Unfortunately, cPanel does not have any graphical interface or audit logs as far as emails are concerned, so we will have to use the available command line tools for advanced troubleshooting.
An audit log is a document that records an event in an information technology system.
In addition to documenting what resources were accessed, audit log entries usually include destination and source addresses, a time-stamp and user login information.
In this guide we will learn how the email logs are written for monitoring deleted email, created email etc.
For your convenience these are cPanel’s email log locations:
cPanel email log
|Delivery and receipt log||/var/log/exim_mainlog|
|Incoming mail queue||/var/spool/exim/input/|
|Log of messages rejected based on ACLS or other policies||/var/log/exim_rejectlog|
|Unexpected/Fatal error log||/var/log/exim_paniclog|
|IMAP, POP3 login attempts, transactions, fatal errors and spam scoring||/var/log/maillog||/var/log/messages|
The exim_mainlog contains interactions that exim handles, both incoming and outgoing mail transactions. This log does NOT provide specific details such as deleting, creating email account, changing passwords etc.
So in this guide we will focus on /usr/local/cpanel/logs/access_log.
Learning to read the /usr/local/cpanel/logs/access_log log is important for it holds much needed information.
The ‘tail’ command displays the last lines of a file and it’s main purpose is to read the latest messages. we will add argument “-f” to output append data as the file is being written:
tail -f /usr/local/cpanel/logs/access_log
Now create an email box from within cPanel :
For this example I’ve created an email account named “Test”.
let’s take a look how creating an email account is represented in the log file (/usr/local/cpanel/logs/access_log):
- A – Operator’s IP Address
- B – cPanel’s username of the operator (jetnet)
- C – Which operation has been made? addpop = create an email account (you can see that the account name is “Test”
- D – Quota of the newly created email account (1024)
- E – Domain name of the newly created email account (jetserver.net)
- F – Did the operation succeed ? ( 200 = Yes)
How changing password account is represented in the log:
We can see it represented in the same way as before, expect the operation which has been made:
- B – Which operation has been made? passwdpop&email = change password of an email account & which email it was made on.
How Suspending an account is represented in the log:
Same concept, by reading the log we can see that:
jetnet cpanel user made a request of suspending (suspend_incoming) to and email account test with the domain:jetserver.net. Has the operation succeeded? Yes. (200)
Our last example will be deleting an email account, same concept :
jetnet cpanel user made a request to delete an email account (delpop) to an email account test with the domain:jetserver.net. Has the operation succeeded? Yes. (200)
I hope this guide was informative for you and you will be able to trace your account actions a little bit better 😉