The cPanel & WHM Log Files
Overview
This document describes the location of some of the common log files in cPanel & WHM, Webmail, and MySQL®. This document also provides examples of each log file. If you have self-managed Cloud Hosting or Dedicated Server Hosting, this article can help you manage your server.
General
/var/log/messages
This file contains the login attempts and general error messages for the following services:
- FTP
- The nameserver daemons:
  - named or bind
  - MyDNS
    Warning: We deprecated the MyDNS and NSD nameservers in cPanel & WHM version 78 and plan to remove them in a future release. We strongly recommend that you migrate to PowerDNS. For more information, read our cPanel Deprecation Plan documentation.
  - PowerDNS
  - NSD
- The SSH daemon (sshd).
- The Courier mail server.
  Warning: We removed the Courier mail server in cPanel & WHM version 54. The Courier mail server only exists for cPanel & WHM version 11.52 and earlier.
- The Dovecot mail server.
Nov 3 08:41:10 vm5 proftpd[684684]: 10.1.100.35 (127.0.0.1[127.0.0.1]) - FTP session opened.
Nov 3 08:41:10 vm5 proftpd[684684]: 10.1.100.35 (127.0.0.1[127.0.0.1]) - FTP session closed.
Nov 3 08:46:12 vm5 proftpd[684753]: 10.1.100.35 (127.0.0.1[127.0.0.1]) - FTP session opened.
Nov 3 08:46:12 vm5 proftpd[684753]: 10.1.100.35 (127.0.0.1[127.0.0.1]) - FTP session closed.
/var/log/secure
This file contains the login attempts for the SSH daemon (sshd).
Jul 5 08:50:04 colin sshd[29856]: Accepted password for root from 10.7.6.162 port 57893 ssh2
Jul 5 08:50:05 colin sshd[29856]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 5 15:00:17 colin sshd[29856]: Received disconnect from 10.7.6.162: 11: disconnected by user
Jul 5 15:00:17 colin sshd[29856]: pam_unix(sshd:session): session closed for user root
Jul 6 07:57:10 colin sshd[24129]: Accepted password for root from 10.7.6.162 port 55983 ssh2
Jul 6 07:57:10 colin sshd[24129]: pam_unix(sshd:session): session opened for user root by (uid=0)
cPanel & WHM services
/home/username/.cpanel/logs
This directory contains records of errors within a user’s task queue.
Processing /home/username/example...
Already had it.
/usr/local/cpanel/logs/access_log
This file contains records of when a cPanel & WHM user accesses their account.
The system displays these records in a standardized text format, called the Common Log Format. Each line displays log information in the following syntax:
- IP Address — The client’s IP address (for example, 192.168.0.20).
- User-identified — An unused user identification protocol field. cPanel & WHM log files always display one of the following values in this field:
  - proxy for a service subdomain’s log files.
  - A dash (-) for all other domain types.
- User — A valid cPanel & WHM account name or an email address (for example, skipperdan).
- Time — The date and time when the visitor accessed your website, in MM/DD/YYYY:HH:MM:SS -ZZZZ format, where:
  - MM represents the month.
  - DD represents the date.
  - YYYY represents the year.
  - HH represents the hour.
  - mm represents the minute.
  - SS represents the second.
  - -zzzz represents the timezone, in UTC format.
  For example: 10/21/1985:16:42:23 -0000
- Client request — The web request that the client issued to the server (for example, GET /.__cpanel__service__check__./serviceauth?sendkey=__HIDDEN__&version=1.2 HTTP/1.0).
- HTTP Status — The result of the HTTP request (for example, 200). For more information, read Wikipedia’s List of HTTP status codes documentation.
- Response Size — The size of the object returned to the client, in bytes (for example, 1500).
- Referrer — The web address from which the visitor navigated to the resource (for example, ftp://cpanel.com).
- User Agent — The browser that the visitor used to access cPanel & WHM (for example, Safari).
- Authentication method — The method that authenticated the request, where:
  - a represents Access Key/Hash.
  - b represents HTTP Basic Authentication.
  - s represents Session cookie.
  - o represents OpenID Connect.
  For example: s
- The X-Forwarded-For header — The IP address of the client when the user makes a connection request via service subdomains (proxy domains) (for example, X-Forwarded: for:192.0.2.60).
- Service port — The server port number that the client accessed in the request (for example, 2083).
192.168.0.20 - example [10/08/2016:13:37:32 -0000] "GET /cpsess1234567890/frontend/paper_lantern/index.html HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" "s" "-" 2083
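The field layout described above can be turned into a parser for log review. The following Python is an added example, not cPanel code: the function names are hypothetical, the second and third sample lines are constructed, and it assumes that the X-Forwarded-For field holds either a bare address or a dash.

```python
import re
from datetime import datetime

# Authentication-method codes, as listed in the field description above.
AUTH_METHODS = {
    "a": "Access Key/Hash",
    "b": "HTTP Basic Authentication",
    "s": "Session cookie",
    "o": "OpenID Connect",
}

# Common Log Format fields, followed by the three cPanel-specific fields:
# authentication method, X-Forwarded-For value, and service port.
# Assumption: quoted fields contain no embedded double quotes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)" '
    r'"(?P<auth>[^"]*)" "(?P<xff>[^"]*)" (?P<port>\d+)\s*$'
)


def parse_access_log_line(line):
    """Return a dict for one access_log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # The page documents the timestamp as MM/DD/YYYY:HH:MM:SS -ZZZZ.
    rec["time"] = datetime.strptime(rec["time"], "%m/%d/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["port"] = int(rec["port"])
    rec["auth_method"] = AUTH_METHODS.get(rec["auth"], "unknown")
    # "proxy" in the ident field marks a request via a service subdomain.
    rec["via_service_subdomain"] = rec["ident"] == "proxy"
    rec["forwarded_for"] = None if rec["xff"] in ("", "-") else rec["xff"]
    return rec


def parse_lines(lines):
    """Split input into parsed records and lines that did not match."""
    records, rejects = [], []
    for line in lines:
        rec = parse_access_log_line(line)
        if rec is None:
            rejects.append(line)
        else:
            records.append(rec)
    return records, rejects


def non_session_requests(records):
    """Requests authenticated by anything other than a session cookie,
    for example access keys or HTTP Basic, which are worth reviewing."""
    return [r for r in records if r["auth"] != "s"]


SAMPLE_LINES = [
    # Sample line from this page.
    '192.168.0.20 - example [10/08/2016:13:37:32 -0000] '
    '"GET /cpsess1234567890/frontend/paper_lantern/index.html HTTP/1.1" 200 0 '
    '"" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" '
    '"s" "-" 2083',
    # Constructed: request through a service subdomain.
    '198.51.100.14 proxy skipperdan [10/08/2016:13:40:02 -0000] '
    '"GET /cpsess1234567890/frontend/paper_lantern/index.html HTTP/1.1" 200 1500 '
    '"ftp://cpanel.com" "Safari" "s" "192.0.2.60" 2083',
    # Constructed: access-key authentication on port 2087.
    '192.168.0.20 - kingrichard [10/08/2016:13:41:10 -0000] '
    '"GET /scripts2/reloadbind_local?dnsuniqid=baa HTTP/1.0" 200 64 '
    '"" "-" "a" "-" 2087',
    # Constructed: a line that does not follow the format.
    'not an access_log line',
]

if __name__ == "__main__":
    records, rejects = parse_lines(SAMPLE_LINES)
    for r in records:
        print(r["time"].isoformat(), r["ip"], r["user"], r["auth_method"], r["port"])
    print("unparsed:", rejects)
```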
/usr/local/cpanel/build/locale_database_log
This file contains information about when a user edits a locale.
[2014-09-28 02:55:26 -0500] info [build_locale_databases] Finished updating and modifying locales databases
[2014-09-29 02:54:16 -0500] info [build_locale_databases] Begin update of locale databases
/usr/local/cpanel/logs/api_tokens_log
This file contains WHM’s API tokens logs.
[2017-02-07 19:07:13 -0600] info [whostmgrd] HTTP Status: ['200'], User: ['kingrichard'], Token Name: ['robin_of_loxley'], Request: ['GET /scripts2/reloadbind_local?dnsuniqid=baa HTTP/1.0']
[2017-02-07 19:07:13 -0600] info [whostmgrd] HTTP Status: ['200'], User: ['princejohn'], Token Name: ['sherrif_of_rottingham'], Request: ['GET /scripts2/reloadbind_local?dnsuniqid=baa HTTP/1.0']
[2017-02-07 19:07:13 -0600] info [whostmgrd] HTTP Status: ['200'], User: ['ahsneeze'], Token Name: ['ahchoo'], Request: ['GET /scripts2/reloadbind_local?dnsuniqid=baa HTTP/1.0']
/usr/local/cpanel/logs/cpdavd_error_log
This file contains the Web Disk feature’s error logs.
Starting PID 11197: cpdavd - accepting connections on 2077 and 2078
Starting PID 11080: cpdavd - accepting connections on 2077 and 2078
/usr/local/cpanel/logs/cpdavd_session_log
This file contains the Web Disk feature’s activity logs.
[2015-11-18 14:38:51 -0600] info [cpdavd] 162.158.64.218 NEW _dav_:mUG2YFqewzo7GzVm app=cpdavd - accepting connections on 2077 2078 2079 and 2080,method=/usr/local/cpanel/libexec/cpdavd:main
[2015-11-18 14:38:51 -0600] info [cpdavd] 162.158.64.216 NEW _dav_:m9MlWdxVqpyemmP6 app=cpdavd - accepting connections on 2077 2078 2079 and 2080,method=/usr/local/cpanel/libexec/cpdavd:main
[2015-11-18 14:38:51 -0600] info [cpdavd] 162.158.64.218 NEW _dav_:YZEJy7lEsXSxyz3Y app=cpdavd - accepting connections on 2077 2078 2079 and 2080,method=/usr/local/cpanel/libexec/cpdavd:main
/usr/local/cpanel/logs/cpgreylistd.log
This file contains the Greylisting daemon’s (cpgreylistd) activity logs.
[2015-10-30 11:05:39 -0500] info [cpgreylistd] Purged old records from DB. Record(s) removed: 0
[2015-10-30 12:05:39 -0500] info [cpgreylistd] Purged old records from DB. Record(s) removed: 0
/usr/local/cpanel/logs/cphulkd_errors.log
This file contains the Brute Force Protection daemon’s (cphulkd) error logs.
[2015-08-26 12:14:29 -0500] info [cphulkd] 221257 The system encountered an error while processing a request: Broken pipe
[2015-08-26 12:14:29 -0500] info [cphulkd] 221262 The system encountered an error while processing a request: Broken pipe
/usr/local/cpanel/logs/cphulkd.log
This file contains the cphulkd daemon’s activity logs.
[2015-10-20 03:27:14 -0500] info [cphulkd] 258355 processor shutdown via SIGTERM with pid 258355
[2015-10-20 03:27:44 -0500] info [cphulkd] 131586 processor startup with pid 131586
/usr/local/cpanel/logs/cpwrapd_log
This file contains the cPanel & WHM service manager daemon’s (cpsrvd) activity logs.
[1985-10-21 10:18:11 -0500] info [cpsrvd] user - [action]=[fetch] [function]=[SORTEDRESELLERSUSERS] [module]=[reseller] [namespace]=[Cpanel] [version]=[2.3]
[2015-10-21 10:18:11 -0500] info [cpsrvd] user - [action]=[run] [function]=[HASDIGEST] [module]=[security] [namespace]=[Cpanel] [version]=[2.3]
/usr/local/cpanel/logs/dnsadmin_log
This file contains dnsadmin request logs.
[2015-10-21 13:33:19 -0500] info [dnsadmin] Reset reseller cache 'domain1'.
[2015-10-21 13:33:19 -0500] info [dnsadmin] Reset reseller cache 'example'.
/usr/local/cpanel/logs/error_log
This file contains general cPanel & WHM errors (for example, a fatal error or timeout occurred while processing this directive error).
Cpanel::Exception::new("Cpanel::Exception::ModSecurity::VendorUpdateUnnecessary", HASH(0x13222cb8)) called at /usr/local/cpanel/Cpanel/Exception.pm line 57
Cpanel::Exception::create("ModSecurity::VendorUpdateUnnecessary", HASH(0x13222cb8)) called at /usr/local/cpanel/Whostmgr/ModSecurity/VendorList.pm line 285
/usr/local/cpanel/logs/incoming_http_requests.log
This file contains the logs of connection requests to the cPanel account’s server.
[15421][10/29/2009:17:14:21 -0000][headerparser 0]:Host: 127.0.0.1:2087
[15421][10/29/2009:17:14:21 -0000][headerparser 0]:Accept: */*
[15421][10/29/2009:17:14:21 -0000][headerparser 0]:Authorization: Basic *censored*
[15421][10/29/2009:17:14:21 -0000][headerparser 0]:Content-Type: application/x-www-form-urlencoded
[15421][10/29/2009:17:14:21 -0000][headerparser 0]:Content-Length: 34
[15421][10/29/2009:17:14:21 -0000][killconnection]
[15421][10/29/2009:17:14:21 -0000][killconnection exit]
/usr/local/cpanel/logs/license_log
This file contains the server’s license update logs and license errors.
Thu Oct 29 19:11:05 2015: Using full manual DNS resolution
Thu Oct 29 19:11:05 2015: Trying server 192.168.0.20
Thu Oct 29 19:11:05 2015: Server 192.168.0.20 on port 2089 returned:
/usr/local/cpanel/logs/login_log
This file contains the login attempts to the cpsrvd daemon.
192.168.0.20 - user [07/10/2013:18:43:00 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist)
192.168.0.21 - user [07/10/2013:18:43:14 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist)
192.168.0.22 - user [07/15/2013:16:21:50 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
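Failed entries in login_log can be grouped by source address to review repeated attempts and to separate guesses at non-existent accounts from wrong passwords. This Python is an added example and not part of cPanel & WHM: it assumes every failure line follows the FAILED LOGIN layout shown above, and the function names, the 203.0.113.7 lines, and the threshold and window values are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout taken from the sample login_log lines on this page.
FAILED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" FAILED LOGIN (?P<service>\w+): (?P<reason>.+)$'
)


def parse_failed_login(line):
    """Return a dict for a FAILED LOGIN line, or None for anything else."""
    m = FAILED_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%m/%d/%Y:%H:%M:%S %z")
    # The daemon states when the account name itself is not on the system.
    rec["unknown_user"] = "probably does not exist" in rec["reason"]
    return rec


def flag_sources(lines, threshold=3, window=timedelta(minutes=5)):
    """Return sources with at least `threshold` failures inside any `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_failed_login(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        start = best = 0
        # Sliding window over the time-ordered failures of one source.
        for end in range(len(recs)):
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {
                "max_failures_in_window": best,
                "users_tried": sorted({r["user"] for r in recs}),
                "unknown_users": sorted(
                    {r["user"] for r in recs if r["unknown_user"]}
                ),
                "services": sorted({r["service"] for r in recs}),
            }
    return flagged


_POST = '"POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: '
_MISSING = ('user password hash is missing from system '
            '(user probably does not exist)')
_WRONG = 'user password incorrect'

SAMPLE_LINES = [
    # The three sample lines from this page.
    '192.168.0.20 - user [07/10/2013:18:43:00 -0000] ' + _POST + _MISSING,
    '192.168.0.21 - user [07/10/2013:18:43:14 -0000] ' + _POST + _MISSING,
    '192.168.0.22 - user [07/15/2013:16:21:50 -0000] ' + _POST + _WRONG,
    # Constructed lines: one source, several failures within about a minute.
    '203.0.113.7 - admin [07/10/2013:18:50:01 -0000] ' + _POST + _MISSING,
    '203.0.113.7 - admin [07/10/2013:18:50:09 -0000] ' + _POST + _MISSING,
    '203.0.113.7 - root [07/10/2013:18:50:30 -0000] ' + _POST + _WRONG,
    '203.0.113.7 - root [07/10/2013:18:51:02 -0000] ' + _POST + _WRONG,
    '203.0.113.7 - root [07/10/2013:19:30:00 -0000] ' + _POST + _WRONG,
]

if __name__ == "__main__":
    for ip, info in flag_sources(SAMPLE_LINES).items():
        print(ip, info)
```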
/usr/local/cpanel/logs/queueprocd.log
This file contains the cPanel TaskQueue Processing daemon’s (queueprocd) logs.
[2015-10-20 03:27:31 -0500] info [queueprocd] cPanel TaskQueue Processing Daemon starting.
Starting update of 35 locales in parallel ...
Updating "aa" locale ...
... "aa" complete.
Updating "ar" locale ...
... "ar" complete.
/usr/local/cpanel/logs/safeapacherestart_log
This file contains information about each time that Apache restarted on the server.
[2015-10-20 03:23:07 -0500] info [safeapacherestart] Restart elapsed seconds: 2
[2015-10-30 12:57:47 -0500] info [safeapacherestart] Restart elapsed seconds: 5
/usr/local/cpanel/logs/session_log
This file contains logs of a user’s activities while they are logged in to the cPanel account.
[2015-10-29 09:27:35 -0500] info [cpsrvd] 12.3.14.75 NEW root:tvf32S0eomRni4nplg7OMXgj1kS8Jx3jhSeccZPRyHwsMIENmyhcxE17NCBDllTk address=12.3.14.75,app=whostmgrd,creator=root,method=handle_form_login,path=form,possessed=0
[2015-10-30 12:24:06 -0500] info [cpsrvd] 14.2.19.78 NEW user:TIg1FiIdR6eTnKtYr7VmYGKpYB9srb0yvjHkkA1PeYOB6Y2naymPktSsjAob3pX0 address=14.2.19.78,app=cpaneld,creator=user,method=handle_form_login,path=form,possessed=0
/usr/local/cpanel/logs/setupdbmap_log
This file contains the cPanel account’s database-related activities.
[2014-05-06 02:57:08 -0500] info [setupdbmap] Begin setupdbmap
[2014-05-06 02:57:08 -0500] info [setupdbmap] Updating MySQL users
[2014-05-06 02:57:09 -0500] info [setupdbmap] Processing MySQL databases and database users ...
[2014-05-06 02:57:09 -0500] info [setupdbmap] Finished with MySQL users
/usr/local/cpanel/logs/stats_log
This file contains the bandwidth statistics for all of the server’s cPanel accounts.
[2015-10-30 12:12:30 -0500] Process bandwidth for domain1
[2015-10-30 12:12:30 -0500] Process bandwidth for domain2
[2015-10-30 12:12:30 -0500] Process bandwidth for domain3
/usr/local/cpanel/logs/tailwatchd_log
This file contains the Tailwatch Driver’s (tailwatchd) logs.
[131557] [2015-10-30 13:00:00 -0500] [Cpanel::TailWatch::Eximstats] Resetting email limits to new starttime of 1446228000
[131557] [2015-10-30 14:00:00 -0500] [Cpanel::TailWatch::Eximstats] Resetting email limits to new starttime of 1446231600
/usr/local/cpanel/logs/panic_log
This file contains a cPanel account’s severe error logs.
/usr/local/cpanel/logs/php-fpm/error.log
This file contains PHP-FPM implementation errors. These errors include errors for the cpsrvd and cpdavd services.
Note:
This file does not include errors for customer sites.
[06-Nov-2015 08:52:18] ERROR: [pool no] please specify user and group other than root
[06-Nov-2015 08:52:18] ERROR: FPM initialization failed
[06-Nov-2015 08:55:32] ERROR: [pool no] please specify user and group other than root
[06-Nov-2015 08:55:32] ERROR: FPM initialization failed
[06-Nov-2015 08:57:52] ERROR: [pool no] please specify user and group other than root
[06-Nov-2015 08:57:52] ERROR: FPM initialization failed
/var/cpanel/php-fpm/USER/logs/slow.log
This file contains scripts that run unusually slow for a user.
Note:
USER represents the cPanel account name.
/var/cpanel/php-fpm/USER/logs/error.log
This file contains the user’s error logs.
Note:
USER represents the cPanel account name.
[15-Oct-2015 16:58:14 America/Chicago] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 6689761 bytes) in Unknown on line 0
[15-Oct-2015 17:10:33 America/Chicago] PHP Fatal error: Call to a member function write() on a non-object in /usr/local/cpanel/3rdparty/php/54/lib/php/Horde/Imap/Client/Socket.php on line 4336
[23-Oct-2015 16:21:19 America/Chicago] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 72 bytes) in /usr/local/cpanel/base/3rdparty/squirrelmail/functions/imap_messages.php on line 204
[25-Oct-2015 13:01:16 America/Chicago] PHP Fatal error: Call to a member function write() on a non-object in /usr/local/cpanel/3rdparty/php/54/lib/php/Horde/Imap/Client/Socket.php on line 4336
[11-Nov-2015 17:24:29 America/Chicago] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 32 bytes) in /usr/local/cpanel/base/3rdparty/squirrelmail/functions/imap_messages.php on line 204
[30-Nov-2015 14:06:07 America/Chicago] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 72 bytes) in /usr/local/cpanel/3rdparty/php/54/lib/php/Horde/Imap/Client/Cache/Backend/Cache.php on line 493
/var/cpanel.bandwidth.cache
This file contains the cached bandwidth history for each cPanel account on your server.
bucktopia.com
xtest1
domain1
domain4
/var/cpanel/accounting.log
This file contains records of cPanel account actions, such as creation and deletion.
Thu Jun 11 13:33:19 2015:ADDRESELLER:root:root:example.com:example
Fri Oct 30 12:57:29 2015:CHANGEOWNER:root:root:example.com:example:root:example
/var/log/chkservd.log
This file contains the service status logs.
[2015-11-02 13:52:20 -0500] Service check ....queueprocd [[check command:+][socket connect:N/A]]...named [[check command:+][socket connect:N/A]]...mysql [[check command:+][socket connect:N/A]]...imap [[socket_service_auth:1][check command:+][socket connect:+]]...ftpd [[check command:+][socket connect:+]]...entropychat [[check command:N/A][socket connect:N/A]]...cpsrvd [[http_service_auth:1][check command:N/A][socket connect:+]]...cpanellogd [[check command:+][socket connect:N/A]]...clamd [[check command:+][socket connect:N/A]]...Done
/var/log/cpanel-install.log
This file contains the cPanel & WHM installation logs.
2013-07-09 16:39:57 152 (DEBUG): - ssystem [END]
2013-07-09 16:39:57 151 ( INFO): - Enabling sshd
2013-07-09 16:39:57 152 (DEBUG): - ssystem [BEGIN]: /sbin/chkconfig --level 35 sshd on
2013-07-09 16:39:57 152 (DEBUG): - ssystem [END]
2013-07-09 16:39:57 488 ( INFO): Enabling cphulkd ...
2013-07-09 16:39:57 495 ( INFO): Done
2013-07-09 16:39:57 167 ( INFO): cPanel install finished in 69 minutes and 29 seconds!
Directories
/usr/local/cpanel/logs/cpbackup
This directory contains the cPanel backup log files.
1445324403.log
1445497204.log
1445925603.log
1446098403.log
/usr/local/cpanel/logs/cpbackup_transporter
This directory contains the cPanel Backup Transporter’s log files.
cpbackup_transporter.1446102630.log
cpbackup_transporter.1446102672.log
/usr/local/cpanel/logs/easy/apache
This directory contains the EasyApache build log files.
build.1439814755.env build.1439820240.env
/usr/local/cpanel/logs/update_analysis
This directory contains the update process’s .tar files.
2015-08-20T08:15:06Z.tar.gz
2015-09-13T08:15:07Z.tar.gz
2015-10-07T08:15:10Z.tar.gz
/var/cpanel/bandwidth/username
This directory contains each account’s bandwidth usage logs.
Note:
In this directory, username represents your account’s username.
fredfred-smtp-rate.rrd barney-all-rate.rrd
/var/cpanel/logs
This directory contains account transfer log files and other, miscellaneous log files.
cpaddonsup.1444377665.txt
cpaddonsup.1445155265.txt
cpaddonsup.1445932864.txt
/var/cpanel/updatelogs
This directory contains the system’s update log files.
update.1446018721.log
update.1446191521.log
update.1446367921.log
/var/cpanel/logs/mysql_upgrade.log
This directory contains the account’s MySQL upgrade logs.
Note:
In cPanel & WHM version 78 and later, the log files use the mysql.YYYYMMDD-hhmmss naming convention with the following designators:
- YYYY — Four-digit year.
- MM — Two-digit month.
- DD — Two-digit day.
- hh — Two-digit hour.
- mm — Two-digit minute.
- ss — Two-digit second.
unattended_background_upgrade.error
unattended_background_upgrade.log
unattended_background_upgrade.output
unattended_background_upgrade.result
/var/cpanel/horde/log
This directory contains the log files for Horde.
horde_.log horde_stesares.log
/var/cpanel/squirrelmail
This directory contains the log files for SquirrelMail.
Note:
We deprecated SquirrelMail and its functionality in cPanel & WHM version 76 and removed it in cPanel & WHM version 78.
./ ../ version
/home/username/logs/roundcube
This directory contains the log files for Roundcube Webmail with a SQLite backend.
roundcube_.log
/var/cpanel/roundcube/log
This directory contains the log files for Roundcube Webmail with a MySQL backend.
roundcube_.log
FTP
Files
/usr/local/apache/domlogs/ftpxferlog
This file contains the FTP transfer logs for users on webservers that run EasyApache 3.
Note:
We removed EasyApache 3 in cPanel & WHM version 78. For more information, read the cPanel Deprecation Plan.
user
user1
user2
/etc/apache2/logs/domlogs/ftpxferlog
This file contains the FTP transfer logs for users on webservers that run EasyApache 4.
user
user1
user2
Directories
/usr/local/apache/domlogs
This directory contains the FTP transaction logs for domains which exist on webservers that run EasyApache 3.
Note:
We removed EasyApache 3 in cPanel & WHM version 78. For more information, read the cPanel Deprecation Plan.
domain1/
example.com
domain1.com
domain1.com-bytes_log
/etc/apache2/logs/domlogs
This directory contains the FTP transaction logs for domains which exist on webservers that run EasyApache 4.
domain1/
example.com
domain1.com
domain1.com-bytes_log
Files
/var/log/exim_mainlog
This file contains Exim’s mail receipt and delivery logs for the cPanel account’s domains.
2015-12-07 09:23:14 [3428] luggage-1234Bz-Rm H=mailhost.domain.com [192.168.0.20]:58241 I=[1.0.0.127]:25 Warning: "SpamAssassin as theuser detected message as NOT spam (0.0)"
/var/log/exim_rejectlog
This file contains a log of messages that the system rejected due to ACLs.
For more information, read our Exim Configuration Manager Basic Editor documentation.
2015-12-4 08:27:23 refused relay (host) to <[email protected]> from <[email protected]> H=113-43-173-020.user.example.net (smtp.example.com) [192.168.0.20]
/var/log/exim_paniclog
This file contains Exim’s severe error logs.
Warning:
This file should not contain any entries. If this file contains entries, thoroughly investigate the entries and contact your hosting provider.
/var/log/maillog
This file contains IMAP and POP3 login attempts, transactions, fatal errors, and Apache SpamAssassin™ scores.
Nov 3 10:21:30 vm5 dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__orpl7flalajte5t7ahgq2joard0s3szcmltatifzmb_iqv...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=735381, secured, session=<1adZSaUjRwB/AAAB>
Nov 3 10:21:30 vm5 dovecot: imap(__cpanel__service__auth__imap__orpl7flalajte5t7ahgq2joard0s3szcmltatifzmb_iqvmragspbfcr3dkrhmzd
Directories
/var/spool/exim/input
This directory contains a log of queued incoming email messages. The system separates these logs into subdirectories that correspond to the number or letter with which the sender’s name begins.
1WEayg-0011QH-IC-D
1XABSg-003GTw-28-D
1XDGag-001MGL-6R-D
1XGLEg-0032BQ-6A-D
1XJn6g-001kuC-5n-D
/usr/local/cpanel/3rdparty/mailman/logs
This directory contains the account’s Mailman logs.
./ ../ bounce error locks mischief post qrunner smtp smtp-failure subscribe vette
Memory usage
/var/log/dcpumon/YYYY/MMM/DD
This file contains information about the processes that consume the most CPU and memory.
- YYYY represents a subdirectory that contains a process’s logs by month.
- MMM represents a subdirectory within the YYYY directory that contains a process’s logs for each day of a month.
- DD represents a subdirectory that contains a process’s log for a specific day of the month.
Note:
To interpret the data, use the /usr/local/cpanel/bin/dcpumonview file.
ximstats=0=0=0.456462908976875=0.002==0.001==0=
mailman=0.0664235356972792=5.17983251838002=0=12.0=/usr/local/cpanel/3rdparty/bin/python -S /usr/local/cpanel/3rdparty/mailman/cron/checkdbs=6.5=[python]=0.5=crond
mailnull=0=0.0561016968838195=0=0.002==0.001==0=
mysql=0=8.99548891392477=0=0.002==0.001==0=
named=0=0.311152278191386=0=0.002==0.001==0=
nobody=0=2.77735281478296=0=0.002==0.001==0=
root=5.87086377309829=24.591731611285=2=90.5=/usr/lib/rpm/rpmd --rebuilddb --verbose --verbose --verbose=43.0=cpanellogd - waiting for child to process logs=41.0=/usr/bin/python /usr/sbin/statsnotifer check-admin
/var/log/munin
This file contains the account’s Munin logs. Munin is a plugin that displays information about CPU, Exim, Apache, MySQL usage, and other information with the rrdtool utility.
munin-html.log
munin-limits.log
munin-update.log
MySQL
/var/log/mysqld.log
This file contains information about the cPanel account’s MySQL databases and errors in MySQL 5.7 and later and MariaDB 10.3 and later.
Note:
HOSTNAME represents the server’s hostname.
151030 2:57:10 [Note] InnoDB: Waiting for purge to start
151030 2:57:10 [Note] InnoDB: Percona XtraDB (http://www.percona.com) 5.6.26-74.0 started; log sequence number 145713856
151030 2:57:10 [Note] Plugin 'FEEDBACK' is disabled.
151030 2:57:10 [Note] Server socket created on IP: '::'.
151030 2:57:11 [Note] /usr/sbin/mysqld: ready for connections.
Version: '10.0.22-MariaDB' socket: '/var/lib/mysql/mysql.sock' port: 3306 MariaDB Server
/var/lib/mysql/HOSTNAME.err
This file contains information about the cPanel account’s MySQL databases and errors in MySQL 5.6 and earlier and MariaDB 10.2 and earlier.
Note:
HOSTNAME represents the server’s hostname.
151030 2:57:10 [Note] InnoDB: Waiting for purge to start
151030 2:57:10 [Note] InnoDB: Percona XtraDB (http://www.percona.com) 5.6.26-74.0 started; log sequence number 145713856
151030 2:57:10 [Note] Plugin 'FEEDBACK' is disabled.
151030 2:57:10 [Note] Server socket created on IP: '::'.
151030 2:57:11 [Note] /usr/sbin/mysqld: ready for connections.
Version: '10.0.22-MariaDB' socket: '/var/lib/mysql/mysql.sock' port: 3306 MariaDB Server
Webservers
Apache
Note:
If your system manages many domains, we recommend that you enable piped logging to reduce the number of log files that Apache manages. Piped logging allows you to pipe Apache access logs to a separate process so that Apache does not need to restart every time that it processes the logs.
- You can enable piped logging in the Piped Log Configuration section of WHM’s Apache Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration).
- As of cPanel & WHM version 74, we enable piped logging by default on new installations of cPanel & WHM.
/usr/local/apache/domlogs/username
This directory contains the log data for the user’s account, which exists on a webserver that runs EasyApache 3.
Note:
We removed EasyApache 3 in cPanel & WHM version 78. For more information, read the cPanel Deprecation Plan.
The system creates this directory when the cPanel Log Rotation Configuration (cpanellogd) daemon compresses and archives the data that resides in the /usr/local/apache/domlogs/domain-ssl_log and the /usr/local/apache/domlogs/domain files. This process begins when the /usr/local/cpanel/scripts/upcp script runs and the system analyzes the log data.
Note:
You can also perform this process for individual users with the /usr/local/cpanel/scripts/runweblogs command.
The system also performs the following actions:
- Adds a link to the /usr/local/apache/domlogs/username directory in the /home/username/access_logs directory.
- Adds a symlink to the log data backup file in the user’s /home/username/logs directory during the archive process.
  - This symlink allows you to access this file while the system archives the file.
  - The symlink’s name reflects the log file’s name, and may contain a .bkup file extension.
Note:
- domain represents a domain on the cPanel account.
- username represents the cPanel account’s username.
94.228.34.208 - - [19/Nov/2015:08:45:09 -0600] "GET /robots.txt HTTP/1.1" 302 235 "-" "robots"
94.228.34.208 - - [19/Nov/2015:08:45:09 -0600] "GET /cgi-sys/suspendedpage.cgi HTTP/1.1" 200 7314 "-" "robots"
94.228.34.208 - - [19/Nov/2015:08:45:10 -0600] "GET /forums/forumdisplay.php?f=5 HTTP/1.1" 302 239 "-" "magpie-crawler/1.1 (U; Linux amd64; en-GB; +"
94.228.34.208 - - [19/Nov/2015:08:45:10 -0600] "GET /cgi-sys/suspendedpage.cgi?f=5 HTTP/1.1" 200 7314 "-" "magpie-crawler/1.1 (U; Linux amd64; en-GB; +"
/var/log/apache2/modsec_audit.log
This file contains the log information for ModSecurity®.
Important:
If the Apache MPM_ITK module or Mod_Ruid2 is enabled, you can access the logs in the /usr/local/apache/modsec_audit/user directory.
ModSecurity: Audit log: Failed to lock global mutex: Identifier removed [hostname "www.somedomain.co.uk"] [uri "/index.php"] [unique_id "U61fRE1KBCIADWZddE8AAAAP"]
/var/log/apache2/suexec_log
This file contains information about suEXEC audit logs. This is useful, for example, to diagnose internal server errors that do not produce relevant information in the error log.
Note:
You can also view Apache’s error logs in cPanel’s Errors interface (cPanel >> Home >> Metrics >> Errors).
[Wed Nov 04 09:55:01 2015] [error] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/RESPONSE-80-CORRELATION.conf"] [line "35"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5): Request Missing a User Agent Header"] [tag "Host: "] [hostname "example.com"] [uri "/whm-server-status"] [unique_id "VjoqVQoBZCMAA7qYOM4AAAAF"]
/var/log/apache2/suphp_log
This file contains information about the suPHP Apache module audit logs. This is useful, for example, to diagnose internal server errors that do not produce relevant information in the error log.
[Sat Sep 12 22:16:39 2015] [info] Executing "/home/test/public_html/member.php" as UID 563, GID 563
[Sat Sep 12 22:16:39 2015] [info] Executing "/home/test/public_html/member.php" as UID 563, GID 563
[Sat Sep 12 22:16:42 2015] [info] Executing "/home/test/public_html/forums/index.php" as UID 554, GID 554
[Sat Sep 12 22:16:43 2015] [info] Executing "/home/test/public_html/member.php" as UID 563, GID 563
[Sat Sep 12 22:16:43 2015] [info] Executing "/home/test/public_html/forums/index.php" as UID 554, GID 554
[Sat Sep 12 22:16:43 2015] [info] Executing "/home/test/public_html/forums/index.php" as UID 554, GID 554
[Sat Sep 12 22:16:43 2015] [info] Executing "/home/test/public_html/forums/index.php" as UID 554, GID 554
/var/log/apache2/mod_jk.log
This file contains the Tomcat connection logs.
[Mon Dec 07 12:49:33 2015][1234:274957687980737] [info] ajp_handle_cping_cpong::jk_ajp_common.c (913): timeout in reply
[Mon Dec 07 12:49:33 2015][8534:1058674928674576] [info] ajp_handle_cping_cpong::jk_ajp_common.c (913): timeout in reply
/var/log/apache2/error_log
This file contains the error logs for webservers and CGI Applications.
[Wed Nov 04 09:55:01 2015] [error] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/RESPONSE-80-CORRELATION.conf"] [line "35"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5): Request Missing a User Agent Header"] [tag "Host: "] [hostname "example.com"] [uri "/whm-server-status"] [unique_id "VjoqVQoBZCMAA7qYOM4AAAAF"]