Where to Find a FULL Audit of cPanel Login History - Successes and Failures (not WHM) ?

Aug 22, 2016
cPanel Access Level
Root Administrator
I'm a bit baffled by this one, it doesn't seem to exist..... Seems like such a basic requirement or any modern system, yet so difficult to find and/or just doesn't exist anywhere.

When you login to a cPanel 'user_abc123' account, view the File Manager then .lastlogin file, this shows very basic info in here, but from what I've read, this file only updates if you login to cPanel using the 'user_abc123' from a different IP address. But where are the logs showing I have logged in 2, 3, 4, 5 times from the same IP address successfully and at what times/dates etc? Seems cPanel is being extremely lazy here and just not logging this info for what is fundamentally a 5 minute coding exercise in cPanel's development.

Next. Where does cPanel log failed logins for a cPanel account? Seems I can only find this info when logging into WHM, running the command 'tail -n 100 /usr/local/cpanel/logs/login_log' then either digging through the logs for all cPanel accounts and/or running the original command and piping that to grep i.e. "tail -n 100 /usr/local/cpanel/logs/login_log | grep 'user_abc123' ".

Surely, this can't be the only way to do this? This is painful. I want to click a button in cPanel and see a Login History (success and failure) at the click of a button, and with full audit history - which it seems that cPanel can't even be bothered to capture for successful logins. I don't want to be thrown a 1000 piece jigsaw and told to figure it out, in scenarios when this info is important, it's essential I have this info at my fingertips in seconds, not having to dig around in scattered log files.

Am I missing something blindingly obvious here or is cPanel really that bad at these basic requirements?

Note, I have been speaking to cPanel support and have been disappointed with the information provided so far, so I am reaching out to the community on this topic to see if there is anything I'm missing here.

Any insights appreciated...

Last edited by a moderator:


Well-Known Member
Sep 27, 2016
cPanel Access Level
Root Administrator
It's logged in the access_log found in /usr/local/cpanel/logs/:
Code: - myusername [12/29/2022:00:52:25 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "https://example.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0" "-" "-" 2083 - myusername [12/29/2022:00:53:30 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "https://example.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0" "-" "-" 2083
First is a failed login from It returns code 401.
Second is a successful login. It returns a 301 redirect.

That's the only place logins (whether successful or not) are logged.
  • Like
Reactions: cPRex