Atom Feed
Comments Atom Feed

Similar Articles

2009-10-31 14:46
SMART stats on Cacti (via SNMP)
2009-10-31 11:03
Linux (Debian, Ubuntu) SNMP basics
2011-12-22 09:30
Peak Network Bandwidth for Cacti
2011-11-16 20:12
OpenVz User Beancounters (UBC) on Cacti via SNMP
2015-01-08 22:58
Nginx on Cacti via SNMP

Recent Articles

2019-07-28 16:35
git http with Nginx via Flask wsgi application (git4nginx)
2018-05-15 16:48
Raspberry Pi Camera, IR Lights and more
2017-04-23 14:21
Raspberry Pi SD Card Test
2017-04-07 10:54
DNS Firewall (blackhole malicious, like Pi-hole) with bind9
2017-03-28 13:07
Kubernetes to learn Part 4

Glen Pitt-Pladdy :: Blog

Dovecot stats on Cacti (via SNMP)

As promised in the comments about the Postfix stats article, this posting kicks off support for Dovecot stats with Cacti, extending the original Postfix only stats.

This uses my Universal Log Analyser providing a plugin for Dovecot. You will need to get this installed and working before you can use the plugin here, and have it running from a cron job every 5 minutes (or whatever your sample times is for Cacti) so that it can parse the logs.

At this stage I am only producing stats for IMAP, but with the nice consistent log format it should be easy to add POP3 and SIEVE later.

Dovecot Plugin

Throw in your plugin directory for the Universal Log Analyser, and add "dovecot" as a module to the command line so that this module gets loaded.

Download: Universal Log Analyser plugin and Cacti template for Dovecot are on GitHub

Not much more to it than that. The remainder of the article assumes your stats file is /var/local/snmp/mail so if it isn't you will need to tweak things to match your install.

It's worth checking the stats file to verify that dovecot stats are in fact being picked up by the plugin.

SNMP Scripts

First, ensure that your SNMP is configured and working as described in my SNMP basics article.

These provide the link for snmpd to pick up the stats and assuming they are in /etc/snmp the config in /etc/snmp/snmpd.conf is:

extend dovecotauth /etc/snmp/dovecot-stats-auth
extend dovecotdeliver /etc/snmp/dovecot-stats-deliver
extend dovecotimapcrypto /etc/snmp/dovecot-stats-imap-crypto
extend dovecotimapdata /etc/snmp/dovecot-stats-imap-data
extend dovecotimapdisconnect /etc/snmp/dovecot-stats-imap-disconnect
extend dovecotimaplogin /etc/snmp/dovecot-stats-imap-login
extend dovecotimaploginmethod /etc/snmp/dovecot-stats-imap-loginmethod
extend dovecotpop3crypto /etc/snmp/dovecot-stats-pop3-crypto
extend dovecotpop3data /etc/snmp/dovecot-stats-pop3-data
extend dovecotpop3disconnect /etc/snmp/dovecot-stats-pop3-disconnect
extend dovecotpop3login /etc/snmp/dovecot-stats-pop3-login
extend dovecotpop3loginmethod /etc/snmp/dovecot-stats-pop3-loginmethod
extend dovecotmanagesievecrypto /etc/snmp/dovecot-stats-managesieve-crypto
extend dovecotmanagesievedata /etc/snmp/dovecot-stats-managesieve-data
extend dovecotmanagesievedisconnect /etc/snmp/dovecot-stats-managesieve-disconnect
extend dovecotmanagesievelogin /etc/snmp/dovecot-stats-managesieve-login
extend dovecotmanagesieveloginmethod /etc/snmp/dovecot-stats-managesieve-loginmethod
extend dovecotsessions /etc/snmp/dovecot-stats-sessions

Extension scripts for snmpd are named dovecot-stats-* - put them in a suitable place.... like /etc/snmp

You should be able to run these scripts manually and they should spit back the current info from the stats file. Remember to restart snmpd so that the new config is picked up and we should be ready to go.

Cacti Template

Import this into your Cacti and add graphs as usual.

