Location of the logs on the CWP servers

Apache logs are in these folders:

/usr/local/apache/logs (main logs)
/usr/local/apache/domlogs (per-domain logs; Apache and Nginx share the same file)

Nginx logs are in these folders:

/var/log/nginx/
/usr/local/apache/domlogs (per-domain logs; Apache and Nginx share the same file)

ModSecurity (per-domain logs; replace DOMAIN.COM with the domain name)

/usr/local/apache/domlogs/DOMAIN.COM.error.log

CWP server logs and server service logs, including phpMyAdmin, Roundcube and the API:

/usr/local/cwpsrv/logs/
/usr/local/cwp/php71/var/log/

CWP WebServers rebuild log for vhosts including php-fpm conf:

/var/log/cwp/webservers.log

CSF & LFD firewall logs

/var/log/lfd.log

SSH logs

/var/log/secure

Yum logs

/var/log/yum.log

FTP logs

/var/log/messages

PHP Mail Log (sent from php scripts)

/usr/local/apache/logs/phpmail.log

Postfix / Mail

/var/log/maillog

Failed SMTP login example (mail client software: Thunderbird, Outlook):

Jun 22 17:09:20 srv1 postfix/smtpd[14076]: warning: unknown[38.10.12.80]: SASL LOGIN authentication failed: UGFzc3df4mQ6

Dovecot and Dovecot debug logs

/var/log/dovecot.log
/var/log/dovecot-info.log
/var/log/dovecot-debug.log

Failed IMAP/POP3 logins

/var/log/dovecot-info.log

Failed login example (mail client software: Thunderbird, Outlook):

Jun 22 18:06:25 imap-login: Info: Disconnected (auth failed, 3 attempts): user=<info@domain.com>, method=PLAIN, rip=212.12.176.56, lip=5.196.100.13, TLS

Failed login example (Roundcube):

Jun 22 17:59:22 imap-login: Info: Disconnected (auth failed, 1 attempts): user=<username@domain.net>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

Successful login example (Roundcube):

Jun 22 18:14:20 imap-login: Info: Login: user=<username@domain.net>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=26051, secured

Successful login example (mail client software: Thunderbird, Outlook):

Jun 22 18:16:51 pop3-login: Info: Login: user=<username@domain.net>, method=PLAIN, rip=212.12.176.56, lip=5.192.100.13, mpid=26464, TLS

Roundcube (CWP version 160+)

/usr/local/cwpsrv/var/services/roundcube/logs/

Example from /usr/local/cwpsrv/var/services/roundcube/logs/sendmail:

[22-Jun-2018 21:15:39 +0000]: <e1efa51l> User username@domain.net [11.22.33.144]; Message for someuser@gmail.com; 250: 2.0.0 Ok: queued as E7B7B21244E7

Failed logins

/usr/local/cwpsrv/var/services/roundcube/logs/errors

Example from /var/log/dovecot-info.log:

Jun 22 17:59:22 imap-login: Info: Disconnected (auth failed, 1 attempts): user=<username@domain.net>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
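
An added example (not part of the CWP documentation): a Python script that tallies failed mail logins from the Postfix and Dovecot line formats shown above. Failures with rip=127.0.0.1 arrive through Roundcube, so they are counted per mailbox, and the Roundcube errors log listed above is the place to look for the client address. The function name and the sample data are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Constructed sample: the Postfix and Dovecot line formats shown on this page.
SAMPLE = """\
Jun 22 17:09:20 srv1 postfix/smtpd[14076]: warning: unknown[38.10.12.80]: SASL LOGIN authentication failed: UGFzc3df4mQ6
Jun 22 18:06:25 imap-login: Info: Disconnected (auth failed, 3 attempts): user=<info@domain.com>, method=PLAIN, rip=212.12.176.56, lip=5.196.100.13, TLS
Jun 22 17:59:22 imap-login: Info: Disconnected (auth failed, 1 attempts): user=<username@domain.net>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Jun 22 18:14:20 imap-login: Info: Login: user=<username@domain.net>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=26051, secured
Jun 22 18:16:51 pop3-login: Info: Login: user=<username@domain.net>, method=PLAIN, rip=212.12.176.56, lip=5.192.100.13, mpid=26464, TLS
"""

# Dovecot failure: attempt count, mailbox and remote address (rip).
# [^)]* tolerates extra text before the closing parenthesis.
DOVECOT_FAIL = re.compile(
    r"(?:imap|pop3)-login: Info: Disconnected \(auth failed, (\d+) attempts?[^)]*\): "
    r"user=<([^>]*)>.*?\brip=([0-9A-Fa-f.:]+)")
# Postfix failure: the client address is inside the square brackets.
POSTFIX_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[([0-9A-Fa-f.:]+)\]: SASL \w+ authentication failed")
LOOPBACK = {"127.0.0.1", "::1"}

def failed_logins(lines):
    """Return (attempts per remote address, attempts per mailbox seen via loopback)."""
    remote, webmail = Counter(), Counter()
    for line in lines:
        m = DOVECOT_FAIL.search(line)
        if m:
            attempts, user, rip = int(m.group(1)), m.group(2), m.group(3)
            if rip in LOOPBACK:
                webmail[user] += attempts   # Roundcube connects from localhost
            else:
                remote[rip] += attempts
            continue
        m = POSTFIX_FAIL.search(line)
        if m:
            remote[m.group(1)] += 1         # one log line per failed SASL attempt
    return remote, webmail

if __name__ == "__main__":
    # Usage: script.py /var/log/dovecot-info.log /var/log/maillog (no arguments: SAMPLE)
    lines = SAMPLE.splitlines()
    if sys.argv[1:]:
        lines = [l for p in sys.argv[1:] for l in open(p, errors="replace")]
    remote, webmail = failed_logins(lines)
    for addr, n in remote.most_common():
        print(f"{n:6d}  {addr}")
    for user, n in webmail.most_common():
        print(f"{n:6d}  {user} (via loopback/webmail)")
```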

MySQL logs

See the MariaDB error log documentation: https://mariadb.com/kb/en/error-log/

/var/lib/mysql/HOSTNAME.err

Bind/Named logs

/var/log/messages

SSL Let's Encrypt logs:

/var/log/cwp/autossl.log
/root/.acme.sh/acme.sh.log

Admin Login Logs

/var/log/cwp_client_login.log