Introduction
You may need to determine when a forwarder was added. The following procedure will provide the log entry for the forward being added, showing the time it was added and the IP address of the user who added the forwarder.
Procedure
cPanel logs when a forwarded is added with the "doaddfwd" command. Depending on how the forwarder was added, there is a different level of information logged. The logs can tell when a forwarder was added, and by whom, but will not indicate the information about the forwarder itself.
- Access the server's command line as the 'root' user via SSH or "Terminal" in WHM.
- Grep the access log for "doaddfwd" and review the results:
grep doaddfwd /usr/local/cpanel/logs/access_log
- If the forwarder was added through the cPanel account, the username will show up in the results:
10.0.0.1 - $USERNAME [01/01/20XX:00:00:00 -0000] "GET /cpsess###/frontend/jupiter/mail/addfwd.html HTTP/1.1" 200 0 "https://$HOSTNAME:2083/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0" "s" "-" 2083
- If the forwarder was added through the email address' webmail login, the email address will be logged instead:
10.0.0.1 - $USER%40$DOMAIN.TLD [01/01/20XX:00:00:00 -0000] "GET /cpsess###/webmail/jupiter/mail/addfwd.html HTTP/1.1" 200 0 "https://$HOSTNAME:2096/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0" "s" "-" 2096
Comments
0 comments
Article is closed for comments.