Organization event logs

Table of Contents

What are event logs?

Event logs are notes that contain time-stamped, detailed information about what occurs within an organization. These logs are often used to research changes in credentials or configuration, and are also helpful with troubleshooting.

Where can I access event logs?

Inside the Web Vault navigate to your Organization → Manage → Event logs.

You can search for up to 30 days of log events that scroll continuously.

Web Vault Management
Web Vault Management

To gather more data, plans with API access can use the Bitwarden API. API responses will contain the type of event (enums referenced below) and relevant data.

Example:

{
  "object": "list",
  "data": [
    {
      "object": "event",
      "type": 1000,
      "itemId": "3767a302-8208-4dc6-b842-030428a1cfad",
      "collectionId": "bce212a4-25f3-4888-8a0a-4c5736d851e0",
      "groupId": "f29a2515-91d2-4452-b49b-5e8040e6b0f4",
      "policyId": "f29a2515-91d2-4452-b49b-5e8040e6b0f4",
      "memberId": "e68b8629-85eb-4929-92c0-b84464976ba4",
      "actingUserId": "a2549f79-a71f-4eb9-9234-eb7247333f94",
      "date": "2020-07-06T17:25:50.932Z",
      "device": 0,
      "ipAddress": "172.16.254.1"
    }
  ],
  "continuationToken": "string"
}

What information is contained in event logs?

Log data contains different events based on the action and level of action taken. Below are the items currently captured in the Event logs.

User events

    User_LoggedIn = 1000
    User_ChangedPassword = 1001
    User_Updated2fa = 1002
    User_Disabled2fa = 1003
    User_Recovered2fa = 1004
    User_FailedLogIn = 1005
    User_FailedLogIn2fa = 1006
    User_ClientExportedVault = 1007

Item events

    Cipher_Created = 1100
    Cipher_Updated = 1101
    Cipher_Deleted = 1102
    Cipher_AttachmentCreated = 1103
    Cipher_AttachmentDeleted = 1104
    Cipher_Shared = 1105
    Cipher_UpdatedCollections = 1106
    Cipher_ClientViewed = 1107
    Cipher_ClientToggledPasswordVisible = 1108
    Cipher_ClientToggledHiddenFieldVisible = 1109
    Cipher_ClientToggledCardCodeVisible = 1110
    Cipher_ClientCopiedPassword = 1111
    Cipher_ClientCopiedHiddenField = 1112
    Cipher_ClientCopiedCardCode = 1113
    Cipher_ClientAutofilled = 1114
    Cipher_SoftDeleted = 1115
    Cipher_Restored = 1116

Collection events

    Collection_Created = 1300
    Collection_Updated = 1301
    Collection_Deleted = 1302

Group events

    Group_Created = 1400
    Group_Updated = 1401
    Group_Deleted = 1402

Organization events

    OrganizationUser_Invited = 1500
    OrganizationUser_Confirmed = 1501
    OrganizationUser_Updated = 1502
    OrganizationUser_Removed = 1503
    OrganizationUser_UpdatedGroups = 1504
    Organization_Updated = 1600
    Organization_PurgedVault = 1601
    Policy_Updated = 1700

To see the most current enumerations and data model for event logs, please see the below project file

SIEM and external system integrations

When exporting data from Bitwarden into other systems, a combination of data from the API and CLI may be used to gather data.

For example, Bitwarden RESTful APIs gather data around the structure of the organization.

  • GET /public/members returns the Members,Ids, and assigned groupIds
  • GET /public/groups returns all the Groups, Ids, assigned Collections, and their permissions
  • GET /public/collections returns all Collections, and their assigned Groups

Once you have the unique ID for each member, group, and collection, you can now use the CLI tool to gather information using the CLI command bw-list retrieve the following items in JSON format:

  • Org Members
  • Items
  • Collections
  • Groups

After gathering this data, you can join rows on their unique Ids to build a reference to all parts of your Bitwarden Organization.

Documentation

  • API documentation is available here.
  • CLI documentation is available here.

Was this helpful?

Rate this article:

Email Us

Want to talk to a human?

Send Us An Email