Page tree
Skip to end of metadata
Go to start of metadata

Overview

This document describes the location of all of the log files in cPanel & WHM, Webmail, and MySQL®. This document also provides examples of each log file.

Notes:

  • The directories and files in this document reflect unaltered configurations on CentOS, CloudLinux™, RedHat Enterprise Linux (RHEL), and Amazon Linux.
  • You can alter a log file's location with a configuration file.

General

FilepathDescriptionExample
/var/log/messages

This file contains the login attempts and general error messages for the following services:

  • FTP
  • The nameserver daemons
    • named or bind.
    • MyDNS
    • PowerDNS
    • NSD
  • The SSH daemon (sshd).
  • The Courier mail server.

    Warning:

    We removed the Courier mail server in cPanel & WHM version 54. The Courier mail server only exists for cPanel & WHM version 11.52 and earlier.

  • The Dovecot® mail server.
 Click to view...
Nov  3 08:41:10 vm5 proftpd[684684]: 10.1.100.35 (127.0.0.1[127.0.0.1]) - FTP session opened.
Nov  3 08:41:10 vm5 proftpd[684684]: 10.1.100.35 (127.0.0.1[127.0.0.1]) - FTP session closed.
Nov  3 08:46:12 vm5 proftpd[684753]: 10.1.100.35 (127.0.0.1[127.0.0.1]) - FTP session opened.
Nov  3 08:46:12 vm5 proftpd[684753]: 10.1.100.35 (127.0.0.1[127.0.0.1]) - FTP session closed.
/var/log/secureThis file contains the login attempts for the SSH daemon (sshd).
 Click to view...
Jul  5 08:50:04 colin sshd[29856]: Accepted password for root from 10.7.6.162 port 57893 ssh2
Jul  5 08:50:05 colin sshd[29856]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  5 15:00:17 colin sshd[29856]: Received disconnect from 10.7.6.162: 11: disconnected by user
Jul  5 15:00:17 colin sshd[29856]: pam_unix(sshd:session): session closed for user root
Jul  6 07:57:10 colin sshd[24129]: Accepted password for root from 10.7.6.162 port 55983 ssh2
Jul  6 07:57:10 colin sshd[24129]: pam_unix(sshd:session): session opened for user root by (uid=0)

cPanel & WHM services

Files

The following table lists the log files for cPanel & WHM:

FilepathDescriptionExample
/home/username/.cpanel/logs This directory contains records of errors within a user's task queue.
 Click to view...
Processing /home/username/example...
  Already had it.
/usr/local/cpanel/logs/access_log

This file contains records of when a cPanel & WHM user accesses their account.

The system displays these records in a standardized text format, called the Common Log Format. Each line displays log information in the following syntax:

 Click to view...
FieldDescriptionExample
IP AddressThe client's IP address.
192.168.0.20
User-identifier

An unused user identification protocol field.

-

Important:

cPanel & WHM log files always displays a dash (-) for this field.

UserA valid cPanel & WHM account name or an email address.skipperdan
Time

The date and time when the visitor accessed your website, in MM/DD/YYYY:HH:MM:SS -ZZZZ format, where:

  • MM represents the month.
  • DD represents the date.
  • YYYY represents the year.
  • HH represents the hour.
  • mm represents the minute.
  • SS represents the second.
  • -zzzz represents the timezone, in UTC format.
10/21/1985:16:42:23 -0000
Client requestThe web request that the client issued to the server.GET /.__cpanel__service__check__./serviceauth?sendkey=__HIDDEN__&version=1.2 HTTP/1.0
HTTP Status

The result of the HTTP request.

For more information, read Wikipedia's List of HTTP status codes documentation.

 200
Response SizeThe size of the object returned to the client, in bytes.1500 
Referrer

The web address from which the visitor navigated to the resource.

ftp://cpanel.com
User Agent

The browser that the visitor used to access cPanel & WHM.

Safari
Authentication methodThe method used to authenticate the request, where:
  • a represents Access Key/Hash.
  • b represents HTTP Basic Authentication.
  • s represents Session cookie.
  • o represents OpenID Connect.
s

The X-Forwarded-For header

The IP address of the client when the user makes a connection request via service subdomains (proxy domains).

