Vaultwarden logs can't be parsed

Peronia · 2025-12-10T08:36:42.339Z

Hi, I`m new to Crowdsec. I have installed a lapi with a firewall bouncer. Now I want to connect my first machine to it, parsing the Vaultwarden logs. So far it is connected and I installed the collection for it: https://app.crowdsec.net/hub/author/Dominic-Wagner/collections/vaultwarden But when I have a wrong login, it seems to have problems with the log line. I use journalctl and the same setting as provided in the link: --- source: journalctl journalctl_filter: - "SYSLOG_IDENTIFER=Vaultwarden" labels: type: Vaultwarden But I can't see any parsed logs: cscli metrics output nothing. In my journalctl I see this: Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de. So the logging from Vaultwarden is correct (I also added the %z in the options). I found this issue: https://github.com/crowdsecurity/hub/issues/988 and when I compre my string and that one metioned in the issue, it looks the same. I don't find the failure in there. Can you help me to identify it?

C

CrowdSec•12/10/25, 8:36 AM

Important Information

This post has been marked as resolved. If this is a mistake please press the red button below or type

/unresolve

/unresolve

/unresolve

/unresolve

•

12/10/25, 10:04 AM

P

PeroniaOP•12/10/25, 8:36 AM

I also tried cscli explain:
cscli explain -l "Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is i
ncorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de." -t journalctl
WARNING Line 0/1 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode. file=/tmp/cscli_explain2955044732/parser-dump.yaml
line: Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.
├ s01-parse
| └

Dominic-Wagner/vaultwarden-logs
└-------- parser failure

Maybe cscli explain can't handle raw journalctl entries, I omit the date from journalctl
cscli explain -l "[2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. U
sername: rr@gg.de." -t journalctl
WARNING Line 0/1 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode. file=/tmp/cscli_explain3269712178/parser-dump.yaml
line: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.
├ s01-parse
| └

Dominic-Wagner/vaultwarden-logs
└-------- parser failure

L

Loz•12/10/25, 8:55 AM

your explain command is using an incorrect type

L

Loz•12/10/25, 8:55 AM

it should be

syslog

syslog

syslog

syslog

L

Loz•12/10/25, 9:02 AM

with

syslog

syslog

syslog

syslog type

File: /tmp/tmp.4Bo6GZxwdq
$ cscli explain --log 'Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.' --type syslog -v
line: Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.
    ├ s00-raw
    |   └ 🟢 crowdsecurity/syslog-logs (+12 ~9)
    |       └ update evt.ExpectMode : %!s(int=0) -> 1
    |       └ update evt.Stage :  -> s01-parse
    |       └ update evt.Line.Raw :  -> Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.
    |       └ update evt.Line.Src :  -> /tmp/cscli_explain599301605/cscli_test_tmp.log
    |       └ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-12-10 09:02:45.789474757 +0000 UTC
    |       └ create evt.Line.Labels.type : syslog
    |       └ update evt.Line.Process : %!s(bool=false) -> true
    |       └ update evt.Line.Module :  -> file
    |       └ create evt.Parsed.pid : 141613
    |       └ create evt.Parsed.priority : 
    |       └ create evt.Parsed.program : vaultwarden
    |       └ create evt.Parsed.timestamp : Dez 10 09:08:39
    |       └ create evt.Parsed.timestamp8601 : 
    |       └ create evt.Parsed.facility : 
    |       └ create evt.Parsed.logsource : syslog
    |       └ create evt.Parsed.message : [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.
    |       └ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-12-10 09:02:45.789701681 +0000 UTC
    |       └ update evt.StrTime :  -> Dez 10 09:08:39
    |       └ create evt.Meta.datasource_path : /tmp/cscli_explain599301605/cscli_test_tmp.log
    |       └ create evt.Meta.datasource_type : file
    |       └ create evt.Meta.machine : host
    ├ s01-parse
    |   └ 🟢 Dominic-Wagner/vaultwarden-logs (+7 ~3)
    |       └ update evt.Stage : s01-parse -> s02-enrich
    |       └ create evt.Parsed.username : rr@gg.de
    |       └ create evt.Parsed.source_ip : 192.168.230.166
    |       └ create evt.Parsed.datetimestamp : 2025-12-10 09:08:39.285+0100
    |       └ update evt.StrTime : Dez 10 09:08:39 -> 2025-12-10 09:08:39.285+0100
    |       └ update evt.StrTimeFormat :  -> 2006-01-02 15:04:05.000-0700
    |       └ create evt.Meta.log_type : vaultwarden_failed_auth
    |       └ create evt.Meta.service : vaultwarden
    |       └ create evt.Meta.source_ip : 192.168.230.166
    |       └ create evt.Meta.username : rr@gg.de
    ├ s02-enrich
    |   ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
    |       ├ create evt.Enriched.MarshaledTime : 2025-12-10T09:08:39.285+01:00
    |       ├ update evt.Time : 2025-12-10 09:02:45.789701681 +0000 UTC -> 2025-12-10 09:08:39.285 +0100 +0100
    |       ├ update evt.MarshaledTime :  -> 2025-12-10T09:08:39.285+01:00
    |       ├ create evt.Meta.timestamp : 2025-12-10T09:08:39.285+01:00
    ├-------- parser success 🟢
    ├ Scenarios
        ├ 🟢 Dominic-Wagner/vaultwarden-bf
        └ 🟢 Dominic-Wagner/vaultwarden-bf_user-enum

