Apache log files are in directory owned by web user
The Apache log files are placed in a directory in /var/log/ispconfig/httpd whose owner/group is set to web*:client*. Although the log files themselves are owned by root:root (well, except error.log, which belongs to the web user, too), they can still be deleted and replaced by the user. This might be undesirable from an auditing point of view.
This also opens up the system to various kinds of symlink attacks, as the log files are written to by vlogger (run as root). vlogger does check for symlinks, but its reaction to finding one is simply to die, which makes Apache restart it. This could potentially lead to a high load. More importantly, the check is done in a non-atomic manner, making it circumventable with some effort.
AFAICS, the directory ownership as well as the ownership of error.log can simply be changed to root:root, without breaking any important functionality, thereby evading the above-mentioned problems easily.
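The atomic alternative to a check-then-open symlink test, as an added example that is not part of the original report and is not vlogger's or ISPConfig's code: the kernel refuses the symlink at open time, and the remaining checks run on the opened descriptor rather than on the name. The names `open_log_atomic`, `parent_dir_trusted` and `UnsafeLogTarget` are hypothetical, and the sample directory is constructed.

```python
import errno
import os
import stat
import tempfile


class UnsafeLogTarget(Exception):
    """The path is not a plain, singly linked regular file."""


def parent_dir_trusted(path, trusted_uids=frozenset({0})):
    """True if only a trusted uid can create, delete or rename entries beside `path`."""
    st = os.stat(os.path.dirname(os.path.abspath(path)))
    return st.st_uid in trusted_uids and not st.st_mode & 0o022


def open_log_atomic(path, mode=0o640):
    """Open `path` for appending with no gap between the check and the open."""
    # O_NOFOLLOW: the kernel refuses a symlink in the final component.
    # O_NONBLOCK: a planted FIFO fails with ENXIO instead of blocking the logger.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags, mode)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # Linux / some BSDs
            raise UnsafeLogTarget(f"{path}: symlink refused") from exc
        raise
    # Inspect the object that was actually opened, not the name.
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
        os.close(fd)
        raise UnsafeLogTarget(f"{path}: not a singly linked regular file")
    return fd


if __name__ == "__main__":
    # Constructed sample: a scratch directory standing in for a site's log directory.
    site_dir = tempfile.mkdtemp()
    decoy = os.path.join(site_dir, "decoy")
    open(decoy, "w").close()
    os.symlink(decoy, os.path.join(site_dir, "access.log"))
    for name in ("access.log", "error.log"):
        try:
            os.close(open_log_atomic(os.path.join(site_dir, name)))
            print(name, "opened")
        except UnsafeLogTarget as exc:
            print("refused:", exc)
    print("directory root-only:", parent_dir_trusted(decoy))
```

`O_NOFOLLOW` only covers the final path component, so it complements the root:root directory ownership proposed above rather than replacing it.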