Locations of Common cPanel Log Files
One of the nice things about cPanel-based servers is the way that they keep the location of key files in the same place across all the various cPanel versions. Due to this consistency, one always knows where to look for log files for all services running on a cPanel server.
Overview of cPanel Log Files and Their Locations
cPanel stores logs in different server file system areas based on their specific function, such as backup, backup transfer, webmail, or access logs. Below, explore the most common log types, where you can find them, and what kind of information can be found within them when you are having issues, such as logging into your cPanel.
cPanel Log File Locations
Apache
Apache is the web server that is typically utilized by cPanel. On cPanel servers, Apache writes to a rather high number of logs, as each site has its own traffic log.
/usr/local/apache/logs/access_log
The access_log records all HTTP requests to the hostname of the server, requests directed at the server's IPs, and requests for sites that resolve to the server but are no longer hosted on it.
/usr/local/apache/logs/error_log
On cPanel servers, all Apache errors, regardless of site, are logged in the error_log.
/usr/local/apache/domlogs
Within the domlogs folder, each site on the server will have its own log file. Each file is named after the fully qualified domain name of the site, e.g. domain.com, liquidweb.com. All HTTP traffic to a site will be logged in this log file.
cPanel
cPanel logs all HTTP traffic to WHM, webmail, and cPanel. All cPanel logs are located in the /usr/local/cpanel/logs directory.
/usr/local/cpanel/logs/access_log
This access_log contains all traffic to WHM, cPanel, and webmail over HTTP.
/usr/local/cpanel/logs/error_log
This error_log contains all errors that occur when accessing a cPanel-related site over HTTP or HTTPS.
FTP
Regardless of the FTP daemon in use, cPanel logs connections, uploads, and downloads. However, FTP does not have its own log file. Its entries are instead written to the system-side messages log file.
/var/log/messages
All FTP transactions are recorded in messages. They are, however, interwoven with all other system messages that are logged in this file.
SSH
Secure Shell (SSH) is a secure way of logging into a server remotely from another computer. On almost all servers, the SSH service logs to the secure and system-side messages log files.
/var/log/secure
/var/log/messages
All authentication-related SSH transactions are recorded in secure, and commands issued over an SSH connection are logged in messages.
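Because SSH authentication failures land in /var/log/secure while FTP events are interleaved with other system messages in /var/log/messages, the following added example (not part of the original article) tallies failed logins per source IP across both files. It assumes OpenSSH "Failed password" lines and Pure-FTPd "Authentication failed" lines; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count failed SSH and FTP logins per source IP.
# Assumed formats: OpenSSH "Failed password ..." and Pure-FTPd
# "Authentication failed ..." syslog lines (adjust for other daemons).

# Constructed sample lines standing in for /var/log/secure and /var/log/messages.
sample_logs() {
cat <<'EOF'
Jan 10 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jan 10 03:14:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jan 10 03:14:05 host sshd[2107]: Failed password for invalid user x from 192.0.2.1 from 203.0.113.5 port 40130 ssh2
Jan 10 03:14:06 host sshd[2110]: Accepted password for deploy from 198.51.100.20 port 51514 ssh2
Jan 10 03:14:07 host pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [bob]
Jan 10 03:14:09 host pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [bob]
Jan 10 03:14:10 host kernel: eth0: link up
Jan 10 03:14:11 host pure-ftpd: (bob@198.51.100.20) [NOTICE] /home/bob/public_html/index.html uploaded
EOF
}

# failed_logins [FILE...] -> prints "count service ip", highest count first.
# Reads stdin when no file is given.
failed_logins() {
    awk '
        # The username is client-supplied and may contain spaces or the word
        # "from", so read the address from the fixed tail: from IP port N ssh2
        / sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" {
            hits["ssh " $(NF-3)]++
        }
        # The source address is the first "(user@ip)" group on the line,
        # ahead of the client-supplied user name in square brackets.
        / pure-ftpd(\[[0-9]+\])?: .*Authentication failed for user / {
            if (match($0, /\([^()@]*@[^()]+\)/)) {
                addr = substr($0, RSTART, RLENGTH)
                sub(/^\([^@]*@/, "", addr)
                sub(/\)$/, "", addr)
                hits["ftp " addr]++
            }
        }
        END { for (k in hits) print hits[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# With arguments, scan those files; otherwise run on the constructed sample.
if [ "$#" -gt 0 ]; then
    failed_logins "$@"
else
    sample_logs | failed_logins
fi
```

On a server, pass the real files as arguments, for example `/var/log/secure /var/log/messages`, and compare the top addresses against the blocks recorded in lfd.log or cphulkd.log.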
AutoSSL Logs
Each AutoSSL run is logged in its own directory, which contains both text and JSON output of the AutoSSL check. This is the first place to look in case of SSL issues.
/var/cpanel/logs/autossl/
Backup Logs
These logs help track the status and progress of each scheduled cPanel backup, including errors and other backup-related events.
/usr/local/cpanel/logs/cpbackup/
Login Logs
The following logs will be useful if you want to narrow down who accessed certain cPanel services.
The session_log helps track successful session logins to the cPanel services, the IP that accessed it, and for how long the session lasted.
/usr/local/cpanel/logs/session_log
The login_log shows you all the failed logins to various cPanel services, the IP in question, and the reason for failure.
/usr/local/cpanel/logs/login_log
Cron Logs
This is the first place to look when you have any cron job issues. It lists the user, the time that the cron ran, and the specific command executed by the cron, along with any errors.
/var/log/cron
ModSecurity Logs
ModSecurity is an open-source web application firewall (WAF) that protects your web applications from attacks.
ModSecurity hits also appear in the main Apache error log, with enough information for whitelisting rules. But that log can also be full of other background noise. The audit log below shows only ModSecurity hits and is more verbose and easier to read.
/var/log/apache2/modsec_audit.log
PHP-FPM Logs
PHP-FPM (FastCGI Process Manager) is the most modern PHP handler currently. It will often cause your site to hang in case it needs to protect the rest of the server from overload, so it's one of the first things you should check in similar situations.
Depending upon the PHP version, they are located in different directories. For the following directory path, replace XX with the PHP version number your site uses currently.
/opt/cpanel/ea-phpXX/root/usr/var/log/php-fpm
The following error log is separate from the one for your sites. Many cPanel services use PHP-FPM as their handler, so any issues related to that are stored here.
/usr/local/cpanel/logs/php-fpm/error.log
CSF
While not a part of cPanel, the ConfigServer Firewall (CSF) is a powerful firewall built around iptables that has been implemented on servers to enhance overall security and protect against various threats.
The lfd.log file is the main log file for the Login Failure Daemon (LFD) process, which is a ConfigServer Firewall (CSF) component dedicated to brute force protection. By examining the lfd.log file, you can track repeated failed login attempts, what IP address was blocked, and which service it was trying to access.
/var/log/lfd.log
The csf.deny file is where you will find a list of IP addresses and Classless Inter-Domain Routing (CIDR) blocks that are denied access to the server. This file is updated by the CSF system whenever an IP address or range is identified as posing a threat, such as multiple failed login attempts or triggering a rule in the firewall.
/etc/csf/csf.deny
The csf.allow file is another important configuration file containing a list of IP addresses explicitly allowed access to the server. This file grants specific IP addresses unrestricted access to the server, bypassing the firewall's rules and filters. This file is where you should place your IP address, but you should generally be cautious about which IP addresses you allow through it.
/etc/csf/csf.allow
Email Logs
The mail log file is a more general email log file that mainly shows the Dovecot authentication logs for all POP3/IMAP connections.
/var/log/maillog
Exim is the Mail Transfer Agent (MTA) that cPanel utilizes. The exim_mainlog contains all interactions that Exim handles, which are both incoming and outgoing mail transactions.
/var/log/exim_mainlog
The exim_rejectlog contains all connection attempts that were denied. This information is also logged in the exim_mainlog.
/var/log/exim_rejectlog
There are tons of Exim cheat sheets and other information on Exim's logs just a Google search away.
Roundcube Logs
Roundcube is a webmail client that allows users to access their email through a web interface. Logs here help track user activity, errors, and any potential issues with the webmail client.
/var/cpanel/roundcube/log/
cPHulk Logs
cPHulk is a cPanel brute force protection solution for cPanel services that blocks IP addresses or limits logins for users exceeding a certain number of failed login attempts.
The cphulkd_errors.log file is where you will find errors if cPHulk has issues or is conflicting with another server component.
/usr/local/cpanel/logs/cphulkd_errors.log
In the cphulkd.log, you will find the IP address, the service affected, the number of authentication failures, and the time the IP address was blocked.
/usr/local/cpanel/logs/cphulkd.log
MySQL Logs
The exact name depends on your server hostname. The MySQL log will provide information, such as database authentication issues and various startup errors. This log can contain quite a lot of useful information for troubleshooting database issues.
/var/lib/mysql/{SERVER_NAME}.err
Imunify Logs
Imunify is a security solution for Linux web servers that gained popularity recently due to its ease of use and impressive detection rate. If you need help with the Imunify plugin, you can gain more information from the logs stored in this directory.
/var/log/imunify360/
About the Author: Freddy Reese
Freddy works in the Liquid Web Managed Hosting Support team with a strong passion for all things related to Linux administration, cybersecurity, and aviation. In his free time, he likes to keep up with the latest news on topics ranging from fusion to space technologies. His hobbies include automating all kinds of stuff using Arduino/Raspberry Pi, learning and flying around in flight simulators, playing with his dog Chupko, swimming at nearby beaches, and staying physically and mentally healthy by going to the gym.