👀 Choose SSD-powered VPS servers for increased speed, power, and security! Now 50% off- starting from only $3.19/mo.
This article provides a location of log files in cPanel WHM servers.
cPanel/WHM Server Log File Locations
Core system (AlmaLinux/Rocky/CloudLinux – RHEL family)
- /var/log/messages — General system log (kernel, services, hardware, firewall notes).
- /var/log/secure — Authentication and authorization (SSH, sudo, PAM, pure-ftpd auth, etc.).
- /var/log/cron — Cron daemon job starts/exits.
- /var/log/dmesg — Boot-time kernel ring buffer.
- /var/log/dnf.log (or /var/log/yum.log on older hosts) — Package installs/updates history.
- /var/log/firewalld (if enabled) — Firewalld events; otherwise kernel FW logs land in
/var/log/messages. - /var/log/maillog — Dovecot (IMAP/POP), SpamAssassin (spamd) notices, LDA events.
cPanel/WHM platform
- /usr/local/cpanel/logs/error_log — cPanel/WHM/Webmail (cpsrvd) application errors; first stop for UI/API issues.
- /usr/local/cpanel/logs/access_log — All cPanel/WHM/Webmail HTTP/API access entries (user, IP, endpoint).
- /usr/local/cpanel/logs/login_log — Successful/failed cPanel/WHM/Webmail login attempts.
- /usr/local/cpanel/logs/session_log — Session lifecycle messages for cPanel/WHM/Webmail.
- /usr/local/cpanel/logs/tailwatchd_log — TailWatch framework supervisor (drives chkservd, eximstats, cpanel-logd, etc.).
- /usr/local/cpanel/logs/chkservd.log — Service monitor (chkservd) restarts and fail/ok checks.
- /usr/local/cpanel/logs/queueprocd.log — Queue processor (e.g., stats, backups, maintenance queues).
- /usr/local/cpanel/logs/stats_runner.log — Web stats generation runs (AWStats/Webalizer/Analog).
- /usr/local/cpanel/logs/cphulkd.log — cPHulk (brute-force protection) blocks/decisions.
- /usr/local/cpanel/logs/cpdavd_error_log — CalDAV/CardDAV service (cpdavd) errors.
- /usr/local/cpanel/logs/backup_error_log — Legacy backup system errors (if legacy enabled).
- /usr/local/cpanel/logs/cpbackup/ — Account backup job logs (newer backup system also uses this path).
- /usr/local/cpanel/logs/cpbackup_transporter.log — Remote backup transporter (S3, SFTP, etc.) upload results.
- /usr/local/cpanel/logs/easy/apache/ — EasyApache build/config logs (EA3/early EA4 traces).
- /var/cpanel/updatelogs/ — WHM/cPanel update runs by date/channel; dig here for update-related problems.
- /var/log/cpanel-install.log — Original cPanel installation transcript.
- /usr/local/cpanel/logs/transfer_session/ — Transfer Tool/migration session logs (per-run subdirs).
- /usr/local/cpanel/logs/dnsadmin_log — DNS cluster (dnsadmin) sync and RPC actions.
- /var/cpanel/logs/autossl/ — AutoSSL issuance/renewal logs per provider (cPanel/Let’s Encrypt/ZeroSSL).
Apache HTTP Server (EA4)
- /usr/local/apache/logs/error_log — Global Apache errors (vhost config issues, segfaults, ModSecurity notices, etc.).
- /usr/local/apache/logs/access_log — Global access log (if enabled globally).
- /usr/local/apache/logs/ssl_request_log — SSL request summaries (if enabled).
- /usr/local/apache/logs/modsec_audit.log (or /usr/local/apache/logs/modsecaudit/ rotated set) — ModSecurity audit details with full request bodies (if audit logging enabled).
- /usr/local/apache/domlogs/ — Per-domain access logs (one file per vhost)
- /usr/local/apache/domlogs/DOMAIN-ssl_log — Per-domain HTTPS access.
- Rotated gz files appear alongside (by date).
- ~/public_html/error_log — Per-account PHP application errors (if
display_errors=Offand logging enabled).
PHP-FPM (EA4, per PHP version)
- /opt/cpanel/ea-phpNN/root/usr/var/log/php-fpm/error.log — Engine errors for PHP-FPM pool of that version.
- /opt/cpanel/ea-phpNN/root/usr/var/log/php-fpm/www-error.log — Pool/runtime errors (path may vary by pool name).
