Organization event logs
Table of Contents
- What are event logs?
- Where can I access event logs?
- What information is contained in event logs?
- GitHub Link
What are event logs?
Event logs are time-stamped records that contain detailed information about what occurs within an organization. These logs are often used to research changes in credentials or configuration, and are also helpful with troubleshooting.
Where can I access event logs?
Inside the Web Vault navigate to your Organization → Manage → Event logs.
You can search for up to 30 days of log events that scroll continuously.
{% image organizations/event-logs.png Web Vault Management %}
To gather more data, plans with API access can use the Bitwarden API. API responses will contain the type of event (enums referenced below) and relevant data.
Example:
{
  "object": "list",
  "data": [
    {
      "object": "event",
      "type": 1000,
      "itemId": "3767a302-8208-4dc6-b842-030428a1cfad",
      "collectionId": "bce212a4-25f3-4888-8a0a-4c5736d851e0",
      "groupId": "f29a2515-91d2-4452-b49b-5e8040e6b0f4",
      "policyId": "f29a2515-91d2-4452-b49b-5e8040e6b0f4",
      "memberId": "e68b8629-85eb-4929-92c0-b84464976ba4",
      "actingUserId": "a2549f79-a71f-4eb9-9234-eb7247333f94",
      "date": "2020-07-06T17:25:50.932Z",
      "device": 0,
      "ipAddress": "172.16.254.1"
    }
  ],
  "continuationToken": "string"
}
What information is contained in event logs?
Log data contains different events based on the action and level of action taken. Below are the items currently captured in the Event logs.
User events
User_LoggedIn = 1000
User_ChangedPassword = 1001
User_Updated2fa = 1002
User_Disabled2fa = 1003
User_Recovered2fa = 1004
User_FailedLogIn = 1005
User_FailedLogIn2fa = 1006
User_ClientExportedVault = 1007
Item events
Cipher_Created = 1100
Cipher_Updated = 1101
Cipher_Deleted = 1102
Cipher_AttachmentCreated = 1103
Cipher_AttachmentDeleted = 1104
Cipher_Shared = 1105
Cipher_UpdatedCollections = 1106
Cipher_ClientViewed = 1107
Cipher_ClientToggledPasswordVisible = 1108
Cipher_ClientToggledHiddenFieldVisible = 1109
Cipher_ClientToggledCardCodeVisible = 1110
Cipher_ClientCopiedPassword = 1111
Cipher_ClientCopiedHiddenField = 1112
Cipher_ClientCopiedCardCode = 1113
Cipher_ClientAutofilled = 1114
Cipher_SoftDeleted = 1115
Cipher_Restored = 1116
Collection events
Collection_Created = 1300
Collection_Updated = 1301
Collection_Deleted = 1302
Group events
Group_Created = 1400
Group_Updated = 1401
Group_Deleted = 1402
Organization events
OrganizationUser_Invited = 1500
OrganizationUser_Confirmed = 1501
OrganizationUser_Updated = 1502
OrganizationUser_Removed = 1503
OrganizationUser_UpdatedGroups = 1504
Organization_Updated = 1600
Organization_PurgedVault = 1601
Policy_Updated = 1700
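The following is an added example, not Bitwarden's own code, showing one way to triage API responses of the shape shown earlier: it follows continuationToken across pages, counts failed logins per IP address, and collects sensitive events by the enum values listed above. The fetch_page callable, the choice of alert-worthy types, the threshold, the end-of-list condition, and the sample events are assumptions constructed for illustration.

```python
from collections import Counter

# Type values copied from this page's enumerations; alerting on them is a local policy assumption.
EVENT_NAMES = {1003: "User_Disabled2fa", 1004: "User_Recovered2fa",
               1007: "User_ClientExportedVault", 1601: "Organization_PurgedVault",
               1700: "Policy_Updated"}
FAILED_LOGIN_TYPES = {1005, 1006}  # User_FailedLogIn, User_FailedLogIn2fa

def iter_events(fetch_page):
    """Yield events from every page, following continuationToken until it is empty."""
    token = None
    while True:
        page = fetch_page(token)  # hypothetical callable wrapping the HTTP request
        yield from page.get("data", [])
        token = page.get("continuationToken")
        if not token:  # assumption: a missing or empty token marks the last page
            return

def triage(events, failed_threshold=3):
    """Return (alerts, noisy_ips): sensitive events, and IPs with repeated failed logins."""
    alerts, failures = [], Counter()
    for ev in events:
        etype = ev.get("type")
        if etype in FAILED_LOGIN_TYPES:
            failures[ev.get("ipAddress")] += 1
        elif etype in EVENT_NAMES:
            alerts.append({"event": EVENT_NAMES[etype],
                           **{k: ev.get(k) for k in ("date", "actingUserId", "ipAddress")}})
    noisy_ips = {ip: n for ip, n in failures.items() if n >= failed_threshold}
    return alerts, noisy_ips

def _ev(etype, user, ip, date):  # builds a constructed sample event
    return {"object": "event", "type": etype, "actingUserId": user,
            "ipAddress": ip, "date": date}

# Constructed sample responses (not real data), keyed by the token that requests them.
SAMPLE_PAGES = {
    None: {"object": "list", "continuationToken": "page-2", "data": [
        _ev(1005, None, "203.0.113.7", "2020-07-06T17:25:50.932Z"),
        _ev(1005, None, "203.0.113.7", "2020-07-06T17:25:52.101Z"),
        _ev(1000, "user-a", "198.51.100.4", "2020-07-06T17:30:00.000Z")]},
    "page-2": {"object": "list", "continuationToken": None, "data": [
        _ev(1006, None, "203.0.113.7", "2020-07-06T17:31:10.000Z"),
        _ev(1003, "user-a", "198.51.100.4", "2020-07-06T17:32:00.000Z"),
        _ev(1007, "user-a", "198.51.100.4", "2020-07-06T17:33:00.000Z"),
        _ev(1005, None, "198.51.100.9", "2020-07-06T17:40:00.000Z")]},
}

if __name__ == "__main__":
    print(triage(iter_events(SAMPLE_PAGES.__getitem__)))
```

With the constructed pages, the single failed login from 198.51.100.9 stays below the threshold, while the three failures from 203.0.113.7 span both pages and are only caught because pagination is followed to the end.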
GitHub Link
To see the most current enumerations and data model for event logs, please see the below project file
SIEM and external system integrations
When exporting data from Bitwarden into other systems, a combination of the API and the CLI may be used to gather data.
For example, the Bitwarden RESTful API endpoints below return data about the structure of the organization:
- GET /public/members returns the Members, Ids, and assigned groupIds
- GET /public/groups returns all the Groups, Ids, assigned Collections, and their permissions
- GET /public/collections returns all Collections, and their assigned Groups
Once you have the unique ID for each member, group, and collection, you can use the CLI command bw list to retrieve the following items in JSON format:
- Org Members
- Items
- Collections
- Groups
After gathering this data, you can join rows on their unique Ids to build a reference to all parts of your Bitwarden Organization.