cPanel & WHM Version 98 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!
This object is in archive! 

Offer to retain access logs for one month by default. (Offer is shown in the Feature Showcase)

Feature Importer shared this idea 9 years ago
Completed

As a Server Administrator, I want better Apache Log Rotation, so that I can use Apache logs for post-compromise forensics.


Something anything more than [a maximum of] 24 hours of domlogs kept by default. Even a default of three days would be infinitely better than the current situation. Even making it default to archive them in the users home directory (as the user level cPanel option for raw access lgos does) would be infinitely better than the current situation.


This is a feature that has been migrated over from the cPanel Forums. All previous comments and discussions concerning this feature can be located at:

http://forums.cpanel.net/f145/logs-should-not-count-against-disk-quota-241452.html#post993762

Replies (11)

photo
2

This should be a part of an overall domlog rotation scheme including options such as:

keep logs for X days

keep separate apache error logs per domain (same as access logs)

compress rotated logs

photo
2

This should be a part of an overall domlog rotation scheme including options such as:

keep logs for X days

keep separate apache error logs per domain (same as access logs)

compress rotated logs

photo
2

This is supposed to already be on the roadmap as per the comment here http://forums.cpanel.net/f145/tweak-settings-store-access-logs-past-x-days-case-53120-a-232352.html#post979852 ... but it seems it never happened

photo
3

This feature is desperately needed.

photo
2

Until cPanel implement this the best solution I've found (without using anything unsupported by cPanel) is to augment postwwwacct to create a ~user/.cpanel-logs file containing:


archive-logs=1

remove-old-archived-logs=1


That'll give you a months worth of logs in ~user/logs/ (also owned by the user so potentially susceptible to modification by an attacker - but in practice I never found an attacker who went to such lengths). The logs are compressed so even busy sites won't use up *too* much disk space.


It's quite feasible to add such a file to existing accounts, too, taking care not to clobber any existing settings your users may have set.

photo
1

Thanks for that info tomin. I put together a bash script to do exactly that. I opted to use a file in /root/cpanel3-skel/ to handle new accounts instead of using postwwwacct. While I would much prefer to see cPanel implement a feature for this (and change the default setting, so systems in production stop losing their logs by default), this is an acceptable alternative in the mean time.


if anyone wants the script it is at http://67.43.2.69/domlogs.txt (change .txt to .sh if you want to wget it directly to a server). bash domlogs.sh will echo usage instructions. It uses /var/cpanel/users/ for a list of users, so if DNS zones are owned by "system" you'll see a harmless error that /home/system doesn't exist. Standard own risk / not responsible / etc applies. I tested this on centos 4, 5, and 6.

photo
2

I *love* the use of the skeleton directory for new .cpanel-logs files - I hadn't considered that at all. That's much cleaner than messing around with postwwwacct.


If you have resellers, remember they may also have their own skeleton directories.


Good stuff, quizknows!

photo
2

Yes, we really must have this feature with configurable X days value to keep logs.


For example rotate daily, compress, and keep archives for 10 days.


I don't think those archives should be keept in user account, and shouldn't be owned by user.


I would just add that it's very importat that they are always keept for defined X days even at the end of the month. For now there is no way to do that since all "log keeping and archiving" options will always remove logs at end of the month which is very bad.

photo
11

Along with the above suggestions, having cPanel default to keeping 7 days of logs would probably be a good idea so we aren't setting up logging after a hack.

photo
1

Meh... real sysadmins use Splunk

photo
1

Happy to see this marked as in progress, please remember to seek input though before getting too far so that the community can help ensure that the development is going in a good direction to meet our needs.

Replies have been locked on this page!