Logstash and VirusTotal

sampasei · November 16, 2015, 7:04pm

Hi All,
i've tried to use Lostash 2.0 with VirusTotal plugin

without any result.
Here my config file snippet:

    virustotal {
            apikey => "myapikey"
            field => [src_ip]
            lookup_type => "url"
            target => "virustotal"
    }

Below the error code

`Exception in filterworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {"exception"=>#<JSON::ParserError: A JSON text must at least contain two octets!>'

JSON::ParserError: A JSON text must at least contain two octets!
     initialize at json/ext/Parser.java:175
            new at json/ext/Parser.java:151
          parse at /opt/logstash/vendor/bundle/jruby/1.9/gems/json-1.8.3-java/lib/json/common.rb:155
         filter at /opt/logstash/vendor/local_gems/0f94f654/logstash-filter-virustotal-0.1.1/lib/logstash/filters/virustotal.rb:53
   multi_filter at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.0.0-java/lib/logstash/filters/base.rb:152
           each at org/jruby/RubyArray.java:1613
   multi_filter at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.0.0-java/lib/logstash/filters/base.rb:149
    filter_func at (eval):1467
   filterworker at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.0.0-java/lib/logstash/pipeline.rb:219
  start_filters at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.0.0-java/lib/logstash/pipeline.rb:154

How can i avoid this error?
Thanks

magnusbaeck · November 16, 2015, 8:11pm

Since this error originates in the virustotal plugin perhaps you should contact its author? Reading the plugin's source code it looks like it blindly assumes that it gets a non-empty response from the server but that doesn't seem to hold true in your case.