After that, assuming everything is working then after a couple data samples content should start to appear on the graphs.

If not then check the data at each step: the stats file, SNMP scripts, snmpwalk from the Cacti server, check Cacti Poller log for errors, and try Cacti in debug mode for graphs and data sources to see if that shows anything.

I will post example graphs once my ones are mature enough to have some useful data on them.

The Graphs

Dovecot Crytogrphy Stats with Cacti

Dovecot Data Stats with Cacti

Dovecot Disconnect Stats with Cacti

Dovecot Login Stats with Cacti

Dovecot Login Stats with Cacti

Dovecot Auth Error Stats with Cacti

Dovecot Delivery Stats with Cacti


Glen Pitt-Pladdy Image  2011-08-30 07:15 :: Glen Pitt-Pladdy

See some comments on the SNMP basics post regarding tweaking this plugin for different format (dedicated) logs on different systems.

Daniele Palumbo Image  2012-02-08 17:12 :: Daniele Palumbo


i have this errors:
unknown dovecot: Feb  5 04:03:00 mail dovecot: POP3( Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
unknown dovecot: Feb  8 15:22:58 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<>, method=PLAIN, rip=XX.XXX.XXX.X, lip=XXX.XXX.X.XX

the version is:
20110626 (the last i guess).


Glen Pitt-Pladdy Image  2012-02-08 19:58 :: Glen Pitt-Pladdy

Thanks for the report - I had not tested pop3 on a live setup as my servers only run imap so it is really useful to get these reports. I have released a new version tonight which should understand these lines and adds an additional "login Aborted" graph.

Let me know if you discover any further lines it does not understand.

Daniele Palumbo Image  2012-02-09 15:48 :: Daniele Palumbo

Hi again,

seems only that two errors for dovecot (i will look later at postfix, but anyway strings does not go to stderr).

Instead, i've found a bug in the template, it look for "dovecotpop3isconnect" instead of "dovecotpop3disconnect".
I have already patched the file, but how can i send it to you?


Glen Pitt-Pladdy Image  2012-02-09 16:08 :: Glen Pitt-Pladdy

Good to hear that the scripts are working better.

Cacti can be have problems re-importing templates so it's best I make the changes in cacti and re-export the templates. I have found the typos you spotted (well done!) and have released a new template. The new template should have a MD5 checksum of 6e8f655721539da3d17c2a7f22e0b23d - if you keep getting the old one then you may need to force reload without cache (shift-F5 in many browsers).

Alex Image  2012-07-25 17:42 :: Alex

Jul 25 18:22:03 XXXXX dovecot: auth-worker(default): mysql: Connected to localhost (XXXXX)

I don't speak enough PERL for adding the needed code. :(
Can you build an update, please?

Mny Tnx

Glen Pitt-Pladdy Image  2012-07-26 15:48 :: Glen Pitt-Pladdy

Thanks for submitting the unhandled line. I've just released version 20120726 which should handle those lines.

Tomek Image  2013-06-03 19:13 :: Tomek

Hi, I have one more unhandled line:
Jun  3 20:38:14 chaos dovecot: pop3-login: Login: user=<tomek>, method=PLAIN, rip=, lip=xx.xx.xx.xx, mpid=24423, TLS, session=<ur1xRETeEADAqACH>
Please help :)

Glen Pitt-Pladdy Image  2013-06-22 13:56 :: Glen Pitt-Pladdy

I think these relate to newer versions of dovecot (eg. in Debian wheezy) and with starting to upgrade my servers I'm starting to see similar. I will release an update shortly to handle the new formats/info in these lines and others. Busy testing it right now....