X-Forwarded: for:192.0.2.60
Service portThe server port number that the client accessed in the request.2083
 Click to view...
192.168.0.20 - example [10/08/2016:13:37:32 -0000] "GET /cpsess1234567890/frontend/paper_lantern/index.html HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" "s" "-" 2083
/usr/local/cpanel/build/locale_database_logThis file contains information about when a user edits a locale.
 Click to view...
[2014-09-28 02:55:26 -0500] info [build_locale_databases] Finished updating and modifying locales databases
[2014-09-29 02:54:16 -0500] info [build_locale_databases] Begin update of locale databases
/usr/local/cpanel/logs/api_tokens_log This file contains WHM's API tokens logs.
 Click to view...
[2017-02-07 19:07:13 -0600] info [whostmgrd] HTTP Status: ['200'], User: ['kingrichard'], Token Name: ['robin_of_loxley'], Request: ['GET /scripts2/reloadbind_local?dnsuniqid=baa HTTP/1.0']
[2017-02-07 19:07:13 -0600] info [whostmgrd] HTTP Status: ['200'], User: ['princejohn'], Token Name: ['sherrif_of_rottingham'], Request: ['GET /scripts2/reloadbind_local?dnsuniqid=baa HTTP/1.0']
[2017-02-07 19:07:13 -0600] info [whostmgrd] HTTP Status: ['200'], User: ['ahsneeze'], Token Name: ['ahchoo'], Request: ['GET /scripts2/reloadbind_local?dnsuniqid=baa HTTP/1.0']
/usr/local/cpanel/logs/cpdavd_error_log
This file contains WebDisk's error logs.
 Click to view...
Starting PID 11197: cpdavd - accepting connections on 2077 and 2078
Starting PID 11080: cpdavd - accepting connections on 2077 and 2078
/usr/local/cpanel/logs/cpdavd_session_logThis file contains Web Disk's activity logs.
 Click to view...
[2015-11-18 14:38:51 -0600] info [cpdavd] 162.158.64.218 NEW _dav_:mUG2YFqewzo7GzVm app=cpdavd - accepting connections on 2077 2078 2079 and 2080,method=/usr/local/cpanel/libexec/cpdavd:main			
[2015-11-18 14:38:51 -0600] info [cpdavd] 162.158.64.216 NEW _dav_:m9MlWdxVqpyemmP6 app=cpdavd - accepting connections on 2077 2078 2079 and 2080,method=/usr/local/cpanel/libexec/cpdavd:main	
[2015-11-18 14:38:51 -0600] info [cpdavd] 162.158.64.218 NEW _dav_:YZEJy7lEsXSxyz3Y app=cpdavd - accepting connections on 2077 2078 2079 and 2080,method=/usr/local/cpanel/libexec/cpdavd:main
/usr/local/cpanel/logs/cpgreylistd.logThis file contains the Greylisting daemon's (cpgreylistd) activity logs.
 Click to view...
[2015-10-30 11:05:39 -0500] info [cpgreylistd] Purged old records from DB. Record(s) removed: 0
[2015-10-30 12:05:39 -0500] info [cpgreylistd] Purged old records from DB. Record(s) removed: 0
/usr/local/cpanel/logs/cphulkd_errors.logThis file contains the Brute Force Protection daemon's (cphulkd) error logs.
 Click to view...
[2015-08-26 12:14:29 -0500] info [cphulkd] 221257 The system encountered an error while processing a request: Broken pipe
[2015-08-26 12:14:29 -0500] info [cphulkd] 221262 The system encountered an error while processing a request: Broken pipe
/usr/local/cpanel/logs/cphulkd.logThis file contains the cphulkd daemon's activity logs.
 Click to view...
[2015-10-20 03:27:14 -0500] info [cphulkd] 258355 processor shutdown via SIGTERM with pid 258355
[2015-10-20 03:27:44 -0500] info [cphulkd] 131586 processor startup with pid 131586
/usr/local/cpanel/logs/cpwrapd_logThis file contains the cPanel & WHM service manager daemon's (cpsrvd) activity logs.
 Click to view...
[1985-10-21 10:18:11 -0500] info [cpsrvd] user - [action]=[fetch] [function]=[SORTEDRESELLERSUSERS] [module]=[reseller] [namespace]=[Cpanel] [version]=[2.3]
[2015-10-21 10:18:11 -0500] info [cpsrvd] user - [action]=[run] [function]=[HASDIGEST] [module]=[security] [namespace]=[Cpanel] [version]=[2.3]
/usr/local/cpanel/logs/dnsadmin_logThis file contains dnsadmin request logs.
 Click to view...
[2015-10-21 13:33:19 -0500] info [dnsadmin] Reset reseller cache 'domain1'.
[2015-10-21 13:33:19 -0500] info [dnsadmin] Reset reseller cache 'example'.
/usr/local/cpanel/logs/error_logThis file contains the cPanel account's error logs (for example, a fatal error or timeout occurred while processing this directive error).
 Click to view...
Cpanel::Exception::new("Cpanel::Exception::ModSecurity::VendorUpdateUnnecessary", HASH(0x13222cb8)) called at /usr/local/cpanel/Cpanel/Exception.pm line 57
    Cpanel::Exception::create("ModSecurity::VendorUpdateUnnecessary", HASH(0x13222cb8)) called at /usr/local/cpanel/Whostmgr/ModSecurity/VendorList.pm line 285
/usr/local/cpanel/logs/incoming_http_requests.logThis file contains the logs of connection requests to the cPanel account's server.
 Click to view...
[15421][10/29/2009:17:14:21 -0000][headerparser 0]:Host: 127.0.0.1:2087
[15421][10/29/2009:17:14:21 -0000][headerparser 0]:Accept: */*
[15421][10/29/2009:17:14:21 -0000][headerparser 0]:Authorization: Basic *censored*
[15421][10/29/2009:17:14:21 -0000][headerparser 0]:Content-Type: application/x-www-form-urlencoded
[15421][10/29/2009:17:14:21 -0000][headerparser 0]:Content-Length: 34
[15421][10/29/2009:17:14:21 -0000][killconnection]
[15421][10/29/2009:17:14:21 -0000][killconnection exit]
/usr/local/cpanel/logs/license_logThis file contains the cPanel account's license update logs and license errors.
 Click to view...
Thu Oct 29 19:11:05 2015: Using full manual DNS resolution
Thu Oct 29 19:11:05 2015: Trying server 192.168.0.20
Thu Oct 29 19:11:05 2015: Server 192.168.0.20 on port 2089 returned:
/usr/local/cpanel/logs/login_logThis file contains the login attempts to the cpsrvd daemon.
 Click to view...
192.168.0.20 - user [07/10/2013:18:43:00 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist)
192.168.0.21 - user [07/10/2013:18:43:14 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist)
192.168.0.22 - user [07/15/2013:16:21:50 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
/usr/local/cpanel/logs/queueprocd.logThis file contains the cPanel TaskQueue Processing daemon's (queueprocd) logs.
 Click to view...
[2015-10-20 03:27:31 -0500] info [queueprocd] cPanel TaskQueue Processing Daemon starting.
Starting update of 35 locales in parallel ...
Updating "aa" locale ...
 ... "aa" complete.
Updating "ar" locale ...
 ... "ar" complete.
/usr/local/cpanel/logs/safeapacherestart_logThis file contains information about each time that Apache restarted on the server.

