Overview

WHM / cPanel-based servers make server management easy by providing centralized logging for troubleshooting, system monitoring, and systems auditing. Every cPanel server keeps key log files in predictable locations, making it easier to identify and resolve issues across services.

This article outlines the most common log files you may need, including Apache, Exim, MariaDB / MySQL, PHP-FPM, cron, FTP, SSH, and WHM / cPanel-specific logs.

To access these logs, you must log into your server using SSH and navigate the filesystem using the command line.

Parameters / Features

Apache: Apache is the web server commonly used on cPanel servers. Each site has its own logs for traffic and errors.
Exim: Exim is the Mail Transfer Agent (MTA) on cPanel servers.
MariaDB / MySQL: MariaDB is the default database engine for cPanel. Logs are crucial for database error detection and query troubleshooting.
Cron: Automates scheduled tasks on cPanel servers.
cPanel: WHM / cPanel itself logs interactions with WHM, webmail, and cPanel services.

Essential Commands for Reading Logs

You don’t need to be a command-line expert to read logs. These four simple commands will handle almost every situation:

less: The best and safest way to browse a large log file. It lets you scroll up and down without loading the entire file into memory. (Example: sudo less /var/log/syslog)

tail: Shows you the last 10 lines of a file, which is perfect for seeing the most recent events. Use tail -f to watch a log file in real-time as new entries are added. (Example: sudo tail -f /var/log/nginx/error.log)

grep: Your most powerful troubleshooting tool. It searches for specific keywords within a file, allowing you to instantly find lines containing “error,” “failed,” or a specific IP address. (Example: sudo grep “Failed password” /var/log/auth.log)

zcat / zless: As logs get old, a process called “log rotation” compresses them into .gz archives to save space. You can’t read these with cat or less. Instead, use zcat or zless to view their contents without decompressing them first. (Example: sudo zless /var/log/syslog.2.gz)

Common Use Cases / Examples

Purpose	Log File	Common Use Cases	Example Command
Apache Global Access Log	`/usr/local/apache/logs/access_log`	Review HTTP requests or monitoring traffic patterns.	`sudo tail -f /usr/local/apache/logs/access_log`
Apache Global Error Log	`/usr/local/apache/logs/error_log`	Review HTTP errors to debug apache-level issues.	`sudo tail -f /usr/local/apache/logs/error_log`
Apache Domain-specific logs	`/usr/local/apache/domlogs`	Reviewing HTTP requests per-domain to debug website errors or monitor traffic patterns.	`cat /usr/local/apache/domlogs/example.com`
Global Cron log	`/var/log/cron`	Monitor scheduled tasks to debug errors and verify execution.	`grep "username" /var/log/cron`
FTP and SSH log all connections. FTP tracks uploads, and downloads.	`/var/log/messages`	Troubleshooting failed file transfers or ssh connections. Monitoring user FTP or SSH activity.	`grep "ftp" /var/log/messages` `grep "sshd" /var/log/secure`
Authentication log	`/var/log/secure`	Audit login attempts and privilege escalations to investigate potential security threats	`grep "Failed password" /var/log/secure`
Exim Main email log	`/var/log/exim_mainlog`	Troubleshoot incoming / outgoing email transactions and delivery failures.	`grep "example.com" /var/log/exim_mainlog`
Exim rejected mail log	`/var/log/exim_rejectlog`	Review any rejected mail connection or spam attempts.	`tail -f /var/log/exim_rejectlog`
General mail log	`/var/log/maillog`	Audit mail activity across all services and identify server-level mail errors.	`grep "example.com" /var/log/maillog`
MariaDB / MySQL error log	`/var/lib/mysql/{hostname}.err`	Check for errors while troubleshooting a database.	`grep "ERROR" /var/lib/mysql/$(hostname).err`
MariaDB / MySQL slow query log (if enabled)	`/var/lib/mysql/{hostname}-slow.log`	Identify slow or failing queries.	`grep -A 1 'Query_time: [1-9][0-9]' /var/lib/mysql/$(hostname)-slow.log`
MariaDB / MySQL general log (if enabled)	`/var/lib/mysql/{hostname}-general.log`	Audit every single SQL statement received. Review what the database is doing in real-time.	`grep -i -C 5 'wp_posts' /var/lib/mysql/$(hostname)-general.log`
PHP-FPM Per-Version Error log	`/opt/cpanel/ea-php*/root/usr/var/log/php-fpm/error.log`	Debugging PHP runtime errors.	`tail -f /opt/cpanel/ea-php82/root/usr/var/log/php-fpm/error.log`
PHP-FPM Per-user log	`/opt/cpanel/ea-php*/root/usr/var/log/php-fpm/{user}.log`	Monitor PHP-FPM pool performance or troubleshoot site-specific errors.	`grep -i "fatal error" /opt/cpanel/ea-php82/root/usr/var/log/php-fpm/cpanel_user.log`
WHM / cPanel Access log	`/usr/local/cpanel/logs/access_log`	Audit WHM / cPanel access attempts.	`grep "POST /login" /usr/local/cpanel/logs/access_log \| awk '{print $1}' \| sort \| uniq -c \| sort -nr`
WHM / cPanel Error log	`/usr/local/cpanel/logs/error_log`	Troubleshoot WHM / cPanel control panel issues.	`tail -f -n 50 /usr/local/cpanel/logs/error_log`
WHM / cPanel Login log	`/usr/local/cpanel/logs/login_log`	Troubleshooting failed logins.	`tail -f /usr/local/cpanel/logs/login_log`
WHM / cPanel Session log	`/usr/local/cpanel/logs/session_log`	Audit user activities while they are logged into cPanel.	`grep "cpanel_user" /usr/local/cpanel/logs/session_log`
WHM / cPanel cPHulk log	`/usr/local/cpanel/logs/cphulkd.log`	Detecting brute-force attacks with cPHulk.	`grep "failed" /usr/local/cpanel/logs/cphulkd.log`
WHM / cPanel Backup log	`/usr/local/cpanel/logs/cpbackup`	Troubleshooting failed backups.	`grep -i "fail\|error" $(ls -t /usr/local/cpanel/logs/cpbackup/* \| head -n 1)`
WHM / cPanel AutoSSL log	`/usr/local/cpanel/logs/autossl_log`	Monitoring backup and AutoSSL activities.	`grep "example.com" /usr/local/cpanel/logs/autossl_log \| tail -n 20`