Alex Image  2013-06-24 07:04 :: Alex

Hi, I have another unhandled line:

/etc/snmp/uloganalyser-plugin/ 20120501:192 /var/log/mail.log:7842 unknown dovecot: Jun 24 08:45:03 XXXXXXX dovecot: deliver(XX@XXX.XX): sieve: msgid=<XX@XXX.XX>: forwarded to <xx@xxx.xx>

Many thanks for your work :)

Vlad Image  2013-09-20 11:39 :: Vlad

First of all, thanks for your great work! Below I have a few more examples of errors: 20121115:157 /var/log/mail_test.log:489 unknown dovecot: Sep 15 06:28:45 mc1 dovecot: imap-login: Login: user=<xxxxxx@xxxxxx>, method=PLAIN, rip=, lip=, mpid=27826, secured, session=<ROj3hWTmSQCsFtyb> 20121115:157 /var/log/mail_test.log:471 unknown dovecot: Sep 15 06:28:45 mc1 dovecot: pop3-login: Login: user=<xxxxx@xxxxxx>, method=PLAIN, rip=, lip=, mpid=27833, secured, session=<J0n3hWTmMACsFtyb> 20121115:157 /var/log/mail_test.log:389 unknown dovecot: Sep 15 06:28:01 mc1 dovecot: managesieve-login: Login: user=<xxxxx@xxxxxx>, method=PLAIN, rip=, lip=, mpid=27835, secured, session=<UUFQg2Tm8ACsFtya>

Glen Pitt-Pladdy Image  2013-09-21 07:26 :: Glen Pitt-Pladdy

Actually this is all covered in my development version (been updating it for Wheezy) so I've done some extra testing on that and released that today. It should cover a whole load of things in newer versions of Dovecot. The main changes are, dovecot-stats-deliver and of course the Cacti template which may be messy to update.

Vlad Image  2013-10-07 12:13 :: Vlad

Thanks for the update! Most of the things work fine, besides the cacti template. Can I use the old cacti template with your new scripts?

Andreas Image  2013-10-22 14:59 :: Andreas


It seems my post here two days ago is not show so I'll try it again. I am running dovecot 2.1.17. The only graph that is drawn with the Dovecot stats on Cacti tarball 20130920 is the session-graph. Where could it start to check if all the needed stuff is found and paths are right?


Travis Image  2013-10-23 14:13 :: Travis


I don't see a link to the cacti template in the article.  Am I missing something?


Glen Pitt-Pladdy Image  2013-10-24 18:55 :: Glen Pitt-Pladdy

Andreas - I am running 2.1.7 so the version is good. The data goes into the stats file specified (if you are using the example in the uloganalyser post then /var/local/snmp/mail). What is unique about the sessions is that they are picked up from doveadm, whereas everything else is from parsing log files which should be a big clue to what part is not working and where to investigate.

Glen Pitt-Pladdy Image  2013-10-24 18:58 :: Glen Pitt-Pladdy

Travis - the template is in the tarball along with all the plugin (you will still need uloganalyser from the other article), scripts and other bits needed to set this up: cacti_host_template_dovecot.xml

Travis Brown Image  2013-10-27 01:48 :: Travis Brown

Thanks Glen! I am not sure how I missed that before.

Mitch Image  2013-11-06 14:36 :: Mitch

Thanks for all your work on this!

I'm trying to import into the tarball 20131027 into Cacti 0.8.7i and I'm getting "Error: XML: Hash version does not exist". All the data, graph and host templates import but there is no name on any of them.

Am I missing something obvious?

Mitch Image  2013-11-06 14:52 :: Mitch

I have the same problem with the Cacti file for postfix also.

Glen Pitt-Pladdy Image  2013-11-06 18:55 :: Glen Pitt-Pladdy

This is very likely because the version these were done on is 0.8.8a and your version doesn't know about that. It's possible the ugly stuff in my "Cacti hack for forward compatibility" article will help (or really mess things up), otherwise I expect you will have to upgrade.

Alessio Image  2014-04-30 13:06 :: Alessio

Hi Glen,

I have found an issue with my dovecot log format (2.2.12): 20131027:419 /root/mail.log.0:191 unknown dovecot: Apr 29 23:59:59 pop01 dovecot: imap(, session=<HPjxVzX4XgBdLtmW>: Disconnected: Logged out in=564 out=11430 20131027:419 /root/mail.log.0:194 unknown dovecot: Apr 29 23:59:59 pop01 dovecot: pop3(, session=<98OajTX4eAC8Dqbj>: Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0, bytes=12/43

the difference from my log and your "regex" for log out is that my log starts with session=

I understand that this problem can be fixed by editing this line in

elsif ( $line =~ s/^(Disconnected)[:\s]*// or $line =~ s/^(proxy)\([^\)]+\): disconnecting [\da-f\.:]+ // )

but I'm not able, can you help me?


