Getting access logs for a domain

26 July 2021

Many people use web analytics services such as Google Analytics to get information about traffic to their website. Another popular option is Awstats, which is available on all cPanel accounts. Sometimes, though, you might want to look at the raw access logs for a domain. This article looks at what logs you find on cPanel servers; how they are configured and what information is in the logs.

Why look at access logs?

Tools like Awstats are very useful, but they necessarily aggregate information. To get more specific details you need to work with raw access logs. For instance, if your website is suddenly getting a large amount of traffic then you might want know the top IP addresses that visited your website in the last 10 minutes. Or, if someone reported that your website was showing an error at 6am this morning then you can filter out all entries where the Apache status code started with a 5 at around that time. Anything custom like that involves working with raw logs.

Access logs on cPanel servers

cPanel servers keep access logs for each domain, subdomain and addon domain (as they are all independent virtual hosts). Also, there are separate logs for HTTP and HTTPS requests. So, if you got the domain example.com with the addon domain example.net then you got the following four access logs:

• example.com
• example.com-ssl_log
• example.net
• example.net-ssl_log

The logs are rotated daily. Every 24 hours the current log is appended to the log for the current month, and at the same time a new log is started. You can download both the current and archived logs via the Metrics » Raw Access option in cPanel.

Before we get to that, it is worth mentioning that you can also download archived logs via cPanel’s file manager. All archived logs are kept in the logs folder in your home directory, so you can navigate to the folder and download individual logs.

All cPanel accounts also have a special FTP account that can be used to download the current (not-yet-rotated) access logs. If you look closely at the FTP account you see that it downloads files from /etc/apache2/logs/domlogs/$user/. This is where the active access logs are stored on the server. The access-logs directory in your home folder is linked to the domlogs directory, but as a “normal” user you won’t see anything inside that folder. You have to either use the Metrics » Raw Access option or download the logs or use the special FTP account.

Raw Access configuration

The Raw Access page has two configuration options for archived logs. By default, the current log is appended to this month’s log every 24 hours, and the system keeps only the current month’s log. You can keep logs for longer, but please be aware that the logs folder can then grow quite large over time.

Image: cPanel’s Raw Access page.

Below the configuration options you can download the current access logs. The main thing to bear in mind is that there are separate logs for HTTP and HTTPS. If your website has an SSL certificate and if you automatically redirect traffic from HTTP to HTTPS then you only need to grab the SSL log. And, if your website doesn’t have an SSL certificate or if you don’t redirect traffic to HTTPS, I strongly recommend that you configure this. Please contact us if you need a hand with that.

And finally, the archived logs appear at the bottom of the page. As mentioned, this are the access logs for the current month. The files are compressed using gzip to save space, so you need to extract the archives before you can look at them.

Understanding access logs

If you have not worked with raw access logs before then the files might be somewhat overwhelming. My article about understanding Apache access logs explains what information is stored in the files.