diff --git a/server.js b/server.js
index 18f5cba1a..c890b650b 100644
--- a/server.js
+++ b/server.js
@@ -57,7 +57,7 @@ import {
 
 import getWebpackServeMiddleware from './src/middleware/webpack-serve.js';
 import basicAuthMiddleware from './src/middleware/basicAuth.js';
-import whitelistMiddleware from './src/middleware/whitelist.js';
+import whitelistMiddleware, { getAccessLogPath, migrateAccessLog } from './src/middleware/whitelist.js';
 import multerMonkeyPatch from './src/middleware/multerMonkeyPatch.js';
 import initRequestProxy from './src/request-proxy.js';
 import getCacheBusterMiddleware from './src/middleware/cacheBuster.js';
@@ -754,6 +754,7 @@ const preSetupTasks = async function () {
     await checkForNewContent(directories);
     await ensureThumbnailCache();
     cleanUploads();
+    migrateAccessLog();
 
     await settingsInit();
     await statsInit();
@@ -856,7 +857,7 @@ const postSetupTasks = async function (v6Failed, v4Failed, useIPv6, useIPv4) {
     if (listen) {
         console.log();
         console.log('To limit connections to internal localhost only ([::1] or 127.0.0.1), change the setting in config.yaml to "listen: false".');
-        console.log('Check the "access.log" file in the SillyTavern directory to inspect incoming connections.');
+        console.log('Check the "access.log" file in the data directory to inspect incoming connections:', color.green(getAccessLogPath()));
     }
     console.log('\n' + getSeparator(plainGoToLog.length) + '\n');
     console.log(goToLog);
diff --git a/src/middleware/whitelist.js b/src/middleware/whitelist.js
index 395084a9d..cb90328ee 100644
--- a/src/middleware/whitelist.js
+++ b/src/middleware/whitelist.js
@@ -12,6 +12,8 @@ const enableForwardedWhitelist = getConfigValue('enableForwardedWhitelist', fals
 let whitelist = getConfigValue('whitelist', []);
 let knownIPs = new Set();
 
+export const getAccessLogPath = () => path.join(globalThis.DATA_ROOT, 'access.log');
+
 if (fs.existsSync(whitelistPath)) {
     try {
         let whitelistTxt = fs.readFileSync(whitelistPath, 'utf-8');
@@ -46,6 +48,23 @@ function getForwardedIp(req) {
     return undefined;
 }
 
+export function migrateAccessLog() {
+    try {
+        if (!fs.existsSync('access.log')) {
+            return;
+        }
+        const logPath = getAccessLogPath();
+        if (fs.existsSync(logPath)) {
+            return;
+        }
+        fs.renameSync('access.log', logPath);
+        console.log(color.yellow('Migrated access.log to new location:'), logPath);
+    } catch (e) {
+        console.error('Failed to migrate access log:', e);
+        console.info('Please move access.log to the data directory manually.');
+    }
+}
+
 /**
  * Returns a middleware function that checks if the client IP is in the whitelist.
  * @param {boolean} whitelistMode If whitelist mode is enabled via config or command line
@@ -67,9 +86,10 @@ export default function whitelistMiddleware(whitelistMode, listen) {
             knownIPs.add(clientIp);
 
             // Write access log
+            const logPath = getAccessLogPath();
             const timestamp = new Date().toISOString();
             const log = `${timestamp} ${clientIp} ${userAgent}\n`;
-            fs.appendFile('access.log', log, (err) => {
+            fs.appendFile(logPath, log, (err) => {
                 if (err) {
                     console.error('Failed to write access log:', err);
                 }