How to know last login from all e-mail accounts within a Cpanel domain?

Lucas Nascimento

Registered
Jun 12, 2020
4
1
3
Rio de Janeiro, Brazil
cPanel Access Level
Root Administrator
Hi Guys! one of my clients raised this question, since they're starting a cleanup in all their 180 e-mail accounts. They asked me if we could check the last login date of all accounts, or at least, check all the accounts that logged in within the last three months.

I already searched other threads that were about the same subject, and they recommended searching logs within cPanel, but since they are from 6, 7 and even 9 years ago, looks that they are outdated, since I tried to follow the recommendations, but haven't found even the folders indicated.

Please, if anyone could help, I would be thankful. :)

Lucas
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,257
313
Houston
You can find the logins for cPanel/WHM/Webmail in the login_log at /usr/local/cpanel/logs/access_log a webmail login entry looks like:

Code:
<mylocalIP> - lauren%40mydomain.tld [06/16/2020:05:24:02 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "https://server.mydomain.tld:2096/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" "-" "-" 2096
These logs are present for as long as log rotation allows them to be (just depends on what you've got set)

You can also see ALL logins for POP/IMAP and webmail access in /var/log/maillog

If you're saying that the logs go back too far it's pretty easy to check within a timeframe - something like this would do it for the last two hours and you can pipe in a grep for a specific user

Code:
awk -vDate=`date -d'now-2 hours' +[%d/%b/%Y:%H:%M:%S` '$4 > Date {print Date, $0}' /var/log/maillog |grep [email protected]
This will do specific timeframes, I've piped a grep for a specific email account and another for Login:
Code:
sed -n '/Jun 14 03:10:/ , /Jun 16 00:54:05/p' /var/log/maillog |grep [email protected] |grep Login
 

Lucas Nascimento

Registered
Jun 12, 2020
4
1
3
Rio de Janeiro, Brazil
cPanel Access Level
Root Administrator
You can find the logins for cPanel/WHM/Webmail in the login_log at /usr/local/cpanel/logs/access_log a webmail login entry looks like:

Code:
<mylocalIP> - lauren%40mydomain.tld [06/16/2020:05:24:02 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "https://server.mydomain.tld:2096/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" "-" "-" 2096
These logs are present for as long as log rotation allows them to be (just depends on what you've got set)

You can also see ALL logins for POP/IMAP and webmail access in /var/log/maillog

If you're saying that the logs go back too far it's pretty easy to check within a timeframe - something like this would do it for the last two hours and you can pipe in a grep for a specific user

Code:
awk -vDate=`date -d'now-2 hours' +[%d/%b/%Y:%H:%M:%S` '$4 > Date {print Date, $0}' /var/log/maillog |grep [email protected]
This will do specific timeframes, I've piped a grep for a specific email account and another for Login:
Code:
sed -n '/Jun 14 03:10:/ , /Jun 16 00:54:05/p' /var/log/maillog |grep [email protected] |grep Login
Hi Lauren! First of all, I thank you for your response! My problem, though, is that I cannot find any of these paths you indicated. I have WHM access, and a cPanel account bonded to it, as the main domain account, but in this account's cPanel, I cannot locate the folders you have indicated.

Do I have to search for it somewhere inside WHM, not in cPanel? Or am I missing something?

I recorded a screen capture to prove what I'm talking about... I find a "var" folder, but not "var > log > maillog"

captura.gif
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,257
313
Houston
Hi @Lucas Nascimento

I see. These log files aren't accessible through your cPanel account as they contain data for all accounts on the server. Your profile indicates you're a root administrator and as such we assume you have root access to the server - you'd be able to get this data by accessing the server using the CLI as the root user.
 

keat63

Well-Known Member
Nov 20, 2014
1,899
253
113
cPanel Access Level
Root Administrator
CSF (the firewall people) have a free file manager for WHM, called 'configserver explorer'
I guess it can be dangerous if you don't know what you are doing but is a very handy tool for things like this.

Or connect via SFTP as the root user.