Downloading Raw Access Logs

Raw access logs contain a record of every HTTP request made to your website. Each line represents one request, including the visitor's IP address, the requested URL, the response code, and the browser/user agent. These logs are invaluable for detailed traffic analysis, debugging, and security investigations.

Please note: Screens and options may vary slightly depending on your cPanel version and hosting plan.

Downloading Raw Access Logs

1. Log in to your cPanel account.
2. In the Metrics section, click Raw Access.
3. Click the domain name to download the current log file as a compressed archive.
4. Archived (previous month) logs may also be available for download.

Configuring Log Archiving

On the Raw Access page, you can configure:

• Archive Logs in your home directory — Stores compressed log archives at the end of each month.
• Remove the previous month's archived logs — Automatically deletes last month's archive (saves disk space but loses historical data).

Understanding Log Format

Each line follows the Apache Combined Log Format:

203.0.113.50 - - [16/Feb/2026:10:30:45 +0000] "GET /index.html HTTP/1.1" 200 5423 "https://www.google.com" "Mozilla/5.0 ..."

| Field | Meaning | |-------|---------| | 203.0.113.50 | Visitor's IP address | | [16/Feb/2026:10:30:45 +0000] | Date and time of the request | | GET /index.html HTTP/1.1 | The request method, URL, and protocol | | 200 | HTTP response code (200 = success) | | 5423 | Size of the response in bytes | | https://www.google.com | Referrer (where the visitor came from) | | Mozilla/5.0 ... | The visitor's browser/user agent |

Useful Command-Line Analysis

If you have SSH access:

# Count total requests today
wc -l ~/logs/yourdomain.com

# Top 10 IP addresses by request count
awk '{print $1}' ~/logs/yourdomain.com | sort | uniq -c | sort -rn | head -10

# Top 10 most requested URLs
awk '{print $7}' ~/logs/yourdomain.com | sort | uniq -c | sort -rn | head -10

# Find all 404 errors
awk '$9 == 404' ~/logs/yourdomain.com

# Find requests from a specific IP
grep "203.0.113.50" ~/logs/yourdomain.com

Tips

• Raw access logs can grow very large on busy sites. Enable archiving and removal of old logs to manage disk space.
• Access logs are the source data for cPanel's statistics tools (AWStats, Webalizer). If logs are deleted, these tools won't have data to process.
• For real-time monitoring, use tail -f on the log file via SSH.
• If you use Cloudflare or another CDN/proxy, the visitor's real IP may be in a different header. Check with your hosting provider about how this is configured.

What Next?

• Viewing Error Logs — Debug server-side errors.
• Using AWStats for Web Analytics — Processed reports from access logs.

Related Articles

• Viewing Error Logs
• Using AWStats for Web Analytics
• Blocking IP Addresses