Cpanel | track cpanel users navigations and actions
How to interpret cPanel and WHM access logs
How can I track cpanel users navigations and actions
How to track who have login to my cpanel
Best method to track down offending ip address?
Help tracking down a hacker .. where to view Cpanel login IP's?



csf log access user

GET POST

Any action made in the cPanel or WHM interfaces is logged in:
 /usr/local/cpanel/logs/access_log
Some generic data can be found within the cPanel access log. Using the following technique can help you become familiar with
what kinds of actions are associated with the entries that you find in /usr/local/cpanel/logs/access_log.

webmail

You'll need to decide what kind of information you would like to know. For example,
you could decide to monitor logs related to logging in to webmail.



10.1.1.1 - testemail%40cptest.tld [09/15/2020:15:03:07 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "https://10.1.1.1:2096/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36" "-" "-" 2096
You'll notice that the log has a "POST /login/?login" on port "2096" for the testemail@cptest.tld user (the "@" appears URL-encoded as %40 in the log).
Looking for that in the access_log would be a good indicator that a user used that exact method to log in to webmail.

There are other methods of logging into webmail, so looking for this kind of access log will only reveal logins for that specific login method.
For example, logging in to webmail via the "Check Mail" button in the cPanel interface does not post to the /login URL.
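
The search described above, as an added example (not code from cPanel or from the original notes): it parses access_log lines, keeps only POST requests to /login on port 2096, and lists the source IPs seen per webmail user. The field layout is assumed from the single sample line on this page, and every sample line after the first is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

WEBMAIL_PORT = 2096  # port shown in the page's sample line

# Layout assumed from the page's sample line:
# ip ident user [time] "request" status bytes "referer" "agent" "-" "-" port
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "[^"]*" "[^"]*" (?P<port>\d+)\s*$'
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = unquote(rec["user"])  # testemail%40cptest.tld -> testemail@cptest.tld
    rec["port"] = int(rec["port"])
    return rec

def webmail_login_posts(lines):
    """Yield records for POST requests to /login on the webmail port."""
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["port"] == WEBMAIL_PORT
                and rec["path"].split("?")[0].rstrip("/") == "/login"):
            yield rec

def ips_per_user(lines):
    """Map each user to the sorted source IPs that posted to /login."""
    seen = defaultdict(set)
    for rec in webmail_login_posts(lines):
        seen[rec["user"]].add(rec["ip"])
    return {user: sorted(ips) for user, ips in seen.items()}

# First line is the page's sample; the rest are constructed for this example.
SAMPLE_LINES = [
    '10.1.1.1 - testemail%40cptest.tld [09/15/2020:15:03:07 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "https://10.1.1.1:2096/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36" "-" "-" 2096',
    '198.51.100.7 - testemail%40cptest.tld [09/15/2020:16:10:44 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "https://10.1.1.1:2096/" "ExampleAgent/1.0" "-" "-" 2096',
    '192.0.2.9 - cptest [09/15/2020:16:12:01 -0000] "GET /constructed/page.html HTTP/1.1" 200 0 "-" "ExampleAgent/1.0" "-" "-" 2083',
    'truncated line',
]

if __name__ == "__main__":
    for user, ips in ips_per_user(SAMPLE_LINES).items():
        print(user, ips)
```

To run it against a server, pass an open handle on /usr/local/cpanel/logs/access_log to `ips_per_user` instead of `SAMPLE_LINES`; the status field is kept but not interpreted, since the page does not say which status indicates a successful login.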

It is not possible to fully audit all user actions through the access log because the actions taken are often very generic.

/var/log/messages




Here are some log files you may find useful:

/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/login_log

:
https://support.cpanel.net/hc/en-us/...HM-access-logs
https://forums.cpanel.net/threads/ho...ctions.678721/
https://forums.cpanel.net/threads/ho...cpanel.443872/
https://forums.cpanel.net/threads/he...gin-ips.69386/