Last updated: 22 February 2024

Many people use web analytics services such as Google Analytics to get information about traffic to their website. Another popular option is Awstats, which is available on all cPanel accounts. Sometimes, though, you might want to look at the raw access logs for a domain. This article looks at what logs you find on cPanel servers, how they are configured and what information is stored in the logs.

Why look at access logs?

Tools like Awstats are very useful, but they necessarily aggregate information. To get more specific details you need to work with raw access logs. For instance, if your website suddenly gets a very large amount of traffic then you might want to know the top IP addresses that visited your website in the last 10 minutes. Or, if someone reported that your website was showing an error at 6am this morning then you can filter the log for entries where the Apache status code started with a 5 at around that time. Anything custom like that involves working with raw logs.
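The two questions above (top IP addresses in the last 10 minutes, and 5xx responses around a given time) can be answered with a short script. This is an added example, not part of the original article: it assumes the log uses Apache's "combined" format, the function names are hypothetical, and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed "combined" format: ip ident user [time] "request" status bytes ...
# The request pattern allows \" because Apache escapes quotes inside it.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) \S+')

def parse(lines):
    """Yield (ip, timestamp, request, status); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        yield m.group(1), ts, m.group(3), int(m.group(4))

def top_ips(lines, end, minutes=10, n=5):
    """Most frequent client IPs in the `minutes` up to `end` (timezone-aware)."""
    start = end - timedelta(minutes=minutes)
    hits = Counter(ip for ip, ts, _, _ in parse(lines) if start < ts <= end)
    return hits.most_common(n)

def server_errors(lines, around, window_minutes=15):
    """Entries with a 5xx status within `window_minutes` either side of `around`."""
    delta = timedelta(minutes=window_minutes)
    return [(ts, ip, req, status) for ip, ts, req, status in parse(lines)
            if 500 <= status <= 599 and abs(ts - around) <= delta]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [22/Feb/2024:05:58:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Feb/2024:06:01:03 +0000] "GET /shop HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Feb/2024:06:02:40 +0000] "POST /contact HTTP/1.1" 503 299 "-" "curl/8.4.0"',
    '198.51.100.7 - - [22/Feb/2024:06:04:55 +0000] "GET /a\\"b HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Feb/2024:05:40:00 +0000] "GET /old HTTP/1.1" 502 299 "-" "curl/8.4.0"',
    'not a log line',
]

if __name__ == "__main__":
    now = datetime(2024, 2, 22, 6, 5, tzinfo=timezone.utc)  # constructed "current" time
    print(top_ips(SAMPLE, now))
    for entry in server_errors(SAMPLE, datetime(2024, 2, 22, 6, 0, tzinfo=timezone.utc)):
        print(entry)
```

On a real log, pass the open file object instead of `SAMPLE`, and use the current time with the server's UTC offset as `end`.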

Access logs on cPanel servers

cPanel servers keep separate access logs for the main domain and any subdomains and addon domains (as they are all independent virtual hosts). Also, there are separate logs for HTTP and HTTPS requests. So, if you have the domain example.com and the addon domain foo.bar then you have four access logs:

  • example.com (HTTP)
  • example.com (HTTPS)
  • foo.bar (HTTP)
  • foo.bar (HTTPS)

You can ignore the HTTP logs if you redirect website traffic from HTTP to HTTPS, as all website traffic will show in the SSL log.

The Raw Access interface

You can access the raw access logs for your domain(s) via Metrics » Raw Access. The page lists both “current” and “archived” logs.

A screenshot of the Raw Access page in cPanel. The page lists all domains under your account, and for each domain you can download the current (active) access log, as well as any archived logs.
Downloading raw access logs via cPanel.

“Current” logs are access logs that haven’t been rotated yet. By default, the current log is rotated every 24 hours. At that time the log is appended to the archived log for the current month, and a new current log is started. So, the current log only shows entries added since the log was last rotated.

Log names

It is worth noting that alias domains don’t have their own access log. In the above image there is one alias: example.net. That domain is an alias of example.com, and the access log is therefore shared.

For addon domains you see the name of the subdomain linked to the addon domain. This is because, technically speaking, addon domains are a subdomain with an alias. You can read more about the different types of domains in the article about cPanel’s Domains feature.

Downloading logs via FTP

You can also download archived logs via cPanel’s file manager. All archived logs are kept in the logs folder in your home directory, so you can navigate to the folder and download individual logs.

All cPanel accounts also have a special FTP account that can be used to download the current (not-yet-rotated) access logs. If you look closely at the FTP account you see that it downloads files from /etc/apache2/logs/domlogs/$user/. This is where the active access logs are stored on the server. The access-logs directory in your home folder is linked to the domlogs directory, but as a “normal” user you won’t see anything inside that folder. You have to either use the Metrics » Raw Access option to download the logs or use the special FTP account.

Understanding access logs

If you have not worked with raw access logs before then the files might be somewhat overwhelming. My article about understanding Apache access logs explains what information is stored in the files.