Monitoring Event Logs
Event monitoring with SIEM (system information and event management) integration is an important tool for monitoring your organization to maintain best security practices and ensure compliance. The following sections highlight several monitoring reference points that will provide increased observability of your Bitwarden solutions. This monitoring includes enabling insights into user actions in the vault, and providing examples of targets for automated alerting.
These events have been selected from the Bitwarden Event logs. By configuring a combination of instant alerts with alerting-over-time against the events that matter to your business, you will be able to audit your organization's use of Bitwarden in accordance with your unique security landscape.
Various SIEM platforms integrate with Bitwarden to review critical information on day to day vault usage.

SIEM event monitoring platforms will provide specific fields which should be monitored to maintain high security standards:
Value | Description |
---|---|
| The email of the user performing the action. |
| Unique id of user performing action. |
| Name of the user performing an action. |
| Organization collection id. |
| Numerical id of device. Exact mapping can be located here. |
| The ip address that performed the event. |
| Vault item (cipher, secure note, etc..) of the organization vault. |
| Organization policy update. See organization events here. |
Tracking Bitwarden usage trends can identify questionable activity, or potential security threats:
Abnormal Rate of failed login attempts
Failed Login attempts
1005
Login attempt failed with incorrect password1006
Login attempt failed with incorrect two step login.
Abnormal rate of viewing sensitive or hidden fields
Viewing item
1107
Viewed itemitem-identifier
1108
Viewed password for itemitem-identifier
1109
Viewed hidden field for itemitem-identifier
1110
Viewed security code for itemitem-identifier
Copying item fields
1111
Copied password for itemitem-identifier
1112
Copied security code for itemitem-identifier
Monitor usage trends to identify users engaging with Bitwarden and maintaining security practices:
Monitor user frequency
Vault usage
1000
Logged in1010
User requested device approval
Specific events may be monitored in order to track critical actions made by high-level users, or changes made to critical vault items:
Super-user activities
Individual account activity
1000
Logged in1001
Changed account password1002
Enabled/updated two-step login1003
Disabled two-step login1007
User exported their individual vault items1603
Organization vault access by a managing provider
Organization activities
1500
Invited useruser-identifier
1501
Confirmed useruser-identifier
1502
Edited useruser-identifier
1504
Edited groups for useruser-identifier
1511
Revoked organization access for useruser-identifier
1512
Restored organization access foruser-identifier
1513
Approved device foruser-identifier
1600
Edited organization settings1609
Modified collection management setting1700
Modified policypolicy-identifier
2001
Removed domaindomain-name
Exporting organization vault information
1602
Exported organization vault
Critical item activities
Changes made to items that have been identified to be critical
1101
Edited itemitem-identifier
1105
Moved itemitem-identifier
to an organization1106
Edited collections for itemitem-identifier
1107
Viewed itemitem-identifier
1108
Viewed password for itemitem-identifier
1109
Viewed hidden field for itemitem-identifier
1110
Viewed security code for itemitem-identifier
1111
Copied password for itemitem-identifier
1112
Copied hidden field for itemitem-identifier
1113
Copied security code for itemitem-identifier
1114
Autofilled itemitem-identifier
1117
Viewed card number for itemitem-identifier