Imap input plugin download attachment


I am using imap input plugin to fetch email along with attachments. Below configuration gets me multiple fields but does not get the attachment content.
Can anyone help here how to download attachments while connection with imap

input { imap { host => "" port => 123 user => "" password => "******" check_interval => 3600 fetch_count => 100 folder => "Inbox" content_type => "application/gzip" } }

try to add save_attachments parameter
When set to true the content of attachments will be included in the field.

input { 
	imap { 
			host => "" 
			port => 123 
			user => "" 
			password => "******" 
			check_interval => 3600 
			fetch_count => 100 
			folder => "Inbox" 
			content_type => "application/gzip" 
			save_attachments => true


Thanks for the reply
I tried adding this parameter, but it gives error

[ERROR] 2020-12-17 12:36:28.400 [Converge PipelineAction::Create] agent - Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"Java::JavaLang::IllegalStateException", :message=>"Unable to configure plugins: (ConfigurationError) Something is wrong with your configuration.",

** Only change I did was
save_attachments => true

What version of logstash are you using ?
I guess this option has been introduced with logstash 7.9.0 (check it here)

1 Like

[INFO ] 2020-12-17 13:23:04.243 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"7.8.0", "jruby.version"=>"jruby (2.5.7) 2020-03-25 b1f55b1a40 OpenJDK 64-Bit Server VM 25.262-b10 on 1.8.0_262-b10 +indy +jit [linux-x86_64]"}
[INFO ] 2020-12-17 13:23:08.562 [Converge PipelineAction::Create] Reflections - Reflections took 127 ms to scan 1 urls, producing 21 keys and 41 values
[ERROR] 2020-12-17 13:23:09.082 [Converge PipelineAction::Create] imap - Unknown setting 'save_attachments' for imap

Its 7.8.0

Ok..Let me try it out with 7.9 then..I am using 7.8 right now.

1 Like

Thanks @ylasri, its working with 7.9.x version of logstash. Only prob now is that is encrypted and not in human readable format and so cant apply parsing to it.

Probably need to use some python code to fetch attachment, store at a location and then use logstash to read the file and parse it.

Check if the content is not base64 encoded ?

Yes it's base64 encoded and then you can use an other elasticsearch plugin Ingest Attachment Processor to ge the content of the attachmenet with an ingest pipeline

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.