The Lazy Admin Blog


cPanel email log explanation & examples – Audit Log

March 13, 2017

Unfortunately, cPanel does not have any graphical interface or audit logs as far as emails are concerned, so we will have to use the available command line tools for advanced troubleshooting.

An audit log is a document that records an event in an information technology system.

In addition to documenting what resources were accessed, audit log entries usually include destination and source addresses, a time-stamp and user login information.

In this guide we will learn how email account operations (creating an account, deleting an account, etc.) are written to the logs, so that they can be monitored.

For your convenience, these are cPanel’s email log locations:

  • Delivery and receipt log: /var/log/exim_mainlog
  • Incoming mail queue: /var/spool/exim/input/
  • Log of messages rejected based on ACLs or other policies: /var/log/exim_rejectlog
  • Unexpected/fatal error log: /var/log/exim_paniclog
  • IMAP, POP3 login attempts, transactions, fatal errors and spam scoring: /var/log/maillog and /var/log/messages
  • Mailman: /usr/local/cpanel/3rdparty/mailman/logs

The exim_mainlog records the interactions that exim handles, both incoming and outgoing mail transactions. This log does NOT record account-level actions such as creating or deleting an email account, changing passwords, etc.

So in this guide we will focus on /usr/local/cpanel/logs/access_log.

Learning to read /usr/local/cpanel/logs/access_log is important, because it holds much-needed information.

The ‘tail’ command displays the last lines of a file, and its main purpose is to read the latest messages. We will add the “-f” argument to output appended data as the file is being written:

 tail -f /usr/local/cpanel/logs/access_log

Now create an email box from within cPanel:

For this example I’ve created an email account named “Test”.

Let’s take a look at how creating an email account is represented in the log file (/usr/local/cpanel/logs/access_log):

  • A – Operator’s IP address
  • B – cPanel username of the operator (jetnet)
  • C – Which operation has been made? addpop = create an email account (you can see that the account name is “Test”)
  • D – Quota of the newly created email account (1024)
  • E – Domain name of the newly created email account (jetserver.net)
  • F – Did the operation succeed? (200 = Yes)

How changing an email account’s password is represented in the log:

We can see it is represented in the same way as before, except for the operation that has been made:

  • B – Which operation has been made? passwdpop&email = change the password of an email account, and which email account it was made on.

How suspending an account is represented in the log:

Same concept. By reading the log we can see that:

The cPanel user jetnet requested a suspension (suspend_incoming) of the email account test on the domain jetserver.net. Did the operation succeed? Yes (200).

Our last example is deleting an email account. Same concept:

The cPanel user jetnet requested the deletion (delpop) of the email account test on the domain jetserver.net. Did the operation succeed? Yes (200).
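The four operations covered above can be pulled out of the log in one pass. The script below is an added example, not part of the original guide: it assumes each line has the layout IP - user [time] "request" status, with the operation name and its arguments in the request URL. The function names and sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide.
# Assumption: each access_log line looks like
#   IP - USER [time] "METHOD URL PROTO" STATUS ...
# with the operation name and its arguments in the URL query string.

# Print "IP USER OPERATION MAILBOX STATUS" for every email-account operation.
# Reads the files given as arguments, or stdin when none are given.
email_audit() {
  awk '
    BEGIN { FS = "\"" }              # $1 = prefix, $2 = request line, $3 = status part
    {
      split($1, pre, " ")            # pre[1] = operator IP, pre[3] = cPanel user
      split($2, req, " ")            # req[2] = requested URL
      split($3, post, " ")           # post[1] = HTTP status code
      n = split(req[2], kv, /[?&]/)  # kv[2..n] = key=value pairs
      op = ""; email = ""; domain = ""
      for (i = 2; i <= n; i++) {
        eq = index(kv[i], "=")
        k = substr(kv[i], 1, eq - 1); v = substr(kv[i], eq + 1)
        gsub(/%40/, "@", v)          # decode a URL-encoded @
        if (k == "email")       email = v
        else if (k == "domain") domain = v
        else if (v ~ /^(addpop|passwdpop|delpop|suspend_incoming)$/) op = v
      }
      if (op == "") next             # not an email-account operation
      if (email !~ /@/ && domain != "") email = email "@" domain
      print pre[1], pre[3], op, email, post[1]
    }' "$@"
}

# Constructed sample lines (illustrative values, not real log output).
sample_log() {
  cat <<'EOF'
203.0.113.10 - jetnet [03/13/2017:10:01:02 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_module=Email&cpanel_jsonapi_func=addpop&email=Test&quota=1024&domain=jetserver.net HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.10 - jetnet [03/13/2017:10:02:10 -0000] "GET /cpsess0000000000/frontend/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.10 - jetnet [03/13/2017:10:03:41 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_module=Email&cpanel_jsonapi_func=passwdpop&email=test&domain=jetserver.net HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - jetnet [03/13/2017:10:05:00 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_module=Email&cpanel_jsonapi_func=suspend_incoming&email=test%40jetserver.net HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - jetnet [03/13/2017:10:06:30 -0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_module=Email&cpanel_jsonapi_func=delpop&email=test&domain=jetserver.net HTTP/1.1" 200 0 "-" "Mozilla/5.0"
EOF
}

sample_log | email_audit
```

On a server, pass the log file as the argument (email_audit /usr/local/cpanel/logs/access_log) or pipe the tail -f command shown earlier into it. The function only sees parameters that appear in the request URL.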

 

I hope this guide was informative for you and you will be able to trace your account actions a little bit better 😉

Good Luck!

Daniel Alum.
