One of the nice things about cPanel-based servers is the way that they keep the location of key files in the same place across all the various cPanel versions. Due to this consistency, one always knows where to look for log files for all services running on a cPanel server.
Overview of cPanel Log Files and Their Locations
cPanel stores logs in different server file system areas based on their specific function, such as backup, backup transfer, webmail, or access logs. Below, explore the most common log types, where you can find them, and what kind of information can be found within them when you are having issues, such as logging into your cPanel.
cPanel Log File Locations
Apache is the web server that is typically utilized by cPanel. On cPanel servers, Apache does write to a rather high number of logs, as each site has its own traffic log.
The access_log is used to log all http requests to either the hostname of the server, requests directed at the server's IPs, or sites that resolve to the server but are no longer hosted on it.
On cPanel servers, all Apache errors, regardless of site, are logged in the error_log.
Within the domlogs folder, each site on the server will have its own log file. These files will be the fully qualified domain name for the domain, i.e. domain.com, liquidweb.com. All http traffic to a site will be logged in this log file.
Cpanel does log all http traffic to WHM, webmail, and cPanel access. All cPanel logs are located in the /usr/local/cpanel/logs directory.
This access_log contains all traffic to WHM, cPanel, and webmail over http.
This error_log contains all errors that occur when accessing a cPanel-related site over http or https.
Regardless of the FTP daemon in use, cPanel does log connections, uploads, and downloads. However, FTP does not have its own log file. It is instead threaded into the system side messages log file.
All FTP transactions are recorded in messages. They are, however, interwoven with all other system messages that are logged in this file.
Secure Shell (SSH) is a secure way of logging into a server remotely from another computer. On almost all servers, the SSH service will be logging into the secure and system-side messages log files.
All authentication-related SSH transactions are recorded in secure & commands issued over an SSH connection will be logged in messages.
Each AutoSSL run log will be a directory that contains both text and JSON of the AutoSSL check and would be the first place to go to in case of SSL issues.
These logs help track the status and progress of each scheduled cPanel backup, including errors and other backup-related events.
The following logs will be useful if you want to narrow down who accessed certain cPanel services.
The session_log helps track successful session logins to the cPanel services, the IP that accessed it, and for how long the session lasted.
The login_log shows you all the failed logins to various cPanel services, the IP in question, and the reason for failure.
This is the first thing to look for when you have any cron job issues. It will list the user, the time that the cron ran, and the specific command executed by the cron, among other errors.
ModSecurity is an open-source web application firewall (WAF) that protects your web applications from attacks.
ModSecurity hits will also be in the main Apache error log, containing enough information for whitelisting rules. But that log can also be full of other background noise. This log will only show ModSecurity hits and be more verbose and easier to read.
PHP-FPM (FastCGI Process Manager) is the most modern PHP handler currently. It will often cause your site to hang in case it needs to protect the rest of the server from overload, so it's one of the first things you should check in similar situations.
Depending upon the PHP version, they are located in different directories. For the following directory path, replace XX with the PHP version number your site uses currently.
The following error log is separate from the one for your sites. Many cPanel services use PHP-FPM as their handler, so any related issues to that will be stored here.
While not a part of cPanel, the ConfigServer Firewall (CSF) is a powerful firewall built around iptables that have been implemented on servers to enhance overall security and protect against various threats.
The lfd.log file is the main log file for the Login Failure Daemon (LFD) process, which is a ConfigServer Firewall (CSF) component dedicated to brute force protection. By examining the lfd.log file, you can track repeated failed login attempts, what IP address was blocked, and which service it was trying to access.
The csf.deny file is where you will find a list of IP addresses and Classless Inter-Domain Routing (CIDR) blocks that are denied access to the server. This file is updated by the CSF system whenever an IP address or range is identified as posing a threat, such as multiple failed login attempts or triggering a rule in the firewall.
The csf.allow log is another important configuration file containing a list of IP addresses explicitly allowed access to the server. This file grants specific IP addresses unrestricted access to the server, bypassing the firewall's rules and filters. This log is where you should place your IP address, but you should generally be cautious about which IP addresses you allow through this file.
The mail log file is a more general email log file that mainly shows the Dovecot authentication logs for all POP3/IMAP connections.
Exim is the Mail Transfer Agent (MTA) that cPanel utilizes. The exim_mainlog contains all interactions that Exim handles, which are both incoming and outgoing mail transactions.
The exim_rejectlog contains all connection attempts that were denied. This information is also logged in the exim_mainlog.
There are tons of Exim cheat sheets and other information on Exim's logs just a Google search away.
Roundcube is a webmail client that allows users to access their email through a web interface. Logs here help track user activity, errors, and any potential issues with the webmail client.
cPHulk is a cPanel brute force solution for cPanel services that block IP addresses or limits logins to users exceeding a certain number of failed login attempts.
The cphulkd_errors.log file is where you will find errors if the cPHulk has issues or is conflicting with another server component.
In the cphulkd.log, you will find the IP address, the service affected, amount of authentication failures, and the time the IP address was blocked.
The exact name depends on your server hostname. The MySQL log will provide information, such as database authentication issues and various startup errors. This log can contain quite a lot of useful information for troubleshooting database issues.
Imunify is a security solution for Linux web servers that gained popularity recently due to its ease of use and impressive detection rate. If you need help with the Imunify plugin, you can gain more information from the logs stored in this directory.
Get More From Your Hosting Provider!
Liquid Web's sales and support teams are available 24 hours a day, 7 days a week, 365 days a year. Contact us today to get started or upgrade your existing infrastructure.
Our Sales and Support teams are available 24 hours by phone or e-mail to assist.