eml-file

Parses EML (Electronic Mail) format email files and converts sender, recipient, subject, body, and attachment information into structured fields for retrieval.

Command properties

Command type: Driver query
Required permission: None
License usage: Counted
Parallel execution: Not supported
Distributed execution: Runs on Data Node (mapper)

Syntax

eml-file [raw=BOOL] [zippath=STR] [zipcharset=STR] FILE_PATH

Options

raw=BOOL
When set to true, returns the mail body as raw HTML. If not specified, returns the plain text body.
zippath=STR
Path to the ZIP file containing the EML file. Use this to query EML files directly inside a ZIP archive.
zipcharset=STR
Character set for ZIP file entries (default: utf-8)

Target

FILE_PATH
Path to the EML file to query. You can use a wildcard (*) to specify multiple files.

Output fields

_file (string)
EML file name
_time (timestamp)
Time the mail was sent
src_ip (ipaddr)
Public IP address of the sending server, extracted from the Received, Received-SPF, X-Originating-IP, and X-Hanmail-Peer-IP headers
mail_from (string)
Sender email address. Multiple addresses are separated by a newline (\n)
mail_from_name (string)
Sender display name. Multiple names are separated by a newline (\n)
mail_to (string)
Recipient email address. Multiple addresses are separated by a newline (\n)
mail_to_name (string)
Recipient display name. Multiple names are separated by a newline (\n)
mail_cc (string)
CC email address. Multiple addresses are separated by a newline (\n)
mail_cc_name (string)
CC display name. Multiple names are separated by a newline (\n)
mail_bcc (string)
BCC email address. Multiple addresses are separated by a newline (\n)
mail_bcc_name (string)
BCC display name. Multiple names are separated by a newline (\n)
mail_subject (string)
Mail subject
mail_content (string)
Mail body. Returns raw HTML or plain text depending on the raw option
mail_attachments (string)
List of attachment file names. Multiple names are separated by a newline (\n)
mail_headers (string)
Complete mail headers. Each header is returned in key: value format, separated by a newline (\n)
attachments (array)
Detailed attachment information. Each element is a map containing file_name (string) and file_size (long) fields

Error codes

Parse errors

N/A

Runtime errors

Error code: -
Message: cannot read eml file
Description: Unable to read the EML file
Post-processing: Stops query execution

Description

The eml-file command parses the specified EML file and converts each component of the email message into structured fields. It extracts sender, recipient, CC, and BCC addresses and display names into separate fields.

For the src_ip field, the command extracts the public IP address of the sending server from the mail headers. It scans the Received, Received-SPF, X-Originating-IP, and X-Hanmail-Peer-IP headers for IPv4 and IPv6 addresses and returns the first public address it finds, skipping private IP addresses.

When the raw option is set to true, the mail_content field returns raw HTML. If it is not specified, the field returns the plain text body. If the message has only an HTML body and no plain text body, the field returns null.

To query EML files inside a ZIP archive, specify the ZIP file path in the zippath option and specify the path to the EML file inside the ZIP as the target.
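The following Python sketch is an added illustration, not Logpresso's own code: it reproduces the src_ip, mail_content and attachments rules described above over a constructed EML message. The set of address ranges treated as "private" is an assumption, since the page does not define it.

```python
import ipaddress
import re
from email import message_from_string, policy

IP_HEADERS = ("Received", "Received-SPF", "X-Originating-IP", "X-Hanmail-Peer-IP")  # page order
CAND_RE = re.compile(r"[0-9a-fA-F]*[.:][0-9a-fA-F.:]+")  # loose IPv4/IPv6 token; ipaddress validates
# Assumed meaning of "private" (the page does not define it): RFC 1918, loopback, link-local.
NON_PUBLIC = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def extract_src_ip(msg):
    """src_ip: first public address found in the candidate headers (page order), else None."""
    for name in IP_HEADERS:
        for value in msg.get_all(name, []):
            for cand in CAND_RE.findall(value):
                try:
                    ip = ipaddress.ip_address(cand)
                except ValueError:
                    continue  # e.g. "10:22:34" from a timestamp, or a hostname fragment
                if not any(ip in net for net in NON_PUBLIC):
                    return str(ip)
    return None

def extract_content(msg, raw=False):
    """mail_content: HTML when raw is set, else the plain-text body; None when only HTML exists."""
    part = msg.get_body(preferencelist=("html",) if raw else ("plain",))
    return None if part is None else part.get_content()

def extract_attachments(msg):
    # attachments: one map with file_name and file_size (decoded length) per attachment part
    return [{"file_name": p.get_filename(), "file_size": len(p.get_payload(decode=True))}
            for p in msg.iter_attachments()]

# Constructed sample, not a real capture: the private relay hop (10.0.0.7) precedes the public peer.
SAMPLE_EML = """\
Received: from relay.example.net (10.0.0.7) by mailbox.example.net; Mon, 01 Jan 2024 10:22:34 +0000
Received: from mail.example.com (mail.example.com [203.0.113.5]) by relay.example.net; Mon, 01 Jan 2024 10:22:33 +0000
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please review the attached invoice.</p>
--b1
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""
SAMPLE_MSG = message_from_string(SAMPLE_EML, policy=policy.default)
```

Because the sample carries only an HTML body, extract_content(SAMPLE_MSG) returns None while the raw variant returns the HTML, mirroring the null case described above.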

Examples

  1. Query an EML file

    eml-file /opt/logpresso/evidence/phishing.eml
    

    Retrieves email information from the EML file at the specified path.

  2. Query multiple EML files using a wildcard

    eml-file /opt/logpresso/evidence/mail/*.eml
    

    Retrieves email information from all EML files in the specified directory.

  3. Query the mail body as raw HTML

    eml-file raw=t /opt/logpresso/evidence/phishing.eml
    

    Returns raw HTML in the mail_content field.

  4. Query an EML file inside a ZIP archive

    eml-file zippath=/opt/logpresso/evidence/mails.zip phishing.eml
    

    Retrieves email information from the phishing.eml file inside the ZIP archive.

  5. Filter mail from a specific sender

    eml-file /opt/logpresso/evidence/mail/*.eml
    | search mail_from == "*@example.com"
    

    Filters only mail sent from the example.com domain.