveHqwy/yNL7kg5ZkLvD3X1XafM/JtAimjeF/FxFZydy2OhGbxV3XLRLe9M6WCPrnHWIvm46MJbZgV3QXA1o3vJExZt2Ol2mX0+EsGJbew5NsEXSFNVlTnBoXOl9Qr6EjiwQbCZi/Ksg+L4srSGmVGspycvm3fcg1PLlgtBDVl8KIuTTvkhyZQFR64Mp7F5J25bq7KLtJe2gqbXcYxYXkTu8OQ4uvJQ3HZlWl3EeBlpm3T7hyiSj7242JOSEnHgv6bxYATMPWIlMThHuwLe9grIUJ6S+EYug6eB5IMigqQ4h7IN9bEJ2Gi7zN9lbc3B2qaiIqQg6G0gcJJxCLnXDrg=="/>
<meta name="Message:Raw-Header:X-MS-Exchange-CrossTenant-OriginalArrivalTime" content="31 Jul 2024 13:18:52.3304 (UTC)"/>
<title>S12317 - Ciberseguridad</title>
</head>
<body><div class="email-entry"><p>

<p> </p>


<p> </p>


<p> </p>


<p>Hola!</p>


<p> </p>


<p>Espero que estés bien.</p>


<p> </p>


<p>Hoy nos hemos comprometido con el siguiente proyecto que se ajusta a tu
 negocio, consulta el resumen a continuación, y hazme saber si estás dispuesto/a a comprometerte con él.</p>


<p> </p>


<p> </p>


<table><tbody><tr>		<td>
<p>Proyecto</p>


</td>		<td>
<p>Ciberseguridad</p>


</td></tr>

<tr>		<td>
<p>Región </p>


</td>		<td>
<p>Andalucía</p>


</td></tr>

<tr>		<td>
<p>Industria:</p>


</td>		<td>
<p>Otros servicios</p>


</td></tr>

<tr>		<td>
<p>Tamaño </p>


</td>		<td>
<p>Facturado:
0 M to 1 M</p>


</td></tr>

<tr>		<td>
<p>Número de empleados: 3</p>


<p>Número de Sedes: 1</p>


</td></tr>

<tr>		<td>
</td></tr>

<tr>		<td>
</td></tr>

<tr>		<td>
<p>Presupuesto </p>


</td>		<td>
<p>El cliente no tiene un presupuesto definido por desconocimiento de los costes, dejandolo abierto a la mejor solucion.</p>


</td></tr>

<tr>		<td>
<p>Tiempos</p>


</td>		<td>
<p>Contacto: De lunes a viernes de 10:00 a 14:00</p>


</td></tr>

<tr>		<td>
<p>Decisión:
Q3 - Q4 2024</p>


</td></tr>

<tr>		<td>
<p>Implementacion: Q4 - 2024</p>


</td></tr>

</tbody></table>


<p> </p>


<p> </p>


<p>Quedo a la espera de tus comentarios, </p>


<p> </p>


<p>Gracias</p>


<p> </p>


<p>Saludos,</p>


<p> </p>


<p> </p>




<table><tr>		<td> ​​​​
​   
</td></tr>

<tr>		<td><table><tr>		<td><table><tr>		<td>LeadsSpain</td>		<td>, 
</td></tr>

</table>

</td></tr>

</table>

</td></tr>

<tr>		<td><table><tr>		<td><a shape="rect" href="https://yourshortlist.com/es">YourShortlist</a>®
</td></tr>

<tr>		<td><table><tr>		<td>+34 (951) 569040
</td></tr>

</table>

</td></tr>

<tr>		<td><a shape="rect" href="https://yourshortlist.com/">www.yourshortlist.com</a>
</td></tr>

<tr>		<td><table><tr>		<td><a shape="rect" href="https://www.linkedin.com/company/software-advisory-service-spain/">Encuéntanos en LinkedIn</a>
</td></tr>

<tr>		<td>
</td></tr>

<tr>		<td>Lee nuestras reseñas</td></tr>

<tr>		<td>
</td></tr>

<tr>		<td><a shape="rect" href="https://es.trustpilot.com/review/www.yourshortlist.com"><img src="https://emailsignature.trustpilot.com/brand/s/1/logo.png" width="82" height="28" alt=""/></a></td></tr>

<tr>		<td>
</td></tr>

<tr>		<td><a shape="rect" href="https://es.trustpilot.com/review/www.yourshortlist.com"><img src="https://emailsignature.trustpilot.com/signature/en-US/1/620d79d732ba0a106dfd8ee9/stars.png" width="128" height="24" alt=""/></a></td></tr>

</table>

</td></tr>

</table>

</td></tr>

<tr>		<td><table><tr>		<td><table><tr>		<td>Convertirse en un<a shape="rect" href="https://yourshortlist.com/become-a-partner/"> YourShortlist</a>®<a shape="rect" href="https://yourshortlist.com/become-a-partner/"> </a>compañero
</td></tr>

<tr>		<td><table><tr>		<td><table><tr>		<td><table><tr>		<td>YourShortlist® Limited. NIF: SC482015. Domicilio Registado: Avenida Palma de Mallorca 45, 2nda Planta, 29620 Torremolinos, Malaga, Spain
</td></tr>

</table>

</td></tr>

</table>

</td></tr>

<tr>		<td> 
</td></tr>

<tr>		<td><table><tr>		<td><table><tr>		<td>Tenga en cuenta: ¡El Servicio de asesoría de software se está convirtiendo en YourShortlist! <a shape="rect" href="https://yourshortlist.com/">Aprende más aquí</a>.
</td></tr>

<tr>		<td>
</td></tr>

<tr>		<td>Para dejar de recibir estos correos, por favor, <a shape="rect" href="https://airtable.com/shrHi1quErvaniX4R">haz click aquí</a>
 </td></tr>

</table>

</td></tr>

</table>

</td></tr>

</table>

</td></tr>

</table>

</td></tr>

</table>

</td></tr>

</table>


</p>
</div>
<div class="email-entry"><p><div class="page"><p/>

<p>Lead Ref: S12317
</p>

<p> 
</p>

<p>Ciberseguridad
Detalles de cuenta
</p>

<p> Proyecto: Ciberseguridad  Industria: Otros servicios  
</p>

<p> Área: Andalucía  Facturado: A: 0 to 1M  
</p>

<p> Situación Actual: N/A  Nube/On premise: Ambos  
</p>

<p> A medida: No  Empleados: 3  
</p>

<p> Sedes: 1      
</p>

<p>Descripción
</p>

<p>Informe de Necesidades de Auditoría de Ciberseguridad
</p>

<p>En el día de hoy tuve una conversación con el director de informática de una empresa dedicada a la
compraventa de toda clase de fincas, ubicada en la Comunidad Autónoma de Andalucía.
</p>

<p>En la conversación mantenida con el cliente, se identificó la necesidad de realizar una auditoría de
ciberseguridad para un edificio de alquileres inteligentes.
</p>

<p>Este informe detalla los requisitos técnicos y funcionales de la solución buscada, con el objetivo de seleccionar
una empresa que pueda proporcionar formación y certificación adecuada.
</p>

<p>Descripción del Proyecto:
</p>

<p>• Sector: Servicios para empresas del sector inmobiliario
</p>

<p>• Objeto de la Auditoría: Edificio de alquileres inteligentes
</p>

<p>• Ubicación: Edificio con servicios digitales integrales
</p>

<p>Necesidades Identificadas:
</p>

<p>1. Auditoría de Ciberseguridad:
</p>

<p>• Alcance: Evaluación completa de la seguridad digital del edificio, incluyendo:
</p>

<p>- Servicios internos digitales (viviendas, internet, WiFi tipo hotel)
</p>

<p>- Llaves electrónicas y sistemas centralizados de gestión
</p>

<p>• Infraestructura Actual:
</p>

<p>- 6 conexiones de fibra óptica de dos compañías diferentes
</p>

<p>- Firewall provisional SonicWall, con planes para cambiar a Zyxel a corto plazo
</p>

<p>• Usuarios: Aproximadamente 200 inquilinos con acceso a la red, utilizando PCs, portátiles y móviles</p>

<p/>

</div>

<div class="page"><p/>

<p>2. Certificación de Seguridad:
</p>

<p>• Requisito: Certificado que garantice un grado adecuado de ciberseguridad para el edificio.
</p>

<p>• Objetivo: Asegurar la protección de todos los servicios digitales del edificio y la seguridad de los
datos de los inquilinos.
</p>

<p>Requisitos del Cliente:
</p>

<p>• Infraestructura y Equipos:
</p>

<p>- Actualización de Firewall: Evaluar la transición de SonicWall a Zyxel y asegurar la configuración adecuada.
</p>

<p>- Conectividad: Verificar y asegurar la robustez de las 6 conexiones de fibra óptica.
</p>

<p>• Usuarios y Acceso:
</p>

<p>- Gestión de Acceso: Implementar medidas de seguridad para gestionar el acceso de
aproximadamente 200 inquilinos.
</p>

<p>- Dispositivos: Asegurar la protección de PCs, portátiles y móviles conectados a la red.
</p>

<p>• Certificación:
</p>

<p>- Necesidad de Certificado: El cliente requiere un certificado que garantice la ciberseguridad del edificio, emitido
por una empresa reconocida en el ámbito de la ciberseguridad.
</p>

<p>Consideraciones Adicionales:
</p>

<p>• Formación y Soporte:
</p>

<p>- El cliente busca una empresa que pueda proporcionar formación en ciberseguridad para el personal encargado
de la gestión del edificio.
</p>

<p>- Es crucial contar con soporte técnico continuo para mantener y mejorar la seguridad del sistema.
</p>

<p>• Evaluación de Rentabilidad:
</p>

<p>- El cliente está interesado en evaluar la rentabilidad y la eficacia de las medidas de ciberseguridad
implementadas.
</p>

<p>Presupuesto y Tiempos:
</p>

<p>Presupuesto: El cliente no tiene un presupuesto definido y está dispuesto a considerar diversas soluciones
basadas en lo que ofrezcan los proveedores, ya que desconoce el coste de las mismas. Además, señala que
desea tener una primera reunión en la primera mitad de agosto, ya que le resulta prioritario.
</p>

<p>Tiempo de Implementación: En cuanto a los plazos para tomar una decisión, están contemplando los períodos
correspondientes el tercer y cuarto trimestre de 2024. Para la implementación, están considerando Q4 2024.</p>

<p/>

</div>

<div class="page"><p/>

<p> 
</p>

<p>Escala De Tiempo
</p>

<p> Llamada: De lunes a viernes de 10:00 a
14:00
</p>

<p> 
</p>

<p> Decisión: Q3 - Q4 2024  
</p>

<p> Implementación: Q4 - 2024
 
</p>

<p> 
</p>

<p>Presupuesto
</p>

<p>El cliente no tiene un presupuesto definido por desconocimiento de los costes, dejandolo abierto a la mejor
solucion.
 
</p>

<p>Próximos pasos
</p>

<p>Los socios que puedan cumplir con los requisitos de la empresa deben responder directamente a 
LeadsSpain@yourshortlist.com para registrar su interés. Una vez aprobado, recibirá inmediatamente los datos
de contacto de los prospectos.
 
</p>

<p>Powered by TCPDF (www.tcpdf.org)</p>

<p/>

<div class="annotation"><a href="mailto:LeadsSpain@yourshortlist.com">mailto:LeadsSpain@yourshortlist.com</a></div>

<div class="annotation"><a href="http://www.tcpdf.org">http://www.tcpdf.org</a></div>

</div>

</p>
</div>
</body></html>

Greetings and thanks

OK, the first thing I would say is to set force_array => false on the xml filter. If you do not do this then everything will be an array (so that it can be consistent if elements only sometimes have more than one item in them). If you look at the rubydebug output you will see

     "head" => [
        [0] {
            "title" => [
                [0] "S12317 - Ciberseguridad"
            ],
             "meta" => [
                [ 0] {
                       "name" => "Message:Raw-Header:Accept-Language",
                    "content" => "en-GB, en-US"
                },

so you have to refer to title as [parsed][head][0][title][0]. If you set force_array then you get this instead

     "head" => {
        "title" => "S12317 - Ciberseguridad",
         "meta" => [
            [ 0] {
                   "name" => "Message:Raw-Header:Accept-Language",
                "content" => "en-GB, en-US"
            },

which I find easier to deal with. Instead of renaming the raw headers one by one I would iterate over the array

    xml { source => "message" target => "parsed" force_array => false remove_field => [ "message" ] }
    ruby {
        code => '
            meta = event.remove("[parsed][head][meta]")
            meta.each { |x|
                key = x["name"]
                if key =~ /^Message:Raw-Header:/
                    newKey = key.sub(/^Message:Raw-Header:/, "")
                    newKey = "[headers][#{newKey}]"
                else
                    newKey = key.sub(/^.*:/, "")
                    newKey = "[otherStuff][#{newKey}]"
                end
                event.set(newKey, x["content"])
            }
        '
    }

I think that leaves most of what you are interested in under [otherStuff]

"otherStuff" => {
            "From-Email" => "LeadsSpain@yourshortlist.com",
          "Content-Type" => "message/rfc822",
    "Multipart-Boundary" => "_004_DB9PR06MB8671F80CBCF664D945C50314FBB12DB9PR06MB8671eurp_",
     "Multipart-Subtype" => "mixed",
               "subject" => "S12317 - Ciberseguridad",
               "created" => "2024-07-31T13:18:36Z",
          "Message-From" => "LeadsSpain <LeadsSpain@yourshortlist.com>",
        "Content-Length" => "471443",
          "resourceName" => "S12317 - Ciberseguridad - LeadsSpain (LeadsSpain@yourshortlist.com) - 2024-07-31 1518.eml",
               "creator" => "LeadsSpain <LeadsSpain@yourshortlist.com>",
                 "title" => "S12317 - Ciberseguridad",
            "Message-To" => "Undisclosed recipients:;",
             "Parsed-By" => "org.apache.tika.parser.mail.RFC822Parser",
             "From-Name" => "LeadsSpain"
},

If you really do only want a handful of fields then you could use newKey = "[@metadata][otherStuff][#{newKey}]" and mutate+rename the fields you want to the top-level, then rely on the fact that fields under [@metadata] are discarded when they reach the output stage.

Hope that helps!

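The meta-flattening logic from the answer above, as an added stand-alone Ruby example (not code from the thread or from Logstash) that can be run outside a pipeline. It goes beyond the posted filter in three ways: it tolerates a missing or single `<meta>` element (with `force_array => false` the field is then nil or a Hash, not an Array), it skips entries without a `name`, and it keeps every value of a repeated header instead of overwriting it. It uses a plain Hash in place of the Logstash event, the helper names `set_field` and `flatten_meta` are hypothetical, and all sample values are constructed.

```ruby
require "pp"

RAW_PREFIX = /^Message:Raw-Header:/

# Store value under event[group][name]. A repeated name (several Received
# headers, or two meta names that collapse to the same short key) becomes an
# array of distinct values instead of silently overwriting the earlier one.
def set_field(event, group, name, value)
  bucket = (event[group] ||= {})
  return bucket[name] = value unless bucket.key?(name)
  merged = (Array(bucket[name]) + [value]).uniq
  bucket[name] = merged.size == 1 ? merged.first : merged
end

# meta is what the xml filter leaves in [parsed][head][meta].
def flatten_meta(meta)
  event = {}
  entries = case meta
            when nil  then []      # document had no <meta> elements
            when Hash then [meta]  # exactly one <meta>: not wrapped in an array
            else meta
            end
  entries.each do |m|
    name = m["name"]
    next if name.nil? || name.empty?   # <meta> without a name attribute
    if name =~ RAW_PREFIX
      set_field(event, "headers", name.sub(RAW_PREFIX, ""), m["content"])
    else
      # Strip any namespace-like prefix, as the posted filter does.
      set_field(event, "otherStuff", name.sub(/^.*:/, ""), m["content"])
    end
  end
  event
end

# Constructed sample, shaped like the rubydebug output shown in the thread.
SAMPLE_META = [
  { "name" => "Message:Raw-Header:Received", "content" => "from mx1.example.test by mx2.example.test" },
  { "name" => "Message:Raw-Header:Received", "content" => "from mail.example.test by mx1.example.test" },
  { "name" => "Message:Raw-Header:X-Spam-Status", "content" => "No" },
  { "name" => "Message:From-Email", "content" => "sender@example.test" },
  { "name" => "dcterms:created", "content" => "2024-07-31T13:18:36Z" },
  { "name" => "dc:title", "content" => "Sample subject" },
  { "name" => "title", "content" => "Sample subject" },
  { "name" => "resourceName", "content" => "sample.eml" },
  { "content" => "orphan value" }
].freeze

pp flatten_meta(SAMPLE_META) if __FILE__ == $PROGRAM_NAME
```

Inside a ruby filter the same guards apply to the value returned by `event.remove("[parsed][head][meta]")`, with `event.get` and `event.set` taking the place of the Hash.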

Would you be so kind as to tell me what this would look like approximately in my logstash .conf file that I provided earlier? I'm new to elastic and I want to make sure I do it right and understand it for next times.

Thank you so much

Just replace your xml and mutate+rename filters with the xml and ruby filters from my post.

And what do I do with the "outerStuff", do I include it? What is it for? forgive my ignorance on this topic

Another question, the body of the message, the content itself, is not displayed? Since so far the email headers have been included in the filter, but how could the body of the message be included? Thank you very much for your help, I am learning a lot and I have only been using elastic for 5 days.

That's part of the rubydebug output after running that file through my filters. So

"otherStuff" => {
        "From-Email" => "LeadsSpain@yourshortlist.com",
      "Content-Type" => "message/rfc822",
 ...

is showing you that the event will now have an [otherStuff][From-Email] field, etc. I understood that you are only interested in a subset of these, so you could do something like

mutate {
    rename => {
        "[otherStuff][From-Name]" => "Message-From-Name"
        "[otherStuff][created]" => "created"
        ...
    }
}

If you just want to keep everything then you do not have to put them under otherStuff/headers and can put them at the top-level.

So I imagine it would be something like this, right?

input {
  file {
    path => "/home/jaime/PRUEBA_CORREOS/*.xml"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => multiline {
        pattern => "^<\?xml"
        negate => "true"
        what => "previous"
        auto_flush_interval => 5
    }
  }
}

filter {
   xml {
	source => "message" 
	target => "parsed" 
	force_array => false 
        remove_field => [ "message" ] 
	}
   mutate {
 	"[otherStuff][From-Name]" => "Message-From-Name"
        "[otherStuff][created]" => "created"
        ...
  }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "emails"
  }
}

Would this also be valid?

input {
  file {
    path => "/home/jaime/PRUEBA_CORREOS/*.xml"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => multiline {
        pattern => "^<\?xml"
        negate => "true"
        what => "previous"
        auto_flush_interval => 5
    }
  }
}

filter {
   xml { source => "message" target => "parsed" force_array => false remove_field => [ "message" ] }
    ruby {
        code => '
            meta = event.remove("[parsed][head][meta]")
            meta.each { |x|
                key = x["name"]
                if key =~ /^Message:Raw-Header:/
                    newKey = key.sub(/^Message:Raw-Header:/, "")
                    newKey = "[headers][#{newKey}]"
                else
                    newKey = key.sub(/^.*:/, "")
                    newKey = "[otherStuff][#{newKey}]"
                end
                event.set(newKey, x["content"])
            }
        '
    }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "emails"
  }
}

How could I see the body of the message?
How can I see the otherStuff on my own?

Your config should include

input {
    file {
        ...
    }
}
filter {
    xml {
        ...
    }
    ruby {
        code => '
            ...
        '
    }
    mutate {
        rename => {
            ...
        }
    }
}
output {
    ...
}

There should be a [parsed][body] field in the event. However, you have run the [message] through an xml filter, and HTML is also XML, so the xml filter will parse it. You will probably not like what it produces. It will consume this:

<body><div class="email-entry"><p>
<p> </p>
<p> </p>
<p> </p>
<p>Hola!</p>
<p> </p>
<p>Espero que estés bien.</p>
<p> </p>
<p>Hoy nos hemos comprometido ...</p>
<p> </p>
<p> </p>
<table><tbody><tr>      <td>
<p>Proyecto</p>
</td>       <td>
<p>Ciberseguridad</p>
</td></tr>

and produce

         "body" => {
            "div" => [
                [0] {
                    "class" => "email-entry",
                           ...
                            "p" => [
                            [0] "Hola!",
                            [1] "Espero que estés bien.",
                            [2] "Hoy nos hemos comprometido con el siguiente proyecto que se ajusta a tu\n negocio, consulta el resumen a continuación, y hazme saber si estás dispuesto/a a comprometerte con él.",
                            [3] "Quedo a la espera de tus comentarios, ",
                            [4] "Gracias",
                            [5] "Saludos,"
                        ]

(Notice all the empty <p></p> elements get eaten.) I won't even show you what it does to a table, but trust me, you will not find it useful.

If you want to stash the unprocessed HTML then you could add

    grok { match => { "message" => "<body>%{GREEDYDATA:theHTML}</body>" } }
    mutate { gsub => [ "theHTML", "\r\n", "" ] }

before the xml filter. The mutate+gsub is optional.

To understand the data format I suggest you leave elasticsearch out of it. Run logstash on the command line and review the rubydebug output that you get for a single email file. Tune your filters until you like the resulting data, then send it to elasticsearch and see what you can do with it there.

Hello, I have tested the .conf file following everything you have explained to me, and it has carried out all the ingestion successfully and everything now appears in elastic, making my work much easier.

I leave it here for you to see:

input {
  file {
    path => "/home/jaime/PRUEBA_CORREOS/*.xml"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => multiline {
	pattern => "^<\?xml"
        negate => "true"
        what => "previous"
	auto_flush_interval => 5
    }
  }
}

filter {
  grok { match => { "message" => "<body>%{GREEDYDATA:theHTML}</body>" } }
  
  xml { source => "message" target => "parsed" force_array => false remove_field => [ "message" ] }
    ruby {
        code => '
            meta = event.remove("[parsed][head][meta]")
            meta.each { |x|
                key = x["name"]
                if key =~ /^Message:Raw-Header:/
                    newKey = key.sub(/^Message:Raw-Header:/, "")
                    newKey = "[headers][#{newKey}]"
                else
                    newKey = key.sub(/^.*:/, "")
                    newKey = "[otherStuff][#{newKey}]"
                end
                event.set(newKey, x["content"])
            }
        '
    }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "emails"
  }
}

What I would like, if it were possible, is to improve the filters so that, from Elastic, I can filter by: Who sends the message?, Who receives it?, When do I send it?, etc.

Would this be possible?

Thank you very much

You can run queries against elasticsearch filtering on (or aggregating over) fields like
[otherStuff][From-Name]

I understand that the mutate along with the otherStuff would go as I show in the test code, to be able to filter as I need,
Can this truth be left as is for the body of the message?

input {
  file {
    path => "/home/jaime/PRUEBA_CORREOS/*.xml"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => multiline {
	pattern => "^<\?xml"
        negate => "true"
        what => "previous"
	auto_flush_interval => 5
    }
  }
}

filter {
  grok { match => { "message" => "<body>%{GREEDYDATA:theHTML}</body>" } }
  
  xml { source => "message" target => "parsed" force_array => false remove_field => [ "message" ] }
    ruby {
        code => '
            meta = event.remove("[parsed][head][meta]")
            meta.each { |x|
                key = x["name"]
                if key =~ /^Message:Raw-Header:/
                    newKey = key.sub(/^Message:Raw-Header:/, "")
                    newKey = "[headers][#{newKey}]"
                else
                    newKey = key.sub(/^.*:/, "")
                    newKey = "[otherStuff][#{newKey}]"
                end
                event.set(newKey, x["content"])
            }
        '
    }
    mutate {
    rename => {
        "[otherStuff][From-Name]" => "Message-From-Name"
        "[otherStuff][created]" => "created"
        ...
    }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "emails"
  }
}

I have tried the logstash file adding the mutate to filter and it has not worked, why?
You have ingested all the files correctly BUT you have not added the filters

input {
  file {
    path => "/home/jaime/PRUEBA_CORREOS/*.xml"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => multiline {
	pattern => "^<\?xml"
        negate => "true"
        what => "previous"
	auto_flush_interval => 5
    }
  }
}

filter {
  grok { match => { "message" => "<body>%{GREEDYDATA:theHTML}</body>" } }
  
  xml { source => "message" target => "parsed" force_array => false remove_field => [ "message" ] }
    ruby {
        code => '
            meta = event.remove("[parsed][head][meta]")
            meta.each { |x|
                key = x["name"]
                if key =~ /^Message:Raw-Header:/
                    newKey = key.sub(/^Message:Raw-Header:/, "")
                    newKey = "[headers][#{newKey}]"
                else
                    newKey = key.sub(/^.*:/, "")
                    newKey = "[otherStuff][#{newKey}]"
                end
                event.set(newKey, x["content"])
            }
        '
    }
    mutate {
    rename => {
        "[otherStuff][From-Name]" => "Message-From-Name"
        "[otherStuff][created]" => "created"
        "[otherStuff][From-Email]" => "Message-From-Email"
        "[otherStuff][Content-Type]" => "Content-Type"
        "[otherStuff][Multipart-Boundary]" => "Multipart-Boundary"
        "[otherStuff][Multipart-Subtype]" => "Multipart-Subtype"
        "[otherStuff][Message-From]" => "Message-From"
        "[otherStuff][Content-Length]" => "Content-Length"
        "[otherStuff][resourceName]" => "resourceName"
        "[otherStuff][title]" => "Message-Title"
        "[otherStuff][Message-To]" => "Message-To"
        "[otherStuff][Parsed-By]" => "Message-Parsed-By"
    }
  }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "emails"
  }
}

As I have seen that I have not seen a way to apply the filters directly from the logstash .conf file, I am trying to do it afterwards, but I cannot do it.

Any ideas?

thank you

I am not familiar with that screen or what you can use it for.

It sounds like the data is in elasticsearch and now you want to filter it. That's a kibana/elasticsearch question, not one about logstash. You could try creating a new question in one of those forums.

To create filters I am trying the xpath option to create the filters

 xml { 
    source => "message" 
    target => "parsed" 
    force_array => false 
    remove_field => [ "message" ] 
    xpath => [
      "/html/head/meta[@name='dcterms:created']/@content", "Fecha creacion email",
      "/html/head/meta[@name='Message:From-Email']/@content", "Message from",
      "/html/head/meta[@name='Message-To']/@content", "Message To",
      "/html/head/meta[@name='dc:title']/@content", "Titulo",
      "/html/head/meta[@name='resourceName']/@content", "eml origen",
    ]
  

But it gives an error and after reviewing this I don't know why.

WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2024-08-14 11:03:53.705 [main] runner - NOTICE: Running Logstash as superuser is not recommended and won't be allowed in the future. Set 'allow_superuser' to 'false' to avoid startup errors in future releases.
[WARN ] 2024-08-14 11:03:53.718 [main] runner - The use of JAVA_HOME has been deprecated. Logstash 8.0 and later ignores JAVA_HOME and uses the bundled JDK. Running Logstash with the bundled JDK is recommended. The bundled JDK has been verified to work with each specific version of Logstash, and generally provides best performance and reliability. If you have compelling reasons for using your own JDK (organizational-specific compliance requirements, for example), you can configure LS_JAVA_HOME to use that version instead.
[INFO ] 2024-08-14 11:03:53.718 [main] runner - Starting Logstash {"logstash.version"=>"8.15.0", "jruby.version"=>"jruby 9.4.8.0 (3.1.4) 2024-07-02 4d41e55a67 OpenJDK 64-Bit Server VM 21.0.4+7-LTS on 21.0.4+7-LTS +indy +jit [x86_64-linux]"}
[INFO ] 2024-08-14 11:03:53.720 [main] runner - JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Dlogstash.jackson.stream-read-constraints.max-string-length=200000000, -Dlogstash.jackson.stream-read-constraints.max-number-length=10000, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED, -Dio.netty.allocator.maxOrder=11]
[INFO ] 2024-08-14 11:03:53.722 [main] runner - Jackson default value override `logstash.jackson.stream-read-constraints.max-string-length` configured to `200000000`
[INFO ] 2024-08-14 11:03:53.722 [main] runner - Jackson default value override `logstash.jackson.stream-read-constraints.max-number-length` configured to `10000`
[WARN ] 2024-08-14 11:03:53.848 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2024-08-14 11:03:54.168 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9601, :ssl_enabled=>false}
[ERROR] 2024-08-14 11:03:54.332 [Converge PipelineAction::Create<main>] agent - Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", [A-Za-z0-9_-], '\"', \"'\", [A-Za-z_], \"-\", [0-9], \"[\", \"{\" at line 29, column 5 (byte 853) after filter {\n  grok { match => { \"message\" => \"<body>%{GREEDYDATA:theHTML}</body>\" } }\n  \n  xml { \n    source => \"message\" \n    target => \"parsed\" \n    force_array => false \n    remove_field => [ \"message\" ]\n    xpath => [\n      \"/html/head/meta[@name='dcterms:created']/@content\", \"Fecha creacion email\",\n      \"/html/head/meta[@name='Message:From-Email']/@content\", \"Message from\",\n      \"/html/head/meta[@name='Message-To']/@content\", \"Message To\",\n      \"/html/head/meta[@name='dc:title']/@content\", \"Titulo\",\n      \"/html/head/meta[@name='resourceName']/@content\", \"eml origen\",\n    ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:239:in `initialize'", "org/logstash/execution/AbstractPipelineExt.java:173:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:48:in `initialize'", "org/jruby/RubyClass.java:949:in `new'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:49:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:386:in `block in converge_state'"]}
[INFO ] 2024-08-14 11:03:54.350 [LogStash::Runner] runner - Logstash shut down.

Read the error message

It's complaining about what comes after "eml origen", which is the ] to close the array value of the xpath option. But comma is only used to separate entries within the array. You cannot have a trailing comma at the end of the array. Change "eml origen", to "eml origen"

It doesn't return any errors, but the filters still don't work. What is the reason?