 

 Click to view...
[2015-10-20 03:23:07 -0500] info [safeapacherestart] Restart elapsed seconds: 2
[2015-10-30 12:57:47 -0500] info [safeapacherestart] Restart elapsed seconds: 5
/usr/local/cpanel/logs/session_logThis file contains logs of a user's activities while they are logged into the cPanel account.
 Click to view...
[2015-10-29 09:27:35 -0500] info [cpsrvd] 12.3.14.75 NEW root:tvf32S0eomRni4nplg7OMXgj1kS8Jx3jhSeccZPRyHwsMIENmyhcxE17NCBDllTk address=12.3.14.75,app=whostmgrd,creator=root,method=handle_form_login,path=form,possessed=0
[2015-10-30 12:24:06 -0500] info [cpsrvd] 14.2.19.78 NEW user:TIg1FiIdR6eTnKtYr7VmYGKpYB9srb0yvjHkkA1PeYOB6Y2naymPktSsjAob3pX0 address=14.2.19.78,app=cpaneld,creator=user,method=handle_form_login,path=form,possessed=0
/usr/local/cpanel/logs/setupdbmap_logThis file contains the cPanel account's database-related activities.
 Click to view...
[2014-05-06 02:57:08 -0500] info [setupdbmap] Begin setupdbmap
[2014-05-06 02:57:08 -0500] info [setupdbmap] Updating MySQL users
[2014-05-06 02:57:09 -0500] info [setupdbmap] Processing MySQL databases and database users ...
[2014-05-06 02:57:09 -0500] info [setupdbmap] Finished with MySQL users
/usr/local/cpanel/logs/stats_logThis file contains the bandwidth statistics for all of the server's cPanel accounts.
 Click to view...
[2015-10-30 12:12:30 -0500] Process bandwidth for domain1
[2015-10-30 12:12:30 -0500] Process bandwidth for domain2
[2015-10-30 12:12:30 -0500] Process bandwidth for domain3
/usr/local/cpanel/logs/tailwatchd_logThis file contains the Tailwatch Driver's (tailwatchd) logs.
 Click to view...
[131557] [2015-10-30 13:00:00 -0500] [Cpanel::TailWatch::Eximstats] Resetting email limits to new starttime of 1446228000
[131557] [2015-10-30 14:00:00 -0500] [Cpanel::TailWatch::Eximstats] Resetting email limits to new starttime of 1446231600
/usr/local/cpanel/logs/panic_logThis file contains a cPanel account's severe error logs.

Warning:

This file should not contain any entries. If this file contains entries, thoroughly investigate the entries and contact your hosting provider.

/usr/local/cpanel/logs/php-fpm/error.log

This file contains the PHP-FPM implementation's errors. These errors include errors for the cpsrvd and cpdavd services.

Note:

This file does not include errors for customer sites.

 Click to view...
[06-Nov-2015 08:52:18] ERROR: [pool no] please specify user and group other than root
[06-Nov-2015 08:52:18] ERROR: FPM initialization failed
[06-Nov-2015 08:55:32] ERROR: [pool no] please specify user and group other than root
[06-Nov-2015 08:55:32] ERROR: FPM initialization failed
[06-Nov-2015 08:57:52] ERROR: [pool no] please specify user and group other than root
[06-Nov-2015 08:57:52] ERROR: FPM initialization faile
/var/cpanel/php-fpm/USER/logs/slow.log

This file contains scripts that run unusually slow for a user.

Note:

USER represents the cPanel account name.

 

 

/var/cpanel/php-fpm/USER/logs/error.log

This file contains the user's error logs.

Note:

USER represents the cPanel account name.

 Click to view...
15-Oct-2015 16:58:14 America/Chicago] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 6689761 bytes) in Unknown on line 0
[15-Oct-2015 17:10:33 America/Chicago] PHP Fatal error: Call to a member function write() on a non-object in /usr/local/cpanel/3rdparty/php/54/lib/php/Horde/Imap/Client/Socket.php on line 4336
[23-Oct-2015 16:21:19 America/Chicago] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 72 bytes) in /usr/local/cpanel/base/3rdparty/squirrelmail/functions/imap_messages.php on line 204
[25-Oct-2015 13:01:16 America/Chicago] PHP Fatal error: Call to a member function write() on a non-object in /usr/local/cpanel/3rdparty/php/54/lib/php/Horde/Imap/Client/Socket.php on line 4336
[11-Nov-2015 17:24:29 America/Chicago] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 32 bytes) in /usr/local/cpanel/base/3rdparty/squirrelmail/functions/imap_messages.php on line 204
[30-Nov-2015 14:06:07 America/Chicago] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 72 bytes) in /usr/local/cpanel/3rdparty/php/54/lib/php/Horde/Imap/Client/Cache/Backend/Cache.php on line 493
/var/cpanel.bandwidth.cacheThis file contains the cached bandwidth history for each cPanel account on your server.
 Click to view...
bucktopia.com
xtest1
domain1
domain4
/var/cpanel/accounting.logThis file contains records of cPanel account actions, such as creation and deletion.
 Click to view...
Thu Jun 11 13:33:19 2015:ADDRESELLER:root:root:example.com:example
Fri Oct 30 12:57:29 2015:CHANGEOWNER:root:root:example.com:example:root:example
/var/log/chkservd.logThis file contains the service status logs.
 Click to view...
[2015-11-02 13:52:20 -0500] Service check ....queueprocd [[check command:+][socket connect:N/A]]...named [[check command:+][socket connect:N/A]]...mysql [[check command:+][socket connect:N/A]]...imap [[socket_service_auth:1][check command:+][socket connect:+]]...ftpd [[check command:+][socket connect:+]]...entropychat [[check command:N/A][socket connect:N/A]]...cpsrvd [[http_service_auth:1][check command:N/A][socket connect:+]]...cpanellogd [[check command:+][socket connect:N/A]]...clamd [[check command:+][socket connect:N/A]]...Done
/var/log/cpanel-install.logThis file contains the cPanel & WHM installation logs.
 Click to view...
2013-07-09 16:39:57  152 (DEBUG):   - ssystem [END]
2013-07-09 16:39:57  151 ( INFO):  - Enabling sshd
2013-07-09 16:39:57  152 (DEBUG):   - ssystem [BEGIN]: /sbin/chkconfig --level 35 sshd on
2013-07-09 16:39:57  152 (DEBUG):   - ssystem [END]
2013-07-09 16:39:57  488 ( INFO): Enabling cphulkd ...
2013-07-09 16:39:57  495 ( INFO): Done
2013-07-09 16:39:57  167 ( INFO): cPanel install finished in 69 minutes and 29 seconds!