Alessio Image  2014-04-30 21:03 :: Alessio

Hi Glen,

I solved the previous problem moving "session" at the end of the line but now your plugin is not any more able to count the in/out bytes.

Here a sample of my "Disconnected" log:

Apr 30 23:01:02 pop01eeh dovecot: imap( Disconnected: Logged out in=640 out=3883 session=<ACSb2Ej4iABtqHHz>
Apr 30 23:01:02 pop01eeh dovecot: pop3( Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0, bytes=12/43, session=<jAaa2Ej4cAAuLOvd>

Can you help me?

Glen Pitt-Pladdy Image  2014-04-30 21:17 :: Glen Pitt-Pladdy

What version of Dovecot and distro are you running? How have you changed the log format?

Alessio Image  2014-05-05 14:54 :: Alessio

Hi Glen,

I'm running Dovecot 2.2.12 build from source with a small change to logout format:

# Logout POP
pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s, bytes=%i/%o, session=<%{session}>

# Logout IMAP
imap_logout_format = in=%i out=%o session=<%{session}>

I added the "session" to logout for a law requirement (match the login and logout session).

Glen Pitt-Pladdy Image  2014-05-06 07:29 :: Glen Pitt-Pladdy

Hi, I's not practical for me to support customized log formats with this tool, however with some basic knowledge of Perl and regex you should be able to tweak the script to match your customization.

skeletor Image  2014-12-16 08:56 :: skeletor

Sub analyse at module doesn't return any data. Sub wrapup works. What i am doing wrong?

Glen Pitt-Pladdy Image  2014-12-22 15:54 :: Glen Pitt-Pladdy

That's not really enough information to go on. Sub analyse is only called on new lines being found by uloganalyser, and then it filters the lines as per the regex. Currently working fine for me on Debian Wheezy, but if you are running something different or have changed log formats then you will need to debug and adapt the plugin for your needs.

voytek Image  2015-02-12 07:14 :: voytek

thanks again for such great tools, all running well here.

if I want to upgrade my installation to the latest scripts you have here:

is it just sufficient to download latest tarball above, OR, do I also need to re-download templates, and, re import over 'old' ones ?

I'll just start with tarball..

Glen Pitt-Pladdy Image  2015-02-12 20:18 :: Glen Pitt-Pladdy

That depends a lot on where you are starting from. I've tried to keep the *-stats scripts as consistent as possible so newer ones just add more additional metrics. The uloganalyser plugins should have minimal impact between versions and at most just add more metrics for the *-stats scripts to pick up.

If Cacti templates have changed since the version you have been running then it's a much more tricky subject. Here weird stuff might happen when you import a newer templates. The safest way is to purge all old templates and graphs and start clean otherwise it's down to luck and manual clean-up afterwards if anything goes wrong. It's one area that I've seen some really messy stuff with Cacti.

Voytek Eymont Image  2018-01-22 11:18 :: Voytek Eymont


in the page above, 3 lines with loginmethod are doubled up, I think. in the download file, they are OK (but I screen scrapped from here, hence noticed)

thanks again for these pages and utilities,


Glen Pitt-Pladdy Image  2018-01-22 22:41 :: Glen Pitt-Pladdy

Thanks for pointing that out - hopefully all correct now

Yves Image  2018-05-28 16:39 :: Yves

Great job.
Small glitch. The dovecot plugin auth section is not parsing correctly failed login.
Everything is tag under dovecot:auth:disallowedchar instead of unknow user and password mismatch.

