The cPanel access log records fairly generic request data. The following technique helps you learn which actions correspond to the entries you find in /usr/local/cpanel/logs/access_log.
First, you'll need to decide what kind of information you would like to know. For example, you could decide to monitor logs related to logging into webmail.
Next, log in to the server via SSH as the root user.
Then, in your browser, navigate to the webmail login page for your server and enter the username and password of a valid email user, but do not log in yet.
Then, via SSH, tail the access log with the following command (-f follows the file and -n0 starts with no existing lines, so only new requests are shown):
tail -fn0 /usr/local/cpanel/logs/access_log
Now complete the login in your browser. Among the many requests that appear, you'll see one similar to the following:
10.1.1.1 - testemail%40cptest.tld [09/15/2020:15:03:07 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "https://10.1.1.1:2096/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36" "-" "-" 2096
You'll notice that the log has a "POST /login/?login" on port "2096" for the user shown in the third field (testemail%40cptest.tld, where %40 is the URL-encoded "@"). Finding that entry in the access_log is a good indicator that a user used that exact method to log in to webmail.
There are other methods of logging into webmail, so looking for this kind of access log entry will only reveal logins for that specific login method.
For example, logging into webmail via the "Check Mail" button in the cPanel interface does not post to the /login URL.
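The search described above can be scripted. The following is an added example, not part of the original article or of cPanel itself: it picks out POST requests to /login/ on port 2096 and URL-decodes the user field. The field layout is an assumption inferred from the single sample line above, and the function name and all sample lines other than the first are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Field layout inferred from the sample line on this page (an assumption); the
# quoted fields between the byte count and the port are skipped, not parsed.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'.*"\s+(?P<port>\d+)$'
)
WEBMAIL_PORT = "2096"  # port shown in the page's example


def webmail_form_logins(lines):
    """Return one dict per POST to /login/ on the webmail port."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        if m["method"] != "POST" or m["port"] != WEBMAIL_PORT:
            continue
        if urlsplit(m["target"]).path != "/login/":
            continue
        hits.append({
            "time": m["ts"],
            "ip": m["ip"],
            "user": unquote(m["user"]),  # %40 -> @
            "status": int(m["status"]),  # reported as logged, not interpreted
        })
    return hits


# First line: the page's example with the User-Agent shortened. Rest: constructed.
SAMPLE = [
    '10.1.1.1 - testemail%40cptest.tld [09/15/2020:15:03:07 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "https://10.1.1.1:2096/" "Mozilla/5.0" "-" "-" 2096',
    '10.1.1.1 - testemail%40cptest.tld [09/15/2020:15:03:09 -0000] "GET /example/path HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-" 2096',
    '10.1.1.2 - cptest [09/15/2020:15:04:00 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "https://10.1.1.1:2083/" "Mozilla/5.0" "-" "-" 2083',
    'not an access_log line',
]

if __name__ == "__main__":
    for hit in webmail_form_logins(SAMPLE):
        print(hit)
```

As with the manual search, this only finds logins made through the login form; other entry paths such as the "Check Mail" button will not match.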
It is not possible to fully audit all user actions through the access log because the actions taken are often very generic.
If you are looking for a feature that provides more fine-grained/detailed logging, you would need to create a feature request at: