Vaultwarden parser doesn't handle time zones #988

Open
dlprows opened this issue Mar 3, 2024 · 2 comments · May be fixed by #1117

Comments

dlprows commented Mar 3, 2024

Description

Dominic-Wagner/vaultwarden parser doesn't handle time zones.

The pattern for parsing the timestamp `[%{DATE_YMD:date} %{TIME:time}\]` assumes that the logs will be written in UTC. But when properly configured, vaultwarden's logs are in local time.

When crowdsec parses the logs, it assumes UTC, and makes decisions accordingly. In my case, the decisions had the ban period entirely in the past.

This can be handled by changing the pattern to use `TIMESTAMP_ISO8601` and changing the vaultwarden log format to add `%z`.

Expected behavior
Update the parser to handle timestamps. A recommended route is provided in the description.
Update the readme/setup directions to indicate the change needed in vaultwarden's admin to make the format have timezone.

Contributor

LaurenceJJones commented Mar 3, 2024

Could you provide an example log line (you can redact any PII data from the line) so we can test and ultimately add it to the test files so we don't break it moving forward?

@LaurenceJJones LaurenceJJones added the question Further information is requested label Mar 4, 2024
Author

dlprows commented Mar 8, 2024

These are all the logs that the parser looks for:

```
[2024-03-02 17:38:19.023-0700][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 31.222.254.228. Username: blah@gmail.com.
[2024-03-02 17:42:20.407-0700][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 31.222.254.228. Username: blah@gmail.com.
[2024-03-07 21:16:33.743-0700][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-03-08 04:16:33 UTC IP: 192.168.43.14
[2024-03-07 21:19:30.450-0700][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 192.168.41.1
```

The default format in vaultwarden (Vaultwarden Admin Panel -> Advanced Settings -> Log timestamp format) is

```
%Y-%m-%d %H:%M:%S.%3f
```

which would result in identical logs but without the -0700 in the timestamp

e.g.

```
[2024-03-02 17:38:19.023][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 31.222.254.228. Username: blah@gmail.com.
[2024-03-02 17:42:20.407][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 31.222.254.228. Username: blah@gmail.com.
[2024-03-07 21:16:33.743][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-03-08 04:16:33 UTC IP: 192.168.43.14
[2024-03-07 21:19:30.450][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 192.168.41.1
```

Changing it to `%Y-%m-%d %H:%M:%S.%3f%z` puts the timezone in. So the directions should indicate that too.

@LaurenceJJones LaurenceJJones self-assigned this Sep 3, 2024
@LaurenceJJones LaurenceJJones added enhancement New feature or request and removed question Further information is requested labels Sep 3, 2024
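
Added example (not part of the thread and not the hub parser's code): a Python sketch of the failure mode described above, where a timestamp without an offset is read as UTC and the resulting ban window ends before the event really happened. The sample lines are constructed after the two formats quoted in the thread, and the 4-hour ban that starts at the parsed event time is an assumption for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the two formats quoted in the thread
# (documentation-range IP and example.com address, not real data).
LINE_NO_TZ = ("[2024-03-02 17:38:19.023][vaultwarden::api::identity][ERROR] "
              "Username or password is incorrect. Try again. "
              "IP: 192.0.2.10. Username: user@example.com.")
LINE_WITH_TZ = LINE_NO_TZ.replace("19.023]", "19.023-0700]", 1)

# Leading "[YYYY-MM-DD HH:MM:SS.mmm]" with an optional "+hhmm"/"-hhmm" offset (%z).
STAMP = re.compile(
    r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})([+-]\d{4})?\]")


def event_time_utc(line):
    """Return (event time in UTC, whether the line carried an offset)."""
    m = STAMP.match(line)
    if m is None:
        raise ValueError("line has no leading timestamp")
    stamp, offset = m.groups()
    if offset:
        local = datetime.strptime(stamp + offset, "%Y-%m-%d %H:%M:%S.%f%z")
        return local.astimezone(timezone.utc), True
    # No offset in the log: the only option is to assume UTC, which is
    # wrong whenever the server writes local time.
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")
    return naive.replace(tzinfo=timezone.utc), False


def ban_window(line, duration):
    """Ban interval in UTC, assuming the ban starts at the parsed event time."""
    start, _ = event_time_utc(line)
    return start, start + duration


def ban_already_expired(line, duration, now_utc):
    """True when the whole ban window lies at or before now_utc."""
    return ban_window(line, duration)[1] <= now_utc


if __name__ == "__main__":
    ban = timedelta(hours=4)  # assumed duration, for illustration only
    # One second after the real event (17:38:19 at -0700 is 00:38:19 UTC).
    now = datetime(2024, 3, 3, 0, 38, 20, tzinfo=timezone.utc)
    for line in (LINE_NO_TZ, LINE_WITH_TZ):
        start, end = ban_window(line, ban)
        print(start.isoformat(), end.isoformat(),
              "expired" if ban_already_expired(line, ban, now) else "active")
```
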