File: /tmp/tmp.4Bo6GZxwdq
$ cscli explain --log 'Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.' --type syslog -v
line: Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.
    ├ s00-raw
    |   └ 🟢 crowdsecurity/syslog-logs (+12 ~9)
    |       └ update evt.ExpectMode : %!s(int=0) -> 1
    |       └ update evt.Stage :  -> s01-parse
    |       └ update evt.Line.Raw :  -> Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.
    |       └ update evt.Line.Src :  -> /tmp/cscli_explain599301605/cscli_test_tmp.log
    |       └ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-12-10 09:02:45.789474757 +0000 UTC
    |       └ create evt.Line.Labels.type : syslog
    |       └ update evt.Line.Process : %!s(bool=false) -> true
    |       └ update evt.Line.Module :  -> file
    |       └ create evt.Parsed.pid : 141613
    |       └ create evt.Parsed.priority : 
    |       └ create evt.Parsed.program : vaultwarden
    |       └ create evt.Parsed.timestamp : Dez 10 09:08:39
    |       └ create evt.Parsed.timestamp8601 : 
    |       └ create evt.Parsed.facility : 
    |       └ create evt.Parsed.logsource : syslog
    |       └ create evt.Parsed.message : [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.
    |       └ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-12-10 09:02:45.789701681 +0000 UTC
    |       └ update evt.StrTime :  -> Dez 10 09:08:39
    |       └ create evt.Meta.datasource_path : /tmp/cscli_explain599301605/cscli_test_tmp.log
    |       └ create evt.Meta.datasource_type : file
    |       └ create evt.Meta.machine : host
    ├ s01-parse
    |   └ 🟢 Dominic-Wagner/vaultwarden-logs (+7 ~3)
    |       └ update evt.Stage : s01-parse -> s02-enrich
    |       └ create evt.Parsed.username : rr@gg.de
    |       └ create evt.Parsed.source_ip : 192.168.230.166
    |       └ create evt.Parsed.datetimestamp : 2025-12-10 09:08:39.285+0100
    |       └ update evt.StrTime : Dez 10 09:08:39 -> 2025-12-10 09:08:39.285+0100
    |       └ update evt.StrTimeFormat :  -> 2006-01-02 15:04:05.000-0700
    |       └ create evt.Meta.log_type : vaultwarden_failed_auth
    |       └ create evt.Meta.service : vaultwarden
    |       └ create evt.Meta.source_ip : 192.168.230.166
    |       └ create evt.Meta.username : rr@gg.de
    ├ s02-enrich
    |   ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
    |       ├ create evt.Enriched.MarshaledTime : 2025-12-10T09:08:39.285+01:00
    |       ├ update evt.Time : 2025-12-10 09:02:45.789701681 +0000 UTC -> 2025-12-10 09:08:39.285 +0100 +0100
    |       ├ update evt.MarshaledTime :  -> 2025-12-10T09:08:39.285+01:00
    |       ├ create evt.Meta.timestamp : 2025-12-10T09:08:39.285+01:00
    ├-------- parser success 🟢
    ├ Scenarios
        ├ 🟢 Dominic-Wagner/vaultwarden-bf
        └ 🟢 Dominic-Wagner/vaultwarden-bf_user-enum

