Locations of Common cPanel Log Files

Reading Time: 5 minutes

One of the nice things about cPanel-based servers is the way that they keep the location of key files in the same place across all the various cPanel versions.  Due to this consistency, one always knows where to look for log files for all services running on a cPanel server.

Overview of cPanel Log Files and Their Locations

cPanel stores logs in different server file system areas based on their specific function, such as backup, backup transfer, webmail, or access logs. Below, explore the most common log types, where you can find them, and what kind of information can be found within them when you are having issues, such as logging into your cPanel.

Locations of Common Log Files on cPanel Servers

cPanel Log File Locations

Apache

Apache is the web server that is typically utilized by cPanel.  On cPanel servers, Apache does write to a rather high number of logs, as each site has its own traffic log.

/usr/local/apache/logs/access_log

The access_log is used to log all http requests to either the hostname of the server, requests directed at the server's IPs, or sites that resolve to the server but are no longer hosted on it.

/usr/local/apache/logs/error_log

On cPanel servers, all Apache errors, regardless of site, are logged in the error_log.

/usr/local/apache/domlogs

Within the domlogs folder, each site on the server will have its own log file.  These files will be the fully qualified domain name for the domain, i.e. domain.com, liquidweb.com.  All http traffic to a site will be logged in this log file.

cPanel

Cpanel does log all http traffic to WHM, webmail, and cPanel access.  All cPanel logs are located in the /usr/local/cpanel/logs directory.

/usr/local/cpanel/logs/access_log

This access_log contains all traffic to WHM, cPanel, and webmail over http.

/usr/local/cpanel/logs/error_log

This error_log contains all errors that occur when accessing a cPanel-related site over http or https.

FTP

Regardless of the FTP daemon in use, cPanel does log connections, uploads, and downloads.  However, FTP does not have its own log file. It is instead threaded into the system side messages log file.

/var/log/messages

All FTP transactions are recorded in messages.  They are, however, interwoven with all other system messages that are logged in this file.

SSH

Secure Shell (SSH) is a secure way of logging into a server remotely from another computer. On almost all servers, the SSH service will be logging into the secure and system-side messages log files.

/var/log/secure
/var/log/messages

All authentication-related SSH transactions are recorded in secure & commands issued over an SSH connection will be logged in messages.

AutoSSL Logs

Each AutoSSL run log will be a directory that contains both text and JSON of the AutoSSL check and would be the first place to go to in case of SSL issues.

/var/cpanel/logs/autossl/

Backup Logs

These logs help track the status and progress of each scheduled cPanel backup, including errors and other backup-related events.

/usr/local/cpanel/logs/cpbackup/

Login Logs

The following logs will be useful if you want to narrow down who accessed certain cPanel services.

The session_log helps track successful session logins to the cPanel services, the IP that accessed it, and for how long the session lasted.

/usr/local/cpanel/logs/session_log

The login_log shows you all the failed logins to various cPanel services, the IP in question, and the reason for failure.

/usr/local/cpanel/logs/login_log

Cron Logs

This is the first thing to look for when you have any cron job issues. It will list the user, the time that the cron ran, and the specific command executed by the cron, among other errors.

/var/log/cron

ModSecurity Logs

ModSecurity is an open-source web application firewall (WAF) that protects your web applications from attacks.

ModSecurity hits will also be in the main Apache error log, containing enough information for whitelisting rules. But that log can also be full of other background noise. This log will only show ModSecurity hits and be more verbose and easier to read.

/var/log/apache2/modsec_audit.log

PHP-FPM Logs

PHP-FPM (FastCGI Process Manager) is the most modern PHP handler currently. It will often cause your site to hang in case it needs to protect the rest of the server from overload, so it's one of the first things you should check in similar situations.

Depending upon the PHP version, they are located in different directories. For the following directory path, replace XX with the PHP version number your site uses currently.

/opt/cpanel/ea-phpXX/root/usr/var/log/php-fpm

The following error log is separate from the one for your sites. Many cPanel services use PHP-FPM as their handler, so any related issues to that will be stored here.

