When a site is hacked, the access logs are an important resource to find out how the hackers got in, but with cPanel's daily rotation, the logs are often already rotated by the time the analysis starts and the data is lost forever.
The setting within cPanel to store logs for the month is not useful, as it relies on the client / cPanel user to have the correct settings.
I'd prefer a setting in WHM (root/reseller) level where we can specify to archive logs for the last X days with the last day being removed and replaced by the new log on each rotation. So there are never more than X logs in total stored, but we can always go back X days.
We used to have a similar system with Ensim and whilst under no circumstances do I wish to go back to it, it was pretty much the only useful bit that cPanel doesn't have.
Where the logs are stored, I'm not too fussed. If there could be an interface to download via cPanel would be great, but failing that just having them somewhere safe where I can get to them via root SSH would suffice.
As for disk space, if we only store the last 5 days, and assuming that the logs for past days are zipped, it could be part of the user's disk space.
So in summary:
* Have a setting in WHM where I can specify to keep access logs for past X days
* ZIP all but the current log
* The X days are on a rolling basis, the last day is always removed when a new archive is created
* Store on server; a cPanel download button would be a bonus
* Have this feature in addition to the existing cPanel level log settings
Many thanks for reading this,