Skip to main content

Conflicting tech notes history of logins

Comments

3 comments

  • cPanelLauren
    Hello, In reference to the first statements:
    There are currently no features in cPanel & WHM that allow you to see a history report of actions performed by the root user. This activity is logged to the cPanel access log (/usr/local/cpanel/logs/access_log).

    The access log will tell you what was accessed through the UI but it won't be able to tell you all the actions of the root user, in fact it will list some actions that aren't named distinctively - it also does not list actions taken outside the UI so there's not a full "history" report. Something to understand about the login_log - this is logging logins and attempted logins - reading this log correctly is imperative. If you see an IP address you don't recognize normally what I'll do is look for all of the requests from that IP. For example: [root@server ~]# grep 91.221.70.80 /usr/local/cpanel/logs/login_log |grep cptech [2019-11-28 16:24:41 -0600] info [cpaneld] 91.221.70.80 - cptechsu "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user cptechsu (has_cpuser_file failed) [2019-12-03 11:16:28 -0600] info [cpaneld] 91.221.70.80 - cptechsu "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user cptechsu (has_cpuser_file failed) [2019-12-03 13:20:51 -0600] info [cpaneld] 91.221.70.80 - cptechsu "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user cptechsu (has_cpuser_file failed) [2020-01-12 02:35:28 -0600] info [cpaneld] 91.221.70.80 - cptechsu "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user cptechsu (has_cpuser_file failed) [2020-03-07 19:18:42 -0600] info [cpaneld] 91.221.70.80 - cptechsu "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user cptechsu (has_cpuser_file failed) [2020-03-15 01:26:40 -0500] info [cpaneld] 91.221.70.80 - cptechsu "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user cptechsu (has_cpuser_file failed) [2020-03-21 12:22:12 -0500] info [cpaneld] 91.221.70.80 - cptechsu "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user cptechsu (has_cpuser_file failed) [2020-03-25 12:51:37 -0500] info [cpaneld] 91.221.70.80 - cptech "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user cptech (has_cpuser_file failed)
    This is a user that doesn't exist on my system For you that log clearly shows a login attempt which receives a 401 (unauthorized) the other two are GET requests which are just trying to retrieve a specific page not submit data to it (like a username/password)
    0
  • jeffschips
    Ah, ok. Much clearer now. If, however, the file called login_log is also showing web requests it's a bit of a misnomer for that log file name as it's also showing attemtmpts other than logins. I guess in a way, though, you do need a file that logs more than logins and then you do as suggested, grep it for further clarifiction. Thanks for clearing this up.
    0
  • cPanelLauren
    Well, logins are web requests though. You log into cPanel through cPsrvd which essentially is a customized version of apache, it's actually really similar to logging in to a CMS system in some ways (just a really really complex one) - those are all login attempts or requests for the page associated i Other than that I'm glad that cleared things up :)
    0

Please sign in to leave a comment.