Directories

The following table lists the log directories for cPanel & WHM:

Directory pathDescriptionExample
/usr/local/cpanel/logs/cpbackupThis directory contains the cPanel backup log files.
 Click to view...
1445324403.log  
1445497204.log
1445925603.log  
1446098403.log
/usr/local/cpanel/logs/cpbackup_transporterThis directory contains the cPanel Backup Transporter's log files.
 Click to view...
cpbackup_transporter.1446102630.log
cpbackup_transporter.1446102672.log
/usr/local/cpanel/logs/easy/apacheThis directory contains the EasyApache build log files.
 Click to view...
build.1439814755.env  build.1439820240.env  
/usr/local/cpanel/logs/update_analysisThis directory contains the update process's .tar files.
 Click to view...
2015-08-20T08:15:06Z.tar.gz  
2015-09-13T08:15:07Z.tar.gz  
2015-10-07T08:15:10Z.tar.gz
/var/cpanel/bandwidth/username

This directory contains each account's bandwidth usage logs.

Note:

In this directory, username represents your account's username.

 Click to view...
fredfred-smtp-rate.rrd  barney-all-rate.rrd
/var/cpanel/logsThis directory contains account transfer log files and other, miscellaneous log files.
 Click to view...
cpaddonsup.1444377665.txt  
cpaddonsup.1445155265.txt  
cpaddonsup.1445932864.txt

/var/cpanel/updatelogs

 

This directory contains the system's update log files.

 

 Click to view...
update.1446018721.log
update.1446191521.log  
update.1446367921.log
/var/cpanel/logs/mysql_upgrade.logThis directory contains the account's MySQL upgrade logs.
 Click to view...
unattended_background_upgrade.error  
unattended_background_upgrade.log  
unattended_background_upgrade.output
unattended_background_upgrade.result
/var/cpanel/horde/logThis directory contains the log files for Horde.
 Click to view...
horde_.log  horde_stesares.log
/var/cpanel/squirrelmailThis directory contains the log files for SquirrelMail.
 Click to view...
./  ../  version

 

 

/var/cpanel/roundcube/logThis directory contains the log files for Roundcube Webmail.
 Click to view...
roundcube_.log
/var/cpanel/transfer_session

This directory contains subdirectories for transfer and restore sessions.

Each transfer and restore session's subdirectory contains the session's log files in a line-delimited JSON format. Each log file contains the following information:

 Click to view
KeyTypeDescriptionPossible valuesExample
pidintegerThe process ID under which the command in the log entry ran.An integer value.14538
indentintegerThe level of indentation to display.A valid positive integer.1
typestringThe type of log file entry.
  • out
  • warn
  • success
  • failure
  • control
control
partialBooleanWe do not currently use this key.0 is the only possible value.0
contentshashA hash of transfer or restore session information.This hash contains the action, child_number, dangerous_items, item, item_name, item_type, local_item, logfile, message, msg, queue, skipped_items, and warnings keys.

action

string

The action for the system to execute.

The log file contains this key in the content hash.

A valid string.start-item

child_number

integer

The number of child processes in the transfer or restore process.

The log file contains this key in the content hash.

A positive integer.1

dangerous_items

integer

The number of items in the transferred or restored account that the system flagged as potentialy dangerous.

The log file contains this key in the content hash.

A positive integer.1

item

string

The name of the account to restore or transfer.

The log file contains this key in the content hash.

A string value.cptech

item_name

string

The name of the item to transfer or restore.

The log file contains this key in the content hash.

A string value.Account

item_type

string

The specific item to transfer or restore.

The log file contains this key in the content hash.

A string value.cptech

local_item

string

The item to restore locally.

The log file contains this key in the content hash.

A string value.AccountLocal

logfile

string

The absolute filepath for the log file.

The log file contains this key in the content hash.

A valid absolute filepath.item-RESTORE_AccountLocal_cptech

message

string

A message about the transfer or restore process.

The log file contains this key in the content hash.

A string value.null

msg

string

Additional information about the transfer or restore process.

The log file contains this key in the content hash.

A string value.



null

queue

string

The process that the system performed on the account.

The log file contains this key in the content hash.

  • TRANSFER
  • RESTORE
RESTORE

skipped_items

integer

The items in the account that the transfer or restore process skipped.

The log file contains this key in the content hash.

A positive integer.1

warnings

integer

The number of warnings that the system returned during the transfer or restore process.

The log file contains this key in the content hash.

A positive integer.2

 Click to view...
 {
  "data": {
    "log":
 
