Introduction
cPanel doesn't specifically log when an email account is created. However, it will be logged if the account was created with the "Send a welcome email with instructions to set up a mail client" option. You can then use the error log to find when the email account was created and cross-reference that time with the access log to find the IP address of the user who created the account.
Procedure
- Access the server's command line as the 'root' user via SSH or "Terminal" in WHM.
- Grep the error log for Mail::ClientConfig and grep the output for the email user.
[root@server ~]cPs# grep Mail::ClientConfig /usr/local/cpanel/logs/error_log|grep emailuser@
Please note that part of the domain name is masked in the log, so you cannot grep for the full email address.
[2023-04-19 11:46:35 -0100] info [cpwrapd] Mail::ClientConfig Notification => emailuser@domai***** via EMAIL [eventimportance => High (1)]
- Note the time of the notification email in the previous command.
- Grep the access log for add_pop and grep the output for the cPanel username.
[root@server ~]cPs# zgrep add_pop /usr/local/cpanel/logs/access_log|grep cpuser
203.0.113.2 - cpuser [04/19/2023:12:46:30 -0000] "POST /cpsess7569175489/execute/Email/add_pop HTTP/1.1" 200 0 "https://server.domain.tld:2083/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/112.0" "s" "-" 2083
203.0.113.2 - cpuser [06/14/2023:09:28:23 -0000] "POST /cpsess8733239430/execute/Email/add_pop HTTP/1.1" 200 0 "https://server.domain.tld:2083/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0" "s" "-" 2083
203.0.113.2 - cpuser [06/06/2024:10:05:08 -0000] "POST /cpsess0721113728/execute/Email/add_pop HTTP/1.1" 200 0 "https://server.domain.tld:2083/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0" "s" "-" 2083
- The entry with the same timestamp as the notification email begins with the IP address of the user who created the email account.
Please note that the timestamps in the access log use the UTC timezone, while the timestamps in the error log use the server's timezone.
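The correlation described in the procedure above, as an added example that is not part of the original article: it converts both timestamps to UTC before comparing them. The log lines are constructed from the formats shown above, and the function names and the 60-second matching window are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the formats shown in the article (User-Agent shortened).
ERROR_LOG = """\
[2023-04-19 11:46:35 -0100] info [cpwrapd] Mail::ClientConfig Notification => emailuser@domai***** via EMAIL [eventimportance => High (1)]
"""
ACCESS_LOG = """\
203.0.113.2 - cpuser [04/19/2023:12:46:30 -0000] "POST /cpsess7569175489/execute/Email/add_pop HTTP/1.1" 200 0 "https://server.domain.tld:2083/" "Mozilla/5.0" "s" "-" 2083
203.0.113.2 - cpuser [06/14/2023:09:28:23 -0000] "POST /cpsess8733239430/execute/Email/add_pop HTTP/1.1" 200 0 "https://server.domain.tld:2083/" "Mozilla/5.0" "s" "-" 2083
"""

ERR_RE = re.compile(r'^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4})\]'
                    r'.*Mail::ClientConfig Notification => (\S+)')
ACC_RE = re.compile(r'^(\S+) \S+ (\S+) \[(\d\d/\d\d/\d{4}:\d\d:\d\d:\d\d [+-]\d{4})\]'
                    r' "POST \S*/execute/Email/add_pop ')

def notifications(error_log, mailbox_prefix):
    """Yield UTC times of welcome-email notifications for the mailbox.

    The domain is masked in the log, so match on a prefix such as 'emailuser@'.
    """
    for line in error_log.splitlines():
        m = ERR_RE.match(line)
        if m and m.group(2).startswith(mailbox_prefix):
            local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z")
            yield local.astimezone(timezone.utc)

def creators(error_log, access_log, mailbox_prefix, cpuser,
             window=timedelta(seconds=60)):  # window is an assumed tolerance
    """Return (ip, request_time_utc) for add_pop requests near a notification."""
    notes = list(notifications(error_log, mailbox_prefix))
    hits = []
    for line in access_log.splitlines():
        m = ACC_RE.match(line)
        if not m or m.group(2) != cpuser:
            continue
        # Access log dates are MM/DD/YYYY with an explicit offset.
        ts = datetime.strptime(m.group(3), "%m/%d/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        if any(abs(ts - n) <= window for n in notes):
            hits.append((m.group(1), ts))
    return hits

if __name__ == "__main__":
    for ip, ts in creators(ERROR_LOG, ACCESS_LOG, "emailuser@", "cpuser"):
        print(ip, ts.isoformat())
```

On a live server, pass the contents of the two log files in place of the constructed strings; rotated access logs are compressed, which is why the procedure uses zgrep.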