| layout | title | categories | featured | popular | tags | order |
|---|---|---|---|---|---|---|
| article | Event Logs | | true | false | | 13 |
What are Event Logs?
Event Logs are timestamped records of everything that occurs within your Organization. Event Logs are accessible to Admins and Owners from the Manage tab of your Organization Vault:
{% image /organizations/event-logs-updated.png Event Logs %}
Event Logs are exportable and are accessible from the /events endpoint of the Bitwarden Public API.
Events
Event Logs record roughly 40 different types of events. The Event Logs screen captures a Timestamp for the event, client app information including application type and IP (accessed by hovering over the {% icon fa-globe %} globe icon), the User connected to the event, and an Event description.
{% callout info %}
Each Event is associated with a type code (1000, 1001, etc.) that identifies the action captured by the event. Type codes are used by the Bitwarden Public API to identify the action documented by an event.
{% endcallout %}
All Event types are listed below, with their corresponding type codes:
User Events
- Logged In. (1000)
- Changed account password. (1001)
- Enabled/updated two-step login. (1002)
- Disabled two-step login. (1003)
- Recovered account from two-step login. (1004)
- Login attempt failed with incorrect password. (1005)
- Login attempt failed with incorrect two-step login. (1006)
- Exported Vault. (1007)
Item Events
- Created item item-identifier. (1100)
- Edited item item-identifier. (1101)
- Permanently Deleted item item-identifier. (1102)
- Created attachment for item item-identifier. (1103)
- Deleted attachment for item item-identifier. (1104)
- Shared item item-identifier. (1105)
- Edited collections for item item-identifier. (1106)
- Viewed item item-identifier. (1107)
- Viewed password for item item-identifier. (1108)
- Viewed hidden field for item item-identifier. (1109)
- Viewed security code for item item-identifier. (1110)
- Copied password for item item-identifier. (1111)
- Copied hidden field for item item-identifier. (1112)
- Copied security code for item item-identifier. (1113)
- Auto-filled item item-identifier. (1114)
- Sent item item-identifier to trash. (1115)
- Restored item item-identifier. (1116)
Collection Events
- Created collection collection-identifier. (1300)
- Edited collection collection-identifier. (1301)
- Deleted collection collection-identifier. (1302)
Group Events
- Created group group-identifier. (1400)
- Edited group group-identifier. (1401)
- Deleted group group-identifier. (1402)
Organization Events
- Invited user user-identifier. (1500)
- Confirmed user user-identifier. (1501)
- Edited user user-identifier. (1502)
- Removed user user-identifier. (1503)
- Edited groups for user user-identifier. (1504)
- Unlinked SSO. (1505)
- user-identifier enrolled in Master Password Reset. (1506)
- user-identifier withdrew from Master Password Reset. (1507)
- Master Password was reset for user-identifier. (1508)
- Edited organization settings. (1600)
- Purged organization vault. (1601)
- Updated a Policy. (1700)
{% comment %} Sources: https://github.com/bitwarden/server/blob/master/src/Core/Enums/EventType.cs https://github.com/bitwarden/web/blob/master/src/app/services/event.service.ts https://github.com/bitwarden/web/blob/master/src/locales/en/messages.json {% endcomment %}
Export Events
Exporting event logs will create a .csv of all events within the specified date range:
{% image /organizations/event-logs-export.png Export Event Logs %}
For example:
```
message,appIcon,appName,userId,userName,userEmail,date,ip,type
Logged in.,fa-globe,Web Vault - Chrome,1234abcd-56de-78ef-91gh-abcdef123456,Alice,alice@bitwarden.com,2021-06-14T14:22:23.331751Z,111.11.111.111,User_LoggedIn
Invited user zyxw9876.,fa-globe,Unknown,1234abcd-56de-78ef-91gh-abcdef123456,Alice,alice@bitwarden.com,2021-06-14T14:14:44.7566667Z,111.11.111.111,OrganizationUser_Invited
Edited organization settings.,fa-globe,Web Vault - Chrome,9876dcba-65ed-87fe-19hg-654321fedcba,Bob,bob@bitwarden.com,2021-06-07T17:57:08.1866667Z,222.22.222.222,Organization_Updated
```
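The export's `date` column carries a variable number of fractional-second digits (six and seven in the rows above), which strict ISO 8601 parsers can reject. The following is an added example, not part of the original page: it loads an export, normalizes the timestamps, and builds two review views. The sample rows are constructed, and treating every `type` that starts with `Organization` as an administrative change is an assumption drawn from the two type names shown above.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the export's column layout (all values are made up).
SAMPLE_EXPORT = """\
message,appIcon,appName,userId,userName,userEmail,date,ip,type
Logged in.,fa-globe,Web Vault - Chrome,u-1,Alice,alice@example.com,2021-06-14T14:22:23.331751Z,192.0.2.10,User_LoggedIn
Invited user zyxw9876.,fa-globe,Unknown,u-1,Alice,alice@example.com,2021-06-14T14:14:44.7566667Z,192.0.2.10,OrganizationUser_Invited
Logged in.,fa-globe,Web Vault - Chrome,u-1,Alice,alice@example.com,2021-06-15T09:00:00Z,198.51.100.7,User_LoggedIn
Edited organization settings.,fa-globe,Web Vault - Chrome,u-2,Bob,bob@example.com,2021-06-07T17:57:08.1866667Z,203.0.113.5,Organization_Updated
"""

TS_PATTERN = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")

def parse_timestamp(value):
    """Parse a UTC export timestamp with any number of fractional digits."""
    m = TS_PATTERN.match(value)
    if not m:
        raise ValueError(f"unexpected timestamp: {value!r}")
    micros = (m.group(2) or "")[:6].ljust(6, "0")  # truncate to microseconds
    dt = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int(micros), tzinfo=timezone.utc)

def load_events(text):
    """Return export rows as dicts, oldest first, with 'date' parsed."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["date"] = parse_timestamp(row["date"])
    return sorted(rows, key=lambda r: r["date"])

def ips_per_user(events):
    """Map userEmail -> set of source IPs, to review unexpected origins."""
    seen = defaultdict(set)
    for e in events:
        seen[e["userEmail"]].add(e["ip"])
    return dict(seen)

def admin_changes(events):
    """Rows whose type starts with 'Organization' (assumed admin actions)."""
    return [e for e in events if e["type"].startswith("Organization")]
```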
API Responses
Accessing Event Logs from the /events endpoint of the Bitwarden Public API will return a JSON response like the following:
```
{
  "object": "list",
  "data": [
    {
      "object": "event",
      "type": 1000,
      "itemId": "string",
      "collectionId": "string",
      "groupId": "string",
      "policyId": "string",
      "memberId": "string",
      "actingUserId": "string",
      "date": "2020-11-04T15:01:21.698Z",
      "device": 0,
      "ipAddress": "xxx.xx.xxx.x"
    }
  ],
  "continuationToken": "string"
}
```
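The response is paged through `continuationToken`, so a collector has to keep requesting until no token comes back. The following is an added example, not part of the original page: it walks all pages and counts failed-login events (type codes 1005 and 1006 from the User Events list) per source IP. `fetch_page` is a hypothetical callable standing in for the HTTP request, the pages are constructed, and an empty or missing token meaning "last page" is an assumption.

```python
# Type codes copied from the User Events list on this page.
FAILED_LOGIN_TYPES = {1005: "incorrect password", 1006: "incorrect two-step login"}

def iter_events(fetch_page):
    """Yield every event, following continuationToken until it is empty.

    fetch_page(token) is a hypothetical callable that performs the /events
    request (token=None for the first page) and returns the decoded JSON.
    """
    token, seen_tokens = None, set()
    while True:
        page = fetch_page(token)
        yield from page.get("data", [])
        token = page.get("continuationToken")
        if not token:  # assumption: no token means this was the last page
            return
        if token in seen_tokens:  # guard against looping on a repeated token
            raise RuntimeError("continuationToken repeated; aborting")
        seen_tokens.add(token)

def failed_logins_by_ip(events, threshold=3):
    """Return {ipAddress: count} for IPs with at least threshold failures."""
    counts = {}
    for e in events:
        if e.get("type") in FAILED_LOGIN_TYPES:
            counts[e["ipAddress"]] = counts.get(e["ipAddress"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def make_event(type_code, ip, user="u-1"):
    """Build a constructed event in the shape of the response shown above."""
    return {"object": "event", "type": type_code, "actingUserId": user,
            "date": "2020-11-04T15:01:21.698Z", "device": 0, "ipAddress": ip}

# Constructed two-page response keyed by the token that requests each page.
SAMPLE_PAGES = {
    None: {"object": "list", "continuationToken": "page-2",
           "data": [make_event(1005, "203.0.113.9"), make_event(1005, "203.0.113.9"),
                    make_event(1000, "192.0.2.10")]},
    "page-2": {"object": "list", "continuationToken": None,
               "data": [make_event(1006, "203.0.113.9"), make_event(1005, "192.0.2.10")]},
}

def fetch_sample_page(token):
    """Offline stand-in for the real request; returns a constructed page."""
    return SAMPLE_PAGES[token]
```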
SIEM and External Systems Integrations
When exporting data from Bitwarden into other systems, you can combine data from the Exports, API, and CLI. For example, use the Bitwarden RESTful APIs to gather data about the structure of the Organization:
- GET /public/members returns the Members, Ids, and assigned groupIds
- GET /public/groups returns all the Groups, Ids, assigned Collections, and their permissions
- GET /public/collections returns all Collections, and their assigned Groups
Once you have the unique Id for each member, group, and collection, you can use the CLI command bw list to retrieve the following items in JSON format:
- Org Members
- Items
- Collections
- Groups
After gathering this data, you can join rows on their unique Ids to build a reference to all parts of your Bitwarden Organization. For more information on using the Bitwarden CLI, see The Bitwarden command-line tool (CLI).
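The join described above, as an added example that is not part of the original page: it resolves the Id fields of an event (`memberId`, `actingUserId`, `groupId`, `collectionId`) to readable names before the record is forwarded to a SIEM. The reference records are constructed, and their field names (`id`, `userId`, `name`, `email`) are assumptions about what the members, groups, and collections data contains.

```python
# Constructed reference data; field names are assumptions (see lead-in).
MEMBERS = [
    {"id": "m-1", "userId": "u-1", "name": "Alice", "email": "alice@example.com"},
    {"id": "m-2", "userId": "u-2", "name": "Bob", "email": "bob@example.com"},
    {"id": "m-3", "userId": None, "name": None, "email": "invited@example.com"},
]
GROUPS = [{"id": "g-1", "name": "Engineering"}]
COLLECTIONS = [{"id": "c-1", "name": "Prod Credentials"}]

def build_lookups(members, groups, collections):
    """Index each record set by the Id field that events reference."""
    return {
        "memberId": {m["id"]: m["email"] for m in members},
        # Assumption: actingUserId matches a member's userId, not its id.
        "actingUserId": {m["userId"]: m["email"] for m in members if m.get("userId")},
        "groupId": {g["id"]: g["name"] for g in groups},
        "collectionId": {c["id"]: c["name"] for c in collections},
    }

def enrich(event, lookups):
    """Return a copy of event with a <field>Name key for each Id it carries.

    Ids that are set but missing from the reference data are marked
    'unresolved', so records deleted since the data was pulled stay visible.
    """
    out = dict(event)
    for field, table in lookups.items():
        value = event.get(field)
        if value:
            out[field[:-2] + "Name"] = table.get(value, "unresolved")
    return out

# Constructed event: type 1504 is "Edited groups for user" on this page.
SAMPLE_EVENT = {"object": "event", "type": 1504, "memberId": "m-2",
                "actingUserId": "u-1", "groupId": "g-9", "collectionId": None}
```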