"{\"pid\":\"14358\",\"contents\":{\"action\":\"start\",\"child_number\":0},\"type\":\"control\"}\n{\"pid\":\"14358\",\"contents\":{\"msg\":\"copyacct\",\"action\":\"initiator\",\"child_number\":0},\"type\":\"control\"}\n{\"pid\":\"14358\",\"contents\":{\"msg\":\"1.6\",\"action\":\"version\",\"child_number\":0},\"type\":\"control\"}\n{\"pid\":\"14358\",\"contents\":{\"msg\":\"3\",\"action\":\"queue_count\",\"queue\":\"TRANSFER\",\"child_number\":0},\"type\":\"control\"}\n{\"pid\":\"14358\",\"contents\":{\"msg\":\"3\",\"action\":\"queue_count\",\"queue\":\"RESTORE\",\"child_number\":0},\"type\":\"control\"}\n{\"pid\":\"14358\",\"contents\":{\"msg\":\"vm5.docs.cpanel.net\",\"action\":\"remotehost\",\"child_number\":0},\"type\":\"control\"}\n{\"pid\":\"14360\",\"contents\":{\"item_type\":\"AccountRemoteRoot\",\"item\":\"fredfred\",\"action\":\"start\",\"queue\":\"TRANSFER\",\"item_name\":\"Account\",\"child_number\":1},\"type\":\"control\"}\n{\"pid\":\"14360\",\"contents\":{\"msg\":\"item-TRANSFER_AccountRemoteRoot_fredfred\",\"item_type\":\"AccountRemoteRoot\",\"item\":\"fredfred\",\"item_name\":\"Account\",\"action\":\"process-item\",\"queue\":\"TRANSFER\",\"child_number\":1,\"logfile\":\"item-TRANSFER_AccountRemoteRoot_fredfred\"},\"type\":\"control\"}\n{\"pid\":\"14361\",\"contents\":{\"item_type\":\"AccountRemoteRoot\",\"item\":\"colin\",\"action\":\"start\",\"queue\":\"TRANSFER\",\"item_name\":\"Account\",\"child_number\":2},\"type\":\"control\"}\n{\"pid\":\"14361\",\"contents\":{\"msg\":\"item-TRANSFER_AccountRemoteRoot_colin\",\"item_type\":\"AccountRemoteRoot\",\"item\":\"colin\",\"item_name\":\"Account\",\"action\":\"process-item\",\"queue\":\"TRANSFER\",\"child_number\":2,\"logfile\":\"item-TRANSFER_AccountRemoteRoot_colin\"},\"type\":\"control\"}\n{\"pid\":\"14362\",\"contents\":{\"item_type\":\"AccountRemoteRoot\",\"item\":\"stacy\",\"action\":\"start\",\"queue\":\"TRANSFER\",\"item_name\":\"Account\",\"child_number\":3},\"type\":\"control\"}\n{\"pid\":\"14362\",\"contents\":{\"msg\":\"item-TRANSFER_AccountRemoteRoot_stacy\",\"item_type\":\"AccountRemoteRoot\",\"item\":\"stacy\",\"item_name\":\"Account\",\"action\":\"process-item\",\"queue\":\"TRANSFER\",\"child_number\":3,\"logfile\":\"item-TRANSFER_AccountRemoteRoot_stacy\"},\"type\":\"control\"}\n{\"pid\":\"14362\",\"contents\":{\"msg\":{\"warnings\":0,\"dangerous_items\":0,\"contents\":{\"dangerous_items\":null,\"altered_items\":null},\"skipped_items\":0,\"altered_items\":0,\"message\":null},\"item_type\":\"AccountRemoteRoot\",\"item\":\"stacy\",\"item_name\":\"Account\",\"action\":\"success-item\",\"queue\":\"TRANSFER\",\"child_number\":3,\"logfile\":\"item-TRANSFER_AccountRemoteRoot_stacy\"},\"type\":\"control\"}\n{\"pid\":\"14361\",\"contents\":{\"msg\":{\"warnings\":0,\"dangerous_items\":0,\"contents\":{\"dangerous_items\":null,\"altered_items\":null},\"skipped_items\":0,\"altered_items\":0,\"message\":null},\"item_type\":\"AccountRemoteRoot\",\"item\":\"colin\",\"item_name\":\"Account\",\"action\":\"success-item\",\"queue\":\"TRANSFER\",\"child_number\":2,\"logfile\":\"item-TRANSFER_AccountRemoteRoot_colin\"},\"type\":\"control\"}\n{\"pid\":\"14363\",\"contents\":{\"item_type\":\"AccountRemoteRoot\",\"item\":\"stacy\",\"action\":\"start\",\"queue\":\"RESTORE\",\"item_name\":\"Account\",\"child_number\":1},\"type\":\"control\"}\n{\"pid\":\"14363\",\"contents\":{\"msg\":\"item-RESTORE_AccountRemoteRoot_stacy\",\"item_type\":\"AccountRemoteRoot\",\"item\":\"stacy\",\"item_name\":\"Account\",\"action\":\"process-item\",\"queue\":\"RESTORE\",\"child_number\":1,\"logfile\":\"item-RESTORE_AccountRemoteRoot_stacy\"},\"type\":\"control\"}\n{\"pid\":\"14365\",\"contents\":{\"item_type\":\"AccountRemoteRoot\",\"item\":\"colin\",\"action\":\"start\",\"queue\":\"RESTORE\",\"item_name\":\"Account\",\"child_number\":2},\"type\":\"control\"}\n{\"pid\":\"14365\",\"contents\":{\"msg\":\"item-RESTORE_AccountRemoteRoot_colin\",\"item_type\":\"AccountRemoteRoot\",\"item\":\"colin\",\"item_name\":\"Account\",\"action\":\"process-item\",\"queue\":\"RESTORE\",\"child_number\":2,\"logfile\":\"item-RESTORE_AccountRemoteRoot_colin\"},\"type\":\"control\"}\n{\"pid\":\"14360\",\"contents\":{\"msg\":{\"warnings\":0,\"dangerous_items\":0,\"contents\":{\"dangerous_items\":null,\"altered_items\":null},\"skipped_items\":0,\"altered_items\":0,\"message\":null},\"item_type\":\"AccountRemoteRoot\",\"item\":\"fredfred\",\"item_name\":\"Account\",\"action\":\"success-item\",\"queue\":\"TRANSFER\",\"child_number\":1,\"logfile\":\"item-TRANSFER_AccountRemoteRoot_fredfred\"},\"type\":\"control\"}\n{\"pid\":\"14360\",\"contents\":{\"action\":\"complete\",\"queue\":\"TRANSFER\",\"child_number\":1},\"type\":\"control\"}\n{\"pid\":\"14362\",\"contents\":{\"action\":\"complete\",\"queue\":\"TRANSFER\",\"child_number\":3},\"type\":\"control\"}\n{\"pid\":\"14361\",\"contents\":{\"action\":\"complete\",\"queue\":\"TRANSFER\",\"child_number\":2},\"type\":\"control\"}\n{\"pid\":\"14363\",\"contents\":{\"msg\":{\"warnings\":2,\"dangerous_items\":0,\"contents\":{\"dangerous_items\":[],\"altered_items\":[]},\"skipped_items\":10,\"altered_items\":0,\"message\":null},\"item_type\":\"AccountRemoteRoot\",\"item\":\"stacy\",\"item_name\":\"Account\",\"action\":\"success-item\",\"queue\":\"RESTORE\",\"child_number\":1,\"logfile\":\"item-RESTORE_AccountRemoteRoot_stacy\"},\"type\":\"control\"}\n{\"pid\":\"14363\",\"contents\":{\"item_type\":\"AccountRemoteRoot\",\"item\":\"fredfred\",\"action\":\"start\",\"queue\":\"RESTORE\",\"item_name\":\"Account\",\"child_number\":1},\"type\":\"control\"}\n{\"pid\":\"14363\",\"contents\":{\"msg\":\"item-RESTORE_AccountRemoteRoot_fredfred\",\"item_type\":\"AccountRemoteRoot\",\"item\":\"fredfred\",\"item_name\":\"Account\",\"action\":\"process-item\",\"queue\":\"RESTORE\",\"child_number\":1,\"logfile\":\"item-RESTORE_AccountRemoteRoot_fredfred\"},\"type\":\"control\"}\n{\"pid\":\"14365\",\"contents\":{\"msg\":{\"warnings\":4,\"dangerous_items\":1,\"contents\":{\"dangerous_items\":[[[\"Mysql\",\"_restore_mysql\",104],\"MySQL:
 Skipping grants for these MySQL databases: colin_%. These databases 
don't exist in the 
archive.\",null]],\"altered_items\":[[[\"Mysql\",\"_update_dbname\",437],\"mySQL
 database \u201ccolin_testdatabase\u201d restored as 
\u201ctestdatabase\u201d\",[\"Rename\",\"\/scripts5\/rename_mysql_db\",{\"new\":\"testdatabase\",\"orig\":\"colin_testdatabase\"}]],[[\"Mysql\",\"_update_dbuser_name\",348],\"mySQL
 user \u201ccolin\u201d restored as 
\u201ccolin\u201d\",[\"Rename\",\"\/scripts5\/rename_mysql_user\",{\"new\":\"colin\",\"orig\":\"colin\"}]]]},\"skipped_items\":10,\"altered_items\":1,\"message\":null},\"item_type\":\"AccountRemoteRoot\",\"item\":\"colin\",\"item_name\":\"Account\",\"action\":\"success-item\",\"queue\":\"RESTORE\",\"child_number\":2,\"logfile\":\"item-RESTORE_AccountRemoteRoot_colin\"},\"type\":\"control\"}\n{\"pid\":\"14363\",\"contents\":{\"msg\":{\"warnings\":2,\"dangerous_items\":0,\"contents\":{\"dangerous_items\":[],\"altered_items\":[]},\"skipped_items\":11,\"altered_items\":0,\"message\":null},\"item_type\":\"AccountRemoteRoot\",\"item\":\"fredfred\",\"item_name\":\"Account\",\"action\":\"success-item\",\"queue\":\"RESTORE\",\"child_number\":1,\"logfile\":\"item-RESTORE_AccountRemoteRoot_fredfred\"},\"type\":\"control\"}\n{\"pid\":\"14363\",\"contents\":{\"action\":\"complete\",\"queue\":\"RESTORE\",\"child_number\":1},\"type\":\"control\"}\n{\"pid\":\"14365\",\"contents\":{\"action\":\"complete\",\"queue\":\"RESTORE\",\"child_number\":2},\"type\":\"control\"}\n{\"pid\":\"14358\",\"contents\":{\"action\":\"complete\",\"child_number\":0},\"type\":\"control\"}\n"
  },
  "metadata": {
    "version": 1,
    "reason": "OK",
    "result": "1",
    "command": "fetch_transfer_session_log"
  }
}

FTP

Files

FilepathDescriptionExample
/usr/local/apache/domlogs/ftpxferlogThis file contains the FTP transaction logs for all of the cPanel account's users who run EasyApache 3.
 Click to view...
user
user1
user2 
/etc/apache2/logs/domlogs/ftpxferlogThis file contains the FTP transaction logs for all of the cPanel account's users who run EasyApache 4.
 Click to view...
user
user1
user2 

 

 

Directories

Directory pathDescriptionExample
/usr/local/apache/domlogsThis directory contains the FTP transaction logs for all of the cPanel account's domains which exist on webservers that run Easy Apache 3.
 Click to view...
domain1/
example.com
domain1.com
domain1.com-bytes_log
/etc/apache2/logs/domlogsThis directory contains the FTP transaction logs for all of the cPanel account's domains which exist on webservers that run Easy Apache 4.
 Click to view...
domain1/
example.com
domain1.com
domain1.com-bytes_log

 

 

Mail

Files

FilepathDescriptionExample
/var/log/exim_mainlogThis file contains Exim's mail receipt and delivery logs for the cPanel account's domains.
 Click to view...
2015-12-07 09:23:14 [3428] luggage-1234Bz-Rm H=mailhost.domain.com 
[192.168.0.20]:58241 I=[1.0.0.127]:25 Warning: "SpamAssassin as 
theuser detected message as NOT spam (0.0)"
/var/log/exim_rejectlog

This file contains a log of messages that the system rejected due to ACLs.

For more information, read our Exim Configuration Manager - Basic Editor documentation.

 Click to view...
2015-12-4 08:27:23 refused relay (host) to 
<user@example.com> from <example@user.com>
H=113-43-173-020.user.example.net (smtp.example.com) 
[192.168.0.20]
/var/log/exim_paniclogThis file contains Exim's severe error logs.

