Plugin imap: get attachment

Elastic Stack Logstash
1

Hi all,

With logstash-oss v7.17.6, i want to read a .zip attachment in a mail. I can read the mail itself, but the attachment can not be read.

Logstash conf file:

input {
  imap {
    id => "dmarc"
    host => "xxx"
    password => "xxx"
    user => "xxx"
    port => 993
    secure => true
    check_interval => 60
    save_attachments => true
    strip_attachments => false
    folder => "Inbox"
    content_type => "application/zip"
    codec => plain {
      charset => "ISO-8859-1"
    }
  }
}

Result:

{
	"delivered-to" => "<xxx>",
	"from" => "noreply-dmarc-support@google.com",
	"x-google-dkim-signature" => "v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:content-disposition:to:from:subject :message-id:date:mime-version:x-gm-message-state:from:to:cc; bh=xwTFX4421b2kXPF/O1XR4Jl9I/BWLp4Tw/GewxhnTPk=; b=b4iKsK6pa6eWfVIv2TLD7GJyBQFM+gweXDtMKtW+0cxA9PsmF85ZHDUejbcW6NFo1i CkEpYjQnagV1YtwRb4eXvPs+btDebpfqEhP8kyt5aA33iNio6EymaXp8GDSTYo8kiBeO 2LU2Jex2l59h+ByBxeNno4dlc9O9mq7LSUQOqraYP7mTnrhEmZRMp1F3IS9Bd3Lr2Py4 I9PeLFXt3JVrP2K8ugKXiU8OFjxPjMA6v655Dv31Y056jUHMFQJWnRNOT+0C43LJBuSe jlo6qJnH9lozq2SRPqrAt3xIPv0u6zomol3jIB8LEoTsY2NBSbic6aYHl3gJ8IefhzSf 5mnQ==",
	"@version" => "1",
	"x-xxx-mailscanner-efa" => "Found to be clean",
	"subject" => "Report domain: xxx Submitter: google.com Report-ID: 1850682791998211228",
	"x-xxx-mailscanner-efa-id" => "4MHfww1TwRz50blH",
	"x-google-smtp-source" => "AA6agR7Ov1SrSIl4iWFcu/ibGvr7X7Ne4AM1U+naTMxCCQTNn7TJG0WOPcIf95vN2VqCVptaAARrde+mdMp/oA==",
	"arc-authentication-results" => "i=1; mail.xxx; dkim=pass header.d=google.com header.s=20210112 header.b=OjRam96k; spf=pass (mail.xxx: domain of noreply-dmarc-support@google.com designates 209.85.219.73 as permitted sender) smtp.mailfrom=noreply-dmarc-support@google.com",
	"dkim-filter" => [
[0] "OpenDKIM Filter v2.11.0 xxx 4MHfwy6tYqz50blH",
[1] "OpenDKIM Filter v2.11.0 xxx 4MHfww1TwRz50blH"
],
	"x-spam-level" => "********",
	"x-xxx-mailscanner-efa-watermark" => "1662545233.50653@J47O3tT1XbVGvvQPOCil/g",
	"content-type" => "application/zip; name=google.com!xxx!1661817600!1661903999.zip",
	"x-spam-status" => "No",
	"to" => "dmarc@xxx",
	"x-gm-message-state" => "ACgBeo243b5Zb2PzLvG0hSvZ3vc+YxbspBzw3bhRztNIuzxdBYW+Sdq1 mcnJeSxdF/vDKrcUYbc12g==",
	"x-received" => "by 2002:a05:620a:10a4:b0:6ba:e280:3aff with SMTP id h4-20020a05620a10a400b006bae2803affmr15238469qkk.177.1661940430123; Wed, 31 Aug 2022 03:07:10 -0700 (PDT)",
