Hostperl

Setup cPanel Security Audit Logs: Monitor Admin Access & Changes

By Raman Kumar

Updated on May 29, 2026

Why cPanel Security Audit Logs Matter for Your VPS

Server administrators need visibility into who accessed their cPanel interface and what changes were made. Without proper audit logging, you're blind to unauthorized access attempts, configuration changes, and potential security breaches.

Most hosting providers don't enable comprehensive audit logging by default. You need to configure these systems manually to track administrative actions, failed login attempts, and configuration modifications across your server.

This guide shows you how to set up cPanel security audit logs on your Hostperl VPS. We'll cover both built-in cPanel features and system-level monitoring.

Enable cPanel Access Logs and Login Tracking

Start by enabling cPanel's built-in access logging through WHM. Log into WHM as root and navigate to Security Center > cPanel/WHM Security.

Enable these critical settings:

  • Log cPanel access attempts
  • Log failed authentication attempts
  • Record session duration and IP addresses
  • Track privilege escalation events

Next, configure the logging verbosity. Go to Server Configuration > Tweak Settings and find the "Logging" section:

cPanel access log level: Full
Failed login attempts: Log all attempts
Session timeout logging: Enabled
Privilege changes: Full audit trail

This captures every cPanel login, logout, and access pattern. The logs appear in /usr/local/cpanel/logs/access_log and /usr/local/cpanel/logs/login_log.

Configure File Change Monitoring for Critical Directories

Monitor critical cPanel configuration files and directories for unauthorized modifications. Install and configure auditd on your Ubuntu server:

sudo apt update
sudo apt install auditd audispd-plugins
sudo systemctl enable auditd
sudo systemctl start auditd

Create audit rules for cPanel's key directories. Edit /etc/audit/rules.d/cpanel.rules:

# Monitor cPanel configuration changes
-w /usr/local/cpanel/etc -p wa -k cpanel_config
-w /var/cpanel -p wa -k cpanel_data
-w /etc/wwwacct.conf -p wa -k account_config
-w /etc/cpanel -p wa -k cpanel_system

# Monitor WHM configuration
-w /usr/local/cpanel/whostmgr -p wa -k whm_changes
-w /etc/wwwacct.conf -p wa -k account_defaults

# Track user account modifications
-w /etc/passwd -p wa -k user_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/group -p wa -k group_changes

Reload the audit rules:

sudo augenrules --load
sudo systemctl restart auditd

These rules capture any write or attribute changes to critical cPanel files. View audit events with sudo ausearch -k cpanel_config.

Set Up Database Activity Logging

Monitor database access and modifications through cPanel's database interfaces. Enable MySQL general logging to track all database queries initiated through cPanel tools.

Edit your MySQL configuration file /etc/mysql/mysql.conf.d/mysqld.cnf:

[mysqld]
general_log = 1
general_log_file = /var/log/mysql/general.log
log_queries_not_using_indexes = 1

Restart MySQL to apply changes:

sudo systemctl restart mysql

Create a log rotation policy for the general log to prevent disk space issues. Add to /etc/logrotate.d/mysql-general:

/var/log/mysql/general.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    create 640 mysql mysql
    postrotate
        /usr/bin/mysqladmin flush-logs
    endscript
}

This tracks database modifications made through phpMyAdmin, cPanel Database tools, or direct SQL access. Combined with our earlier file monitoring tutorial on MySQL backup automation, you get complete database security coverage.

Configure Email Activity Monitoring

Track email account creation, deletion, and configuration changes through cPanel's email interfaces. Enable detailed Exim logging by modifying /etc/exim4/exim4.conf.template:

# Enhanced logging section
log_file_path = /var/log/exim4/%slog
log_selector = +all -subject -arguments

Monitor email-related file changes by adding rules to your audit configuration:

# Email configuration monitoring
-w /etc/virtual -p wa -k email_config
-w /etc/exim4 -p wa -k exim_config
-w /var/cpanel/users -p wa -k user_email_settings

Set up log rotation for Exim logs to manage disk usage:

/var/log/exim4/*log {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    create 640 Debian-exim adm
    # No postrotate needed: Exim checks its log file on each write and reopens it after rotation
}

This monitoring works alongside the email authentication setup covered in our SPF, DKIM, and DMARC tutorial.

Implement Real-Time Alert System

Configure real-time notifications for critical security events. Install and configure logwatch for automated daily reports:

sudo apt install logwatch
sudo nano /etc/logwatch/conf/logwatch.conf

Configure logwatch settings:

LogDir = /var/log
MailTo = admin@yourdomain.com
MailFrom = security@yourserver.com
Detail = High
Service = All
Range = yesterday
Format = html

Create a custom script for immediate alerts on critical events. Save as /usr/local/bin/cpanel-security-alert.sh:

#!/bin/bash

# Monitor for failed cPanel logins
# IFS= and read -r keep each log line intact (no trimming, no backslash processing)
tail -F /usr/local/cpanel/logs/login_log | while IFS= read -r line; do
    if printf '%s\n' "$line" | grep -q "FAILED"; then
        printf 'Failed cPanel login detected: %s\n' "$line" | mail -s "Security Alert: Failed cPanel Login" admin@yourdomain.com
    fi
done &

# Monitor for root privilege escalation
tail -F /var/log/auth.log | while IFS= read -r line; do
    if printf '%s\n' "$line" | grep -q "sudo.*root"; then
        printf 'Root access detected: %s\n' "$line" | mail -s "Security Alert: Root Access" admin@yourdomain.com
    fi
done &

Make the script executable and add it to system startup:

sudo chmod +x /usr/local/bin/cpanel-security-alert.sh
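# /etc/rc.local is root-owned, so append through sudo; the line must sit above any final "exit 0"
echo "/usr/local/bin/cpanel-security-alert.sh" | sudo tee -a /etc/rc.local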

Centralized Log Analysis and Retention

Aggregate all security logs into a centralized location for analysis. Create a dedicated directory structure:

sudo mkdir -p /var/log/security-audit/{cpanel,system,email,database}
sudo chown -R syslog:adm /var/log/security-audit

Configure rsyslog to forward relevant logs to the central location. Add to /etc/rsyslog.d/50-security-audit.conf:

# cPanel security logs
$ModLoad imfile
$InputFileName /usr/local/cpanel/logs/access_log
$InputFileTag cpanel-access:
$InputFileStateFile cpanel-access-state
$InputFileSeverity info
$InputFileFacility local0
$InputRunFileMonitor
local0.info /var/log/security-audit/cpanel/access.log

# Audit logs
$InputFileName /var/log/audit/audit.log
$InputFileTag audit:
$InputFileStateFile audit-state
$InputFileSeverity info
$InputFileFacility local1
$InputRunFileMonitor
local1.info /var/log/security-audit/system/audit.log

Restart rsyslog to apply the configuration:

sudo systemctl restart rsyslog

Set up automated log compression and retention:

/var/log/security-audit/*/*.log {
    daily
    rotate 90
    compress
    delaycompress
    missingok
    # 640 rather than 644: audit trails should not be world-readable
    create 640 syslog adm
    sharedscripts
    postrotate
        /bin/kill -HUP $(cat /var/run/rsyslogd.pid 2> /dev/null) 2> /dev/null || true
    endscript
}

This retention policy keeps 90 days of compressed logs. It balances storage costs with compliance requirements.

Ready to implement comprehensive security monitoring for your hosting infrastructure? Hostperl VPS hosting provides the root access and flexibility needed for advanced audit logging configurations. Our support team can help you optimize these security measures for your specific hosting environment.

Frequently Asked Questions

How much disk space do cPanel audit logs typically consume?

Audit logs typically use 50-200MB per month for small to medium-sized hosting environments. High-traffic servers with multiple accounts may generate 1-2GB monthly. Implement log rotation and compression to manage storage efficiently.

Can I monitor cPanel API usage and automation scripts?

Yes, enable API logging in WHM under Development > Manage API Tokens. This tracks all API calls, including automated scripts and third-party integrations accessing your cPanel environment.

What's the performance impact of comprehensive audit logging?

Modern SSDs handle audit logging with minimal performance impact. Expect 1-3% CPU overhead and negligible I/O impact on most VPS configurations. The security benefits far outweigh the minimal resource usage.

How do I investigate suspicious activity in the audit logs?

Use ausearch with specific time ranges and keywords: sudo ausearch -ts yesterday -k cpanel_config. Combine with grep and awk to filter for specific IP addresses, usernames, or file paths.

Should I enable audit logging for all hosting accounts or just admin functions?

Start with admin-level logging (root, WHM access, system configurations). Then expand to user-level monitoring based on your security requirements. Full user monitoring generates significantly more log data but provides complete visibility.