Warning:

This file should not contain any entries. If this file contains entries, thoroughly investigate the entries and contact your hosting provider.

/var/log/maillog

This file contains IMAP and POP3 login attempts, transactions, fatal errors, and Apache SpamAssassin™ scores.

 Click to view...
Nov  3 10:21:30 vm5 dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__orpl7flalajte5t7ahgq2joard0s3szcmltatifzmb_iqv...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=735381, secured, session=<1adZSaUjRwB/AAAB>
Nov  3 10:21:30 vm5 dovecot: imap(__cpanel__service__auth__imap__orpl7flalajte5t7ahgq2joard0s3szcmltatifzmb_iqvmragspbfcr3dkrhmzd): Disconnected: Logged out in=11, out=434, bytes=11/434

Directories

Directory pathDescriptionExample
/var/spool/exim/input

This directory contains a log of queued incoming email messages. For more information, read our Mail Queue Manager documentation.

The system separates these logs in to subdirectories that correspond to the number or letter with which the sender's name begins.

 Click to view...
1WEayg-0011QH-IC-D
1XABSg-003GTw-28-D
1XDGag-001MGL-6R-D
1XGLEg-0032BQ-6A-D
1XJn6g-001kuC-5n-D
1YPpqg-001CeH-Gf-D
1WEayg-0011QH-IC-H
1XABSg-003GTw-28-H
1XDGag-001MGL-6R-H
1XGLEg-0032BQ-6A-H
1XJn6g-001kuC-5n-H
1YPpqg-001CeH-Gf-H
/usr/local/cpanel/3rdparty/mailman/logsThis directory contains the account's Mailman logs.
 Click to view...
./  ../  bounce  error  locks  mischief  post  qrunner  smtp  smtp-failure  subscribe  vette

Memory usage

FilepathDescriptionExample
/var/log/dcpumon/YYYY/MMM/DD

This file contains information about the processes that consume the most CPU and memory.

  • YYYY represents a subdirectory that contains a process's logs by month.
  • MMM represents a subdirectory within the YYYY directory that contains a process's logs for each day of a month.
  • DD represents a subdirectory that contains a process's log for a specific day of the month.

Note:

To interpret the data, use the /usr/local/cpanel/bin/dcpumonview file.

 Click to view...
eximstats=0=0=0.456462908976875=0.002==0.001==0=
mailman=0.0664235356972792=5.17983251838002=0=12.0=/usr/local/cpanel/3rdparty/bin/python -S /usr/local/cpanel/3rdparty/mailman/cron/checkdbs=6.5=[python]=0.5=crond
mailnull=0=0.0561016968838195=0=0.002==0.001==0=
mysql=0=8.99548891392477=0=0.002==0.001==0=
named=0=0.311152278191386=0=0.002==0.001==0=
nobody=0=2.77735281478296=0=0.002==0.001==0=
root=5.87086377309829=24.591731611285=2=90.5=/usr/lib/rpm/rpmd --rebuilddb --verbose --verbose --verbose=43.0=cpanellogd - waiting for child to process logs=41.0=/usr/bin/python /usr/sbin/statsnotifer check-admin
/var/log/munin

This file contains the account's Munin logs.

Munin is a cPanel plugin that displays information about CPU, Exim, Apache, MySQL usage, and other information with the rrdtool utility.

 Click to view...
munin-html.log
munin-limits.log
munin-update.log

MySQL

FilepathDescriptionExample
/var/lib/mysql/HOSTNAME.err

This file contains information about the cPanel account's MySQL databases and errors.

Note:

HOSTNAME represents the server's hostname.

 Click to view...
151030  2:57:10 [Note] InnoDB: Waiting for purge to start
151030  2:57:10 [Note] InnoDB:  Percona XtraDB (http://www.percona.com) 5.6.26-74.0 started; log sequence number 145713856
151030  2:57:10 [Note] Plugin 'FEEDBACK' is disabled.
151030  2:57:10 [Note] Server socket created on IP: '::'.
151030  2:57:11 [Note] /usr/sbin/mysqld: ready for connections.
Version: '10.0.22-MariaDB'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MariaDB Server

Webservers

Apache

Note:

If your system manages many domains, we recommend that you enable piped logging to reduce the number of log files that Apache manages. Piped logging allows you to pipe Apache access logs to a separate process so that Apache does not need to restart every time that it processes the logs.

  • You can enable piped logging in the Piped Log Configuration section of WHM's Apache Configuration interface (WHM >> Home  >> Service Configuration >> Apache Configuration).
  • As of cPanel & WHM version 74, we now enable piped logging by default on new installations of cPanel & WHM
FilepathDescriptionExample
/usr/local/apache/domlogs/DOMAIN

This directory contains the log data for the user's account, which exists on a webserver that runs EasyApache 3.

The system creates this directory when the cPanel Log Rotation Configuration (cpanellogd) daemon compresses and archives the data that resides in the /usr/local/apache/logs/domlogs/domain-ssl_log and the /usr/local/apache/domlogs/domain files. This process begins when the /usr/local/cpanel/scripts/upcp script runs and the system analyzes the log data.

Note:

You can also perform this process for individual users with the /usr/local/cpanel/runweblogs command.

The system also performs the following actions:

  • Adds a link to the /usr/local/apache/domlogs/username directory in the /home/username/access_logs directory.
  • Adds a symlink to the log data backup file in the user's  /home/username/logs  directory during the archive process. This symlink allows you to access this file while the system archives the file.
    • The symlink's name reflects the log file's name, and may contain a .bkup file extension.

