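#!/bin/bash
#############################################################################
# System Log Paths Mapping
# Derives platform-specific log file locations based on detected system info
# Must be sourced AFTER lib/system-detect.sh has set SYS_* variables
#
# Every SYS_* input is read as "${VAR:-}", matching the source guard below,
# so sourcing this file from a shell running under `set -u` falls through to
# the empty "unknown platform" defaults instead of aborting when detection
# left a variable unset.
#
# The paths exported here are fixed defaults; nothing in this file checks
# that a log exists or is readable, apart from the few directory/file probes
# noted inline. Web, mail and auth logs carry attacker-influenced content, so
# consumers should treat what they read from these paths as untrusted data.
#############################################################################

# Source guard
if [[ -n "${_LOG_PATHS_LOADED:-}" ]]; then
  return 0
fi
readonly _LOG_PATHS_LOADED=1

#############################################################################
# WEB SERVER LOGS
#############################################################################

#######################################
# Exports per-domain and server-wide web server log locations.
# Globals:
#   SYS_CONTROL_PANEL, SYS_WEB_SERVER, SYS_OS_TYPE (read)
#   SYS_LOG_WEB_DOMAIN_ACCESS, SYS_LOG_WEB_DOMAIN_ERROR (exported)
#   SYS_LOG_WEB_ACCESS, SYS_LOG_WEB_ERROR (exported)
# Arguments: none
# Returns:   0
#######################################
derive_web_server_logs() {
  local panel="${SYS_CONTROL_PANEL:-}"
  local server="${SYS_WEB_SERVER:-}"
  local os_type="${SYS_OS_TYPE:-}"
  local domain_dir=""
  local access_log=""
  local error_log=""

  # Domain/vhost access logs
  case "$panel" in
    cpanel)
      # cPanel uses centralized domlogs directory
      domain_dir="/var/log/apache2/domlogs"
      ;;
    plesk)
      # Plesk version 18.0.50+ has different structure
      if [[ -d "/var/www/vhosts/system" ]]; then
        domain_dir="/var/www/vhosts/system"
      else
        domain_dir="/var/www/vhosts"
      fi
      ;;
    interworx)
      # InterWorx stores logs per user/domain.
      # NOTE(review): this is the root of every user home, not a log
      # directory; presumably consumers append the per-user/domain log
      # path - confirm they do not walk user-writable content as if it
      # were trusted log data.
      domain_dir="/home"
      ;;
    *)
      # Standalone - no per-domain logs
      domain_dir=""
      ;;
  esac
  # Access and error logs share one base directory on every panel.
  export SYS_LOG_WEB_DOMAIN_ACCESS="$domain_dir"
  export SYS_LOG_WEB_DOMAIN_ERROR="$domain_dir"

  # Main web server logs (varies by web server and OS)
  case "$server" in
    apache | httpd)
      case "$os_type" in
        ubuntu | debian)
          access_log="/var/log/apache2/access.log"
          error_log="/var/log/apache2/error.log"
          ;;
        *)
          # RHEL, CentOS, AlmaLinux, CloudLinux
          access_log="/var/log/httpd/access_log"
          error_log="/var/log/httpd/error_log"
          ;;
      esac
      ;;
    nginx)
      # Same location on Debian-family and RHEL-family systems, so no
      # OS branch is needed.
      access_log="/var/log/nginx/access.log"
      error_log="/var/log/nginx/error.log"
      ;;
    litespeed | openlitespeed)
      access_log="/usr/local/lsws/logs/access.log"
      error_log="/usr/local/lsws/logs/error.log"
      ;;
    *)
      access_log=""
      error_log=""
      ;;
  esac
  export SYS_LOG_WEB_ACCESS="$access_log"
  export SYS_LOG_WEB_ERROR="$error_log"
}

#############################################################################
# AUTHENTICATION LOGS
#############################################################################

#######################################
# Exports the authentication log and login-record file locations.
# Globals:
#   SYS_OS_TYPE (read)
#   SYS_LOG_AUTH, SYS_LOG_WTMP, SYS_LOG_BTMP (exported)
# Arguments: none
# Returns:   0
#######################################
derive_auth_logs() {
  case "${SYS_OS_TYPE:-}" in
    ubuntu | debian)
      export SYS_LOG_AUTH="/var/log/auth.log"
      ;;
    *)
      # RHEL, CentOS, AlmaLinux, CloudLinux, Rocky Linux
      export SYS_LOG_AUTH="/var/log/secure"
      ;;
  esac
  # Login records live at the same path on both OS families.
  export SYS_LOG_WTMP="/var/log/wtmp"
  export SYS_LOG_BTMP="/var/log/btmp"
}

#############################################################################
# MAIL SYSTEM LOGS
#############################################################################

#######################################
# Exports mail log locations and the mail queue directory.
# All four output variables are assigned on every call, so a value left
# over from an earlier call or inherited from the environment (for
# example an Exim panic log path on a Postfix host) cannot survive.
# Globals:
#   SYS_MAIL_SYSTEM, SYS_OS_TYPE (read)
#   SYS_LOG_MAIL_MAIN, SYS_LOG_MAIL_REJECT, SYS_LOG_MAIL_PANIC (exported)
#   SYS_MAIL_QUEUE_DIR (exported)
# Arguments: none
# Returns:   0
#######################################
derive_mail_logs() {
  local os_type="${SYS_OS_TYPE:-}"
  local syslog_mail="/var/log/maillog" # RHEL-based default
  local main_log=""
  local reject_log=""
  local panic_log=""
  local queue_dir=""

  if [[ "$os_type" == "ubuntu" || "$os_type" == "debian" ]]; then
    syslog_mail="/var/log/mail.log"
  fi

  case "${SYS_MAIL_SYSTEM:-}" in
    exim)
      # cPanel, InterWorx typically use Exim
      main_log="/var/log/exim_mainlog"
      reject_log="/var/log/exim_rejectlog"
      panic_log="/var/log/exim_paniclog"
      queue_dir="/var/spool/exim"
      ;;
    postfix)
      # Plesk default, or standalone Postfix; no separate reject log
      main_log="$syslog_mail"
      queue_dir="/var/spool/postfix"
      ;;
    sendmail)
      main_log="$syslog_mail"
      queue_dir="/var/spool/mqueue"
      ;;
    *)
      # Unknown mail system: everything stays empty
      ;;
  esac

  export SYS_LOG_MAIL_MAIN="$main_log"
  export SYS_LOG_MAIL_REJECT="$reject_log"
  export SYS_LOG_MAIL_PANIC="$panic_log"
  # Mail queue directory (for queue checks)
  export SYS_MAIL_QUEUE_DIR="$queue_dir"
}

#############################################################################
# FIREWALL LOGS
#############################################################################

#######################################
# Exports the firewall log location and, for CSF, the block log.
# SYS_LOG_FIREWALL_BLOCK is cleared for every firewall other than CSF so
# a stale lfd.log path is never reported for a different firewall.
# Globals:
#   SYS_FIREWALL, SYS_OS_TYPE (read)
#   SYS_LOG_FIREWALL, SYS_LOG_FIREWALL_BLOCK (exported)
# Arguments: none
# Returns:   0
#######################################
derive_firewall_logs() {
  local os_type="${SYS_OS_TYPE:-}"
  local fw_log=""
  local block_log=""

  case "${SYS_FIREWALL:-}" in
    csf)
      fw_log="/var/log/lfd.log"
      block_log="/var/log/lfd.log"
      ;;
    firewalld)
      # firewalld logs to journal, but may have a log file
      if [[ -f "/var/log/firewalld" ]]; then
        fw_log="/var/log/firewalld"
      else
        fw_log="/var/log/messages" # Falls back to syslog
      fi
      ;;
    iptables)
      # iptables logs to syslog/messages
      if [[ "$os_type" == "ubuntu" || "$os_type" == "debian" ]]; then
        fw_log="/var/log/syslog"
      else
        fw_log="/var/log/messages"
      fi
      ;;
    plesk)
      fw_log="/var/log/swsoft/swsoft.log"
      ;;
    *)
      fw_log=""
      ;;
  esac

  export SYS_LOG_FIREWALL="$fw_log"
  export SYS_LOG_FIREWALL_BLOCK="$block_log"
}

#############################################################################
# CONTROL PANEL LOGS
#############################################################################

#######################################
# Exports the control panel log directory plus its error and access logs.
# Globals:
#   SYS_CONTROL_PANEL (read)
#   SYS_LOG_PANEL, SYS_LOG_PANEL_ERROR, SYS_LOG_PANEL_ACCESS (exported)
# Arguments: none
# Returns:   0
#######################################
derive_control_panel_logs() {
  local panel_dir=""
  local panel_error=""
  local panel_access=""

  case "${SYS_CONTROL_PANEL:-}" in
    cpanel)
      panel_dir="/usr/local/cpanel/logs"
      panel_error="/usr/local/cpanel/logs/error_log"
      panel_access="/usr/local/cpanel/logs/access_log"
      ;;
    plesk)
      # Plesk uses one panel.log for both error and access entries
      panel_dir="/var/log/plesk"
      panel_error="/var/log/plesk/panel.log"
      panel_access="/var/log/plesk/panel.log"
      ;;
    interworx)
      panel_dir="/home/interworx/var/log"
      panel_error="/home/interworx/var/log/iworx.log"
      panel_access="/home/interworx/var/log/siteworx.log"
      ;;
    *)
      # No recognised panel: all three stay empty
      ;;
  esac

  export SYS_LOG_PANEL="$panel_dir"
  export SYS_LOG_PANEL_ERROR="$panel_error"
  export SYS_LOG_PANEL_ACCESS="$panel_access"
}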
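#############################################################################
# DATABASE LOGS
#############################################################################

#######################################
# Exports database error and slow-query log locations.
# SYS_* inputs are read as "${VAR:-}" so a caller running under `set -u`
# gets the empty defaults rather than an abort when detection left a
# variable unset.
# Globals:
#   SYS_DB_TYPE, SYS_OS_TYPE (read)
#   SYS_LOG_DB_ERROR, SYS_LOG_DB_SLOW (exported)
# Arguments: none
# Returns:   0
#######################################
derive_database_logs() {
  local db_type="${SYS_DB_TYPE:-}"
  local os_type="${SYS_OS_TYPE:-}"
  local debian_family=0
  local db_error=""
  local db_slow=""

  if [[ "$os_type" == "ubuntu" || "$os_type" == "debian" ]]; then
    debian_family=1
  fi

  case "$db_type" in
    mysql | mariadb)
      if ((debian_family)); then
        db_error="/var/log/mysql/error.log"
      elif [[ "$db_type" == "mariadb" ]]; then
        # RHEL-based MariaDB
        db_error="/var/log/mariadb/mariadb.log"
      else
        # RHEL-based MySQL
        db_error="/var/log/mysqld.log"
      fi
      # Slow query log path is the same on both OS families
      db_slow="/var/log/mysql/slow.log"
      ;;
    postgresql)
      if ((debian_family)); then
        db_error="/var/log/postgresql/postgresql.log"
      else
        db_error="/var/log/pgsql/postgresql.log"
      fi
      db_slow=""
      ;;
    *)
      # Unknown or no database: both stay empty
      ;;
  esac

  export SYS_LOG_DB_ERROR="$db_error"
  export SYS_LOG_DB_SLOW="$db_slow"
}

#############################################################################
# SECURITY SCANNER LOGS
#############################################################################

#######################################
# Exports log locations for ClamAV, Maldet, Rkhunter and Imunify.
# Only the ClamAV and Imunify paths are probed on disk; the fallback
# values and the Maldet/Rkhunter paths are exported without checking
# that the file exists, so consumers must handle a missing file.
# Globals:
#   SYS_LOG_CLAMAV, SYS_LOG_MALDET, SYS_LOG_RKHUNTER (exported)
#   SYS_LOG_IMUNIFY (exported)
# Arguments: none
# Returns:   0
#######################################
derive_security_logs() {
  local clamav_log="/var/log/clamav.log"
  local imunify_log="/var/log/imunify.log"

  # ClamAV
  if [[ -f "/var/log/clamav/clamscan.log" ]]; then
    clamav_log="/var/log/clamav/clamscan.log"
  fi
  export SYS_LOG_CLAMAV="$clamav_log"

  # Maldet
  export SYS_LOG_MALDET="/var/log/maldet.log"

  # Rkhunter
  export SYS_LOG_RKHUNTER="/var/log/rkhunter.log"

  # Imunify: the 360 directory wins over the AV directory when both exist
  if [[ -d "/var/log/imunify360" ]]; then
    imunify_log="/var/log/imunify360"
  elif [[ -d "/var/log/imunifyav" ]]; then
    imunify_log="/var/log/imunifyav"
  fi
  export SYS_LOG_IMUNIFY="$imunify_log"
}

#############################################################################
# SYSTEM LOGS
#############################################################################

#######################################
# Exports syslog, kernel, package manager and audit log locations.
# Globals:
#   SYS_OS_TYPE (read)
#   SYS_LOG_SYSTEM, SYS_LOG_MESSAGES, SYS_LOG_KERN (exported)
#   SYS_LOG_PKG_MGR, SYS_LOG_AUDIT (exported)
# Arguments: none
# Returns:   0
#######################################
derive_system_logs() {
  case "${SYS_OS_TYPE:-}" in
    ubuntu | debian)
      export SYS_LOG_SYSTEM="/var/log/syslog"
      export SYS_LOG_MESSAGES="/var/log/syslog"
      export SYS_LOG_PKG_MGR="/var/log/apt/history.log"
      ;;
    *)
      # RHEL-based
      export SYS_LOG_SYSTEM="/var/log/messages"
      export SYS_LOG_MESSAGES="/var/log/messages"
      # NOTE(review): dnf-based releases write package history to
      # /var/log/dnf.log and /var/log/dnf.rpm.log rather than yum.log;
      # confirm consumers cope with this file being absent there, or
      # package install/removal history will be missed during review.
      export SYS_LOG_PKG_MGR="/var/log/yum.log"
      ;;
  esac
  # Same kernel log path is exported for both OS families.
  # NOTE(review): a stock RHEL-family rsyslog setup appears to route
  # kernel messages to /var/log/messages - confirm kern.log exists on
  # those targets.
  export SYS_LOG_KERN="/var/log/kern.log"

  # Audit log (standard across all)
  export SYS_LOG_AUDIT="/var/log/audit/audit.log"
}

#############################################################################
# PHP LOGS
#############################################################################

#######################################
# Exports PHP-FPM and PHP error log locations.
# Globals:
#   SYS_CONTROL_PANEL (read)
#   SYS_LOG_PHP_FPM, SYS_LOG_PHP_ERROR (exported)
# Arguments: none
# Returns:   0
#######################################
derive_php_logs() {
  local fpm_log="/var/log/php-fpm.log"
  local php_error="/var/log/php-errors.log"

  # PHP-FPM error log: a directory when it exists, otherwise a single file
  if [[ -d "/var/log/php-fpm" ]]; then
    fpm_log="/var/log/php-fpm"
  fi
  export SYS_LOG_PHP_FPM="$fpm_log"

  # PHP error log (from ini, but common defaults)
  if [[ "${SYS_CONTROL_PANEL:-}" == "cpanel" ]]; then
    php_error="/usr/local/php/lib/php.log"
  fi
  export SYS_LOG_PHP_ERROR="$php_error"
}

#############################################################################
# SERVICE-SPECIFIC LOGS
#############################################################################

#######################################
# Exports FTP, DNS and SSH log locations.
# Globals:
#   SYS_OS_TYPE (read)
#   SYS_LOG_FTP, SYS_LOG_DNS, SYS_LOG_SSH (exported)
# Arguments: none
# Returns:   0
#######################################
derive_service_logs() {
  # FTP
  export SYS_LOG_FTP="/var/log/vsftpd.log"

  # DNS
  export SYS_LOG_DNS="/var/log/named.log"

  # SSH (same as auth)
  case "${SYS_OS_TYPE:-}" in
    ubuntu | debian)
      export SYS_LOG_SSH="/var/log/auth.log"
      ;;
    *)
      export SYS_LOG_SSH="/var/log/secure"
      ;;
  esac
}

#############################################################################
# MAIN DERIVATION FUNCTION
#############################################################################

#######################################
# Runs every derive_* function in this file, in a fixed order.
# Globals:   all SYS_LOG_* variables set by the derive_* functions
# Arguments: none
# Returns:   status of the last derive_* call
#######################################
derive_all_log_paths() {
  derive_web_server_logs
  derive_auth_logs
  derive_mail_logs
  derive_firewall_logs
  derive_control_panel_logs
  derive_database_logs
  derive_security_logs
  derive_system_logs
  derive_php_logs
  derive_service_logs
}

# Auto-run if sourced with detection complete
if [[ -n "${SYS_DETECTION_COMPLETE:-}" ]]; then
  derive_all_log_paths
fi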