Imap Plugin Parsing Error

Stefano_Serano · May 14, 2020, 7:25am

Hi all.
I've configured logstash multiple input:

Filebeat Input
Imap Plugin Input

and output to two different Elasticsearch index.

After upgrade form 7.2 to 7.6 logstash not index mails anymore prompting this error:

:exception=>#<LogStash::Json::ParserError: Unrecognized token 'dsfwdfqwd': was expecting ('true', 'false' or 'null')
at [Source: (byte)" Message Body

Message Body = Any message i put in mail body.

So, i think logstash is trying to parsing Json instead using ruby codex. my first impression is that logstash is using the wrong output, but i'm not sure. Here my configuration:
'''

Imap Input

input {
imap {
host => "host.domain.it"
password => "mypw"
user => "mymail"
port=> 143
secure=>"false"
check_interval => 10
tags => [ "emails" ]
}
}

Wazuh Input

input {
beats {
port => 5000

}

output {
if "emails" in [tags] {
stdout { codec => rubydebug }
elasticsearch {
index => "email-monitoring"
document_type => "email"
hosts => "127.0.0.1:9200"
}
}
if "emails" not in [tags] {
elasticsearch {
hosts => ["127.0.0.1:9200"]
index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"

}
}
'''
If i remove the filebeat configuration mails are indexed correctly

Hope someone can help me figured out the problem.

system · June 11, 2020, 7:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Imap input gives weird error Logstash	7	767	January 5, 2022
Unexpected error with Beats input plugin Logstash	9	724	September 10, 2021
_jsonparsefailure with filebeat and logstash Logstash	11	965	January 31, 2023
Logstash-input-imap plugin error Logstash	1	578	February 8, 2018
Logstash IMAP issues Elasticsearch	1	482	July 6, 2017

Imap Plugin Parsing Error

Imap Input

Wazuh Input

Related Topics