cPanel Log Locations: Where to Find Useful Server Logs
cPanel and WHM servers create a lot of logs. Knowing where to look can save time when troubleshooting website errors, email delivery, FTP access, ModSecurity blocks, backup issues and control panel problems.
Quick reference table
| Log type | Common location | What it helps with |
|---|---|---|
| cPanel error log | /usr/local/cpanel/logs/error_log | cPanel and WHM interface errors. |
| cPanel access log | /usr/local/cpanel/logs/access_log | Access to cPanel, WHM and Webmail services. |
| Apache error log | /usr/local/apache/logs/error_log | Web server errors and module warnings. |
| Apache domlogs | /usr/local/apache/domlogs/domain.com | Per-domain requests, status codes and traffic. |
| User archived logs | /home/user/logs/ | Rotated or archived domain logs. |
| Mail log | /var/log/maillog | SMTP, IMAP, POP and delivery activity. |
| Exim main log | /var/log/exim_mainlog | Email routing and delivery details. |
| FTP log | /var/log/messages or FTP-specific logs | FTP authentication and upload/download activity. |
| Backup logs | /usr/local/cpanel/logs/cpbackup/ | cPanel backup generation and transport issues. |
Apache and domain logs
For website troubleshooting, Apache logs and domlogs are usually the first place to look.
Main Apache error log
tail -100 /usr/local/apache/logs/error_logLive domain access log
tail -f /usr/local/apache/domlogs/example.comSSL domain log
tail -f /usr/local/apache/domlogs/example.com-ssl_logUser archived logs
ls -lh /home/username/logs/Example domlog output
203.0.113.10 - - [03/May/2026:12:30:15 +0100] "GET /wp-login.php HTTP/2" 200 5421 "-" "Mozilla/5.0"
198.51.100.25 - - [03/May/2026:12:31:02 +0100] "POST /xmlrpc.php HTTP/1.1" 403 391 "-" "curl/8.0"
192.0.2.44 - - [03/May/2026:12:31:40 +0100] "GET /missing-page HTTP/2" 404 1240 "-" "Mozilla/5.0"cPanel and WHM logs
When the control panel itself is misbehaving, check the cPanel logs rather than the website logs.
cPanel error log
tail -100 /usr/local/cpanel/logs/error_logcPanel access log
tail -100 /usr/local/cpanel/logs/access_logLogin history
last
lastlogService restarts
grep -i "restart" /usr/local/cpanel/logs/error_logEmail logs
Email issues often need both Exim logs and the general mail log. Search by sender, recipient, domain or message ID.
Exim main log
grep "user@example.com" /var/log/exim_mainlogMail log
tail -100 /var/log/maillogSearch for failed auth
grep -i "auth" /var/log/maillog | tailSearch a domain
grep "example.com" /var/log/exim_mainlog | tail -50FTP logs
FTP logs depend on the FTP service in use, but authentication attempts and connection details often appear in system logs.
grep -i "ftp" /var/log/messages | tail -50
grep -i "pure-ftpd" /var/log/messages | tail -50For file changes, also check the account files directly with Find Command Builder style searches.
ModSecurity logs
ModSecurity blocks are commonly visible in Apache logs and may include rule IDs, request details and the script being accessed.
grep -i "modsecurity" /usr/local/apache/logs/error_log | tail -50
grep "id \"[0-9]" /usr/local/apache/logs/error_log | tail -50Backup logs
Backup logs are useful when investigating missed backups, failed transports, quota problems or large account backup failures.
ls -lh /usr/local/cpanel/logs/cpbackup/
tail -100 /usr/local/cpanel/logs/cpbackup/*.logUseful examples
Find recent 500 errors
grep " 500 " /usr/local/apache/domlogs/example.com-ssl_log | tail -50Top IPs in a domlog
awk '{print $1}' /usr/local/apache/domlogs/example.com | sort | uniq -c | sort -nr | headSearch compressed user logs
zgrep "wp-login.php" /home/user/logs/example.com-ssl_log.gzWatch live traffic
tail -f /usr/local/apache/domlogs/example.com-ssl_logFast cPanel log checks by issue type
Start with the log closest to the symptom. A website error, mail rejection and ModSecurity block usually live in different places.
| Issue | Useful first checks |
|---|---|
| Website 500 error | tail -n 100 /usr/local/apache/logs/error_logtail -n 100 /home/user/public_html/error_log |
| High traffic or abuse | awk '{print $1}' /usr/local/apache/domlogs/domain.com | sort | uniq -c | sort -nr | head |
| Email delivery problem | grep user@example.com /var/log/exim_mainlog |
| ModSecurity block | grep domain.com /usr/local/apache/logs/modsec_audit.log |
| cPanel interface error | tail -n 100 /usr/local/cpanel/logs/error_log |
Example domlog summary
$ awk '{print $1}' /usr/local/apache/domlogs/example.com | sort | uniq -c | sort -nr | head
1842 203.0.113.51
923 198.51.100.24
311 192.0.2.19That kind of quick count is useful before deciding whether to investigate bot traffic, caching problems or application-level load.
Related: cPanel Domlog Guide, Search Logs for Errors and Linux Troubleshooting Hub.
Frequently Asked Questions
Where are cPanel Apache domain logs stored?
Common cPanel Apache domain logs are stored under /usr/local/apache/domlogs/ with one or more files per domain.
Where is the cPanel main error log?
A common cPanel error log is /usr/local/cpanel/logs/error_log.
Which log should I check for email delivery?
On many cPanel systems, Exim delivery details are in /var/log/exim_mainlog, with related rejection and panic logs depending on the issue.
Where can I find ModSecurity blocks?
ModSecurity events are often found in the Apache ModSecurity audit log or the web server error log, depending on the system configuration.