cPanel | Log tracking: track cPanel users' navigations and actions
How to interpret cPanel and WHM access logs
How can I track cpanel users navigations and actions
How to track who have login to my cpanel
Best method to track down offending ip address?
Help tracking down a hacker .. where to view Cpanel login IP's?
This feature inside the csf firewall lets you view the access log file recording what was done on any of your users,
and you can easily search inside it for anything, or for a login made from a specific IP.
Each entry will contain either a GET or a POST for the detailed action that was performed.
Any action made in the cPanel or WHM interfaces is traced in
Some generic data can be found within the cPanel access log. Using the following technique can help you become familiar with
what kinds of actions are associated with the logs that you find in /usr/local/cpanel/logs/access_log.
For example, you may want to track logins to webmail and what happened inside it.
You'll need to decide what kind of information you would like to know. For example,
you could decide to monitor logs related to logging into webmail.
Inside the log you will find an entry like this - testemail%40cptest.tld [09/15/2020:15:03:07 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36" "-" "-" 2096
You'll notice that the log has a "POST /login/?login" on port "2096" for the testemail@cptest.tld user.
Looking for that in the access_log would be a good indicator that a user used that exact method to log in to webmail.
There are other methods of logging into webmail, so looking for this kind of access log will only reveal logins for that specific login method.
For example, logging into webmail via the "Check Mail" button in the cPanel interface does not post to the /login URL.
It is not possible to fully audit all user actions through the access log because the actions taken are often very generic.
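The search described above, as an added example (not from the original page or from cPanel): a short Python filter that pulls "POST /login/" entries on port 2096 out of access_log lines and groups them by client IP, so it only catches the login-form method. The leading client-IP field and all sample lines are constructed assumptions; the page's own sample entry begins at the "-" field.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Field layout follows the sample entry on this page. The leading client-IP
# field is an assumption: the page's sample starts at the "-" field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'.*\s(?P<port>\d+)$'
)

# Constructed sample lines (documentation IP ranges, shortened user agent).
SAMPLE_LOG = '''\
192.0.2.10 - testemail%40cptest.tld [09/15/2020:15:03:07 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "" "Mozilla/5.0" "-" "-" 2096
192.0.2.10 - testemail%40cptest.tld [09/15/2020:15:03:09 -0000] "GET /index.html HTTP/1.1" 200 0 "" "Mozilla/5.0" "-" "-" 2096
198.51.100.7 - other%40cptest.tld [09/15/2020:15:10:41 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "" "Mozilla/5.0" "-" "-" 2096
198.51.100.7 - cpuser [09/15/2020:15:12:00 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "" "Mozilla/5.0" "-" "-" 2083
not an access_log line
'''


def webmail_logins(lines, port="2096", ip=None):
    """Return {client_ip: [(timestamp, user), ...]} for POSTs to /login/ on `port`.

    Pass `ip` to keep only entries from one source address.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or truncated lines
        if m["method"] != "POST" or not m["path"].startswith("/login/"):
            continue  # only the login-form method leaves this trace
        if m["port"] != port or (ip and m["ip"] != ip):
            continue
        # The user field is URL-encoded in the log (%40 is "@").
        hits[m["ip"]].append((m["ts"], unquote(m["user"])))
    return dict(hits)


if __name__ == "__main__":
    for src, events in webmail_logins(SAMPLE_LOG.splitlines()).items():
        for ts, user in events:
            print(f"{ts}  {src}  {user}")
```

On a server, feed it the lines of /usr/local/cpanel/logs/access_log instead of SAMPLE_LOG.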
You can also monitor the /var/log/messages file to see the block messages that were logged.
Here are some log files you may find useful: