First of all, some of these locations do change as cPanel release new versions.

If you are unable to see what you are looking for, use the "find" command or "locate" to track it down.

Here are some of the locations of all of the log files in cPanel & WHM, Webmail, and MySQL.

While a log file's location can be altered with a configuration file, the directories and files below reflect unaltered configurations on CentOS, CloudLinux, RedHat Enterprise Linux (RHEL), and Amazon Linux.

To access them, cd to the location and "cat, tail, grep" or whatever else you use to read files.

Personally, I use .bash_profile aliases to make this easier.


GENERAL 
/var/log/messages  contains the login attempts and general error messages for the following services

 

  • FTP
  • the nameserver daemons
  • named or bind.
  • MyDNS
  • PowerDNS
  • NSD
  • the SSH daemon (sshd)
  • the Dovecot mail server

 

 
/var/log/secure   contains the login attempts for the SSH daemon (sshd). 





cPanel & WHM SERVICES 
/home/username/.cpanel/logs  a directory that contains records of errors within a user's task queue. 
/usr/local/cpanel/logs/access_log   contains records of when a cPanel & WHM user accesses their account. 
/usr/local/cpanel/build/locale_database_log  contains information about when a user edits a locale. 
/usr/local/cpanel/logs/api_tokens_log  contains WHM's API tokens logs. 
/usr/local/cpanel/logs/cpdavd_error_log  contains WebDisk's error logs. 
/usr/local/cpanel/logs/cpdavd_session_log  contains Web Disk's activity logs. 
/usr/local/cpanel/logs/cpgreylistd.log  contains the Greylisting daemon's (cpgreylistd) activity logs. 
/usr/local/cpanel/logs/cphulkd_errors.log  contains the Brute Force Protection daemon's (cphulkd) error logs. 
/usr/local/cpanel/logs/cphulkd.log  contains the cphulkd daemon's activity logs. 
/usr/local/cpanel/logs/cpwrapd_log  contains the cPanel & WHM service manager daemon's (cpsrvd) activity logs. 
/usr/local/cpanel/logs/dnsadmin.log  contains dnsadmin request logs. 
/usr/local/cpanel/logs/error_log  contains the cPanel account's error logs. 
/usr/local/cpanel/logs/incoming_http_requests.log  contains the logs of connection requests to the cPanel account's server. 
/usr/local/cpanel/logs/license_log  contains the cPanel account's license update logs and license errors. 
/usr/local/cpanel/logs/login_log  contains the login attempts to the cpsrvd daemon. 
/usr/local/cpanel/logs/queueprocd.log  contains the cPanel TaskQueue Processing daemon's (queueprocd) logs. 
/usr/local/cpanel/logs/safeapacherestart_log  contains information about each time that Apache restarted on the server.
/usr/local/cpanel/logs/session_log  contains logs of a user's activities while they are logged into the cPanel account. 
/usr/local/cpanel/logs/setupdbmap_log  contains the cPanel account's database-related activities. 
/usr/local/cpanel/logs/stats_log  contains the bandwidth statistics for all of the server's cPanel accounts. 
/usr/local/cpanel/logs/tailwatchd_log   contains the Tailwatch Driver's (tailwatchd) logs. 
/usr/local/cpanel/logs/panic_log  contains a cPanel account's severe error logs. 
/usr/local/cpanel/logs/php-fpm/error.log  contains the PHP-FPM implementation's errors. These errors include errors for the cpsrvd and cpdavd services. It does not include errors for customer sites. 
/var/cpanel/php-fpm/USER/logs/slow.log  contains scripts that run unusually slow for a user where "USER" represents the cPanel account name. 
/var/cpanel/php-fpm/USER/logs/error.log  contains the user's error logs where "USER" represents the cPanel account name. 
/var/cpanel.bandwidth.cache   contains the cached bandwidth history for each cPanel account on your server.
/var/cpanel/accounting.log  contains records of cPanel account actions, such as creation and deletion. 
/var/log/chkservd.log  contains the service status logs. 
/var/log/cpanel-install.log  contains the cPanel & WHM installation logs. 

   



DIRECTORIES
/usr/local/cpanel/logs/cpbackup  the directory containing the cPanel backup log files.  
/usr/local/cpanel/logs/cpbackup_transporter  contains the cPanel Backup Transporter's log files. 
/usr/local/cpanel/logs/easy/apache  contains the EasyApache build log files. 
/usr/local/cpanel/logs/update_analysis  contains the update process's .tar files. 
/var/cpanel/bandwidth/username  contains each account's bandwidth usage logs.

username represents your account's username.

 
/var/cpanel/logs  contains account transfer log files and other, miscellaneous log files. 
/var/cpanel/updatelogs  contains the system's update log files. 
/var/cpanel/logs/mysql_upgrade.log  contains the account's MySQL upgrade logs. 
/var/cpanel/horde/log contains the log files for Horde. 
/var/cpanel/squirrelmail  contains the log files for SquirrelMail. 
/var/cpanel/roundcube/log  contains the log files for Roundcube Webmail. 
/var/cpanel/transfer_session  contains subdirectories for transfer and restore sessions.

each transfer and restore session's subdirectory contains the session's log files in a line-delimited JSON format.