	"dmarc-filter" => "OpenDMARC Filter v1.4.1 xxx 4MHfww1TwRz50blH",
	"arc-message-signature" => "i=1; a=rsa-sha256; c=relaxed/relaxed; d=xxx; s=dkim; t=1661940431; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding:dkim-signature; bh=xwTFX4421b2kXPF/O1XR4Jl9I/BWLp4Tw/GewxhnTPk=; b=56AohUNVIsFIJYYEoVeVN5JqmQEm80Hsyk/HA3BwIz5OY4RNBOSxynmgCAoRxwSWKvwyG9 6PAYEgOuomISQYFRgeGVct/mf8p7j+b+HfYLeyK+v4gWU3Fso4at6g+WAikiBgX6HrephC WJxIRk56twPgN+NYVYXo+3C+iKk848xeXmGK9JuIQcNfexUw1IFcaWgAxTMDeZxIsFmUei zo2MuI+CUPJ1qWPgm0Ef8wGzmt7OkmVVHlv3h9hYAmJBS3SXWPJxuhgRcJKUbM6zxsC+ML A1DcfgK/ekf5pa6RT6brRWr8hoXhpzHzB9nMlitN/kFk8T+Ktq64Aszl5m1OUA==",
	"authentication-results" => "xxx; arc=reject (\"signature check failed: fail, {[1] = sig:xxx:reject}\")",
	"dkim-signature" => "v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=content-transfer-encoding:content-disposition:to:from:subject :message-id:date:mime-version:from:to:cc; bh=xwTFX4421b2kXPF/O1XR4Jl9I/BWLp4Tw/GewxhnTPk=; b=OjRam96kURGmYCE3INxpgmABg4Ww0jgMwOPbqA9AE8/wTPkaUGX5/mz0iNDZr1vrVl wIM4FD/OKYXz+Yp7a6mOBqWK+ne4yt0QgsjRnPO56UuJwpGAtKvSf4KxqZAf4zm9SG3n EOyIKTuBS6NB0guErkMzm6gFNqkAiFIwqR8TMp3yV5qfHGK0i/54bCZ54pgIhaRA7SNr NfkVDBrR27reKR+dfj+vJZyBI7k3MfthYEwyIvehXqv7A3wQbyi7xAinlfuk/xYbrUdl 5+HDYKixbwbYCYQL6r1yWAFOnbyPA6N57HV3riP75V+Mymh/ziYhrRD52mRLK15h3Oh6 5vjg==",
	"content-transfer-encoding" => "base64",
	"date" => "Tue, 30 Aug 2022 16:59:59 -0700",
	"mime-version" => "1.0",
	"content-disposition" => "attachment; filename=google.com!xxx!1661817600!1661903999.zip",
	"x-spam" => "Yes",
	"message-id" => "<1850682791998211228@google.com>",
	"received" => [
[0] "from xxx ([10.42.137.195]) by xxx with LMTP id yNKdEtMyD2O5PQAASODelQ (envelope-from <SRS1=uNUe=xxx==ldxw=zd=google.com=noreply-dmarc-support@xxx>) for <xxx>; Wed, 31 Aug 2022 10:07:15 +0000",
[1] "from xxx (xxx [10.0.0.8]) by xxx (Postfix) with ESMTP id 2F795201096 for <xxx>; Wed, 31 Aug 2022 10:07:15 +0000",
[2] "from mail.xxx (mail.xxx [212.83.135.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (no client certificate requested) by xxx (MailScanner Milter) with SMTP id 4MHfww1TwRz50blH for <xxx>; mer., 31 août 2022 12:07:12 +0200 (CEST)",
[3] "from mail-qv1-f73.google.com (mail-qv1-f73.google.com [209.85.219.73]) by mail.xxx (Postfix) with ESMTP id 47D385E4D for <dmarc@xxx>; Wed, 31 Aug 2022 10:07:11 +0000",
