Tweak Settings: Store access logs for past X days [Case 53120]

[terraGirl]

When a site is hacked, the access logs are an important resource to find out how the hackers got in, but with cPanel's daily rotation, the logs are often already rotated by the time the analysis starts and the data is lost forever.

The setting within cPanel to store logs for the month is not useful, as it relies on the client / cPanel user to have the correct settings.

I'd prefer a setting in WHM (root/reseller) level where we can specify to archive logs for the last X days with the last day being removed and replaced by the new log on each rotation. So there are never more than X logs in total stored, but we can always go back X days.

We used to have a similar system with Ensim and whilst under no circumstances do I wish to go back to it, it was pretty much the only useful bit that cPanel doesn't have.

Where the logs are stored, I'm not too fussed. If there could be an interface to download via cPanel would be great, but failing that just having them somewhere safe where I can get to them via root SSH would suffice.

As for disk space, if we only store the last 5 days, and assuming that the logs for past days are zipped, it could be part of the user's disk space.

So in summary:
* Have a setting in WHM where I can specify to keep access logs for past X days
* ZIP all but the current log
* The X days are on a rolling basis, the last day is always removed when a new archive is created
* Store on server; a cPanel download button would be a bonus
* Have this feature in addition to the existing cPanel level log settings

Many thanks for reading this,
Edith Karnitsch

[DomineauX]

I support this request 100%
The lack of access log retention other than month by month or permanent is one of the very few seriously lacking abilities within cPanel.

[monarobase]

+ 1
This makes a lot of sense !

[Kent Brockman]

+1 for this.

But... the archives should be tar-gzipped and I'm not sure nor confident on storing the data in the user account space.
Take in account that storing the last 5 days of access log may consume different disk space in every account. There may be websites using small packages but having a huge amount of visitors, hence producing bigger access logs. This feature is very interesting but some customers may be forced to upgrade to bigger packages in order to cope with the disk space required to store the generated logs. I think this issue may be circumvented if cPanel store the logs in a global folder in the system, thus leaving these archives out of the access of a hacker in the process. Because if you want to audit bad behaviours in your website, if it is hacked, the logs will surely be deleted. That's why I think they must be stored in a folder out of the range of the given user.

Also, this feature should come disabled by default, and allow to enable it for individual accounts. Because 1) Not every sysadmin will be aware of this addition, 2) Not every sysadmin will be happy of storing lots of Gigs of data if their server disks are at 80% . And, additionally, of you will be able to enable this functionality for individual accounts, this feature would be richest if you also may be enable to set for how many days every enabled account will individually store access logs.

Thank you

[Infopro]

When a site is hacked, the access logs are an important resource to find out how the hackers got in, but with cPanel's daily rotation, the logs are often already rotated by the time the analysis starts and the data is lost forever.

The setting within cPanel to store logs for the month is not useful, as it relies on the client / cPanel user to have the correct settings.

I'd prefer a setting in WHM (root/reseller) level where we can specify to archive logs for the last X days with the last day being removed and replaced by the new log on each rotation. So there are never more than X logs in total stored, but we can always go back X days.

We used to have a similar system with Ensim and whilst under no circumstances do I wish to go back to it, it was pretty much the only useful bit that cPanel doesn't have.

Where the logs are stored, I'm not too fussed. If there could be an interface to download via cPanel would be great, but failing that just having them somewhere safe where I can get to them via root SSH would suffice.

As for disk space, if we only store the last 5 days, and assuming that the logs for past days are zipped, it could be part of the user's disk space.

So in summary:
* Have a setting in WHM where I can specify to keep access logs for past X days
* ZIP all but the current log
* The X days are on a rolling basis, the last day is always removed when a new archive is created
* Store on server; a cPanel download button would be a bonus
* Have this feature in addition to the existing cPanel level log settings

Many thanks for reading this,
Edith Karnitsch

This (I've highlighted it in bold above) sounds more like an enhancement to existing features/settings if I'm reading it correctly. Adding a setting for the number of days logs are saved.

And an enhancement to this setting giving the host access to change a setting on a users account from WHM:

The setting within cPanel to store logs for the month is not useful, as it relies on the client / cPanel user to have the correct settings.

[terraGirl]

Many thanks for replying!

Yes, a modification of the existing function can work but it would need to be protected so users cannot modify via cPanel.

Users could still enable:
* Archive logs in your home directory at the end of each stats run[ [every 24 hour(s)~]]
* Remove the previous month's archived logs from your home directory at the end of each month

But in addition, the server root can set a minimum number of X days logs are kept which can't be over-ridden by resellers/cpanel users

So the archive functions in cPanel would be in addition to the minimum number of days set for the entire server.

Many thanks, Edith

[cPanelDavidG]

Just an update to this discussion, the entirety of the original post is in an internal case and we hope to implement this by version 11.34.

[DomineauX]

Wonderful David, thanks for the update!

[terraGirl]

Great news!

[rojer_31]

Dudes, we have a situation here where we need the access logs & just discovered that all the raw logs are gone. I cannot believe raw data is not stored by default for even 3 months!

[LBJ]

+1

Excellent idea.