vaultwarden-logs Log Parser

Installation

cscli parsers install Dominic-Wagner/vaultwarden-logs

Description

Parser for Vaultwarden Logs.

If using LOG_FILE environment variable:

---
filenames:
 - /var/log/vaultwarden.log
labels:
  type: Vaultwarden

If running via systemd:

---
source: journalctl
journalctl_filter:
  - "SYSLOG_IDENTIFER=Vaultwarden"
labels:
  type: Vaultwarden

In the default configuration of vaultwarden logs, the timestamp uses system local time. This means that detection may not work as expected as CrowdSec uses UTC time. To fix this, you can configure vaultwarden to log the offset from UTC time. To do this, head over to Vaultwarden Admin Panel -> Advanced Settings -> Log timestamp format and change format to %Y-%m-%d %H:%M:%S.%3f%z.

YAML Configuration

1onsuccess: next_stage
2filter: "Upper(evt.Parsed.program) == 'VAULTWARDEN'"
3name: Dominic-Wagner/vaultwarden-logs
4description: "Parse vaultwarden logs"
5pattern_syntax:
6  DATE_YMD: "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}"
7nodes:
8  - grok:
9      pattern: '^\[%{TIMESTAMP_ISO8601:datetimestamp}\]\[vaultwarden::api::identity\]\[ERROR\] Username or password is incorrect\. Try again\. IP: %{IP:source_ip}\. Username: %{EMAILADDRESS:username}\.$'
10      apply_on: message
11      statics:
12        - meta: log_type
13          value: vaultwarden_failed_auth
14        - meta: username
15          expression: evt.Parsed.username
16  - grok:
17      pattern: '^\[%{TIMESTAMP_ISO8601:datetimestamp}\]\[vaultwarden::api::admin\]\[ERROR\] Invalid admin token. IP: %{IP:source_ip}'
18      apply_on: message
19      statics:
20        - meta: log_type
21          value: vaultwarden_failed_admin_auth
22  - grok:
23      pattern: '^\[%{TIMESTAMP_ISO8601:datetimestamp}\]\[vaultwarden::api::core::two_factor::authenticator\]\[ERROR\] Invalid TOTP code! Server time: %{DATE_YMD:server_date} %{TIME:server_time} %{TZ:server_tz} IP: %{IP:source_ip}'
24      apply_on: message
25      statics:
26        - meta: log_type
27          value: vaultwarden_failed_2fa_totp
28  - grok:
29      pattern: '^\[%{TIMESTAMP_ISO8601:datetimestamp}\]\[vaultwarden::api::core::two_factor::email\]\[ERROR\] Token is invalid! IP: %{IP:source_ip}'
30      apply_on: message
31      statics:
32        - meta: log_type
33          value: vaultwarden_failed_2fa_email
34
35statics:
36  - meta: service
37    value: vaultwarden
38  - meta: source_ip
39    expression: "evt.Parsed.source_ip"
40  - target: evt.StrTimeFormat
41    value: "2006-01-02 15:04:05.000-0700"
42  - target: evt.StrTime
43    expression: evt.Parsed.datetimestamp
44

Hub configuration

« vaultwarden-logs »
v0.4 by Dominic-Wagner
Log parser

Hub configuration

« vaultwarden-logs »v0.4 by Dominic-WagnerLog parser

« vaultwarden-logs »
v0.4 by Dominic-Wagner
Log parser