[4] "by mail-qv1-f73.google.com with SMTP id q14-20020a0cf5ce000000b00498ee127c81so9002240qvm.23 for <dmarc@xxx>; Wed, 31 Aug 2022 03:07:11 -0700"
],
	"x-xxx-mailscanner-efa-information" => "Please contact support@xxx for more information",
	"@timestamp" => 2022-08-30T23:59:59.000Z,
	"arc-seal" => "i=1; s=dkim; d=xxx; t=1661940431; a=rsa-sha256; cv=none; b=vwRvtvm65VNtatPQlz2j9QTGatbqtEQJu8JXzAGeKesAD3hvQV1hfN/7PaYlwvZAD1xMC4 zNIWRCg1v5URMhIyLR5//MxO2iYTGvb1a6bSqTVAFhjlKTrDfU1/5GHbModgO0l8b/qn0v oy3xw1FOdwKppbSB7UmUShXDnqGfgiSfJhM5xTgDgxJ21e1Di5kXWsno/j4LnGFgtGkMM4 NCq7lFk51yzD4/jFPS8wdssU50lEzQPTIXXHyLIuyuUZL7NKQaZV2D0JL22kCcEhl2WWFZ 4sZr1JV7ieqrBhp+yWe5+whIWT2CliS5NVIQFrHkVuDoU1C5yxWV6cwYyaykrw==",
	"return-path" => "SRS1=uNUe=xxx==ldxw=zd=google.com=noreply-dmarc-support@xxx",
	"x-spamd-bar" => "++++++++",
	"x-xxx-mailscanner-efa-from" => "srs0=ldxw=zd=google.com=noreply-dmarc-support@xxx",
	"message" => "PK\u0003\u0004\n\u0000\u0000\u0000\b\u0000«L\u001FUhw})ì\u0001\u0000\u0000®\u0004\u0000\u00002\u0000\u0000\u0000google.com!xxx!1661817600!1661903999.xml­TËrã \u0010¼ç+\\¾[\b9V¤-Bö\u0094/Ø=«0\u008Cd6\u0012P\u0080òøûE\u0006=ÖIU.{\u0012ê\u0099é\u0099nF\"OïC¿{\u0005ë¤V\u008F{\u009Cåû\u001D(®…TÝãþ÷¯çCµß=Ñ;Ò\u0002\u00883ã/ôn·#\u0016\u008C¶¾\u0019À3Á<\u009B°\u0080jÛ5\u008A\r@;­»\u001E2®\a\u0082\u00160æÀÀdO\u0095\u000E\fýÇA\fÌò\u0083\eÍD÷s[\u0016óRÍ»·¬áZyÆ}#U«éÅ{ã~ \u0094J³µ\u00141Ä\u0094{\u0003\u008B\u008Aû²<Uyàú\\\u001F\u0089\u0093\f)(®NyY\u0015\u000F5®ëªÀ¸(*\u0082ÖpL\u000FR¡±LuIL\u0080ÎÐIEqYâ\n?\u0094yh\u0016\u00919\u000EJ\\£u~¬ë:\u008C¢f2ô/ÛÒmë)1º\u0097ü£1ã¹\u0097î\u0002Ë :¸£hé\u000EàG\u0001.Z\u0096Ð\u0098ÂÄ\u008B\u001C¨#(\u001E\u0012èL{Ŧg\u0084\fµð\a¸'È$Ä­\u0090\u009B1Ã=Å\u0093ºép\u009Dö«É\u0082\u009F\\ÛyH«ß\u0016\e\u009C\u001E-\u0087F\u001AZà\"«\u008E\u0019>\u009E2\\\u0015¡Å\u0012\u0099s¹\u001E\u0095§Ç{\u0082âiÆSGxeý\u0018¬\u0013s`òC:£\u009Dôa…Ãj)\b^l\u0090MÞd…a.X°º\u0092D·)°X³QyÓ3ÜÕ¬\u008DH\u0001ÊËV\u0086\u000Fh)»\u0000\u0013`\u009BÖêáö\u008E¶¡Äõ\u0089\u0081°Ñ_\u001A\vnìýJz3ð÷+\u00906|bIÒÒËF5ôá\u009Eµ¥\u0013y\u0090>¿.ú·MÉÆ\u0099ÿ2ÀÆë°\u00927\u009A§ä¸L\u0004­¿\u009E¿PK\u0001\u0002\n\u0000\n\u0000\u0000\u0000\b\u0000«L\u001FUhw})ì\u0001\u0000\u0000®\u0004\u0000\u00002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000google.com!xxx!1661817600!1661903999.xmlPK\u0005\u0006\u0000\u0000\u0000\u0000\u0001\u0000\u0001\u0000`\u0000\u0000\u0000<\u0002\u0000\u0000\u0000\u0000"
}

Who can help me ?

Thx

2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.