Where can I find the user and admin activity log? That is, when a user or admin (root) logs in to either cPanel or WHM and does things like removing or modifying a file.
--no sign of signature--
All activity in the cPanel, WHM, and Webmail interfaces is logged to /usr/local/cpanel/logs/access_log. Logins to cPanel, WHM and Webmail are logged to /usr/local/cpanel/logs/login_log. Errors that occur in cPanel are logged to /usr/local/cpanel/logs/error_log.
For hands-on assistance, please reference our new support information page: Where should I go for support?
cPResources: Support Options - Submit a ticket here - Additional Support Options - Forums Search - Mailing Lists(Alt) - Documentation - Find cPanel hosting
-- Jared Ryan, Technical Analyst, cPanel Technical Support
Sorry for a very very late comment.
But all I can see in /usr/local/cpanel/logs/access_log is GET requests to some files/dirs. I can't find any log saying "deleting here" or "change setting there to what" or anything like that. Is there any chance that I wrongly configured cPanel log behaviour?
I even found entries like this:
Code:
10.18.11.10 proxy $USERNAME [10/01/2010:03:35:44 -0000] "GET /cPanel_magic_revision ...
Why didn't it log the actual public IP instead of private IP?
--no sign of signature--
The cPanel access log logs the exact function that is called, the URL that is used to activate the function. The function names do not always correspond exactly to what you see in the WebHost Manager or cPanel. For example, terminating an account will call "killacct." It is an Apache-style log, logging exactly the URL that was called by the browser, and the result of the request.
The public IP address that made the request should be logged. In your case, is 10.18.11.10 the server's private IP address, or is it another system on the network?
-- Jared Ryan, Technical Analyst, cPanel Technical Support
Hmm, that makes sense. So, what keyword/function should I grep to find who deleted a file/directory?
Quote: The public IP address that made the request should be logged. In your case, is 10.18.11.10 the server's private IP address, or is it another system on the network?
Nope, the server only has one IP, the public IP.
--no sign of signature--
When using file manager, I'm not seeing any indication of the file deletion other than these lines on my own machine when I tested deleting a file:
Code:
208.74.121.102 - admin [10/14/2010:20:15:22 -0000] "POST /frontend/x3/filemanager/live_fileop.xml HTTP/1.1" 200 0 "https://mydomain.com:2083/frontend/x3/filemanager/index.html?dirselect=webroot&domainselect=mydomain.com&dir=%2Fhome%2Fadmin%2Fpublic_html" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10"
208.74.121.102 - admin [10/14/2010:20:15:22 -0000] "GET /frontend/x3/filemanager/listfiles.json?types=dir&dir=%2fhome%2fadmin%2fpublic_html HTTP/1.1" 200 0 "https://mydomain.com:2083/frontend/x3/filemanager/index.html?dirselect=webroot&domainselect=mydomain.com&dir=%2Fhome%2Fadmin%2Fpublic_html" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10"
-- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support
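An added example, not part of the original thread and not cPanel's own code: a Python script that pulls File Manager POST requests out of access_log lines in the layout quoted above and reports who made each request, from which address (flagging private ones such as 10.18.11.10), and the directory named in the referer. The sample lines are constructed from the excerpts in this thread; `exampleuser`, `example.com` and the full 10.18.11.10 entry are made up for the demonstration.

```python
import ipaddress
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Field layout as seen in the excerpts in this thread (date is MM/DD/YYYY).
LINE_RE = re.compile(
    r'(?P<ip>[0-9A-Fa-f.:]+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

# Constructed sample lines modelled on those excerpts; user agents shortened,
# the 10.18.11.10 entry and its user name are made up for the demonstration.
SAMPLE_LOG = [
    '208.74.121.102 - admin [10/14/2010:20:15:22 -0000] "POST /frontend/x3/filemanager/live_fileop.xml HTTP/1.1" 200 0 "https://mydomain.com:2083/frontend/x3/filemanager/index.html?dirselect=webroot&domainselect=mydomain.com&dir=%2Fhome%2Fadmin%2Fpublic_html" "Mozilla/5.0"',
    '208.74.121.102 - admin [10/14/2010:20:15:22 -0000] "GET /frontend/x3/filemanager/listfiles.json?types=dir&dir=%2fhome%2fadmin%2fpublic_html HTTP/1.1" 200 0 "https://mydomain.com:2083/frontend/x3/filemanager/index.html?dir=%2Fhome%2Fadmin%2Fpublic_html" "Mozilla/5.0"',
    '10.18.11.10 proxy exampleuser [10/01/2010:03:35:44 -0000] "POST /frontend/x3/filemanager/live_fileop.xml HTTP/1.1" 200 0 "https://example.com:2083/frontend/x3/filemanager/index.html?dir=%2Fhome%2Fexampleuser%2Fpublic_html" "Mozilla/5.0"',
    'garbage line that does not match',
]


def file_manager_writes(lines):
    """Return one record per POST to a File Manager endpoint."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or "/filemanager/" not in m["path"]:
            continue
        when = datetime.strptime(m["ts"], "%m/%d/%Y:%H:%M:%S %z")
        # The POST body (operation and file name) is not in the log; the
        # referer's dir= parameter is the only location hint available.
        query = parse_qs(urlsplit(m["referer"] or "").query)
        events.append({
            "time": when.isoformat(),
            "user": m["user"],
            "ip": m["ip"],
            "ip_is_private": ipaddress.ip_address(m["ip"]).is_private,
            "endpoint": urlsplit(m["path"]).path,
            "dir": query.get("dir", [None])[0],
            "status": int(m["status"]),
        })
    return events


if __name__ == "__main__":
    for event in file_manager_writes(SAMPLE_LOG):
        print(event)
```

The output narrows a deletion to a user, source address, time and directory; correlating the timestamp with login_log entries for the same user is the next step, since the file name itself never reaches access_log.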
Then, I guess, there is no hope of finding information on when a specific file was deleted. The log you excerpted doesn't tell me anything about what file was deleted. The case is I need to know who deleted my files, the public_html directory, if you need to know.
Is there any chance, maybe in the future, that there will be a better cpanel admin activity log?
--no sign of signature--
Any comment?
--no sign of signature--