The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

user and admin activity log

Discussion in 'General Discussion' started by ReiJu, Aug 20, 2010.

  1. ReiJu

    ReiJu Well-Known Member

    Joined:
    Mar 14, 2008
    Messages:
    57
    Likes Received:
    1
    Trophy Points:
    6
    Where can I find user and admin activity log? That is, when a user or admin (root) log to whether cpanel or whm and doing things like removing or modifying file.
     
  2. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    /usr/local/cpanel/logs

    All activity in the cPanel, WHM, and Webmail interfaces is logged to /usr/local/cpanel/logs/access_log. Logins to cPanel, WHM and Webmail are logged to /usr/local/cpanel/logs/login_log. Errors that occur in cPanel are logged to /usr/local/cpanel/logs/error_log.
     
  3. ReiJu

    ReiJu Well-Known Member

    Joined:
    Mar 14, 2008
    Messages:
    57
    Likes Received:
    1
    Trophy Points:
    6
    Sorry for a very very late comment.

    But all I can see in /usr/local/cpanel/logs/access_log is GET request to some files/dirs. I can't find any log saying "deleting here" or "change setting there to what" or anything like that. Is there any chance that I wrongly configured cpanel log bahaviour?

    I even found entries like this:

    Code:
    10.18.11.10 proxy $USERNAME [10/01/2010:03:35:44 -0000] "GET /cPanel_magic_revision ...
    Why didn't it log the actual public IP instead of private IP?
     
  4. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    The cPanel access log logs the exact function that is called, the URL that is used to activate the function. The function names do not always correspond exactly to what you see in the WebHost Manager or cPanel. For example, terminating an account will call "killacct." It is an Apache-style log, logging exactly the URL that was called by the browser, and the result of the request.

    The public IP address that made the request should be logged. In your case, is 10.18.11.10 the server's private IP address, or is it another system on the network?
     
  5. ReiJu

    ReiJu Well-Known Member

    Joined:
    Mar 14, 2008
    Messages:
    57
    Likes Received:
    1
    Trophy Points:
    6
    Hmm, that make sense. So, what keyword/function I should grep to find who deleted a file/directory?

    Nope, the server only has one IP, the public IP.
     
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    When using file manager, I'm not seeing any indication of the file deletion other than these lines on my own machine when I tested deleting a file:

    Code:
    208.74.121.102 - admin [10/14/2010:20:15:22 -0000] 
    "POST /frontend/x3/filemanager/live_fileop.xml HTTP/1.1" 200 0 
    "https://mydomain.com:2083/frontend/x3/filemanager/index.html?
    dirselect=webroot&domainselect=mydomain.com&dir=
    %2Fhome%2Fadmin%2Fpublic_html" "Mozilla/5.0 (Macintosh; U; 
    Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10"
    
    208.74.121.102 - admin [10/14/2010:20:15:22 -0000] "GET 
    /frontend/x3/filemanager/listfiles.json?types=dir&dir=
    %2fhome%2fadmin%2fpublic_html HTTP/1.1" 200 0 
    "https://mydomain.com:2083/frontend/x3/filemanager/index.html?
    dirselect=webroot&domainselect=mydomain.com&dir=
    %2Fhome%2Fadmin%2Fpublic_html" "Mozilla/5.0 (Macintosh; 
    U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10"
     
  7. ReiJu

    ReiJu Well-Known Member

    Joined:
    Mar 14, 2008
    Messages:
    57
    Likes Received:
    1
    Trophy Points:
    6
    Then, I guess, there is no hope in finding information when a specific file was deleted. The log you excerpted doesn't tell me anything about what file was deleted. The case is I need to know who was deleted my files, public_html directory, if you need to know.

    Is there any chance, maybe in the future, that there will be a better cpanel admin activity log?
     
  8. ReiJu

    ReiJu Well-Known Member

    Joined:
    Mar 14, 2008
    Messages:
    57
    Likes Received:
    1
    Trophy Points:
    6
    Any comment?
     
    Jose Nobile likes this.
Loading...

Share This Page