# System Log Paths Reference

## Complete mapping of all log files across all supported platforms

**Generated from**: `lib/log-paths.sh`
**Last Updated**: 2026-03-20

---

## Overview

All scripts should reference log paths via environment variables set during system detection. These variables are automatically derived based on the detected:

- Control panel (cPanel, Plesk, InterWorx, Standalone)
- Operating System (RHEL/CentOS/AlmaLinux vs Ubuntu/Debian)
- Services installed (Apache, Nginx, MySQL, Exim, etc.)

### Variable Naming Convention

```
SYS_LOG__
    └─ Examples: SYS_LOG_WEB_ACCESS, SYS_LOG_MAIL_MAIN, SYS_LOG_FIREWALL
```

---

## Web Server Logs

### Domain/Virtual Host Logs (Per-Domain)

```
Variable: SYS_LOG_WEB_DOMAIN_ACCESS
Variable: SYS_LOG_WEB_DOMAIN_ERROR

By Platform:
├─ cPanel (all OS):   /var/log/apache2/domlogs/
│  ├─ Access:         /var/log/apache2/domlogs/DOMAIN
│  └─ Error:          /var/log/apache2/domlogs/DOMAIN-error_log
├─ Plesk (all OS):    /var/www/vhosts/system/ or /var/www/vhosts/
│  └─ Structure:      system/DOMAIN/logs/ (v18.0.50+)
├─ InterWorx:         /home/USER/var/DOMAIN/logs/
│  ├─ Access:         transfer.log
│  └─ Error:          error_log
└─ Standalone:        (No per-domain logs)
```

### Main Server Logs

```
Variable: SYS_LOG_WEB_ACCESS
Variable: SYS_LOG_WEB_ERROR

By Web Server + OS:
├─ Apache + Ubuntu/Debian:
│  ├─ Access:         /var/log/apache2/access.log
│  └─ Error:          /var/log/apache2/error.log
├─ Apache + RHEL/CentOS/AlmaLinux:
│  ├─ Access:         /var/log/httpd/access_log
│  └─ Error:          /var/log/httpd/error_log
├─ Nginx + Ubuntu/Debian:
│  ├─ Access:         /var/log/nginx/access.log
│  └─ Error:          /var/log/nginx/error.log
├─ Nginx + RHEL/CentOS:
│  ├─ Access:         /var/log/nginx/access.log
│  └─ Error:          /var/log/nginx/error.log
└─ LiteSpeed:
   ├─ Access:         /usr/local/lsws/logs/access.log
   └─ Error:          /usr/local/lsws/logs/error.log
```

---

## Authentication Logs

### SSH, Sudo, Login Records

```
Variable: SYS_LOG_AUTH
Variable: SYS_LOG_WTMP  (who/login records - binary)
Variable: SYS_LOG_BTMP  (failed login attempts - binary)
Variable: SYS_LOG_SSH   (alias for SYS_LOG_AUTH)

By OS:
├─ Ubuntu / Debian:
│  ├─ Auth/SSH:       /var/log/auth.log
│  ├─ Wtmp:           /var/log/wtmp
│  └─ Btmp:           /var/log/btmp
└─ RHEL / CentOS / AlmaLinux / CloudLinux:
   ├─ Auth/SSH:       /var/log/secure
   ├─ Wtmp:           /var/log/wtmp
   └─ Btmp:           /var/log/btmp
```

---

## Mail System Logs

### Mail Server Main Log

```
Variable: SYS_LOG_MAIL_MAIN
Variable: SYS_LOG_MAIL_REJECT  (Exim only)
Variable: SYS_LOG_MAIL_PANIC   (Exim only)
Variable: SYS_MAIL_QUEUE_DIR   (Queue directory)

By Mail System:
├─ Exim (cPanel, InterWorx):
│  ├─ Main:           /var/log/exim_mainlog
│  ├─ Reject:         /var/log/exim_rejectlog
│  ├─ Panic:          /var/log/exim_paniclog
│  └─ Queue:          /var/spool/exim
├─ Postfix (Plesk default):
│  ├─ Ubuntu:         /var/log/mail.log
│  ├─ RHEL:           /var/log/maillog
│  └─ Queue:          /var/spool/postfix
└─ Sendmail:
   ├─ Ubuntu:         /var/log/mail.log
   ├─ RHEL:           /var/log/maillog
   └─ Queue:          /var/spool/mqueue
```

---

## Firewall Logs

### Active Firewall Logs

```
Variable: SYS_LOG_FIREWALL
Variable: SYS_LOG_FIREWALL_BLOCK  (Block events)

By Firewall:
├─ CSF (ConfigServer Firewall):
│  └─ Main:           /var/log/lfd.log
├─ firewalld:
│  └─ Log:            /var/log/firewalld (or journalctl)
├─ iptables:
│  └─ Log:            /var/log/messages (RHEL) or /var/log/syslog (Debian)
├─ UFW:
│  └─ Log:            /var/log/syslog (Debian) or /var/log/messages (RHEL)
└─ Plesk built-in:
   └─ Log:            /var/log/swsoft/swsoft.log
```

---

## Control Panel Logs

### Panel Service Logs

```
Variable: SYS_LOG_PANEL
Variable: SYS_LOG_PANEL_ERROR
Variable: SYS_LOG_PANEL_ACCESS

By Control Panel:
├─ cPanel:
│  ├─ Directory:      /usr/local/cpanel/logs/
│  ├─ Error:          /usr/local/cpanel/logs/error_log
│  └─ Access:         /usr/local/cpanel/logs/access_log
├─ Plesk:
│  ├─ Directory:      /var/log/plesk/
│  ├─ Main:           /var/log/plesk/panel.log
│  └─ Error:          /var/log/plesk/panel.log
├─ InterWorx:
│  ├─ Directory:      /home/interworx/var/log/
│  ├─ Error:          /home/interworx/var/log/iworx.log
│  └─ Access:         /home/interworx/var/log/siteworx.log
└─ Standalone:        (No control panel logs)
```

---

## Database Logs

### MySQL/MariaDB Logs

```
Variable: SYS_LOG_DB_ERROR
Variable: SYS_LOG_DB_SLOW  (Slow query log)

By Database + OS:
├─ MySQL/MariaDB + Ubuntu/Debian:
│  ├─ Error:          /var/log/mysql/error.log
│  └─ Slow:           /var/log/mysql/slow.log
├─ MySQL + RHEL/CentOS:
│  ├─ Error:          /var/log/mysqld.log
│  └─ Slow:           /var/log/mysql/slow.log
├─ MariaDB + RHEL/CentOS:
│  ├─ Error:          /var/log/mariadb/mariadb.log
│  └─ Slow:           /var/log/mysql/slow.log
└─ PostgreSQL:
   ├─ Ubuntu:         /var/log/postgresql/postgresql.log
   └─ RHEL:           /var/log/pgsql/postgresql.log
```

---

## Security Scanner Logs

### Malware/Security Tool Logs

```
Variable: SYS_LOG_CLAMAV    (ClamAV antivirus)
Variable: SYS_LOG_MALDET    (Linux Malware Detect)
Variable: SYS_LOG_RKHUNTER  (Rootkit Hunter)
Variable: SYS_LOG_IMUNIFY   (Imunify360)

Standard Locations:
├─ ClamAV:            /var/log/clamav/clamscan.log
├─ Maldet:            /var/log/maldet.log
├─ Rkhunter:          /var/log/rkhunter.log
└─ Imunify:           /var/log/imunify360/ or /var/log/imunifyav/
```

---

## System Logs

### OS-Level System Messages

```
Variable: SYS_LOG_SYSTEM    (Main system log)
Variable: SYS_LOG_MESSAGES  (Alias for SYS_LOG_SYSTEM)
Variable: SYS_LOG_KERN      (Kernel messages)
Variable: SYS_LOG_AUDIT     (Audit log)
Variable: SYS_LOG_PKG_MGR   (Package manager log)

By OS:
├─ Ubuntu / Debian:
│  ├─ System:         /var/log/syslog
│  ├─ Kernel:         /var/log/kern.log
│  ├─ Audit:          /var/log/audit/audit.log
│  └─ Package:        /var/log/apt/history.log
└─ RHEL / CentOS / AlmaLinux / CloudLinux:
   ├─ System:         /var/log/messages
   ├─ Kernel:         /var/log/kern.log
   ├─ Audit:          /var/log/audit/audit.log
   └─ Package:        /var/log/yum.log
```

---

## PHP Logs

### PHP Runtime Logs

```
Variable: SYS_LOG_PHP_FPM    (PHP-FPM process manager)
Variable: SYS_LOG_PHP_ERROR  (PHP error log)

Locations:
├─ PHP-FPM:           /var/log/php-fpm/ or /var/log/php-fpm.log
├─ PHP Errors:        /var/log/php-errors.log
└─ cPanel PHP:        /usr/local/php/lib/php.log
```

---

## Service Logs

### Other Services

```
Variable: SYS_LOG_FTP  (FTP/VSFTPD)
Variable: SYS_LOG_DNS  (DNS/Named)

Locations:
├─ VSFTPD:            /var/log/vsftpd.log
└─ Named (DNS):       /var/log/named.log
```

---

## Usage in Scripts

### Example 1: Check Web Access Logs

```bash
#!/bin/bash
source lib/system-variables.sh

# Access domain-specific logs (cPanel)
if [ -n "$SYS_LOG_WEB_DOMAIN_ACCESS" ]; then
    grep "404" "$SYS_LOG_WEB_DOMAIN_ACCESS"/*
fi

# OR access main logs (all platforms)
tail -f "$SYS_LOG_WEB_ACCESS"
```

### Example 2: Check Auth Logs

```bash
#!/bin/bash
source lib/system-variables.sh

# Works on both Ubuntu and RHEL
grep "Failed password" "$SYS_LOG_AUTH"
```

### Example 3: Check Mail Queue

```bash
#!/bin/bash
source lib/system-variables.sh

# Check the mail queue with whichever mail system is installed
if command -v exim >/dev/null 2>&1; then
    exim -bpc        # If Exim
elif command -v postqueue >/dev/null 2>&1; then
    postqueue -p     # If Postfix
fi
```

### Example 4: Monitor Firewall

```bash
#!/bin/bash
source lib/system-variables.sh

# Watch firewall blocks
tail -f "$SYS_LOG_FIREWALL"
```

---

## Script Audit Results

### Scripts Using These Log Paths

**Top 5 scripts that benefit from this:**

1. `live-attack-monitor-v2.sh` (54 log references)
2. `live-attack-monitor.sh` (50 log references)
3. `malware-scanner.sh` (45 log references)
4. `hardware-health-check.sh` (40 log references)
5. `suspicious-login-monitor.sh` (32 log references)

**Plus 40+ other scripts** that reference various log files

---

## Summary Table

| Category | Variable | cPanel | Plesk | InterWorx | Standalone |
|----------|----------|--------|-------|-----------|------------|
| Web Access | SYS_LOG_WEB_ACCESS | /var/log/apache2/domlogs/ | /var/log/apache2 | /home | /var/log/httpd |
| Auth | SYS_LOG_AUTH | /var/log/secure | /var/log/secure | /var/log/secure | /var/log/secure |
| Mail | SYS_LOG_MAIL_MAIN | /var/log/exim_mainlog | /var/log/maillog | /var/log/exim_mainlog | /var/log/maillog |
| Firewall | SYS_LOG_FIREWALL | /var/log/lfd.log | /var/log/swsoft | /var/log/lfd.log | /var/log/messages |
| Database | SYS_LOG_DB_ERROR | /var/log/mysqld.log | /var/log/mysqld.log | /var/log/mysqld.log | /var/log/mysqld.log |
| Panel | SYS_LOG_PANEL | /usr/local/cpanel/logs | /var/log/plesk | /home/interworx/var/log | (none) |

---

## Notes

1. **All paths are automatically derived** during system detection
2. **No scripts should hardcode paths** - always use SYS_LOG_* variables
3. **Mail system detection** identifies Exim, Postfix, or Sendmail and sets appropriate paths
4. **Control panel detection** sets panel-specific log directories
5. **OS detection** handles RHEL vs Debian differences (secure vs auth.log, messages vs syslog)

---

## Updating This Reference

When adding support for a new service or changing paths:

1. Update `lib/log-paths.sh` with the new detection logic
2. Add a `derive__logs()` function
3. Call it from `derive_all_log_paths()`
4. Document the mapping here
5. Update any scripts that reference those logs
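
The update steps above, as an added sketch that is not the project's `lib/log-paths.sh`: a derive function for the auth log that is called from `derive_all_log_paths()`. It probes for the documented Debian and RHEL paths instead of relying on OS detection, and leaves the variables empty when neither exists. The names `first_readable_log` and `derive_auth_logs` and the root-prefix argument (used only to build a test tree) are hypothetical.

```shell
#!/bin/bash
# Added sketch, not project code. Paths come from the Authentication Logs
# section; helper names and the "root" prefix argument are hypothetical.

# Echo the first candidate that is a readable regular file under $root.
first_readable_log() {
    local root="$1"
    local p
    shift
    for p in "$@"; do
        if [ -f "$root$p" ] && [ -r "$root$p" ]; then
            printf '%s\n' "$root$p"
            return 0
        fi
    done
    return 1
}

# Debian-family path first, then RHEL-family; empty when neither exists,
# so callers can guard with [ -n "$SYS_LOG_AUTH" ] instead of hardcoding.
derive_auth_logs() {
    local root="${1:-}"
    SYS_LOG_AUTH="$(first_readable_log "$root" /var/log/auth.log /var/log/secure)" \
        || SYS_LOG_AUTH=""
    SYS_LOG_SSH="$SYS_LOG_AUTH"        # alias, as documented above
    export SYS_LOG_AUTH SYS_LOG_SSH
}

derive_all_log_paths() {
    derive_auth_logs "$@"
}

# Demo on a constructed RHEL-style tree; prints the path relative to it.
demo_derive() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/var/log"
    : > "$root/var/log/secure"
    derive_all_log_paths "$root"
    printf '%s\n' "${SYS_LOG_AUTH#"$root"}"
    rm -rf "$root"
}

demo_derive
```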
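
Going one step past the `grep "Failed password"` in Example 2, this added example (not code from the project) counts failed SSH passwords per source address from the file `SYS_LOG_AUTH` points to. The function name is hypothetical and the log lines are constructed. Because the username in these lines is chosen by the remote client, the address is read from the fixed `from IP port N ssh2` trailer rather than from the first `from` on the line.

```shell
#!/bin/bash
# Added example, not project code. Function names are hypothetical.

# Print "<count> <ip>" for each source with at least $2 failed passwords.
# $1 defaults to $SYS_LOG_AUTH (auth.log on Debian, secure on RHEL).
failed_ssh_by_ip() {
    local log="${1:-${SYS_LOG_AUTH:-}}"
    local min="${2:-1}"
    if [ -z "$log" ] || [ ! -r "$log" ]; then
        echo "auth log not set or unreadable" >&2
        return 1
    fi
    # Anchor on the end of the line: the username field is client-supplied
    # and may itself contain the word "from" and an address.
    awk -v min="$min" '
        /sshd.*Failed password for / && NF >= 5 &&
        $NF == "ssh2" && $(NF-2) == "port" && $(NF-4) == "from" { hits[$(NF-3)]++ }
        END { for (ip in hits) if (hits[ip] >= min) printf "%d %s\n", hits[ip], ip }
    ' "$log" | sort -k1,1nr -k2,2
}

# Demo on constructed log lines (documentation address ranges only).
demo_failed_ssh() {
    local tmp
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
Mar 20 10:01:02 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 20 10:01:05 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 20 10:01:09 web1 sshd[1207]: Failed password for invalid user x from 192.0.2.1 from 198.51.100.7 port 40022 ssh2
Mar 20 10:02:00 web1 sshd[1210]: Accepted password for deploy from 198.51.100.9 port 40100 ssh2
Mar 20 10:02:11 web1 sshd[1215]: Failed password for root from 203.0.113.5 port 51240 ssh2
EOF
    failed_ssh_by_ip "$tmp" "${1:-1}"
    rm -f "$tmp"
}

demo_failed_ssh
```

The third sample line carries a username containing `from 192.0.2.1`; a parser keyed on the first `from` would attribute that failure to the wrong address.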