Review domain access log
Domain access logs can show which pages people are viewing, whether a page loaded, or whether it returned an error. Reviewing a domain's access log can help in troubleshooting issues like DDoS attacks and site compromises.
Why would I need to review this log?
- Your site is not working as intended.
- Your site was compromised.
- Visitors receive errors (e.g., 500, 404) in various sections of your site.
Log location
WHM/cPanel
/usr/local/apache/domlogs/
Plesk
/var/www/vhosts/domain_com/logs
How can I review this log?
SSH
SSH allows you to access, view and manipulate the full log with tools such as vim or grep.
Plesk:
- Log in to Parallels Plesk Panel as admin.
- If necessary, switch to Service Provider view.
- From the Hosting Services menu, select Domains.
- Select the domain name you want to review.
- Select Logs under Dev Tools.
- Choose the log to review from the dropdown menu on the top right (default: all logs).
WHM/cPanel:
There are two sections within cPanel where you can access logs:
- The File Manager in the logs folder.
- Raw Access under Metrics.
Example entries found in a domain access log
127.0.0.1 - - [21/Sep/2021:20:13:53 -0400] "GET /favicon.ico HTTP/1.0" 200 254 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0"
127.0.0.1 - - [19/Jan/2022:17:18:22 -0500] "POST /wp-cron.php?doing_wp_cron=1642630701.8854188919067382812500 HTTP/1.1" 200 3208 "https://acooldomain.com/wp-cron.php?doing_wp_cron=1642630701.8854188919067382812500" "WordPress/5.8.3; https://acooldomain.com"
127.0.0.1 - - [19/Jan/2022:15:06:30 -0500] "GET /?author=2 HTTP/1.1" 404 14103 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36"
What information can you find in this log?
- If a particular visitor or IP address is visiting your site frequently, or attempting something malicious, you may see it here.
- A GET request is from someone viewing content on your site. A POST request indicates that someone is interacting with the site (for example, submitting a contact form or attempting to log in to a website dashboard).
- A POST request repeated frequently and rapidly indicates that someone may be attempting a brute-force login or abusing a contact form.
- If you see numerous 404 errors in this log, a visitor is attempting to visit pages that don't exist.
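The checks in the list above (rapid repeated POSTs, numerous 404s) can be automated once the log is reachable over SSH. The following is an added example, not part of the original article: it parses entries in the format shown on this page and flags both patterns. The function names, thresholds, and sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format, as in the example entries on this page.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"] = e["path"].split("?", 1)[0]  # group requests regardless of query string
    e["status"] = int(e["status"])
    return e

def review(lines, post_limit=5, window=timedelta(seconds=60), notfound_limit=10):
    """Flag POST bursts per (IP, path) and IPs with many 404s. Thresholds are assumptions."""
    recent = defaultdict(deque)   # (ip, path) -> POST timestamps inside the window
    bursts = {}                   # (ip, path) -> largest POST count seen in one window
    notfound = defaultdict(int)   # ip -> number of 404 responses
    for e in filter(None, map(parse, lines)):  # assumes lines are in chronological order
        if e["status"] == 404:
            notfound[e["ip"]] += 1
        if e["method"] == "POST":
            key = (e["ip"], e["path"])
            q = recent[key]
            q.append(e["ts"])
            while e["ts"] - q[0] > window:     # drop POSTs older than the window
                q.popleft()
            if len(q) >= post_limit:
                bursts[key] = max(len(q), bursts.get(key, 0))
    return bursts, {ip: n for ip, n in notfound.items() if n >= notfound_limit}

# Constructed sample lines: six rapid POSTs to a login page, plus one 404 entry.
SAMPLE = [
    f'203.0.113.7 - - [19/Jan/2022:15:06:{s:02d} -0500] "POST /wp-login.php HTTP/1.1" 200 3208 "-" "curl/7.79.1"'
    for s in range(30, 36)
] + ['198.51.100.4 - - [19/Jan/2022:15:06:30 -0500] "GET /?author=2 HTTP/1.1" 404 14103 "-" "Mozilla/5.0"']

if __name__ == "__main__":
    print(review(SAMPLE, notfound_limit=1))
```

To run it against a real log, pass an open file object for the domain's access log as `lines` and adjust the limits to the site's normal traffic.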
Related Steps
Review the PHP error log.
More Info
Find and review web server logs.