CyberPanel Main Log File

CyberPanel's main log file contains errors related to CyberPanel operations. If something goes wrong directly in CyberPanel, this file should be checked:

https://<IP Address>:8090/serverstatus/cyberCPMainLogFile

On the server, this file is located at

/home/cyberpanel/error-logs.txt

Improved and detailed dynamic logging

/usr/local/CyberCP/debug

Run the command touch /usr/local/CyberCP/debug to start generating more detailed debug logs. If you find any issue with CyberPanel, you can run this command, then capture the output of /home/cyberpanel/error-logs.txt and share it with our support team.

/usr/local/CyberCP/emailDebug

If you want the logs in /home/cyberpanel/error-logs.txt to be emailed to you, run touch /usr/local/CyberCP/emailDebug and you will receive the logs by email. (The admin account's email address is used to send these notifications.) This also includes a notification if CyberPanel fails to obtain SSL for any domain.


LiteSpeed Server Error Logs

This file contains error logs for the web server (both OpenLiteSpeed and LiteSpeed Enterprise Web Server).

https://<IP Address>:8090/serverlogs/errorLogs

On the server, this file is located at

/usr/local/lsws/logs/error.log

LiteSpeed Server Access Logs

This file contains global access logs for the web server (both OpenLiteSpeed and LiteSpeed Enterprise Web Server).

https://<IP Address>:8090/serverlogs/accessLogs

On the server, this file is located at

/usr/local/lsws/logs/access.log

Email Logs

This file contains email logs for postfix/dovecot.

https://<IP Address>:8090/serverlogs/emaillogs

On the server, this file is located at

/var/log/maillog

FTP Logs

This file contains FTP logs.

https://<IP Address>:8090/serverlogs/ftplogs

On the server, this file is located at

/var/log/messages

ModSecurity Audit Logs

ModSecurity audit logs from LiteSpeed Server. (This file is populated only if ModSecurity is enabled.)

https://<IP Address>:8090/serverlogs/modSecAuditLogs

On the server, this file is located at

/usr/local/lsws/logs/auditmodsec.log

Starting with version 1.6.2 stable, you can enable the OWASP and Comodo ModSecurity rules with one click.

Navigate to → https://<IP Address>:8090/firewall/modSecRulesPacks

Click the switch to turn on the OWASP rules. To verify that the OWASP rules were installed successfully, open:

http://example.com/?a=b AND 1=1

You should get a 403 Forbidden error. You can also check your ModSecurity audit logs:

ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "17"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data:  found within ARGS:a: b AND 1=1"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"] [ref "v8,9t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:removeComments"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"] [ref ""]

Notice that the rule from REQUEST-949-BLOCKING-EVALUATION.conf is triggered. If you disable this file, you will not get the 403 error.
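The three audit-log entries above share one unique_id, which is what ties the SQLi match (942100) to the rule that actually returned the 403 (949110). The following is an added example, not CyberPanel's or ModSecurity's own code: it parses entries in the format shown above and groups them per transaction. The sample lines are abridged from this page's excerpt, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample entries abridged from the audit-log excerpt on this page (some tags dropped).
SAMPLE = r'''ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "17"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data:  found within ARGS:a: b AND 1=1"] [severity "2"] [tag "attack-sqli"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [tag "attack-generic"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection'"] [severity "0"] [tag "event-correlation"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"]
'''

# Each metadata item looks like: [key "value"]
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# An entry is either a warning or a denial carrying the HTTP status code.
ACTION = re.compile(r'^ModSecurity: (Warning|Access denied with code (\d+))')


def parse_line(line):
    """Return a dict for one ModSecurity entry, or None for any other line."""
    m = ACTION.match(line)
    if not m:
        return None
    event = {"action": "deny" if m.group(2) else "warn",
             "status": int(m.group(2)) if m.group(2) else None,
             "tags": []}
    for key, value in FIELD.findall(line):
        if key == "tag":          # tags repeat, so collect them in a list
            event["tags"].append(value)
        else:
            event[key] = value
    return event


def summarize(text):
    """Group entries by unique_id: which rules matched, which rule denied."""
    txns = defaultdict(lambda: {"blocked_by": None, "status": None, "matched": []})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or "unique_id" not in ev:
            continue
        txn = txns[ev["unique_id"]]
        if ev["action"] == "deny":
            txn["blocked_by"], txn["status"] = ev.get("id"), ev["status"]
        else:
            txn["matched"].append((ev.get("id"), ev.get("msg")))
    return dict(txns)


if __name__ == "__main__":
    for uid, txn in summarize(SAMPLE).items():
        print(uid, "blocked by", txn["blocked_by"], "status", txn["status"])
```

To use it on a server, pass the contents of /usr/local/lsws/logs/auditmodsec.log to summarize(), assuming the entries there have the same layout as the excerpt above.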


Disable Rule Files

Once OWASP or Comodo rules are enabled, you can also enable or disable individual rule files.

Later we will have automatic installation of Comodo and OWASP rules.


Add Rules

To add individual rules, you can navigate to: https://<IP Address>:8090/firewall/modSecRules

By default there is one rule defined:

SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access' ,log,auditlog,deny"

To test this rule, add the following to the end of your URL: ?abc=../../ You should get 403 Forbidden, which means your ModSecurity installation was successful.

You can add further rules to this file and save to apply changes.

Once you open: https://<IP Address>:8090/firewall/modSecurity

You will see something like:

There are seven options; let's discuss them.

ModSecurity Status

This is the only option controlled by the OpenLiteSpeed web server. Once you turn this off, nothing related to ModSecurity will work; it must be turned on for ModSecurity to function.

SecAuditEngine

ModSecurity can generate extensive logs for HTTP requests in the audit log file. This option states whether you need extensive logging or not. You can read more details here.

SecRuleEngine

Whether to process the rules you have defined in the rules files. If ModSecurity Status is turned off, this option has no effect.

SecDebugLogLevel

The level of debug logging you need, 9 being the highest level of logging. More details here.

SecAuditLogParts

If `SecAuditEngine` is turned on, you can decide here which parts of the HTTP transaction you want logged to the audit log file. More details here.

SecAuditLogRelevantStatus

Related to audit logging; more details here.

SecAuditLogType

How audit logging should be done; more details here.

By default, ModSecurity is not installed, but the first time you try to configure ModSecurity, CyberPanel prompts for ModSecurity installation.

Open → https://<IP Address>:8090/firewall/modSecurity

Clicking 'Install Now' will start the installation. If the installation is successful, it will refresh your page and let you configure ModSecurity settings, which look something like: