Tracking down dovecot IMAP user bandwidth usage

Question

One of my customers is using massive amounts of bandwidth, it appears to be related to IMAP and not their actual website.

There is a logfile /var/log/maillog which logs each IMAP connection and the amount of bytes sent/read to the client:

I'm trying to put together a little shell script that will count each users bandwidth so we can figure out which email account it is.

Oct  1 10:43:00 web1 dovecot: IMAP(user1@userdomain.com): Disconnected: Logged out bytes=363/4407
Oct  1 10:43:00 web1 dovecot: IMAP(user1@userdomain.com): Disconnected: Logged out bytes=63/492
Oct  1 10:43:00 web1 dovecot: IMAP(user2@userdomain.com): Disconnected: Logged out bytes=386/15378
Oct  1 10:43:00 web1 dovecot: IMAP(user2@userdomain.com): Disconnected: Logged out bytes=63/509
Oct  1 10:43:20 web1 dovecot: IMAP(user3@userdomain.com): Disconnected: Logged out bytes=345/3044
Oct  1 10:43:20 web1 dovecot: IMAP(user3@userdomain.com): Disconnected: Logged out bytes=63/492
Oct  1 10:43:20 web1 dovecot: IMAP(user4@userdomain.com): Disconnected: Logged out bytes=784/40163
Oct  1 10:43:20 web1 dovecot: IMAP(user4@userdomain.com): Disconnected: Logged out bytes=63/622

Logging format is:

# IMAP logout format string:
#  %i - total number of bytes read from client
#  %o - total number of bytes sent to client
#imap_logout_format = bytes=%i/%o

So it should just add both of the last fields and include the email address:

I found the following script, but I'm not using directadmin, but should be able to come up with something similar, however I've not been able to get it to work properly.

http://forum.directadmin.com/showthread.php?t=36588

Anyone have any ideas?

Thanks in advance!

Matthew Ife · Accepted Answer · 2013-10-01T20:47:04.883

0

This script might work. Well, worked for me using the example output you provided.

#!/usr/bin/python
import os
import sys
import re

logline = re.compile(".+?dovecot: IMAP\((.+?)\): Disconnected: Logged out bytes=(\d+)/(\d+)")
matched = 0
totallines = 0
results = {}

if __name__ == "__main__":
  if len(sys.argv) < 2:
    print "Need logfile to continue"

  logfile = open(sys.argv[1])
  for line in logfile.readlines():
    totallines += 1
    log = logline.match(line)
    if log:
      matched += 1
      user, inb, outb = log.group(1), int(log.group(2)), int(log.group(3))
      if user in results:
        results[user][0] += inb
        results[user][1] += outb
      else:
        results[user] = [inb, outb]
    else:
      continue

  print "Matched {0} of {1} lines".format(matched, totallines)
  for k in results.keys():
    r = results[k]
    print "{0}: {1}/{2} Total: {3}".format(k, r[0], r[1], r[0]+r[1])

edited Oct 01 '13 at 20:47

answered Oct 01 '13 at 18:32

Matthew Ife

23,357
3
55
72

Mlfe - thanks! This has me almost there. I'm hoping to have it add up the last two columns for a total: currently the output is user1@domain.com: 6051572/500683407 so it would be user1@domain.com: 6051572 + 500683407 = 506734979. Your help is very much appreciated, I'm tried modifying your code to achieve this but my python skills are ultra lame. Thanks. – enochroot Oct 01 '13 at 20:37
I modified the code, I didn't test it though. Note most providers will charge for egress bandwidth only (outbound). – Matthew Ife Oct 01 '13 at 20:47
Thank you much kind sir - you have saved the day, cheers to you! – enochroot Oct 01 '13 at 22:11

Tracking down dovecot IMAP user bandwidth usage

1 Answers1