Understanding cPanel & WHM Log File's and Their Locations

1. Overview of cPanel & WHM Log Files

cPanel & WHM stores logs across multiple directories to help administrators troubleshoot system activity, authentication attempts, service behavior, and user‑level operations. The paths listed below reflect default configurations unless manually modified.

2. General System Logs

2.1 System Messages Log

On Red Hat‑based servers:

/var/log/messages

On Ubuntu servers:

/var/log/syslog

This log contains login attempts and general errors for:

• FTP services
• Nameserver daemons (named, bind, PowerDNS)
• SSH daemon (sshd)

Example:

Nov  3 08:41:10 vm5 proftpd[684684]: FTP session opened.
Nov  3 08:41:10 vm5 proftpd[684684]: FTP session closed.

2.2 SSH Authentication Log

/var/log/secure

This file records SSH login attempts.

Example:

Jul  5 08:50:04 colin sshd[29856]: Accepted password for root
Jul  5 15:00:17 colin sshd[29856]: session closed for user root

3. User‑Level Service Logs

3.1 Task Queue Logs

/home/USER/.cpanel/logs

Contains errors related to a user’s task queue.

Example:

Processing /home/USER/example...
Already had it.

3.2 DAV Debug Log

/home/username/logs/DAV-debug.log

Important: Only enable this log for troubleshooting calendar or contacts issues. It can quickly consume disk space.

Enable by creating:

/home/username/.caldav/.debug

Example Format:

[420074] [Tue Jan 30 19:00:59 2024] [Cpanel/DAV/CaldavCarddav.pm : 4457 ] >>> load_metadata

3.3 DAV Error Log

/home/username/logs/DAV-error.log

Contains errors from the cpdavd service.

Example:

[02/Nov/2023:21:47:53] 10.3.5.127 [email protected] "PROPFIND /calendars/user/" 400

3.4 DAV I/O Log

/home/username/logs/DAV-io.log

Contains request and payload data from cpdavd.

Example:

[2213123] [Tue Jan 30 08:28:35 2024] >>>A long string containing request data>>>

4. cPanel & WHM Access Log

4.1 Access Log Path

/usr/local/cpanel/logs/access_log

This log records every time a cPanel or WHM user accesses their account. Entries use the Common Log Format.

Example Format:

IP - USER [timestamp] "REQUEST" STATUS BYTES

Conclusion

cPanel & WHM provides extensive logging across system‑level, service‑level, and user‑level operations. Understanding these log locations helps administrators troubleshoot authentication issues, service failures, and application behavior more effectively.

1. api_log — cPanel API Log

This file contains human‑readable logs of all cPanel API1 calls, successful API2 calls, and successful UAPI calls made by a single cPanel user. Administrators must enable this log in:

WHM » Home » Server Configuration » Tweak Settings » Logging

Path:

/usr/local/cpanel/logs/api_log

Example:

[2022-07-12 20:18:52 +0000] info [cpwrapd] api_version=uapi {"call":"Themes::list"}
[2022-07-12 20:18:52 +0000] info [cpwrapd] api_version=uapi {"call":"SSL::installed_host"}
[2022-07-12 20:18:52 +0000] info [cpwrapd] api_version=uapi {"call":"Resellers::list_accounts"}

2. api_tokens_log — WHM API Token Log

This file records WHM API token activity, including which user and token performed a request.

Path:

/usr/local/cpanel/logs/api_tokens_log

Example:

[2017-02-07 19:07:13 -0600] User: kingrichard, Token: robin_of_loxley, Request: GET /scripts2/reloadbind_local

3. locale_database_log — Locale Database Log

This file logs updates made to locale databases.

Path:

/usr/local/cpanel/build/locale_database_log

Example:

[2014-09-28 02:55:26 -0500] Finished updating locale databases

4. cpdavd_error_log — Web Disk Error Log

This file contains error logs for the Web Disk (cpdavd) service.

Path:

/usr/local/cpanel/logs/cpdavd_error_log

Example:

Starting PID 11197: cpdavd - accepting connections on 2077 and 2078

5. cpdavd_session_log — Web Disk Session Log

This file logs Web Disk session activity.

