How to know last login from all e-mail accounts within a Cpanel domain?

Lucas Nascimento

cPanel Access Level
Root Administrator
Hi guys! One of my clients raised this question, since they're starting a cleanup of all their 180 e-mail accounts. They asked me if we could check the last login date of all accounts, or at least check all the accounts that logged in within the last three months.

I already searched other threads about the same subject, and they recommended searching logs within cPanel, but since they are from 6, 7 and even 9 years ago, it looks like they are outdated: I tried to follow the recommendations, but haven't found even the folders indicated.

Please, if anyone could help, I would be thankful. :)

Lucas
 

cPanelLauren

Product Owner II
Staff member
You can find the logins for cPanel/WHM/Webmail in the login_log at /usr/local/cpanel/logs/access_log. A webmail login entry looks like:

Code:
<mylocalIP> - lauren%40mydomain.tld [06/16/2020:05:24:02 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "https://server.mydomain.tld:2096/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" "-" "-" 2096
These logs are present for as long as log rotation allows them to be (just depends on what you've got set)

You can also see ALL logins for POP/IMAP and webmail access in /var/log/maillog

If you're saying that the logs go back too far it's pretty easy to check within a timeframe - something like this would do it for the last two hours and you can pipe in a grep for a specific user

Code:
awk -vDate=`date -d'now-2 hours' +[%d/%b/%Y:%H:%M:%S` '$4 > Date {print Date, $0}' /var/log/maillog |grep [email protected]
This will do specific timeframes, I've piped a grep for a specific email account and another for Login:
Code:
sed -n '/Jun 14 03:10:/ , /Jun 16 00:54:05/p' /var/log/maillog |grep [email protected] |grep Login
 

Lucas Nascimento

Hi Lauren! First of all, I thank you for your response! My problem, though, is that I cannot find any of these paths you indicated. I have WHM access, and a cPanel account bonded to it, as the main domain account, but in this account's cPanel, I cannot locate the folders you have indicated.

Do I have to search for it somewhere inside WHM, not in cPanel? Or am I missing something?

I recorded a screen capture to prove what I'm talking about... I find a "var" folder, but not "var > log > maillog"

captura.gif
 

cPanelLauren

Hi @Lucas Nascimento

I see. These log files aren't accessible through your cPanel account as they contain data for all accounts on the server. Your profile indicates you're a root administrator and as such we assume you have root access to the server - you'd be able to get this data by accessing the server using the CLI as the root user.
 

keat63

Well-Known Member
cPanel Access Level
Root Administrator
CSF (the firewall people) have a free file manager for WHM, called 'configserver explorer'
I guess it can be dangerous if you don't know what you are doing but is a very handy tool for things like this.

Or connect via SFTP as the root user.
 

cPanelLauren

If it gave you connection refused then, yes I would say to contact your hosting provider - it may be that the ssh port isn't open or SSH is listening on another port
 

froi-manila

Active Member
cPanel Access Level
Reseller Owner
I came across this thread as I have a customer who also requires the same.
However, this is about 2,900 email accounts :)
All are under a single domain.
Any idea of a command that will list successful logins of all email accounts from the past 'x' number of days and perhaps print it to a text file?

Thanks guys
 

cPRex

Jurassic Moderator
Staff member
cPanel Access Level
Root Administrator
@froi-manila - you'll have to make something custom for that. I'd recommend logging into an email account while watching the log file to get an idea of what a normal login looks like. Then you can create a command to search for similar entries in the log file, possibly sorting by date or just ignoring older data you don't want.
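
An added example (not part of the original thread and not cPanel's own tooling) of the kind of custom command described above: it reads /var/log/maillog-style lines and reports each mailbox's last successful login, its source IP and the login count since a cutoff. It assumes Dovecot's usual success line (`imap-login: Login: user=<...>, ..., rip=...`); the function names, the `YYYYMMDDhhmmss` cutoff keys and the sample lines are constructed for illustration.

```shell
# login_report SINCE [NOW] : read maillog lines on stdin and print, per mailbox,
#   account <TAB> last successful login <TAB> source IP <TAB> logins since SINCE
# SINCE/NOW are sortable keys (YYYYMMDDhhmmss). Assumed line format (Dovecot):
#   Jun 16 00:54:05 host dovecot: imap-login: Login: user=<a@b>, ..., rip=IP, ...
login_report() {
    since=$1
    now=${2:-$(date +%Y%m%d%H%M%S)}
    awk -v since="$since" -v now="$now" '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= n; i++) mon[m[i]] = i
        year = substr(now, 1, 4)
    }
    # Success lines only; failed attempts do not carry "Login: user=<".
    / (imap|pop3)-login: Login: user=</ && ($1 in mon) {
        split($3, t, ":")
        key = sprintf("%04d%02d%02d%02d%02d%02d", year, mon[$1], $2, t[1], t[2], t[3])
        # Syslog stamps carry no year: a date later than NOW is from last year.
        if (key > now) key = sprintf("%04d", year - 1) substr(key, 5)
        if (key < since) next
        user = tolower($0); sub(/.*user=</, "", user); sub(/>.*/, "", user)
        rip = match($0, /rip=[^, ]+/) ? substr($0, RSTART + 4, RLENGTH - 4) : "-"
        count[user]++
        if (key > last[user]) { last[user] = key; ip[user] = rip }
    }
    END {
        for (u in last) {
            k = last[u]
            printf "%s\t%s-%s-%s %s:%s:%s\t%s\t%d\n", u, substr(k, 1, 4),
                substr(k, 5, 2), substr(k, 7, 2), substr(k, 9, 2),
                substr(k, 11, 2), substr(k, 13, 2), ip[u], count[u]
        }
    }' | sort
}

# Constructed sample lines (not real log data).
sample_maillog() {
cat <<'EOF'
Dec 30 23:10:01 host dovecot: imap-login: Login: user=<old@example.test>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.2, mpid=901, TLS, session=<a1>
Jun  2 08:00:00 host dovecot: imap-login: Login: user=<bob@example.test>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.2, mpid=1102, TLS, session=<b2>
Jun 14 03:10:44 host dovecot: pop3-login: Login: user=<ana@example.test>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, mpid=1201, TLS, session=<c3>
Jun 16 00:54:05 host dovecot: imap-login: Login: user=<Ana@example.test>, method=PLAIN, rip=203.0.113.8, lip=198.51.100.2, mpid=1377, TLS, session=<d4>
Jun 16 01:02:11 host dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<bob@example.test>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.2, TLS, session=<e5>
EOF
}
# Demo on the sample: logins since 1 Apr 2020, evaluated as of 16 Jun 2020 12:00.
sample_maillog | login_report 20200401000000 20200616120000
# On the server, as root (GNU date, as used elsewhere in this thread):
#   zcat -f /var/log/maillog* | login_report "$(date -d '90 days ago' +%Y%m%d%H%M%S)" > logins.txt
```

Accounts missing from the report had no successful login in the logs that were read, so for a cleanup the output has to be compared against the full mailbox list; how far back it can see is bounded by log rotation.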