user and admin activity log

Discussion in 'General Discussion' started by ReiJu, Aug 20, 2010.

  1. ReiJu

    ReiJu Well-Known Member

    Joined:
    Mar 14, 2008
    Messages:
    57
    Likes Received:
    1
    Trophy Points:
    58
    Where can I find the user and admin activity log? That is, when a user or admin (root) logs in to either cPanel or WHM and does things like removing or modifying a file.
  2. cPanelJared

    cPanelJared Technical Analyst

    Joined:
    Feb 25, 2010
    Messages:
    1,835
    Likes Received:
    21
    Trophy Points:
    143
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    /usr/local/cpanel/logs

    All activity in the cPanel, WHM, and Webmail interfaces is logged to /usr/local/cpanel/logs/access_log. Logins to cPanel, WHM and Webmail are logged to /usr/local/cpanel/logs/login_log. Errors that occur in cPanel are logged to /usr/local/cpanel/logs/error_log.
     
  3. ReiJu

    ReiJu Well-Known Member

    Sorry for a very very late comment.

    But all I can see in /usr/local/cpanel/logs/access_log is GET requests to some files/dirs. I can't find any log saying "deleting here" or "change setting there to what" or anything like that. Is there any chance that I wrongly configured cPanel log behaviour?

    I even found entries like this:

    Code:
    10.18.11.10 proxy $USERNAME [10/01/2010:03:35:44 -0000] "GET /cPanel_magic_revision ...
    Why didn't it log the actual public IP instead of private IP?
     
  4. cPanelJared

    cPanelJared Technical Analyst

    The cPanel access log logs the exact function that is called, the URL that is used to activate the function. The function names do not always correspond exactly to what you see in the WebHost Manager or cPanel. For example, terminating an account will call "killacct." It is an Apache-style log, logging exactly the URL that was called by the browser, and the result of the request.

    The public IP address that made the request should be logged. In your case, is 10.18.11.10 the server's private IP address, or is it another system on the network?
     
  5. ReiJu

    ReiJu Well-Known Member

    Hmm, that makes sense. So, what keyword/function should I grep for to find who deleted a file/directory?

    Nope, the server only has one IP, the public IP.
     
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    When using file manager, I'm not seeing any indication of the file deletion other than these lines on my own machine when I tested deleting a file:

    Code:
    208.74.121.102 - admin [10/14/2010:20:15:22 -0000] 
    "POST /frontend/x3/filemanager/live_fileop.xml HTTP/1.1" 200 0 
    "https://mydomain.com:2083/frontend/x3/filemanager/index.html?
    dirselect=webroot&domainselect=mydomain.com&dir=
    %2Fhome%2Fadmin%2Fpublic_html" "Mozilla/5.0 (Macintosh; U; 
    Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10"
    
    208.74.121.102 - admin [10/14/2010:20:15:22 -0000] "GET 
    /frontend/x3/filemanager/listfiles.json?types=dir&dir=
    %2fhome%2fadmin%2fpublic_html HTTP/1.1" 200 0 
    "https://mydomain.com:2083/frontend/x3/filemanager/index.html?
    dirselect=webroot&domainselect=mydomain.com&dir=
    %2Fhome%2Fadmin%2Fpublic_html" "Mozilla/5.0 (Macintosh; 
    U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10"
     
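Added example (not part of any post in this thread and not cPanel's own code): a parser for the Apache-style access_log lines quoted above that lists every POST and every request to a watched function, with the account, source IP, time and the directory taken from the referer. The field layout is inferred from the quoted lines; `audit`, `WATCH`, `FM` and `SAMPLE` are names made up for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Field layout inferred from the access_log lines quoted in this thread:
# ip ident user [date] "METHOD path HTTP/x" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

# Substrings named in the thread: the File Manager operation endpoint and
# the function called when an account is terminated.
WATCH = ("live_fileop", "killacct")

def audit(lines, watch=WATCH):
    """Return a record for every POST and every request to a watched function."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # truncated or otherwise unparseable entry
        path = urlsplit(m["path"]).path
        if m["method"] != "POST" and not any(w in path for w in watch):
            continue
        # The referer's dir= parameter is the directory that was open in
        # File Manager; parse_qs percent-decodes it.
        query = urlsplit(m["referer"] or "").query
        hits.append({"when": m["when"], "ip": m["ip"], "user": m["user"],
                     "method": m["method"], "path": path,
                     "status": int(m["status"]),
                     "dir": parse_qs(query).get("dir", [None])[0]})
    return hits

FM = "/frontend/x3/filemanager/"
# Entries 1-2 are the lines posted above, rejoined (user agent shortened);
# entry 3 is constructed; entry 4 is the truncated line quoted earlier.
SAMPLE = [
    f'208.74.121.102 - admin [10/14/2010:20:15:22 -0000] "POST {FM}live_fileop.xml HTTP/1.1" 200 0 '
    f'"https://mydomain.com:2083{FM}index.html?dirselect=webroot&domainselect=mydomain.com&dir=%2Fhome%2Fadmin%2Fpublic_html" "Mozilla/5.0"',
    f'208.74.121.102 - admin [10/14/2010:20:15:22 -0000] "GET {FM}listfiles.json?types=dir&dir=%2fhome%2fadmin%2fpublic_html HTTP/1.1" 200 0 '
    f'"https://mydomain.com:2083{FM}index.html?dir=%2Fhome%2Fadmin%2Fpublic_html" "Mozilla/5.0"',
    f'198.51.100.7 - alice [10/15/2010:09:02:11 -0000] "POST {FM}live_fileop.xml HTTP/1.1" 200 0 '
    f'"https://example.com:2083{FM}index.html?dir=%2Fhome%2Falice%2Fpublic_html%2Fold" "ExampleAgent/1.0"',
    '10.18.11.10 proxy $USERNAME [10/01/2010:03:35:44 -0000] "GET /cPanel_magic_revision ...',
]

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print(hit)
```

The records give the account, source IP, time and the directory that was open; the quoted log lines carry no file name, so they narrow down who performed a File Manager operation and when, not which file it touched.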
  7. ReiJu

    ReiJu Well-Known Member

    Then, I guess, there is no hope of finding information about when a specific file was deleted. The log you excerpted doesn't tell me anything about what file was deleted. The case is that I need to know who deleted my files, the public_html directory, if you need to know.

    Is there any chance, maybe in the future, that there will be a better cPanel admin activity log?
     
  8. ReiJu

    ReiJu Well-Known Member

    Joined:
    Mar 14, 2008
    Messages:
    57
    Likes Received:
    1
    Trophy Points:
    58
    Any comment?
     