Path:

/usr/local/cpanel/logs/cpdavd_session_log

Example:

[2015-11-18 14:38:51 -0600] info [cpdavd] NEW session accepting connections on 2077–2080

6. cpgreylistd.log — Greylisting Log

This file contains activity logs for the Greylisting daemon.

Path:

/usr/local/cpanel/logs/cpgreylistd.log

Example:

[2015-10-30 11:05:39 -0500] Purged old records from DB

7. cphulkd_errors.log — cPHulk Error Log

This file contains error messages from the Brute Force Protection daemon (cPHulk).

Path:

/usr/local/cpanel/logs/cphulkd_errors.log

Example:

[2015-08-26 12:14:29 -0500] Broken pipe error

8. cphulkd.log — cPHulk Activity Log

This file logs cPHulk daemon activity.

Path:

/usr/local/cpanel/logs/cphulkd.log

Example:

[2015-10-20 03:27:14 -0500] processor shutdown via SIGTERM

9. cpwrapd_log — cPanel Service Manager Log

This file logs activity from the cpsrvd service manager daemon.

Path:

/usr/local/cpanel/logs/cpwrapd_log

Example:

[1985-10-21 10:18:11 -0500] action=fetch module=reseller

10. dnsadmin_log — DNS Admin Log

This file logs dnsadmin requests and cache resets.

Path:

/usr/local/cpanel/logs/dnsadmin_log

Example:

[2015-10-21 13:33:19 -0500] Reset reseller cache 'example'

11. error_log — General cPanel Error Log

This file contains general cPanel & WHM errors, including fatal errors and timeouts.

Path:

/usr/local/cpanel/logs/error_log

Example:

Cpanel::Exception::ModSecurity::VendorUpdateUnnecessary

12. incoming_http_requests.log — Incoming HTTP Requests Log

This file logs incoming HTTP requests to the cPanel account’s server.

Path:

/usr/local/cpanel/logs/incoming_http_requests.log

Example:

[headerparser]:Host: 127.0.0.1:2087

13. license_log — License Update Log

This file contains license update activity and license‑related errors.

Path:

/usr/local/cpanel/logs/license_log

Example:

Trying server 192.168.0.20 on port 2089

14. login_log — Login Attempts Log

This file records login attempts to the cpsrvd daemon.

Path:

/usr/local/cpanel/logs/login_log

Conclusion

These advanced log files provide essential insights into system behavior, API activity, authentication attempts, service errors, and daemon operations. Understanding these logs helps administrators troubleshoot issues efficiently and maintain a secure, stable hosting environment.

1. panic_log — Severe Error Log

This file contains severe cPanel account errors. It should always be empty. If it contains entries, investigate immediately and contact your hosting provider.

Path:

/usr/local/cpanel/logs/panic_log

2. queueprocd.log — TaskQueue Processing Log

Logs activity from the TaskQueue Processing daemon (queueprocd).

Path:

/usr/local/cpanel/logs/queueprocd.log

Example:

[2015-10-20] cPanel TaskQueue Processing Daemon starting.
Updating locales...
"ar" complete.

3. safeapacherestart_log — Apache Restart Log

Contains information about each Apache restart.

Path:

/usr/local/cpanel/logs/safeapacherestart_log

Example:

[2015-10-30] Restart elapsed seconds: 5

4. session_log — User Session Activity

Logs user activity while logged into cPanel or WHM.

Path:

/usr/local/cpanel/logs/session_log

Example:

[2015-10-29] NEW root login via whostmgrd

5. setupdbmap_log — Database Mapping Log

Logs database-related operations such as MySQL user updates and database mapping.

Path:

/usr/local/cpanel/logs/setupdbmap_log

Example:

Processing MySQL databases and users...

6. stats_log — Bandwidth Statistics Log

Contains bandwidth processing logs for all cPanel accounts.

Path:

/usr/local/cpanel/logs/stats_log

Example:

Process bandwidth for domain1

7. tailwatchd_log — TailWatch Driver Log

Logs activity from the TailWatch daemon.

