CyberPanel Main Log File

CyberPanel's main log file contains errors related to CyberPanel operations. If something goes wrong directly in CyberPanel this file should be checked

https://<IP Address>:8090/serverstatus/cyberCPMainLogFile

On the server, this file is located at


Improved and detailed dynamic logging


Run command touch /usr/local/CyberCP/debug, this will start generating more debug logs. If you find any issue with CyberPanel, you can run this command and then capture the output of /home/cyberpanel/error-logs.txt and share it with our support team.


If you want logs in /home/cyberpanel/error-logs.txt to be emailed to you, please run touch /usr/local/CyberCP/emailDebug, you will get logs in your email. (Email of admin account will be used to send these notifications). This also includes notification if CyberPanel fails to obtain SSL for any domain.

LiteSpeed Server Error Logs

This file contains errors logs for webserver (both OpenLiteSpeed and LiteSpeed Enterprise Webserver)

https://<IP Address>:8090/serverlogs/errorLogs

On server this file is located at


LiteSpeed Server Access Logs

This file contains global access logs for webserver (both OpenLiteSpeed and LiteSpeed Enterprise Webserver)

https://<IP Address>:8090/serverlogs/accessLogs

On the server, this file is located at


Email Logs

This file contains email logs for postfix/dovecot.

https://<IP Address>:8090/serverlogs/emaillogs

On the server, this file is located at


FTP Logs

This file contains FTP logs.

https://<IP Address>:8090/serverlogs/ftplogs

On the server, this file is located at


ModSecurity Audit Logs

ModSecurity audit logs from LiteSpeed Server. (This file is populated if ModSecurity is enabled)

https://<IP Address>:8090/serverlogs/modSecAuditLogs

On the server this file is located at


Starting version 1.6.2 stable you can now enable OWASP and Comodo Mod Security rules via one click.

Navigate to → https://<IP Address>:8090/firewall/modSecRulesPacks


Click the switch and it will turn on OWASP Rules, to verify if OWASP rules are installed successfully, open:

http://example.com/?a=b AND 1=1

You should get 403 Forbidden error, you can also see your ModSecurity Audit logs:

ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "17"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data:  found within ARGS:a: b AND 1=1"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"] [ref "v8,9t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:removeComments"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "dev.cyberpanel.net"] [uri "/"] [unique_id "152317238285.808317"] [ref ""]

You can notice that rule from REQUEST-949-BLOCKING-EVALUATION.conf is triggered if you disable this file, you will not be getting 403 error.

Disable Rule Files

Once OWASP or Comodo rules are enabled you can also enable or disable individual rule files.


Later we will be having auto installation of Comodo and Owasp rules.

Add Rules

To add individual rules, you can navigate to: https://<IP Address>:8090/firewall/modSecRules

By default there is one rule defined:

SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access' ,log,auditlog,deny"

To test the functionality of this rule add folloing to end of your URL '?abc=../../ you should get 403 Forbidden, which means your ModSecurity installation went successfull.

You can add further rules to this file and save to apply changes.

Once you open: https://<IP Address>:8090/firewall/modSecurity

You will see something like:

There are seven options, lets discuss them.

ModSecurity Status

This is the only option controlled by OpenLiteSpeed web server, once you turn this off nothing related to ModSecurity will work, this should be turned On for ModSecurity to function.


ModSecurity can generate extensive logs for HTTP requests in the Audit log file, this option states weather you need extensive logging or not. You can read more details here.


Weather to process rules you have defined in the rules files or not, if ModSecurity Status is turned off this option does not make any effects.


Levels of debug logs you need, 9 being the highest level of logging. More details here.


If `SecAuditEngine` is turned on you can decide here which parts of HTTP trasaction you want to be logged into audit log file, more details here.


Related to Audit logging more details here.


How Audit logging should be done, more details here.

By default, ModSecurity is not installed, but once you first try to configure ModSecurity CyberPanel prompt for ModSecurity installation.

Open → https://<IP Address>:8090/firewall/modSecurity


Clicking 'Install Now' will start the installation, if installation is successful it will refresh your page and let you configure ModSecurity settings, which looks something like: