mirror of
https://github.com/bitwarden/help
synced 2025-12-22 03:03:14 +00:00
145 lines
4.9 KiB
Markdown
145 lines
4.9 KiB
Markdown
---
|
|
layout: article
|
|
title: Organization event logs
|
|
categories: [organizations]
|
|
featured: true
|
|
popular: false
|
|
tags: [organizations events event logs audit access control]
|
|
---
|
|
|
|
## Table of Contents
|
|
|
|
- [What are event logs?](#what-are-event-logs-)
|
|
- [Where can I access event logs?](#where-can-i-access-event-logs-)
|
|
- [What information is contained in event logs?](#what-information-is-contained-in-event-logs-)
|
|
* [User events](#user-events)
|
|
* [Item events](#item-events)
|
|
* [Collection events](#collection-events)
|
|
* [Group events](#group-events)
|
|
* [Organization events](#organization-events)
|
|
- [GitHub Link](#github-link)
|
|
|
|
## What are event logs?
|
|
|
|
Event logs are notes that contain time-stamped, detailed information about what occurs within an organization. These logs are often used to research changes in credentials or configuration, and are also helpful with troubleshooting.
|
|
|
|
## Where can I access event logs?
|
|
|
|
Inside the Web Vault navigate to your Organization → Manage → Event logs.
|
|
|
|
You can search for up to 30 days of log events that scroll continuously.
|
|
|
|
{% image organizations/event-logs.png Web Vault Management %}
|
|
|
|
To gather more data, plans with API access can use the [Bitwarden API](https://bitwarden.com/help/api/). API responses will contain the type of event (enums referenced below) and relevant data.
|
|
|
|
Example:
|
|
```
|
|
{
|
|
"object": "list",
|
|
"data": [
|
|
{
|
|
"object": "event",
|
|
"type": 1000,
|
|
"itemId": "3767a302-8208-4dc6-b842-030428a1cfad",
|
|
"collectionId": "bce212a4-25f3-4888-8a0a-4c5736d851e0",
|
|
"groupId": "f29a2515-91d2-4452-b49b-5e8040e6b0f4",
|
|
"policyId": "f29a2515-91d2-4452-b49b-5e8040e6b0f4",
|
|
"memberId": "e68b8629-85eb-4929-92c0-b84464976ba4",
|
|
"actingUserId": "a2549f79-a71f-4eb9-9234-eb7247333f94",
|
|
"date": "2020-07-06T17:25:50.932Z",
|
|
"device": 0,
|
|
"ipAddress": "172.16.254.1"
|
|
}
|
|
],
|
|
"continuationToken": "string"
|
|
}
|
|
```
|
|
|
|
## What information is contained in event logs?
|
|
|
|
Log data contains different events based on the action and level of action taken. Below are the items currently captured in the Event logs.
|
|
|
|
### User events
|
|
|
|
User_LoggedIn = 1000
|
|
User_ChangedPassword = 1001
|
|
User_Updated2fa = 1002
|
|
User_Disabled2fa = 1003
|
|
User_Recovered2fa = 1004
|
|
User_FailedLogIn = 1005
|
|
User_FailedLogIn2fa = 1006
|
|
User_ClientExportedVault = 1007
|
|
|
|
### Item events
|
|
|
|
Cipher_Created = 1100
|
|
Cipher_Updated = 1101
|
|
Cipher_Deleted = 1102
|
|
Cipher_AttachmentCreated = 1103
|
|
Cipher_AttachmentDeleted = 1104
|
|
Cipher_Shared = 1105
|
|
Cipher_UpdatedCollections = 1106
|
|
Cipher_ClientViewed = 1107
|
|
Cipher_ClientToggledPasswordVisible = 1108
|
|
Cipher_ClientToggledHiddenFieldVisible = 1109
|
|
Cipher_ClientToggledCardCodeVisible = 1110
|
|
Cipher_ClientCopiedPassword = 1111
|
|
Cipher_ClientCopiedHiddenField = 1112
|
|
Cipher_ClientCopiedCardCode = 1113
|
|
Cipher_ClientAutofilled = 1114
|
|
Cipher_SoftDeleted = 1115
|
|
Cipher_Restored = 1116
|
|
|
|
### Collection events
|
|
Collection_Created = 1300
|
|
Collection_Updated = 1301
|
|
Collection_Deleted = 1302
|
|
|
|
### Group events
|
|
|
|
Group_Created = 1400
|
|
Group_Updated = 1401
|
|
Group_Deleted = 1402
|
|
|
|
### Organization events
|
|
|
|
OrganizationUser_Invited = 1500
|
|
OrganizationUser_Confirmed = 1501
|
|
OrganizationUser_Updated = 1502
|
|
OrganizationUser_Removed = 1503
|
|
OrganizationUser_UpdatedGroups = 1504
|
|
Organization_Updated = 1600
|
|
Organization_PurgedVault = 1601
|
|
Policy_Updated = 1700
|
|
|
|
### GitHub Link
|
|
|
|
To see the most current enumerations and data model for event logs, please see the below project file
|
|
|
|
- [https://github.com/bitwarden/server/blob/master/src/Core/Enums/EventType.cs](https://github.com/bitwarden/server/blob/master/src/Core/Enums/EventType.cs)
|
|
|
|
## SIEM and external system integrations
|
|
|
|
When exporting data from Bitwarden into other systems, a combination of data from the API and CLI may be used to gather data.
|
|
|
|
For example, Bitwarden RESTful APIs gather data around the structure of the organization.
|
|
|
|
- GET /public/members returns the Members,Ids, and assigned groupIds
|
|
- GET /public/groups returns all the Groups, Ids, assigned Collections, and their permissions
|
|
- GET /public/collections returns all Collections, and their assigned Groups
|
|
|
|
Once you have the unique ID for each member, group, and collection, you can now use the CLI tool to gather information using the CLI command ```bw-list``` retrieve the following items in JSON format:
|
|
|
|
- Org Members
|
|
- Items
|
|
- Collections
|
|
- Groups
|
|
|
|
After gathering this data, you can join rows on their unique Ids to build a reference to all parts of your Bitwarden Organization.
|
|
|
|
### Documentation
|
|
|
|
- API documentation is available [here.](https://bitwarden.com/help/api/)
|
|
- CLI documentation is available [here.](https://bitwarden.com/help/article/cli/)
|