May 28 12:34:48 xxxxxxxxxxxx dovecot: auth-worker(15299): sql(,,<4Z5TsUZtP8zUbhFN>): unknown user
May 28 12:34:49 xxxxxxxxxxxx dovecot: auth-worker(15299): sql(,,<4Z5TsUZtP8zUbhFN>): unknown user
May 28 12:34:51 xxxxxxxxxxxx dovecot: auth-worker(15299): sql(,,<4Z5TsUZtP8zUbhFN>): unknown user
May 28 12:34:52 xxxxxxxxxxxx dovecot: auth-worker(15299): sql(,,<4Z5TsUZtP8zUbhFN>): Password mismatch

I can provide more logs if needed

Glen Pitt-Pladdy Image  2018-05-28 18:57 :: Glen Pitt-Pladdy

Thanks for the report. Are there any other lines that relate to these? I need to know in order to ensure that I avoid duplicate counting authentication failures. These could be something like "auth: sql(testuser, unknown user" so I need to work out if they are already being counted some other way (so I just need to ignore them) or if these are new scenarios that need counting. I'll get this fixed when I know which is is.

Yves Image  2018-05-29 11:09 :: Yves

contact me by mail i'll give you a raw log file

Glen Pitt-Pladdy Image  2018-05-29 21:04 :: Glen Pitt-Pladdy

I want to avoid sharing log files as it's fraught with legal issues. Can you just tell me if there are other log entries relating to these and what they are (redacted) so I can ensure we don't double count or miss out counting these events. If it's easier you can also raise a bug report with this info on GitHub. Thanks!

Yves Image  2018-05-30 14:58 :: Yves

Github is a better place ;)

issue #12

Voytek Eymont Image  2020-05-11 00:52 :: Voytek Eymont

many thanks for your work!
I have dovecot logging to it's own dovecot.log and not maillog, so, I run into separate output like
/etc/snmp/uloganalyser /var/log/dovecot.1 /var/log/dovecot.log /var/local/snmp/maild dovecot

that works, but then I noticed stats file is also specified in *-stats-* , so I also should edit all dovecot-stats-* files ?
I think it worked even before I edited stats to correct stats file ?
I have edited now to reflect correct file

Voytek Eymont Image  2020-05-12 07:18 :: Voytek Eymont

on my newly installed Dovecot stats, I have 23 graphs on Cacti/Dovecot, BUT, only get data in just two, POP3 sessions and IMAP sessions,
and, only collect this data, how to troubleshoot this ?
Dovecot has standard log, EXCEPT, it's own log

# grep log_path *.conf
dovecot.conf:log_path = /var/log/dovecot.log
dovecot.conf:    log_path = /var/log/sieve.log

# cat /var/local/snmp/maild
repeatline=May 12 17:09:53 pop3(<21683></khrtghghglI8OTMgHi>: Info: Disconnected: Logged out top=0/0, retr=0/0, del=0/57, size=11673542

Glen Pitt-Pladdy Image  2020-05-17 07:45 :: Glen Pitt-Pladdy

Since all this does is match log lines against patterns, the thing to determine is if there are lines matching any other scenarios being logged. From there I'd look at the path logs take. If you log via syslog then maybe you have filters or log levels or other config that excludes the logs that are being parsed.

Looking at the output of doveconf the only thing that are obvious to me that might make a difference is that I have "auth_verbose = yes" but otherwise everything else is default. You might also find that some of the default format configs have changed between versions and does not have some info that is collected for graphs.

I would personally start debugging by selecting one graph that was working before and then go back to the stats file for that, and then the plugin code that collects that and see if I can find log lines containing the patterns or a new equivalent. The plugins are written to make noise about anything they don't recognise so most likely the info is no longer logged.

Glen Pitt-Pladdy Image  2020-05-17 07:51 :: Glen Pitt-Pladdy

Ah, sorry, I just noticed you posted 2 messages. Yes, if you need to change the location of the stats file then it will need changing everywhere.

The way this works is that the log analyser and plugins generate stats from the logs and put them in the specified file, then the individual *-stats-* files just grep the relevant stat out of the stats file for smtpd to return.

Note: Identity details will be stored in a cookie. Posts may not appear immediately