Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vaultwarden parser doesn't handle time zones #988

Open
dlprows opened this issue Mar 3, 2024 · 2 comments · May be fixed by #1117
Open

Vaultwarden parser doesn't handle time zones #988

dlprows opened this issue Mar 3, 2024 · 2 comments · May be fixed by #1117
Assignees
Labels
enhancement New feature or request

Comments

@dlprows
Copy link

dlprows commented Mar 3, 2024

Description

Dominic-Wagner/vaultwarden parser doesn't handle time zones.

The pattern for parsing the timestamp [%{DATE_YMD:date} %{TIME:time}\] assumes that the logs will be written in UTC. But when properly configured, vaultwarden's logs are in local time.

When crowdsec parses the logs, it assumes UTC, and makes decisions accordingly. In my case, the decisions had the ban period entirely in the past.

This can be handled by changing the pattern to use TIMESTAMP_ISO8601 and changing the vaultwarden log format to add %z

Expected behavior
Update the parser to handle timestamps. A recommended route is provided in the description.
Update the readme/setup directions to indicate the change needed in vaultwarden's admin to make the format have timezone.

@LaurenceJJones
Copy link
Contributor

LaurenceJJones commented Mar 3, 2024

Could you provide an example log line (you can redact any PII data from the line) so we can test and ultimately add it to the test files so we don't break it moving forward

@LaurenceJJones LaurenceJJones added the question Further information is requested label Mar 4, 2024
@dlprows
Copy link
Author

dlprows commented Mar 8, 2024

These are all the logs that the parser looks for

[2024-03-02 17:38:19.023-0700][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 31.222.254.228. Username: [email protected].
[2024-03-02 17:42:20.407-0700][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 31.222.254.228. Username: [email protected].
[2024-03-07 21:16:33.743-0700][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-03-08 04:16:33 UTC IP: 192.168.43.14
[2024-03-07 21:19:30.450-0700][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 192.168.41.1

The default format in vaultwarden Vaultwarden Admin Panel -> Advanced Settings -> Log timestamp format
is
%Y-%m-%d %H:%M:%S.%3f

which would result in identical logs but without the -0700 in the timestamp

eg

[2024-03-02 17:38:19.023][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 31.222.254.228. Username: [email protected].
[2024-03-02 17:42:20.407][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 31.222.254.228. Username: [email protected].
[2024-03-07 21:16:33.743][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-03-08 04:16:33 UTC IP: 192.168.43.14
[2024-03-07 21:19:30.450][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 192.168.41.1

changing it to %Y-%m-%d %H:%M:%S.%3f%z puts the timezone in. So the directions should indicate that too

@LaurenceJJones LaurenceJJones self-assigned this Sep 3, 2024
@LaurenceJJones LaurenceJJones added enhancement New feature or request and removed question Further information is requested labels Sep 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants