Hi all.
I've configured Logstash with multiple inputs:
Filebeat input
IMAP plugin input
and output to two different Elasticsearch indices.
After upgrading from 7.2 to 7.6, Logstash does not index mails anymore, prompting this error:
:exception=>#<LogStash::Json::ParserError: Unrecognized token 'dsfwdfqwd': was expecting ('true', 'false' or 'null')
at [Source: (byte)" Message Body
Message Body = any message I put in the mail body.
So, I think Logstash is trying to parse JSON instead of using the ruby codec. My first impression is that Logstash is using the wrong output, but I'm not sure. Here is my configuration:
```
# Imap Input
input {
  imap {
    host => "host.domain.it"
    password => "mypw"
    user => "mymail"
    # plain IMAP on port 143, TLS disabled
    port => 143
    secure => false
    check_interval => 10
    # tag used by the output conditionals below
    tags => [ "emails" ]
  }
}

# Wazuh Input
input {
  beats {
    port => 5000
  }
}

output {
  # events from the imap input
  if "emails" in [tags] {
    stdout { codec => rubydebug }
    elasticsearch {
      index => "email-monitoring"
      document_type => "email"
      hosts => "127.0.0.1:9200"
    }
  }
  # everything else (beats input)
  if "emails" not in [tags] {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
    }
  }
}
```
If I remove the Filebeat configuration, mails are indexed correctly.
Hope someone can help me figure out the problem.