Path:

/usr/local/cpanel/logs/tailwatchd_log

Example:

Resetting email limits to new starttime...

8. publish_timestamp.log — Sitejet CMS Log

Contains logs and download status for Sitejet Website Builder files.

Path:

/home/USER/logs/publish_timestamp.log

9. /var/cpanel.bandwidth.cache — Bandwidth Cache

Stores cached bandwidth history for each cPanel account.

Example:

domain1
domain4
xtest1

10. accounting.log — Account Action Log

Logs account actions such as creation, deletion, ownership changes, and API token creation.

Path:

/var/cpanel/accounting.log

Example:

Thu Jun 11 13:33:19 2015:ADDRESELLER:root:root:example.com:example

11. chkservd.log — Service Status Log

Contains service monitoring results from the chkservd daemon.

Path:

/var/log/chkservd.log

Example:

Service check ... mysql [+] ... imap [+] ... cpsrvd [+] ... Done

12. cpanel-install.log — Installation Log

Contains logs from the cPanel & WHM installation process.

Path:

/var/log/cpanel-install.log

Example:

cPanel install finished in 69 minutes and 29 seconds!

13. PHP & PHP-FPM Logs

13.1 PHP-FPM Error Log

/usr/local/cpanel/logs/php-fpm/error.log

Example:

ERROR: please specify user and group other than root

13.2 User Slow Log

/var/cpanel/php-fpm/USER/logs/slow.log

13.3 User Error Log

/var/cpanel/php-fpm/USER/logs/error.log

13.4 Internal PHP-FPM Error Log

/home/USER/logs/.php.error.log

14. Backup Logs

14.1 cPanel Backup Logs

/usr/local/cpanel/logs/cpbackup

14.2 Backup Transporter Logs

/usr/local/cpanel/logs/cpbackup_transporter

15. EasyApache Build Logs

/usr/local/cpanel/logs/packman/

16. Update Analysis Logs

/usr/local/cpanel/logs/update_analysis

17. Bandwidth Logs per Account

/var/cpanel/bandwidth/USER

18. Miscellaneous cPanel Logs

/var/cpanel/logs

19. System Update Logs

/var/cpanel/updatelogs

20. MySQL Upgrade Logs

/var/cpanel/logs/mysql_upgrade.log

21. Roundcube Logs

SQLite backend:

/home/USER/logs/roundcube

MySQL backend:

/var/cpanel/roundcube/log

22. Transfer Session Logs

Contains logs for transfer and restore sessions in JSON format.

Path:

/var/cpanel/transfer_sessions

Conclusion

These advanced log files provide deep visibility into system operations, performance, security, and service behavior. Understanding them allows administrators to diagnose issues quickly and maintain a stable, secure hosting environment.

1. FTP Logs

1.1 FTP Transfer Log

This file contains FTP transfer logs for servers running EasyApache 4.

/etc/apache2/logs/domlogs/ftpxferlog

Example:

user
user1
user2

1.2 FTP Log Directory

This directory contains FTP transaction logs for domains.

/etc/apache2/logs/domlogs

Example:

domain1/
example.com
domain1.com
domain1.com-bytes_log

2. Mail Logs

2.1 Z-Push ActiveSync Log

Contains logs for syncing email, contacts, and calendars on Android devices.

/home/USER/.z-push/log/z-push.log

2.2 Z-Push Error Log

/home/USER/.z-push/log/z-push-error.log

Example:

[WARN] SECURITY PROBLEM: insecure server advertised AUTH=PLAIN

2.3 Exim Main Log

Contains email receipt and delivery logs.

/var/log/exim_mainlog

Example:

SpamAssassin detected message as NOT spam (0.0)

2.4 Exim Panic Log

Contains severe Exim errors. This file should always be empty.

/var/log/exim_paniclog

2.5 Exim Reject Log

Logs messages rejected due to ACL rules.

