How to know last login from all e-mail accounts within a Cpanel domain?
Hi Guys! One of my clients raised this question, since they're starting a cleanup in all their 180 e-mail accounts. They asked me if we could check the last login date of all accounts, or at least, check all the accounts that logged in within the last three months.
I already searched other threads that were about the same subject, and they recommended searching logs within cPanel, but since they are from 6, 7 and even 9 years ago, it looks like they are outdated, since I tried to follow the recommendations, but haven't found even the folders indicated.
Please, if anyone could help, I would be thankful. :)
Lucas
Expecting a good answer from cpanel teams 0 -
You can find the logins for cPanel/WHM/Webmail in the login_log at /usr/local/cpanel/logs/access_log
A webmail login entry looks like:
lauren%40mydomain.tld [06/16/2020:05:24:02 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "https://server.mydomain.tld:2096/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" "-" "-" 2096
These logs are present for as long as log rotation allows them to be (it just depends on what you've got set). You can also see ALL logins for POP/IMAP and webmail access in /var/log/maillog
If you're saying that the logs go back too far, it's pretty easy to check within a timeframe - something like this would do it for the last two hours, and you can pipe in a grep for a specific user:
# compare each line's syslog timestamp (fields 1-3) with the cutoff, as epoch seconds
awk -v since="$(date -d 'now-2 hours' +%s)" '{ cmd = "date -d \"" $1 " " $2 " " $3 "\" +%s"; cmd | getline ts; close(cmd) } ts >= since' /var/log/maillog | grep user@domain.tld
This will do specific timeframes; I've piped a grep for a specific email account and another for Login:
sed -n '/Jun 14 03:10:/, /Jun 16 00:54:05/p' /var/log/maillog | grep lauren@mydomain.us | grep Login
0 -
Hi Lauren! First of all, I thank you for your response! My problem, though, is that I cannot find any of these paths you indicated. I have WHM access, and a cPanel account bonded to it, as the main domain account, but in this account's cPanel, I cannot locate the folders you have indicated. Do I have to search for it somewhere inside WHM, not in cPanel? Or am I missing something? I recorded a screen capture to prove what I'm talking about... I find a "var" folder, but not "var > log > maillog" 0 -
Hi @Lucas Nascimento I see. These log files aren't accessible through your cPanel account as they contain data for all accounts on the server. Your profile indicates you're a root administrator and as such we assume you have root access to the server - you'd be able to get this data by accessing the server using the CLI as the root user. 0 -
Hi Lauren! Thank you for your help! I found the WHM terminal and accessed it. Following root@example.com", but it returned me the same error message the article shows... in this case, should I contact my hosting company? Thank you again! 0 -
CSF (the firewall people) have a free file manager for WHM, called 'configserver explorer' I guess it can be dangerous if you don't know what you are doing but is a very handy tool for things like this. Or connect via SFTP as the root user. 0 -
If it gave you connection refused then, yes I would say to contact your hosting provider - it may be that the ssh port isn't open or SSH is listening on another port 0 -
Lauren, thank you for your response! I'll reach them so. 0 -
I came across this thread as I have a customer who also requires the same. However, this is about 2,900 email accounts :) All are under a single domain. Any idea of such a command that will list successful logins of all email accounts from the past 'x' number of days and perhaps print it to a text file? Thanks guys 0 -
@froi-manila - you'll have to make something custom for that. I'd recommend logging into an email account while watching the log file to get an idea of what a normal login looks like. Then you can create a command to search for similar entries in the log file, possibly sorting by date or just ignoring older data you don't want. 0
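One way to build the custom report discussed above, as an added example that is not part of the original thread and is not cPanel's own tooling: it reduces maillog-style lines to the last successful POP/IMAP login per mailbox and lists the accounts that never logged in. The Dovecot "Login: user=<...>" line layout, the function names and the sample lines are assumptions; compare them with a real login in your own log first.

```shell
#!/bin/sh
# Added example. Assumes Dovecot success lines of the form
#   "<Mon DD HH:MM:SS> host dovecot: imap-login: Login: user=<addr>, method=..."

# last_logins FILE... -> "address<TAB>Mon DD HH:MM:SS<TAB>imap|pop3", one row per mailbox.
# Pass files oldest first: the last matching line per address wins.
last_logins() {
  awk '
    / (imap|pop3)-login: Login: user=</ {
      addr = $0; sub(/.*Login: user=</, "", addr); sub(/>.*/, "", addr)
      svc = $0;  sub(/-login: Login:.*/, "", svc); sub(/.* /, "", svc)
      last[tolower(addr)] = $1 " " $2 " " $3 "\t" svc
    }
    END { for (a in last) print a "\t" last[a] }
  ' "$@" | sort
}

# never_seen ACCOUNT_LIST FILE... -> addresses in the list with no successful login logged.
never_seen() {
  list=$1; shift
  seen=$(mktemp)
  last_logins "$@" | cut -f1 > "$seen"
  tr 'A-Z' 'a-z' < "$list" | grep -vxFf "$seen" || true
  rm -f "$seen"
}

# Constructed sample input (not real log data); the failed attempt must be ignored.
SAMPLE_LOG=$(mktemp); SAMPLE_ACCOUNTS=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jun 14 03:10:05 mail dovecot: imap-login: Login: user=<alice@example.test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, mpid=1201, TLS, session=<a1>
Jun 14 09:22:41 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 6 secs): user=<bob@example.test>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<b1>
Jun 15 11:02:17 mail dovecot: imap-login: Login: user=<Carol@Example.test>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, mpid=1388, TLS, session=<c1>
Jun 16 00:54:05 mail dovecot: pop3-login: Login: user=<alice@example.test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, mpid=1502, session=<d1>
EOF
printf '%s\n' alice@example.test bob@example.test carol@example.test > "$SAMPLE_ACCOUNTS"

echo "Last successful login per mailbox:"; last_logins "$SAMPLE_LOG"
echo "No successful login in these logs:"; never_seen "$SAMPLE_ACCOUNTS" "$SAMPLE_LOG"
```

On a server, run it as root against /var/log/maillog plus whatever rotated copies are still retained, oldest first, and redirect the output to a text file. The report can only reach back as far as log rotation keeps data, so "never seen" means "not seen in the retained logs".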