Using logstash-output-email plugin

Hi everyone,
Before anything else, sorry for my English; it's not my native language.
I'm trying to configure Logstash to send mail when some specific events come in, using the logstash-output-email plugin.
I'm using an SMTPS mail server on port 465 ( the same as me, which is working for my user. )
My configuration file looks like this:

filter {
        grok {
                match => { "severity" => "warning" }
                add_tag => ["warning"]
        }
}


output {
        if "warning" in [tags] {
                email {
                        to => "technicien@entreprise.com"
                        address => "mail.entreprise.com"
                        port => "465"
                        via => "smtp"
                        username => "elk@entreprise.com"
                        password => "passwordelk@entreprise.com"
                        from => "elk@entreprise.com"
                        subject => "critical event spotted by ELK from : %{host}"
                        body => "%{message,_id}"
                }
        }

        else {
                stdout {
                        codec => rubydebug
                }
        }
}

The events that interest me get the "warning" tag correctly, but I receive the following error on my stdout when the email should be sent:

[[main]>worker1] ERROR logstash.outputs.email - Something happen while delivering an email {:exception=>#<Timeout::Error: Timeout::Error>}

I've tried to configure this email account in Thunderbird on a different computer with the same parameters ( mail.entreprise.com as SMTP server on port 465 ) and it works; I can send email to technicien@entreprise.com ...
I also tried different options according to this: https://www.elastic.co/guide/en/logstash/5.1/plugins-outputs-email.html#plugins-outputs-email-to but it's still not working.

Does someone see what's wrong with this configuration file?
Thanks.

You're not telling Logstash to use SMTPS so Logstash is attempting a plaintext connection to a peer that expects SSL. I don't think SMTPS is supported, but STARTTLS is.

Hi Magnus, thanks for your help, one more time.
I understand better why it doesn't work ... I've been looking for an option to tell Logstash to use a STARTTLS secure connection, but I can't find it in the 4.0.3 release of the output-email plugin.

The only one which looks like that is the option "use_tls", but it's not working either.
How can I tell LS to use this secure connection?

Otherwise, for my understanding, where did you find this information? ( for example, that SMTPS is not supported by this plugin? ) I have been looking for more information about this plugin, but I found it only on the official website of Elastic, and there is not a lot of explanation ...

Thanks for your help.

@vsdm
Magnus advised to use STARTTLS and the doc that you linked to shows a config option called use_tls. https://www.elastic.co/guide/en/logstash/5.1/plugins-outputs-email.html#plugins-outputs-email-use_tls

Try that and post back here if you still get the [[main]>worker N] error.

Hi @guyboertje
I've already tried with this option set to true; I get this error when an email should be sent:

[[main]>worker0] ERROR logstash.outputs.email - Something happen while delivering an email {:exception=>#<"Timeout::Error: Timeout::Error>}

In fact, I get the same error with or without this parameter ...

A Timeout::Error is thrown when Timeout class is used to interrupt the caller of a connection attempt (or some other action that is synchronous and uninterruptable by design).

This would indicate that the email output can't "see" the email server on the port specified. Maybe Logstash is trying on a different port when using TLS? What does Wireshark say?

Otherwise, for my understanding, where did you find this information? ( for example, that SMTPS is not supported by this plugin? ) I have been looking for more information about this plugin, but I found it only on the official website of Elastic, and there is not a lot of explanation ...

Since the plugin documentation does not mention SMTPS I assumed that it wasn't supported. If there was support for it there would've been some kind of configuration option to enable it.

I can't install Wireshark on the ELK server because it is in pre production, and I don't have any right on the email server.

But with netstat I can see a connection from port 39645 on the ELK server to port 465 on the email server established when I start LS. After the error occurred, it went into the "time wait" state.

OK, thanks Magnus, there is no "magic" website with all options and specifications for all plugins :)

Do you have a development machine to debug this on?

Try to send just one message into LS using the stdin input - do you get the timeout error and the time wait in netstat immediately on the first message?

IIRC the SMTP protocol is a very "chatty" state machine.

Are you able to put the email server into a verbose debug mode? We need to see at what point the SMTP protocol exchange stops.

But with netstat I can see a connection from port 39645 on the ELK server to port 465 on the email server established when I start LS. After the error occurred, it went into the "time wait" state.

Port 465 is for SMTPS. To use SMTP with STARTTLS you should typically use port 25 or 587, but that depends on how your email server has been set up.

OK, thanks Magnus, there is no "magic" website with all options and specifications for all plugins :)

The Logstash plugin reference on elastic.co lists all available options for each plugin.

Port 465 is for SMTPS. To use SMTP with STARTTLS you should typically use port 25 or 587, but that depends on how your email server has been set up.

I agree, but I can't start LS with the parameter starttls => true; I get an error which says something is wrong with my configuration. This option seems to be no longer valid in the 4.0.3 release of this plugin ( I don't see it on elastic.co )

The Logstash plugin reference on elastic.co lists all available options for each plugin.

Indeed, all options are described, but not their arguments, specifically when a string is expected by the plugin.

I don't have any development machine for debugging, but I can stop LS temporarily and work on a different configuration file.
So I tried with this:

input {
        stdin { }
}

output {
        email {
                to => "technicien@entreprise.com"
                address => "mail.entreprise.com"
                port => "465"
                via => "smtp"
                username => "elk@entreprise.com"
                password => "elkpassword"
                from => "elk@entreprise.com"
                subject => "test"
                body => "test"
        }

        stdout {
                codec => rubydebug
        }
}

When I send one message on stdin, netstat shows the connection with the email server established on port 465, but after a short moment its state changes to time_wait with the same error.

I can't put the email server into debug mode because I don't have any rights on it, but I will ask my N+1 as soon as I see him to do it, to check what's happening at this moment. I will give you feedback about that.
Thanks for your help.

I repeat: Do not use port 465.
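
The failure mode discussed in the replies above (a plaintext SMTP client on an SMTPS port waits for a "220" banner that never comes, until Timeout::Error fires), as an added example that is not part of the original thread or of the plugin's code. The names probe_smtp, read_reply, fake_peer and the EHLO name probe.invalid are hypothetical, and the loopback peer is constructed so the block runs offline.

```ruby
require "socket"
require "timeout"

# Read one SMTP reply; multi-line replies use "250-..." and end with "250 ...".
# Returns nil if the peer stays silent for `wait` seconds or closes the connection.
def read_reply(sock, wait)
  lines = []
  loop do
    line = Timeout.timeout(wait) { sock.gets }
    return nil if line.nil?
    lines << line.chomp
    return lines if line.match?(/\A\d{3} /)
  end
rescue Timeout::Error
  nil
end

# Classify a mail port as seen by a plaintext client (no TLS handshake is attempted).
def probe_smtp(host, port, wait: 5)
  sock = Socket.tcp(host, port, connect_timeout: wait)
  banner = read_reply(sock, wait)
  # No banner after connect is what an implicit-TLS (SMTPS) listener looks like:
  # it is waiting for a TLS ClientHello while the client waits for "220".
  return :no_plaintext_banner if banner.nil?
  return :not_smtp unless banner.last.start_with?("220")
  sock.write("EHLO probe.invalid\r\n")
  ehlo = read_reply(sock, wait)
  return :not_smtp if ehlo.nil? || !ehlo.last.start_with?("250")
  offered = ehlo.any? { |l| l[4..].to_s.upcase.start_with?("STARTTLS") }
  offered ? :starttls_offered : :plaintext_only
rescue Errno::ECONNREFUSED, Errno::ETIMEDOUT, SocketError
  :unreachable
ensure
  sock&.close
end

# Constructed loopback peer: banner = nil simulates a silent SMTPS-style listener.
def fake_peer(banner, ehlo_reply = "")
  server = TCPServer.new("127.0.0.1", 0)
  Thread.new do
    client = server.accept
    client.write(banner) if banner
    client.gets                       # EHLO line, or nil once the probe hangs up
    client.write(ehlo_reply) if banner
    client.close
  end
  server.addr[1]                      # ephemeral port the peer listens on
end

if __FILE__ == $PROGRAM_NAME
  puts probe_smtp("127.0.0.1", fake_peer(nil), wait: 1)  # silent peer, like a port-465 listener
end
```

Run probe_smtp from the Logstash host against your own mail server on 465 and on 587 (or 25); the port that answers :starttls_offered is the one to pair with use_tls.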

Under the hood the email output uses a very standard and very popular (almost every Ruby on Rails app ever written) gem, mikel/mail. The output code is quite simple - it gathers some info from your event and config and hands it off to the Mail gem's code in the same way that most other applications would do.

Start with the most simple setup that you can build and get working - then change one thing at a time.

OK, thanks for the advice.

Hi,
I finally resolved my problem by using a Sendmail relay and asking Logstash to use Sendmail instead of SMTP.
Thanks for your help.