Monitoring dovecot IMAP and POP3 logins

Abstract

For a big mail (postfix, dovecot) cluster with a central rsyslog server, I wanted to count the IMAP and POP3 logins.

Some customers do a lot of POP3 logins and subsequent message downloads from their Exchange servers in remote offices. At some point they changed the mode of their POP3 download software, without any prior announcement or warning. This led to heavy POP3 traffic on our dovecot servers, so I decided to graph the data in question.

We use xymon (formerly known as hobbit, a "big brother" clone) for central monitoring.

A central rsyslog server was already in place, where everything mail-related is logged in /var/log/mail.log and then filtered into other logs like this:

/etc/rsyslog.d/50-default.conf

...
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn       |/dev/xconsole
...
# dovecot
:programname, isequal, "dovecot" /var/log/dovecot.log
#pop3
:msg, contains, "pop3" /var/log/dovecot-pop3.log
#imap
:msg, contains, "imap" /var/log/dovecot-imap.log
...

Now we need to count the logins with the local xymon (hobbit) client, using an ext script.

Also needed: a sudo rule and logtail (installed via apt-get).

/usr/lib/hobbit/client/ext/dovecot-pop3

#!/bin/sh
COLUMN=dovecot-pop3
COLOR=green
MSG="dovecot pop3 recent logins per minute"
# count the pop3-login lines logged since the previous run (logtail keeps the offset)
sudo /usr/sbin/logtail -f /var/log/dovecot-pop3.log -o /tmp/dovecot-pop3.log-offset | grep "pop3-login" | wc -l | awk '{print "dovecot-pop3 : " $0}' > /tmp/dovecot-pop3.log-count
$BB $BBDISP "status $MACHINE.$COLUMN $COLOR `date`
${MSG}
`/bin/cat /tmp/dovecot-pop3.log-count`
"
exit 0

/usr/lib/hobbit/client/ext/dovecot-imap

#!/bin/sh
COLUMN=dovecot-imap
COLOR=green
MSG="dovecot imap recent logins per minute"
# count the imap-login lines logged since the previous run (logtail keeps the offset)
sudo /usr/sbin/logtail -f /var/log/dovecot-imap.log -o /tmp/dovecot-imap.log-offset | grep "imap-login" | wc -l | awk '{print "dovecot-imap : " $0}' > /tmp/dovecot-imap.log-count
$BB $BBDISP "status $MACHINE.$COLUMN $COLOR `date`
${MSG}
`/bin/cat /tmp/dovecot-imap.log-count`
"
exit 0

/etc/sudoers

...
hobbit ALL=(root) NOPASSWD: /usr/sbin/logtail
...
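
The sudoers rule above lets the hobbit user run logtail as root with any arguments, and the scripts keep their offset and count files under predictable names in /tmp. An alternative, as an added example that is not part of the original article: the script tracks the read offset itself, so it needs neither sudo nor /tmp. The function names, the private state directory, read access to the log for the client user and the sample log lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the article. Assumptions: the xymon/hobbit user can
# read the log (e.g. through group membership) and owns a private STATE_DIR.

# count_new LOG STATE PATTERN: print how many lines matching PATTERN were
# appended to LOG since the byte offset stored in STATE, then update STATE.
count_new() {
    log=$1 state=$2 pattern=$3
    size=$(wc -c < "$log") || return 1
    size=$((size + 0))                       # normalise padded wc output
    offset=0
    if [ -f "$state" ]; then read -r offset < "$state" || true; fi
    case $offset in ''|*[!0-9]*) offset=0 ;; esac      # corrupt state file
    # Size-only heuristic: a log shorter than the offset was rotated/truncated.
    if [ "$offset" -gt "$size" ]; then offset=0; fi
    # Count only the bytes between the saved offset and the size sampled above,
    # so lines written while we run are picked up next time, not twice.
    n=$(tail -c +"$((offset + 1))" "$log" | head -c "$((size - offset))" |
        grep -c -- "$pattern" || true)
    printf '%s\n' "$size" > "$state.tmp" && mv "$state.tmp" "$state"
    printf '%s\n' "$n"
}

# ncv_line COLUMN LOG STATE_DIR PATTERN: the "name : value" line xymon graphs.
ncv_line() {
    printf '%s : %s\n' "$1" "$(count_new "$2" "$3/$1.offset" "$4")"
}

# Constructed sample lines in dovecot's log format (not real traffic).
sample_log() {
    cat <<'EOF'
Jan 10 12:00:01 mail1 dovecot: pop3-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=4321
Jan 10 12:00:02 mail1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob@example.com>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1
Jan 10 12:00:03 mail1 dovecot: pop3(alice@example.com): Disconnected: Logged out top=0/0, retr=2/4096, del=0/2, size=4096
EOF
}

if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d) && sample_log > "$dir/pop3.log"
    ncv_line dovecot-pop3 "$dir/pop3.log" "$dir" pop3-login    # dovecot-pop3 : 2
    ncv_line dovecot-pop3 "$dir/pop3.log" "$dir" pop3-login    # dovecot-pop3 : 0
    rm -rf "$dir"
fi
```

With the pattern "pop3-login" the count also includes failed-authentication lines; "pop3-login: Login:" counts successful logins only.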

/usr/lib/hobbit/client/etc/clientlaunch.cfg

...
[dovecot-pop3]
     ENVFILE $HOBBITCLIENTHOME/etc/hobbitclient.cfg
     CMD $HOBBITCLIENTHOME/ext/dovecot-pop3
     LOGFILE /var/log/hobbit/dovecot-pop3
     INTERVAL 1m

[dovecot-imap]
     ENVFILE $HOBBITCLIENTHOME/etc/hobbitclient.cfg
     CMD $HOBBITCLIENTHOME/ext/dovecot-imap
     LOGFILE /var/log/hobbit/dovecot-imap
     INTERVAL 1m
...

After that you have to restart the hobbit-client.

Now we declare a graph format on the central xymon server:

/etc/xymon/graphs.cfg

...
[dovecot-pop3]
     TITLE dovecot-pop3
     YAXIS #
     DEF:dovecotpop3=dovecot-pop3.rrd:dovecotpop3:AVERAGE
     LINE2:dovecotpop3#00CCCC:Dovecotpop3
     GPRINT:dovecotpop3:LAST:Dovecotpop3 \: %5.1lf%s (cur)
     GPRINT:dovecotpop3:MAX: \: %5.1lf%s (max)
     GPRINT:dovecotpop3:MIN: \: %5.1lf%s (min)
     GPRINT:dovecotpop3:AVERAGE: \: %5.1lf%s (avg)\n
[dovecot-imap]
     TITLE dovecot-imap
     YAXIS #
     DEF:dovecotimap=dovecot-imap.rrd:dovecotimap:AVERAGE
     LINE2:dovecotimap#00CCCC:Dovecotimap
     GPRINT:dovecotimap:LAST:Dovecotimap \: %5.1lf%s (cur)
     GPRINT:dovecotimap:MAX: \: %5.1lf%s (max)
     GPRINT:dovecotimap:MIN: \: %5.1lf%s (min)
     GPRINT:dovecotimap:AVERAGE: \: %5.1lf%s (avg)\n
...

Also add/edit lines in /etc/xymon/xymonserver.cfg:

...
#add this
NCV_dovecot-pop3="*:GAUGE"
NCV_dovecot-imap="*:GAUGE"
#edit this
TEST2RRD="...,...,dovecot-imap=ncv,dovecot-pop3=ncv"
GRAPHS="...,...,dovecot-imap,dovecot-pop3"
...

Finally, one last edit in /etc/xymon/hosts.cfg (I wanted to have the graphs only in the trends section):

...
group mailcluster
page MAILCLUSTER mailcluster
2.3.4.5 log.mailcluster.example # conn ssh NOCOLUMNS:dovecot-imap,dovecot-lmtp,dovecot-pop3,.. TRENDS:*,vmstat:vmstat1|vmstat5,...
...

This is not the optimal solution, but it works for me. Alternative implementations with dovecot and xymon are welcome.

Robert Schetterer, 10. January 2013