/var/log/exim_rejectlog

Example:

refused relay to <[email protected]>

2.6 Dovecot IMAP/POP3 Log

On Red Hat:

/var/log/maillog

On Ubuntu:

/var/log/mail.log

Example:

dovecot: imap-login: Login: user=..., secured

2.7 Mail Queue Directory

/var/spool/exim/input

2.8 Mailman Logs

/usr/local/cpanel/3rdparty/mailman/logs

3. Memory Usage Logs (dcpumon)

Path:

/var/log/dcpumon/YYYY/MMM/DD

Use this tool to interpret logs:

/usr/local/cpanel/bin/dcpumonview

Example:

mysql=0=8.99=0=...
root=5.87=24.59=2=90.5=...

4. Munin Logs

Path:

/var/log/munin

Example Files:

munin-html.log
munin-limits.log
munin-update.log

5. MySQL & MariaDB Logs

5.1 MySQL 5.7+ / MariaDB 10.3+

/var/log/mysqld.log

Example:

InnoDB: Waiting for purge to start
mysqld: ready for connections

5.2 MySQL 5.6 / MariaDB 10.2 and earlier

/var/lib/mysql/HOSTNAME.err

Conclusion

These log files provide essential insights into FTP transfers, email delivery, authentication attempts, memory usage, Munin monitoring, and MySQL database behavior. Understanding these logs helps administrators troubleshoot issues quickly and maintain a stable, secure hosting environment.

1. Apache Webserver Logs in cPanel & WHM

Apache maintains several log files that record access activity, security events, CGI execution, ModSecurity actions, and Tomcat connections. These logs are essential for diagnosing website issues, security problems, and server performance.

2. Piped Logging (Recommended for Large Servers)

If your server hosts many domains, enabling piped logging reduces the number of log files Apache must manage. This prevents Apache from restarting every time logs rotate.

You can enable piped logging in:

WHM » Home » Service Configuration » Apache Configuration » Piped Log Configuration

3. domlogs Directory

3.1 User domlogs

This directory contains log data for each user on servers running EasyApache 4.

/etc/apache2/logs/domlogs/USER

The system creates this directory when cpanellogd rotates and archives:

• /etc/apache2/logs/domlogs/domain-ssl_log
• /etc/apache2/logs/domlogs/domain

3.2 Additional actions performed by cPanel

• Adds a link to the user’s logs in /home/USER/access_logs
• Adds a symlink to the archived log file in /home/USER/logs
• Symlink may include a .bkup extension

Example domlog entries:

94.228.34.208 - - [19/Nov/2015:08:45:09 -0600] "GET /robots.txt HTTP/1.1" 302 235 "-" "robots"
94.228.34.208 - - [19/Nov/2015:08:45:10 -0600] "GET /forums/forumdisplay.php?f=5 HTTP/1.1" 302 239 "-" "magpie-crawler"

4. ModSecurity Audit Log

Path:

/var/log/apache2/modsec_audit.log

This file contains ModSecurity audit events.

Important: If MPM_ITK or Mod_Ruid2 is enabled, logs appear in:

/etc/apache2/logs/modsec_audit/USER

Example:

ModSecurity: Audit log: Failed to lock global mutex: Identifier removed

5. suEXEC Audit Log

Path:

/var/log/apache2/suexec_log

Useful for diagnosing internal server errors that do not appear in the main error log.

Example:

[error] ModSecurity: Inbound Anomaly Score Exceeded

6. suPHP Audit Log

Path:

/var/log/apache2/suphp_log

Contains execution logs for PHP scripts running under suPHP.

Example:

[info] Executing "/home/test/public_html/member.php" as UID 563, GID 563

7. Tomcat Connector Log (mod_jk)

Path:

/var/log/apache2/mod_jk.log

Contains logs for Apache ↔ Tomcat AJP connections.

Example:

[info] ajp_handle_cping_cpong: timeout in reply

8. Apache Error Log

Path:

/var/log/apache2/error_log

This file contains general Apache errors, CGI errors, and application-level issues.

You can also view these logs in:

cPanel » Home » Metrics » Errors

Conclusion

Apache log files provide essential insight into website behavior, security events, script execution, and server performance. Understanding these logs helps administrators troubleshoot issues quickly and maintain a stable hosting environment.