Cpanel log files and its locations complete guide.
cpanel log files location are very important in all cpanel servers needs to know the location of key files. Due to this consistency, one always knows where to look for log files for all services running on a cPanel server.
cPanel Log Files and Their Locations
cPanel Log File Locations
Apache
Apache is the web server that is typically utilized by c Panel. On c Panel servers, Apache does write to a rather high number of logs, as each site has its own traffic log.
/usr/local/apache/logs/access_log/usr/local/apache/logs/error_log/usr/local/apache/domlogscPanel log file
Cpanel does log all http traffic to WHM, webmail, and c Panel access. All c Panel logs are located in the /usr/local/cpanel/logs directory.
/usr/local/cpanel/logs/access_log/usr/local/cpanel/logs/error_logFTP log file
Regardless of the FTP daemon in use, c Panel does log connections, uploads, and downloads. However, FTP does not have its own log file. It is instead threaded into the system side messages log file.
/var/log/messagesSSH log file
Secure Shell (SSH) is a secure way of logging into a server remotely from another computer. On almost all servers, the SSH service will be logging into the secure and system-side messages log files.
/var/log/secure
/var/log/messagesAll authentication-related SSH transactions are recorded in secure & commands issued over an SSH connection will be logged in messages.
AutoSSL Logs
Each AutoSSL run log will be a directory that contains both text and JSON of the AutoSSL check and would be the first place to go to in case of SSL issues.
/var/cpanel/logs/autossl/Backup Logs
These logs help track the status and progress of each scheduled cPanel backup, including errors and other backup-related events.
/usr/local/cpanel/logs/cpbackup/Login Logs
The following logs will be useful if you want to narrow down who accessed certain cPanel services.
The session_log helps track successful session logins to the cPanel services, the IP that accessed it, and for how long the session lasted.
/usr/local/cpanel/logs/session_logThe login_log shows you all the failed logins to various cPanel services, the IP in question, and the reason for failure.
/usr/local/cpanel/logs/login_logCron Logs
This is the first thing to look for when you have any cron job issues. It will list the user, the time that the cron ran, and the specific command executed by the cron, among other errors.
/var/log/cronModSecurity Logs
ModSecurity is an open-source web application firewall (WAF) that protects your web applications from attacks.
ModSecurity hits will also be in the main Apache error log file, containing enough information for whitelisting rules. But that log can also be full of other background noise. This log will only show ModSecurity hits and be more verbose and easier to read.
/var/log/apache2/modsec_audit.logPHP-FPM Logs
PHP-FPM (FastCGI Process Manager) is the most modern PHP handler currently. It will often cause your site to hang in case it needs to protect the rest of the server from overload, so it’s one of the first things you should check in similar situations.
Depending upon the PHP version, they are located in different directories. For the following directory path, replace XX with the PHP version number your site uses currently.
/opt/cpanel/ea-phpXX/root/usr/var/log/php-fpmThe following error log is separate from the one for your sites. Many cPanel services use PHP-FPM as their handler, so any related issues to that will be stored here.
/usr/local/cpanel/logs/php-fpm/error.logCSF log file
While not a part of cPanel, the ConfigServer Firewall (CSF) is a powerful firewall built around iptables that have been implemented on servers to enhance overall security and protect against various threats.
The lfd.log file is the main log file for the Login Failure Daemon (LFD) process, which is a ConfigServer Firewall (CSF) component dedicated to brute force protection. By examining the lfd.log file, you can track repeated failed login attempts, what IP address was blocked, and which service it was trying to access.
/var/log/lfd.logThe csf.deny file is where you will find a list of IP addresses and Classless Inter-Domain Routing (CIDR) blocks that are denied access to the server. This file is updated by the CSF system whenever an IP address or range is identified as posing a threat, such as multiple failed login attempts or triggering a rule in the firewall.
/etc/csf/csf.denyThe csf.allow log is another important configuration file containing a list of IP addresses explicitly allowed access to the server. This file grants specific IP addresses unrestricted access to the server, bypassing the firewall’s rules and filters. This log is where you should place your IP address, but you should generally be cautious about which IP addresses you allow through this file.
/etc/csf/csf.allowEmail Logs
The mail log file is a more general email log file that mainly shows the Dovecot authentication logs for all POP3/IMAP connections.
/var/log/maillogExim is the Mail Transfer Agent (MTA) that cPanel utilizes. The exim_mainlog contains all interactions that Exim handles, which are both incoming and outgoing mail transactions.
/var/log/exim_mainlogThe exim_rejectlog contains all connection attempts that were denied. This information is also logged in the exim_mainlog.
/var/log/exim_rejectlogThere are tons of Exim cheat sheets and other information on Exim’s logs just a Google search away.
Roundcube
Roundcube is a webmail client that allows users to access their email through a web interface. Logs here help track user activity, errors, and any potential issues with the webmail client.
/var/cpanel/roundcube/log/cPHulk
cPHulk is a cPanel brute force solution for cPanel services that blocks IP addresses or limits logins to users exceeding a certain number of failed login attempts.
The cphulkd_errors.log file is where you will find errors if the cPHulk has issues or is conflicting with another server component.
/usr/local/cpanel/logs/cphulkd_errors.logIn the cphulkd.log, you will find the IP address, the service affected, amount of authentication failures, and the time the IP address was blocked.
/usr/local/cpanel/logs/cphulkd.logMySQL
The exact name depends on your server hostname. The MySQL log will provide information, such as database authentication issues and various startup errors. This log can contain quite a lot of useful information for troubleshooting database issues.
/var/lib/mysql/{SERVER_NAME}.errImunify
Imunify is a security solution for Linux web servers that gained popularity recently due to its ease of use and impressive detection rate. If you need help with the Imunify plugin, you can gain more information from the logs stored in this directory.
/var/log/imunify360/