Notes:

  • DOMAIN represents a domain on the cPanel account.
  • username represents the cPanel account's username.
 Click to view...
94.228.34.208 - - [19/Nov/2015:08:45:09 -0600] "GET /robots.txt HTTP/1.1" 302 235 "-" "robots"
94.228.34.208 - - [19/Nov/2015:08:45:09 -0600] "GET /cgi-sys/suspendedpage.cgi HTTP/1.1" 200 7314 "-" "robots"	
94.228.34.208 - - [19/Nov/2015:08:45:10 -0600] "GET /forums/forumdisplay.php?f=5 HTTP/1.1" 302 239 "-" "magpie-crawler/1.1 (U; Linux amd64; en-GB; +"		
94.228.34.208 - - [19/Nov/2015:08:45:10 -0600] "GET /cgi-sys/suspendedpage.cgi?f=5 HTTP/1.1" 200 7314 "-" "magpie-crawler/1.1 (U; Linux amd64; en-GB; +"
/etc/apache2/logs/domlogs/DOMAIN

This directory contains the log data for the user's account, which exists on a webserver that runs EasyApache 4.

The system creates this directory when the cPanel Log Rotation Configuration (cpanellogd) daemon compresses and archives the data that resides in the /etc/apache2/logs/domlogs/domain-ssl_log and the /etc/apache2/domlogs/domain files. This process begins when the /usr/local/cpanel/scripts/upcp script runs and the system analyzes the log data.

Note:

You can also perform this process for individual users with the /usr/local/cpanel/runweblogs command.

The system also performs the following actions:

  • Adds a link to the /usr/local/apache/domlogs/username directory in the /home/username/access_logs directory.
  • Adds a symlink to the log data backup file in the user's  /home/username/logs  directory during the archive process. This symlink allows you to access this file while the system archives the file.
    • The symlink's name reflects the log file's name, and may contain a .bkup file extension.

Notes:

  • username represents the cPanel account's username.
  • domain represents a domain on the cPanel account.
 

/var/log/apache2/modsec_audit.log

Important:

If the Apache MPM_ITK module or Mod_Ruid2 is enabled, you can access the logs in the /usr/local/apache/modsec_audit/user directory.

This file contains the log information for ModSecurity™.
 Click to view...
ModSecurity: Audit log: Failed to lock global mutex: Identifier removed [hostname "www.somedomain.co.uk"] [uri "/index.<a href="http://endlessgeek.com/glossary/php/" title="Glossary: PHP"  data-tooltip="PHP Hypertext Processor - originally Personal Home Page"  class="glossaryLink ">php</a>"] [unique_id "U61fRE1KBCIADWZddE8AAAAP"]
/var/log/apache2/suexec_log

This file contains information about suEXEC audit logs. This is useful, for example, to diagnose internal server errors that do not produce relevant information in the error log.

 Click to view...
[Wed Nov 04 09:55:01 2015] [error] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/RESPONSE-80-CORRELATION.conf"] [line "35"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5): Request Missing a User Agent Header"] [tag "Host: "] [hostname "example.com"] [uri "/whm-server-status"] [unique_id "VjoqVQoBZCMAA7qYOM4AAAAF"] 


Note:

You can also view Apache's error logs in cPanel's Errors interface (cPanel >> Home >> Metrics >> Errors).

/var/log/apache2/suphp_logThis file contains information about the suPHP Apache module audit logs. This is useful, for example, to diagnose internal server errors that do not produce relevant information in the error log.
 Click to view...
[Sat Sep 12 22:16:39 2015] [info] Executing "/home/test/public_html/member.php" as UID 563, GID 563		
[Sat Sep 12 22:16:39 2015] [info] Executing "/home/test/public_html/member.php" as UID 563, GID 563	
[Sat Sep 12 22:16:42 2015] [info] Executing "/home/test/public_html/forums/index.php" as UID 554, GID 554	
[Sat Sep 12 22:16:43 2015] [info] Executing "/home/test/public_html/member.php" as UID 563, GID 563		
[Sat Sep 12 22:16:43 2015] [info] Executing "/home/test/public_html/forums/index.php" as UID 554, GID 554	
[Sat Sep 12 22:16:43 2015] [info] Executing "/home/test/public_html/forums/index.php" as UID 554, GID 554		
[Sat Sep 12 22:16:43 2015] [info] Executing "/home/test/public_html/forums/index.php" as UID 554, GID 554
/var/log/apache2/mod_jk.logThis file contains the Tomcat connection logs.
 Click to view...
[Mon Dec 07 12:49:33 2015][1234:274957687980737] [info] ajp_handle_cping_cpong::jk_ajp_common.c (913): timeout in reply
[Mon Dec 07 12:49:33 2015][8534:1058674928674576] [info] ajp_handle_cping_cpong::jk_ajp_common.c (913): timeout in reply
/var/log/apache2/error_log

This file contains the error logs for webservers and CGI Applications.

 Click to view...
[Wed Nov 04 09:55:01 2015] [error] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/RESPONSE-80-CORRELATION.conf"] [line "35"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5): Request Missing a User Agent Header"] [tag "Host: "] [hostname "example.com"] [uri "/whm-server-status"] [unique_id "VjoqVQoBZCMAA7qYOM4AAAAF"] 

Tomcat

FilepathDescriptionExample
/var/log/easy-tomcat7/localhost-access_logThis file contains the Tomcat access logs.
 Click to view...
2015-11-28.txt

/var/log/easy-tomcat7/catalina.err


This file contains the Tomcat7 error logs.

For more information, read our Introduction to Tomcat documentation.

 Click to view...
WARNING: Problem with directory [/var/lib/tomcat7/lib], exists: [false], isDirectory: [false], canRead: [false]
Dec 01, 2015 6:46:53 AM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [/var/lib/tomcat7/lib], exists: [false], isDirectory: [false], canRead: [false]
Dec 01, 2015 6:46:53 AM org.apache.catalina.startup.ClassLoaderFactory validateFile
/var/log/easy-tomcat7/catalina.out

This file contains the Tomcat7 output logs.

 Click to view...
Dec 08 07:07:14 server.example.com server[12345]: at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:455)

Additional documentation