Vaultwarden parser doesn't handle time zones #988

Open
dlprows opened this issue Mar 3, 2024 · 2 comments
Labels
question Further information is requested



dlprows commented Mar 3, 2024

Description

Dominic-Wagner/vaultwarden parser doesn't handle time zones.

The pattern for parsing the timestamp `[%{DATE_YMD:date} %{TIME:time}\]` assumes that the logs will be written in UTC. But when properly configured, vaultwarden's logs are in local time.

When crowdsec parses the logs, it assumes UTC, and makes decisions accordingly. In my case, the decisions had the ban period entirely in the past.

This can be handled by changing the pattern to use `TIMESTAMP_ISO8601` and changing the vaultwarden log format to add `%z`.

Expected behavior
Update the parser to handle timestamps. A recommended route is provided in the description.
Update the readme/setup directions to indicate the change needed in vaultwarden's admin to make the format have timezone.

Contributor

LaurenceJJones commented Mar 3, 2024

Could you provide an example log line (you can redact any PII data from the line) so we can test and ultimately add it to the test files so we don't break it moving forward?

@LaurenceJJones LaurenceJJones added the question Further information is requested label Mar 4, 2024
Author

dlprows commented Mar 8, 2024

These are all the logs that the parser looks for:

```
[2024-03-02 17:38:19.023-0700][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 31.222.254.228. Username: blah@gmail.com.
[2024-03-02 17:42:20.407-0700][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 31.222.254.228. Username: blah@gmail.com.
[2024-03-07 21:16:33.743-0700][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-03-08 04:16:33 UTC IP: 192.168.43.14
[2024-03-07 21:19:30.450-0700][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 192.168.41.1
```

The default format in vaultwarden (Vaultwarden Admin Panel -> Advanced Settings -> Log timestamp format) is `%Y-%m-%d %H:%M:%S.%3f`, which would result in identical logs but without the `-0700` in the timestamp,

e.g.

```
[2024-03-02 17:38:19.023][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 31.222.254.228. Username: blah@gmail.com.
[2024-03-02 17:42:20.407][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 31.222.254.228. Username: blah@gmail.com.
[2024-03-07 21:16:33.743][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-03-08 04:16:33 UTC IP: 192.168.43.14
[2024-03-07 21:19:30.450][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 192.168.41.1
```

Changing it to `%Y-%m-%d %H:%M:%S.%3f%z` puts the timezone in, so the directions should indicate that too.
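The effect reported in this thread can be reproduced offline with the log line posted above. The following is an added example, not part of the issue and not CrowdSec or Vaultwarden code; the names `parse_event_time` and `ban_outcome`, the 4 hour ban duration, and the choice to count the ban from the parsed event time are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Leading bracket of a Vaultwarden log line: date, time with milliseconds and
# an optional numeric offset (present only when the format ends in %z).
PREFIX = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})(?P<off>[+-]\d{4})?\]"
)

# Line taken from the issue; the second form is the same event without %z.
WITH_OFFSET = ("[2024-03-02 17:38:19.023-0700][vaultwarden::api::identity][ERROR] "
               "Username or password is incorrect. Try again. "
               "IP: 31.222.254.228. Username: blah@gmail.com.")
WITHOUT_OFFSET = WITH_OFFSET.replace("-0700]", "]", 1)

# Assumption for illustration: a 4 hour ban counted from the parsed event time.
BAN = timedelta(hours=4)


def parse_event_time(line, assume=timezone.utc):
    """Return the event time as an aware UTC datetime.

    An offset in the line is honoured; without one the wall-clock value is
    read in `assume` (UTC by default, the behaviour the issue describes).
    """
    m = PREFIX.match(line)
    if m is None:
        raise ValueError("line has no Vaultwarden timestamp prefix")
    if m.group("off"):
        dt = datetime.strptime(m.group("ts") + m.group("off"),
                               "%Y-%m-%d %H:%M:%S.%f%z")
    else:
        dt = datetime.strptime(m.group("ts"),
                               "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=assume)
    return dt.astimezone(timezone.utc)


def ban_outcome(line, true_event_utc, ban=BAN):
    """Return (skew, active): how far the parsed time is from the real event
    and whether a ban starting at the parsed time still covers that moment."""
    parsed = parse_event_time(line)
    return true_event_utc - parsed, parsed + ban > true_event_utc


if __name__ == "__main__":
    real = parse_event_time(WITH_OFFSET)
    for name, line in (("with %z", WITH_OFFSET), ("without %z", WITHOUT_OFFSET)):
        print(name, parse_event_time(line).isoformat(), ban_outcome(line, real))
```

With the offset present the parsed time matches the real event; without it the event is placed 7 hours early, so the assumed 4 hour ban has already lapsed by the time the failed login actually happened.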
