Skip to main content

cPanel and WHM access log syntax

Eetion Narcisse
  • Updated

Introduction

The access logs, located at /usr/local/cpanel/logs/access_log, show information that may be useful to review in some circumstances as described in our article, How to interpret cPanel and WHM access logs.

 

Procedure

Within our documentation, The cPanel & WHM Log Files, the following table exists to explain the syntax of cPanel and WHM access logs:

  • IP Address — The client’s IP address (for example, 192.168.0.20).

  • User-identified — An unused user identification protocol field. cPanel & WHM log files always display one of the following values in this field:

    • proxy for a service subdomain’s log files.

    • A dash (-) for all other domain types.

  • User — A valid cPanel & WHM account name or an email address (for example, skipperdan).

  • Time — The date and time when the visitor accessed your website, in MM/DD/YYYY:HH:MM:SS -ZZZZ format, where:

    • MM represents the month.
    • DD represents the date.
    • YYYY represents the year.
    • HH represents the hour.
    • mm represents the minute.
    • SS represents the second.
    • -zzzz represents the timezone, in UTC format. For example: 10/21/1985:16:42:23 -0000

  • Client request — The web request that the client issued to the server (for example, GET /.__cpanel__service__check__./serviceauth?sendkey=__HIDDEN__&version=1.2 HTTP/1.0).

  • HTTP Status — The result of the HTTP request (for example, 200). For more information, read Wikipedia’s List of HTTP status codes documentation.

  • Response Size — The size of the object returned to the client, in bytes (for example, 1500).

  • Referrer — The web address from which the visitor navigated to the resource (for example, ftp://cpanel.com).

  • User Agent — The browser that the visitor used to access cPanel & WHM (for example, Safari).

  • Authentication method — The method that authenticated the request, where:

    • a represents Access Key/Hash.
    • b represents HTTP Basic Authentication.
    • s represents Session cookie.
    • o represents OpenID Connect. For example: s

  • The X-Forwarded-For header — The IP address of the client when the user makes a connection request via service subdomains (proxy domains) (for example, X-Forwarded: for:192.0.2.60).

  • Service port — The server port number that the client accessed in the request (for example, 2083).

Related articles