Logstash output email plugin failure

Hello Team,
I am using ELK 8.5.3, and the Logstash output plugin is failing with an SMTP syntax error, as pasted below.

ERROR][logstash.outputs.email   ][main][9ab43dc1824014b9cc39372f569aeded7925e535ec037015bed8af14390dcff0] Something happen while delivering an email {:exception=>#<Net::SMTPSyntaxError: 501 5.1.7 Invalid address

email {
    to => '%{[netcool_alert][recipients]}'
    from => '%{[netcool_alert][from]}'
    body => "Subject: %{[netcool_alert][subject]}\nHostname: %{[netcool_alert][hostname]}"
    domain => 'smtp.uat1entp.abcd.com'
    address => 'smtp.uat1entp.abcd.com'
    port => 25
    use_tls => true
}

Can you share an example log so we can see what these values you're passing to the email output actually look like?

This error means that the value in the to field or the value in the from field is invalid.

You can add this before your email output in the output block to print the event to Logstash stdout for troubleshooting:

stdout { codec => rubydebug }

Below is the output that is passing and the output from the codec:

                "severity" => "CRITICAL",
             " alertgroup" => "SERVICEWATCH",
             " recipients" => "adapavp@uat1entp.abcd.com",
        " applicationcode" => "demo",
               " hostname" => "demo",
                   " from" => "demo_portal@1entp.abcd.com",
                " message" => "<CRITICAL> 2024-01-26 12:23:00. Max Humidity of 58.7% reached. Affected zone(s): SG3:3:03:HALL6:Z4(55.14%), DCE:::S320A:Z7(46.81%)",
             " instanceid" => "SG3:3:03:HALL6:Z6",
               " alertkey" => "ZONE_HUMIDITY_CRITICAL_SG3:3:03:HALL6:Z6",
            " ichampgroup" => "PSG_abcdINF_demo",
                 "subject" => "<CRITICAL> 2024-01-26 12:23:00. Max Humidity of 58.7% reached.",
          " instancevalue" => "58.7"

I can see that the values which I am passing seem to be correctly filled for the parameters; I am facing the issue in the email trigger output.

It might make sense to try hard coding the to and from addresses instead of pulling from the event and seeing if it works.

This would help narrow down whether the issue is with the values from the document or from the values themselves.

Thanks @strawgate, when I passed hardcoded values it's going through to send emails.

    "event" => {
        "original" => "{\"@timestamp\":\"2024-01-29T02:36:08.955Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"_doc\",\"version\":\"8.5.3\"},\"agent\":{\"version\":\"8.5.3\",\"ephemeral_id\":\"18ac6df1-2395-4cec-a817-5c739a4d4b66\",\"id\":\"16974657-8a7a-4f23-8d32-b9c1c67c1b81\",\"name\":\"x01sshost1.vsi.uat.abcd.com\",\"type\":\"filebeat\"},\"ecs\":{\"version\":\"8.0.0\"},\"host\":{\"name\":\"x01sshost1.vsi.uat.abcd.com\"},\"log\":{\"file\":{\"path\":\"/logs/path/elasticsearch/path_mutli_action_netcool_watcher.log\"},\"offset\":118386},\"message\":\"2024-01-29T10:36:00,078, {0={severity=CRITICAL, alertgroup=SERVICEWATCH, hostname=path-APP, applicationcode=path, ichampgroup=[PSG_abcdINF_path], instanceid=DCE:::S320A:Z1DCE:::S320A:Z2DCE:::S320A:Z3DCE:::S320A:Z4DCE:::S320A:Z5DCE:::S320A:Z6DCE:::S320A:Z7SG3:3:03:HALL6:Z4SG3:3:03:HALL6:Z5SG3:3:03:HALL6:Z8SG3:3:03:HALL6:Z2SG3:3:03:HALL6:Z6SG3:3:03:HALL6:Z1SG3:3:03:HALL6:Z7SG3:3:03:HALL6:Z3, recipients=[adapavp@uat11ent.abcd.com], subject=\\\"<CRITICAL> 2024-01-29 10:35:00. Max Humidity of 57.48% reached.\\\", instancevalue=0, from=adapavp@uat11ent.abcd.com, alertkey=ZONE_HUMIDITY_CRITICAL, message=\\\"<CRITICAL> 2024-01-29 10:35:00. Max Humidity of 57.48% reached. Affected zone(s): DCE:::S320A:Z1(45.56%), DCE:::S320A:Z2(45.77%), DCE:::S320A:Z3(43.83%), DCE:::S320A:Z4(46.23%), DCE:::S320A:Z5(45.02%), DCE:::S320A:Z6(44.77%), DCE:::S320A:Z7(46.41%), SG3:3:03:HALL6:Z4(54.98%), SG3:3:03:HALL6:Z5(55.39%), SG3:3:03:HALL6:Z8(55.96%), SG3:3:03:HALL6:Z2(55.75%), SG3:3:03:HALL6:Z6(57.48%), SG3:3:03:HALL6:Z1(56.62%), SG3:3:03:HALL6:Z7(55.96%), SG3:3:03:HALL6:Z3(55.31%)\\\"}}\",\"metadata\":{\"timezone\":\"Asia/India\"},\"topic\":\"trigger_netcool_alerts\",\"input\":{\"type\":\"filestream\"}}"

I have a few doubts here:

  • Why is Logstash showing the correct event values in debug console mode?

  • If the values on the debug/console are correct, it should pass the same values in the parameters?

Please correct my understanding.

Also, is it because I have a dateparse failure in the events?

{
             "@timestamp" => 2024-01-29T02:36:08.955Z,
                   "tags" => [
        [0] "_dateparsefailure"
    ],

If you replace the email output with stdout { codec => rubydebug} then what do these two fields inside [netcool_alert] look like? Are they arrays or comma-separated strings?

Inside the codec, below are the values coming in [netcool_alerts]:

          "netcool_alert" => {
             " instanceid" => "DCE:::S320A:Z1DCE:::S320A:Z2DCE:::S320A:Z3DCE:::S320A:Z4DCE:::S320A:Z5DCE:::S320A:Z6DCE:::S320A:Z7SG3:3:03:HALL6:Z4SG3:3:03:HALL6:Z5SG3:3:03:HALL6:Z8SG3:3:03:HALL6:Z2SG3:3:03:HALL6:Z6SG3:3:03:HALL6:Z1SG3:3:03:HALL6:Z7SG3:3:03:HALL6:Z3",
                " message" => "<CRITICAL> 2024-01-29 11:55:00. Max Humidity of 57.91% reached. Affected zone(s): DCE:::S320A:Z1(45.68%), DCE:::S320A:Z2(45.69%), DCE:::S320A:Z3(43.87%), DCE:::S320A:Z4(45.99%), DCE:::S320A:Z5(45.1%), DCE:::S320A:Z6(44.71%), DCE:::S320A:Z7(46.33%), SG3:3:03:HALL6:Z4(54.85%), SG3:3:03:HALL6:Z5(55.83%), SG3:3:03:HALL6:Z8(56.13%), SG3:3:03:HALL6:Z2(55.48%), SG3:3:03:HALL6:Z6(57.91%), SG3:3:03:HALL6:Z1(56.2%), SG3:3:03:HALL6:Z7(56.13%), SG3:3:03:HALL6:Z3(54.72%)",
            " ichampgroup" => "PSG_ABCDINF_ENT",
          " instancevalue" => "0",
             " alertgroup" => "SERVICEWATCH",
                " subject" => "<CRITICAL> 2024-01-29 11:55:00. Max Humidity of 57.91% reached.",
               " alertkey" => "ZONE_HUMIDITY_CRITICAL",
        " applicationcode" => "ENT",
             " recipients" => "adapavp@uat1ent.ABCD.com",
                   " from" => "adapavp@uat1ent.ABCD.com",
                "severity" => "CRITICAL",
               " hostname" => "ENT-APP"
    },

I am also doubting whether whitespace is causing the issue. If so, how can I overcome it? If not, then what else is causing it?

You do not have a [netcool_alert][recipients] field, you have a [netcool_alert][ recipients] field (with a space in the fieldname), so the to option will evaluate to %{[netcool_alert][recipients]}, which is not a valid email address.

If you are using a kv filter then the trim_key option may help you.

1 Like
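An added example (not from the thread or from the Logstash project) of the trim_key suggestion above, combined with a guard that keeps events with a missing or malformed address away from the email output. The [alert_kv] source field, the simple comma-separated "key=value" input layout and the single-address pattern are assumptions.

```logstash
filter {
  kv {
    source      => "alert_kv"        # hypothetical field holding "k=v, k=v" text
    target      => "netcool_alert"
    field_split => ","
    value_split => "="
    trim_key    => " "               # " recipients" becomes "recipients"
  }
}

output {
  # Mail only when both fields exist and hold exactly one address with no
  # whitespace or commas (assumed policy). A missing field does not match,
  # so the event takes the else branch instead of reaching the SMTP server
  # as the unresolved literal %{[netcool_alert][recipients]}.
  if [netcool_alert][recipients] =~ /\A[^@\s,]+@[^@\s,]+\z/ and [netcool_alert][from] =~ /\A[^@\s,]+@[^@\s,]+\z/ {
    email {
      to      => "%{[netcool_alert][recipients]}"
      from    => "%{[netcool_alert][from]}"
      subject => "%{[netcool_alert][subject]}"
      body    => "Hostname: %{[netcool_alert][hostname]}"
      domain  => "smtp.uat1entp.abcd.com"
      address => "smtp.uat1entp.abcd.com"
      port    => 25
      use_tls => true
    }
  } else {
    # Surface the rejected event so the bad field name or value is visible.
    stdout { codec => rubydebug }
  }
}
```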

Hi @Badger, Passing Current time in Logstash input plugin 'exec' for executing API in curl - #4 by Badger. Can you help me on process monitor in ELK?

Thank you @Badger. I have fixed these email fields after removing the extra space from the code which was generating the events.
Thank you @strawgate for your valuable inputs.
