Logstash output email plugin failure

shailendra1 · January 26, 2024, 4:09am

Hello Team,
i am using elk 8.5.3 and in the logstash output plugin , its failing with SMTP syntax error as pasted below

ERROR][logstash.outputs.email   ][main][9ab43dc1824014b9cc39372f569aeded7925e535ec037015bed8af14390dcff0] Something happen while delivering an email {:exception=>#<Net:**:SMTPSyntaxError: 501 5.1.7 Invalid address**

email {
                                to => '%{[netcool_alert][recipients]}'
                                from => '%{[netcool_alert][from]}'
                                body => "Subject: %{[netcool_alert][subject]}\nHostname: %{[netcool_alert][hostname]}"
                                domain => 'smtp.uat1entp.abcd.com'
                                address => 'smtp.uat1entp.abcd.com'
                                port => 25
                                use_tls => true
                                }

strawgate · January 26, 2024, 4:31am

Can you share an example log so we can see what these values you're passing to the email output actually look like?

This error means that the value in the to field or the value in the from field is invalid.

You can add this before your email output in the output block to print the event to logstash stdout for troubleshooting

stdout { codec => rubydebug }

shailendra1 · January 26, 2024, 4:42am

below is the output is passing and output from the codec

                "severity" => "CRITICAL",
             " alertgroup" => "SERVICEWATCH",
             " recipients" => "adapavp@uat1entp.abcd.com",
        " applicationcode" => "demo",
               " hostname" => "demo",
                   " from" => "demo_portal@1entp.abcd.com",
                " message" => "<CRITICAL> 2024-01-26 12:23:00. Max Humidity of 58.7% reached. Affected zone(s): SG3:3:03:HALL6:Z4(55.14%), DCE:::S320A:Z7(46.81%)", " instanceid" => "SG3:3:03:HALL6:Z6"," alertkey" => "ZONE_HUMIDITY_CRITICAL_SG3:3:03:HALL6:Z6"," ichampgroup" => "PSG_abcdINF_demo","subject" => "<CRITICAL> 2024-01-26 12:23:00. Max Humidity of 58.7% reached."," instancevalue" => "58.7"

i can see the values which i am passing seems correctly filled for parameters, i am facing in the email trigger ouput.

strawgate · January 26, 2024, 12:59pm

It might make sense to try hard coding the to and from addresses instead of pulling from the event and seeing if it works.

This would help narrow down whether the issue is with the values from the document or from the values themselves.

shailendra1 · January 29, 2024, 2:45am

thanks @strawgate , when i passed hardcoded values its going throught to send emails.

    "event" => {
        "original" => "{\"@timestamp\":\"2024-01-29T02:36:08.955Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"_doc\",\"version\":\"8.5.3\"},\"agent\":{\"version\":\"8.5.3\",\"ephemeral_id\":\"18ac6df1-2395-4cec-a817-5c739a4d4b66\",\"id\":\"16974657-8a7a-4f23-8d32-b9c1c67c1b81\",\"name\":\"x01sshost1.vsi.uat.abcd.com\",\"type\":\"filebeat\"},\"ecs\":{\"version\":\"8.0.0\"},\"host\":{\"name\":\"x01sshost1.vsi.uat.abcd.com\"},\"log\":{\"file\":{\"path\":\"/logs/path/elasticsearch/path_mutli_action_netcool_watcher.log\"},\"offset\":118386},\"message\":\"2024-01-29T10:36:00,078, {0={severity=CRITICAL, alertgroup=SERVICEWATCH, hostname=path-APP, applicationcode=path, ichampgroup=[PSG_abcdINF_path], instanceid=DCE:::S320A:Z1DCE:::S320A:Z2DCE:::S320A:Z3DCE:::S320A:Z4DCE:::S320A:Z5DCE:::S320A:Z6DCE:::S320A:Z7SG3:3:03:HALL6:Z4SG3:3:03:HALL6:Z5SG3:3:03:HALL6:Z8SG3:3:03:HALL6:Z2SG3:3:03:HALL6:Z6SG3:3:03:HALL6:Z1SG3:3:03:HALL6:Z7SG3:3:03:HALL6:Z3, recipients=[adapavp@uat11ent.abcd.com], subject=\\\"<CRITICAL> 2024-01-29 10:35:00. Max Humidity of 57.48% reached.\\\", instancevalue=0, from=adapavp@uat11ent.abcd.com, alertkey=ZONE_HUMIDITY_CRITICAL, message=\\\"<CRITICAL> 2024-01-29 10:35:00. Max Humidity of 57.48% reached. Affected zone(s): DCE:::S320A:Z1(45.56%), DCE:::S320A:Z2(45.77%), DCE:::S320A:Z3(43.83%), DCE:::S320A:Z4(46.23%), DCE:::S320A:Z5(45.02%), DCE:::S320A:Z6(44.77%), DCE:::S320A:Z7(46.41%), SG3:3:03:HALL6:Z4(54.98%), SG3:3:03:HALL6:Z5(55.39%), SG3:3:03:HALL6:Z8(55.96%), SG3:3:03:HALL6:Z2(55.75%), SG3:3:03:HALL6:Z6(57.48%), SG3:3:03:HALL6:Z1(56.62%), SG3:3:03:HALL6:Z7(55.96%), SG3:3:03:HALL6:Z3(55.31%)\\\"}}\",\"metadata\":{\"timezone\":\"Asia/India\"},\"topic\":\"trigger_netcool_alerts\",\"input\":{\"type\":\"filestream\"}}"

