Imap Plugin Parsing Error

Stefano_Serano · May 14, 2020, 7:25am

Hi all.
I've configured logstash multiple input:

Filebeat Input
Imap Plugin Input

and output to two different Elasticsearch index.

After upgrade form 7.2 to 7.6 logstash not index mails anymore prompting this error:

:exception=>#<LogStash::Json::ParserError: Unrecognized token 'dsfwdfqwd': was expecting ('true', 'false' or 'null')
at [Source: (byte)" Message Body

Message Body = Any message i put in mail body.

So, i think logstash is trying to parsing Json instead using ruby codex. my first impression is that logstash is using the wrong output, but i'm not sure. Here my configuration:
'''

Imap Input

input {
imap {
host => "host.domain.it"
password => "mypw"
user => "mymail"
port=> 143
secure=>"false"
check_interval => 10
tags => [ "emails" ]
}
}

Wazuh Input

input {
beats {
port => 5000

}

output {
if "emails" in [tags] {
stdout { codec => rubydebug }
elasticsearch {
index => "email-monitoring"
document_type => "email"
hosts => "127.0.0.1:9200"
}
}
if "emails" not in [tags] {
elasticsearch {
hosts => ["127.0.0.1:9200"]
index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"

}
}
'''
If i remove the filebeat configuration mails are indexed correctly

Hope someone can help me figured out the problem.

system · June 11, 2020, 7:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash issue with json input from beats [Solved] Logstash	6	10439	October 9, 2017
Imap input gives weird error Logstash	7	767	January 5, 2022
Problem parsing Json from Beats Logstash	2	2164	August 28, 2017
Unexpected error with Beats input plugin Logstash	9	725	September 10, 2021
Logstash-imap-input-error Logstash	3	504	November 8, 2018

Imap Plugin Parsing Error

Imap Input

Wazuh Input

Related topics