diff --git a/modules/security/bot-analyzer.sh b/modules/security/bot-analyzer.sh
index a061076..238a7ab 100755
--- a/modules/security/bot-analyzer.sh
+++ b/modules/security/bot-analyzer.sh
@@ -307,7 +307,13 @@ parse_logs() {
         log_search_path="/home/*/var/*/logs"
         log_search_name="transfer*.log"
     else
-        # cPanel/Plesk: /var/log/apache2/domlogs/domain.com
+        # cPanel: /var/log/apache2/domlogs/domain.com or domain.com-ssl_log
+        # Plesk: Research verified paths from https://docs.plesk.com/en-US/obsidian/
+        #   Apache HTTP:  /var/www/vhosts/system/{domain}/logs/access_log
+        #   Apache HTTPS: /var/www/vhosts/system/{domain}/logs/access_ssl_log
+        #   nginx HTTP:   /var/www/vhosts/system/{domain}/logs/proxy_access_log
+        #   nginx HTTPS:  /var/www/vhosts/system/{domain}/logs/proxy_access_ssl_log
+        # Note: /var/www/vhosts/{domain}/logs/ are hardlinks (backward compat)
         log_search_path="$LOG_DIR"
         log_search_name="*"
     fi
@@ -325,7 +331,7 @@ parse_logs() {
             # InterWorx: extract from path /home/user/var/domain.com/logs/transfer*.log
             domain=$(echo "$logfile" | sed -n 's|^/home/.*/var/\([^/]*\)/logs/.*|\1|p')
         elif [ "$SYS_CONTROL_PANEL" = "plesk" ]; then
-            # Plesk: extract from path /var/www/vhosts/system/domain.com/logs/access_log
+            # Plesk: extract from path /var/www/vhosts/system/domain.com/logs/{access_log,access_ssl_log,proxy_*}
             domain=$(echo "$logfile" | sed -n 's|^/var/www/vhosts/system/\([^/]*\)/logs/.*|\1|p')
         else
             # cPanel: extract from filename /var/log/apache2/domlogs/domain.com or domain.com-ssl_log