 
/etc/apache2/logs/domlogs  contains the FTP transaction logs for all of the cPanel account's domains which exist on webservers that run Easy Apache 4. 

   



FTP 
/etc/apache2/logs/domlogs/ftpxferlog  contains the FTP transaction logs for all of the cPanel account's users who run EasyApache 4





MAIL 
/var/log/exim_mainlog  contains Exim's mail receipt and delivery logs for the cPanel account's domains.
/var/log/exim_rejectlog  contains a log of messages that the system rejected due to ACLs. 
/var/log/exim_paniclog  contains Exim's severe error logs.

Warning: this file should not contain any entries. If this file contains entries, thoroughly investigate the entries and contact your hosting provider.

 
/var/log/maillog  contains IMAP and POP3 login attempts, transactions, fatal errors, and Apache SpamAssassin™ scores. 

   



MEMORY USAGE 
/var/log/dcpumon/YYYY/MMM/DD  contains the login attempts and general error messages for the following services

 

  • YYYY represents a subdirectory that contains a process's logs by month.
  • MMM represents a subdirectory within the YYYY directory that contains a process's logs for each day of a month.
  • DD represents a subdirectory that contains a process's log for a specific day of the month.

To interpret the data, use the /usr/local/cpanel/bin/dcpumonview file.

 

 
/var/log/munin  contains the account's Munin logs.

Munin is a cPanel plugin that displays information about CPU, Exim, Apache, MySQL usage, and other information with the rrdtool utility.

 

To troubleshoot this problem, perform the following steps:

  1. check to make sure that the nightly cron maintenance runs, and that there is a crontab entry for Munin.
  2. check the /var/lib/munin and /var/log/munin files. munin:munin must own the files in both directories.

    If munin:munin does not own the files in the /var/log/munin directory, the log files will update, but the graphs that Munin displays will not update.

  3. correct the permissions issue by running the following commands as the root user: chown -R munin:munin /var/log/munin chown -R munin:munin /var/lib/munin
  4. to run Munin manually from the command line, run the following command:

    sudo -u munin munin-cron

  5. there should be new entries in the /var/log/munin/munin-update file and no errors in the log file. The graphs will update when you refresh the Munin display in WHM.

 

   



MySQL 
/var/lib/mysql/HOSTNAME.err  contains information about the cPanel account's MySQL databases and errors where the "HOSTNAME" represents the server's hostname.

   



WEBSERVERS 
/etc/apache2/logs/domlogs/DOMAIN  contains information about when a visitor accessed a domain that exists on a web server that runs EasyApache 4.
  • DOMAIN represents a domain on the cPanel account.
  • cPanel users can download their access logs in cPanel's Raw Access interface (cPanel >> Home >> Metrics >> Raw Access).
/var/log/apache2/modsec_audit.log

If the Apache MPM_ITK module or Mod_Ruid2 is enabled, you can access the logs in the /usr/local/apache/modsec_audit/user directory.

 		 contains the log information for ModSecurity™. 
/var/log/apache2/suexec_log  contains information about suExec audit logs. This is useful, for example, to diagnose internal server errors that do not produce relevant information in the error log. 
/var/log/apache2/suphp_log  contains information about the suPHP Apache module audit logs. This is useful, for example, to diagnose internal server errors that do not produce relevant information in the error log. 
/var/log/apache2/mod_jk.log  contains the Tomcat connection logs. 
/var/log/apache2/error_log  contains the error logs for web servers and CGI Applications. 

   


Tomcat 
/var/log/easy-tomcat7/localhost-access_log  contains the Tomcat access logs.
/var/log/easy-tomcat7/catalina.err contains the Tomcat7 error logs.
/var/log/easy-tomcat7/catalina.out  contains the Tomcat7 output logs.
Was this answer helpful? 0 Users Found This Useful (0 Votes)

Most Popular Articles

How To Access cPanel/WHM Via Command Line As The Root User

It is true that cPanel & WHM automates many of the server administration tasks that you may...
How To Resolve Empty cPanel CPU/Concurrent Usage Snapshot

When a CloudLinux user hits LVE limits, appropriate faults are generated and lvestats package...
How To Implement cPanel Firewalls On AWS & Google Cloud

If you are using a public cloud such as AWS, Google Cloud Platform, Microsoft Azure, Alibabacloud...
How To Check Your cPanel & WHM Server Ports As An Admin

For a Linux instance, follow these steps to verify the security group rule: Connect to a Linux...
How To Configure cPanel Firewall Configuration In The Cloud

Learn how to configure cPanel firewalls in most cloud platforms or use other security tools to...