i have few doubts here -

Why the logstash is showing correct events values in debug console mode
if the values on the debug/console are correct it should pass the same values in the parameters ?

please correct my understanding

also is it because if i have dateparse failure in events .

{
             "@timestamp" => 2024-01-29T02:36:08.955Z,
                   "tags" => [
        [0] "_dateparsefailure"
    ],

Badger · January 29, 2024, 3:51am

If you replace the email output with stdout { codec => rubydebug} then what do these two fields inside [netcool_alert] look like? Are they arrays or comma-separated strings?

shailendra1 · January 29, 2024, 6:32am

inside the codec in the [netcool_alerts] below are the values coming

          "netcool_alert" => {
             " instanceid" => "DCE:::S320A:Z1DCE:::S320A:Z2DCE:::S320A:Z3DCE:::S320A:Z4DCE:::S320A:Z5DCE:::S320A:Z6DCE:::S320A:Z7SG3:3:03:HALL6:Z4SG3:3:03:HALL6:Z5SG3:3:03:HALL6:Z8SG3:3:03:HALL6:Z2SG3:3:03:HALL6:Z6SG3:3:03:HALL6:Z1SG3:3:03:HALL6:Z7SG3:3:03:HALL6:Z3",
                " message" => "<CRITICAL> 2024-01-29 11:55:00. Max Humidity of 57.91% reached. Affected zone(s): DCE:::S320A:Z1(45.68%), DCE:::S320A:Z2(45.69%), DCE:::S320A:Z3(43.87%), DCE:::S320A:Z4(45.99%), DCE:::S320A:Z5(45.1%), DCE:::S320A:Z6(44.71%), DCE:::S320A:Z7(46.33%), SG3:3:03:HALL6:Z4(54.85%), SG3:3:03:HALL6:Z5(55.83%), SG3:3:03:HALL6:Z8(56.13%), SG3:3:03:HALL6:Z2(55.48%), SG3:3:03:HALL6:Z6(57.91%), SG3:3:03:HALL6:Z1(56.2%), SG3:3:03:HALL6:Z7(56.13%), SG3:3:03:HALL6:Z3(54.72%)",
            " ichampgroup" => "PSG_ABCDINF_ENT",
          " instancevalue" => "0",
             " alertgroup" => "SERVICEWATCH",
                " subject" => "<CRITICAL> 2024-01-29 11:55:00. Max Humidity of 57.91% reached.",
               " alertkey" => "ZONE_HUMIDITY_CRITICAL",
        " applicationcode" => "ENT",
             " recipients" => "adapavp@uat1ent.ABCD.com",
                   " from" => "adapavp@uat1ent.ABCD.com",
                "severity" => "CRITICAL",
               " hostname" => "ENT-APP"
    },

i am also doubting whether whitespace is causing the issue ? if so how i can over come from it if not then what else is causing it.

Badger · January 29, 2024, 3:39pm

You do not have a

[netcool_alert][recipients]

field, you have a

[netcool_alert][ recipients]

field (with a space in the fieldname), so the to option will evaluate to %{[netcool_alert][recipients]}, which is not a valid email address.

If you are using a kv filter then the trim_key option may help you.

Gadapa_Vasundhara · January 29, 2024, 6:06pm

Hi @Badger Passing Current time in Logstash input plugin 'exec' for executing API in curl - #4 by Badger.. Can you help me on process monitor in elk

shailendra1 · February 5, 2024, 3:38am

thank you @Badger . i have fixed this emails fileds after removing the extra space from the code which was genrating the events .
thank you @strawgate , for your valueable inputs.

system · March 4, 2024, 3:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem of plugin logstash-input-imap Logstash	4	1952	July 6, 2017
Logstash conf file for Email Alert Logstash	6	309	January 17, 2023
From logstash i need to send email to gmail Logstash	8	3458	October 4, 2017
Problem indexation mails to elasticsearch with logstash Logstash	3	480	June 4, 2018
Logstash Email Output Plugin not using environmental variables Logstash	3	167	March 5, 2024

Logstash output email plugin failure

Related Topics