- /opt/cpanel/ea-phpNN/root/usr/var/log/php-fpm/slow.log — Slow-request traces (when
request_slowlog_timeoutis set).
Mail (Exim, Dovecot, SpamAssassin, Mailman)
- /var/log/exim_mainlog — Complete SMTP transaction log (queue IDs, routing, deliveries, defers).
- /var/log/exim_rejectlog — SMTP rejections (RBLs, ACL denials, SPF/DMARC failures, etc.).
- /var/log/exim_paniclog — Exim fatal errors (parsing, disk, memory).
- /var/spool/exim/input/ — On-disk message spools (not a “log”, but critical when tracing stuck mail).
- /var/log/maillog — Dovecot authentication/IMAP/POP, LDA, and SpamAssassin (spamd) events.
- /usr/local/cpanel/3rdparty/mailman/logs/ — Mailman (list server) logs: post, smtp, error, locks, etc.
DNS (BIND/named on cPanel)
- /var/log/messages — Default location where named logs go on RHEL-family unless custom
logging {}is set. - /var/named/data/named.run (legacy/if configured) — Named runtime log file (older setups).
- /usr/local/cpanel/logs/dnsadmin_log — DNS cluster syncs, pushes, pulls (repeated here for emphasis).
FTP (Pure-FTPd – default)
- /var/log/messages — Service start/stop and some auth messages.
- /var/log/xferlog — File transfer accounting (uploads/downloads; username, IP, bytes).
- /var/log/secure — PAM authentication outcomes for FTP logins.
Webmail services
- /usr/local/cpanel/logs/error_log — Roundcube/Horde webmail errors via cpsrvd (main place to check).
- /var/log/maillog — IMAP/POP/Webmail IMAP sessions via Dovecot.
SSL/TLS & AutoSSL
- /var/cpanel/logs/autossl/ — Per-run/per-domain issuance and renewal traces.
- /usr/local/apache/logs/error_log — vhost-level certificate/handshake errors surfaced by Apache.
Account lifecycle & billing hooks (platform side)
- /var/cpanel/accounting.log — Account create/suspend/unsuspend/terminate actions.
- /usr/local/cpanel/logs/hook_aborted_transactions.log — Failed cPanel hook runs.
- /usr/local/cpanel/logs/piped_logging_status — Status when piped logging is enabled.
Spam/AV (when enabled via WHM)
- /var/log/clamd.log or /var/log/clamd.scan — ClamAV daemon scans/quarantines.
- /var/log/maillog — SpamAssassin (spamd) classification results and errors.
MySQL/MariaDB (managed by WHM)
- /var/lib/mysql/
$(hostname).err — Server error log (default on MariaDB). - /var/log/mysqld.log (older layouts) — Alternative location for server errors.
- /var/lib/mysql/ — General/slow query logs if enabled (
general_log,slow_query_log).
cPanel analytics & visitors
- /usr/local/cpanel/logs/domlogs/ (alias to
apache/domlogson some systems) — source for AWStats/Webalizer. - /usr/local/cpanel/logs/stats_runner.log — Stats processing status/errors (mirrored above).
Backup & transfer specifics
- /usr/local/cpanel/logs/cpbackup/ — Each backup run’s transcript (per-date files).
- /usr/local/cpanel/logs/cpbackup_transporter.log — Remote destination upload results.
- /usr/local/cpanel/logs/transfer_session/ — WHM Transfer Tool sessions (per-migration dir).
Fast triage commands
# Tail the “hot five”
tail -f /usr/local/cpanel/logs/error_log \
/var/log/exim_mainlog \
/usr/local/apache/logs/error_log \
/var/log/maillog \
/usr/local/cpanel/logs/chkservd.log
# Follow cPanel UI/API access in real time
tail -f /usr/local/cpanel/logs/access_log
# Watch logins to cPanel/WHM/Webmail
tail -f /usr/local/cpanel/logs/login_log
# Trace a specific Exim message ID through SMTP
exigrep -i '1sAMPLE-Id' /var/log/exim_mainlog
# Recent per-domain HTTP hits
tail -n 200 /usr/local/apache/domlogs/example.com
# PHP-FPM errors for PHP 8.2
tail -f /opt/cpanel/ea-php82/root/usr/var/log/php-fpm/error.log
Conclusion
You now know the location of log files in cPanel/WHM servers.
