Skip to main content
We are aware of an issue after updating cPanel that causes cPanel SOLR to not start. Please see the following article for more information and updates:
Recent update including tzdata-java causes cPanel SOLR to not start.

How to interpret cPanel and WHM access logs

Austin Lowery
  • Updated

Introduction

Some generic data can be found within the cPanel access log. Using the following technique can help you become familiar with the kinds of actions associated with the logs entries found in /usr/local/cpanel/logs/access_log.

 

Procedure

You need to decide what kind of information you would like to know. The example presented in this article assumes you are looking for information about logging into Webmail.

  1. Login to the server via SSH or "Terminal" in WHM as the 'root' user.
  2. Tail the access log with the following command: 
    tail -fn0 /usr/local/cpanel/logs/access_log
  3. In your browser, navigate to the webmail login page for your server and put in the username and password of a valid email user.
  4. Review the tail output in the SSH or "Terminal" screen. Among the entries will be one that is similar to the following, which has a "POST /login/?login" on port "2096" for the testemail%40cptest.tld (testemail@cptest.tld) user.
    10.1.1.1 - testemail%40cptest.tld [09/15/2020:15:03:07 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "https://10.1.1.1:2096/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36" "-" "-" 2096
  5. Grep the access_log to search for "POST /login/?login" and the results filter for the webmail port and username to show logins for that user from the Webmail login page. Email addresses in the access_log are URL-encoded, so searches that include email addresses need to replace the '@' symbol in the email address with '%40'.
    grep "POST /login/?login" /usr/local/cpanel/logs/access_log | grep ":2096" | grep username%40domain.tld
    Please note that this will only show logins performed through the  Webmail login page. Logging into Webmail via the "Check Mail" button in the cPanel interface does not post to the /login URL.

It is not possible to fully audit all user actions through the access log because the actions taken are often very generic. If you are looking for a feature that provides more fine-grained/detailed logging, you would need to create a feature request.

How to submit a feature request

 

Additional Resources

cPanel & WHM services Files

Related articles

Comments

0 comments

Article is closed for comments.