How do I determine if a cPanel user changed their password using the cPanel interface?

Question

How do I determine if a cPanel user changed their password using the cPanel interface?

Answer

If a user's password was changed via cPanel, the action will be logged in cPanel's session log.

/usr/local/cpanel/logs/session_log

1. Access the server's command line as the root user via SSH or Terminal in WHM.

2. Search the /usr/local/cpanel/logs/session_log file for password_change and the cPanel username:

   # [root@server ~]# grep "password_change" /usr/local/cpanel/logs/session_log | grep $username
   [20XX-01-01 00:00:00 +0000] info [whostmgr] 203.0.113.2 PURGE $username:KuEsGRPc2WpIAqn1 password_change
   [20XX-10-01 00:00:00 +0000] info [whostmgr] 203.0.113.2 PURGE $username:3WdEcDFQYVV8I6pm password_change

Note: $username in the above command must be replaced with the cPanel username you are searching for.