/usr/local/cpanel/logs/php-fpm/error.log

CSF

While not a part of cPanel, the ConfigServer Firewall (CSF) is a powerful firewall built around iptables that have been implemented on servers to enhance overall security and protect against various threats.

The lfd.log file is the main log file for the Login Failure Daemon (LFD) process, which is a ConfigServer Firewall (CSF) component dedicated to brute force protection. By examining the lfd.log file, you can track repeated failed login attempts, what IP address was blocked, and which service it was trying to access.

/var/log/lfd.log

The csf.deny file is where you will find a list of IP addresses and Classless Inter-Domain Routing (CIDR) blocks that are denied access to the server. This file is updated by the CSF system whenever an IP address or range is identified as posing a threat, such as multiple failed login attempts or triggering a rule in the firewall.

/etc/csf/csf.deny

The csf.allow log is another important configuration file containing a list of IP addresses explicitly allowed access to the server. This file grants specific IP addresses unrestricted access to the server, bypassing the firewall's rules and filters. This log is where you should place your IP address, but you should generally be cautious about which IP addresses you allow through this file.

/etc/csf/csf.allow

Email Logs

The mail log file is a more general email log file that mainly shows the Dovecot authentication logs for all POP3/IMAP connections.

/var/log/maillog

Exim is the Mail Transfer Agent (MTA) that cPanel utilizes. The exim_mainlog contains all interactions that Exim handles, which are both incoming and outgoing mail transactions.

/var/log/exim_mainlog

The exim_rejectlog contains all connection attempts that were denied. This information is also logged in the exim_mainlog.

/var/log/exim_rejectlog

There are tons of Exim cheat sheets and other information on Exim's logs just a Google search away.

Roundcube Logs

Roundcube is a webmail client that allows users to access their email through a web interface. Logs here help track user activity, errors, and any potential issues with the webmail client.

/var/cpanel/roundcube/log/

cPHulk Logs

cPHulk is a cPanel brute force solution for cPanel services that blocks IP addresses or limits logins to users exceeding a certain number of failed login attempts.

The cphulkd_errors.log file is where you will find errors if the cPHulk has issues or is conflicting with another server component.

/usr/local/cpanel/logs/cphulkd_errors.log

In the cphulkd.log, you will find the IP address, the service affected, amount of authentication failures, and the time the IP address was blocked.

/usr/local/cpanel/logs/cphulkd.log

MySQL Logs

The exact name depends on your server hostname. The MySQL log will provide information, such as database authentication issues and various startup errors. This log can contain quite a lot of useful information for troubleshooting database issues.

/var/lib/mysql/{SERVER_NAME}.err

Imunify Logs

Imunify is a security solution for Linux web servers that gained popularity recently due to its ease of use and impressive detection rate. If you need help with the Imunify plugin, you can gain more information from the logs stored in this directory.

/var/log/imunify360/

Get More From Your Hosting Provider

We pride ourselves on being The Most Helpful Humans In Hosting™! If you aren't receiving the hosting support you need, it may be time to find a new hosting provider.

Liquid Web's sales and support teams are available 24 hours a day, 7 days a week, 365 days a year. Contact us today to get started or upgrade your existing infrastructure.

Avatar for Freddy Reese

About the Author: Freddy Reese

Freddy works in the Liquid Web Managed Hosting Support team with a strong passion for all things related to Linux administration, cybersecurity, and aviation. In his free time, he likes to keep up with the latest news on topics ranging from fusion to space technologies. His hobbies include automating all kinds of stuff using Arduino/Raspberry Pi, learning and flying around in flight simulators, playing with his dog Chupko, swimming at nearby beaches, and staying physically and mentally healthy by going to the gym.

Latest Articles

Blocking IP or whitelisting IP addresses with UFW

Read Article

CentOS Linux 7 end of life migrations

Read Article

Use ChatGPT to diagnose and resolve server issues

Read Article

What is SDDC VMware?

Read Article

Best authentication practices for email senders

Read Article