File: /tmp/tmp.4Bo6GZxwdq
$ cscli explain --log 'Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.' --type syslog -v
line: Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.
    ├ s00-raw
    |   └ 🟢 crowdsecurity/syslog-logs (+12 ~9)
    |       └ update evt.ExpectMode : %!s(int=0) -> 1
    |       └ update evt.Stage :  -> s01-parse
    |       └ update evt.Line.Raw :  -> Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.
    |       └ update evt.Line.Src :  -> /tmp/cscli_explain599301605/cscli_test_tmp.log
    |       └ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-12-10 09:02:45.789474757 +0000 UTC
    |       └ create evt.Line.Labels.type : syslog
    |       └ update evt.Line.Process : %!s(bool=false) -> true
    |       └ update evt.Line.Module :  -> file
    |       └ create evt.Parsed.pid : 141613
    |       └ create evt.Parsed.priority : 
    |       └ create evt.Parsed.program : vaultwarden
    |       └ create evt.Parsed.timestamp : Dez 10 09:08:39
    |       └ create evt.Parsed.timestamp8601 : 
    |       └ create evt.Parsed.facility : 
    |       └ create evt.Parsed.logsource : syslog
    |       └ create evt.Parsed.message : [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.
    |       └ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-12-10 09:02:45.789701681 +0000 UTC
    |       └ update evt.StrTime :  -> Dez 10 09:08:39
    |       └ create evt.Meta.datasource_path : /tmp/cscli_explain599301605/cscli_test_tmp.log
    |       └ create evt.Meta.datasource_type : file
    |       └ create evt.Meta.machine : host
    ├ s01-parse
    |   └ 🟢 Dominic-Wagner/vaultwarden-logs (+7 ~3)
    |       └ update evt.Stage : s01-parse -> s02-enrich
    |       └ create evt.Parsed.username : rr@gg.de
    |       └ create evt.Parsed.source_ip : 192.168.230.166
    |       └ create evt.Parsed.datetimestamp : 2025-12-10 09:08:39.285+0100
    |       └ update evt.StrTime : Dez 10 09:08:39 -> 2025-12-10 09:08:39.285+0100
    |       └ update evt.StrTimeFormat :  -> 2006-01-02 15:04:05.000-0700
    |       └ create evt.Meta.log_type : vaultwarden_failed_auth
    |       └ create evt.Meta.service : vaultwarden
    |       └ create evt.Meta.source_ip : 192.168.230.166
    |       └ create evt.Meta.username : rr@gg.de
    ├ s02-enrich
    |   ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
    |       ├ create evt.Enriched.MarshaledTime : 2025-12-10T09:08:39.285+01:00
    |       ├ update evt.Time : 2025-12-10 09:02:45.789701681 +0000 UTC -> 2025-12-10 09:08:39.285 +0100 +0100
    |       ├ update evt.MarshaledTime :  -> 2025-12-10T09:08:39.285+01:00
    |       ├ create evt.Meta.timestamp : 2025-12-10T09:08:39.285+01:00
    ├-------- parser success 🟢
    ├ Scenarios
        ├ 🟢 Dominic-Wagner/vaultwarden-bf
        └ 🟢 Dominic-Wagner/vaultwarden-bf_user-enum

File: /tmp/tmp.4Bo6GZxwdq
$ cscli explain --log 'Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.' --type syslog -v
line: Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.
    ├ s00-raw
    |   └ 🟢 crowdsecurity/syslog-logs (+12 ~9)
    |       └ update evt.ExpectMode : %!s(int=0) -> 1
    |       └ update evt.Stage :  -> s01-parse
    |       └ update evt.Line.Raw :  -> Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.
    |       └ update evt.Line.Src :  -> /tmp/cscli_explain599301605/cscli_test_tmp.log
    |       └ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-12-10 09:02:45.789474757 +0000 UTC
    |       └ create evt.Line.Labels.type : syslog
    |       └ update evt.Line.Process : %!s(bool=false) -> true
    |       └ update evt.Line.Module :  -> file
    |       └ create evt.Parsed.pid : 141613
    |       └ create evt.Parsed.priority : 
    |       └ create evt.Parsed.program : vaultwarden
    |       └ create evt.Parsed.timestamp : Dez 10 09:08:39
    |       └ create evt.Parsed.timestamp8601 : 
    |       └ create evt.Parsed.facility : 
    |       └ create evt.Parsed.logsource : syslog
    |       └ create evt.Parsed.message : [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.
    |       └ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2025-12-10 09:02:45.789701681 +0000 UTC
    |       └ update evt.StrTime :  -> Dez 10 09:08:39
    |       └ create evt.Meta.datasource_path : /tmp/cscli_explain599301605/cscli_test_tmp.log
    |       └ create evt.Meta.datasource_type : file
    |       └ create evt.Meta.machine : host
    ├ s01-parse
    |   └ 🟢 Dominic-Wagner/vaultwarden-logs (+7 ~3)
    |       └ update evt.Stage : s01-parse -> s02-enrich
    |       └ create evt.Parsed.username : rr@gg.de
    |       └ create evt.Parsed.source_ip : 192.168.230.166
    |       └ create evt.Parsed.datetimestamp : 2025-12-10 09:08:39.285+0100
    |       └ update evt.StrTime : Dez 10 09:08:39 -> 2025-12-10 09:08:39.285+0100
    |       └ update evt.StrTimeFormat :  -> 2006-01-02 15:04:05.000-0700
    |       └ create evt.Meta.log_type : vaultwarden_failed_auth
    |       └ create evt.Meta.service : vaultwarden
    |       └ create evt.Meta.source_ip : 192.168.230.166
    |       └ create evt.Meta.username : rr@gg.de
    ├ s02-enrich
    |   ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
    |       ├ create evt.Enriched.MarshaledTime : 2025-12-10T09:08:39.285+01:00
    |       ├ update evt.Time : 2025-12-10 09:02:45.789701681 +0000 UTC -> 2025-12-10 09:08:39.285 +0100 +0100
    |       ├ update evt.MarshaledTime :  -> 2025-12-10T09:08:39.285+01:00
    |       ├ create evt.Meta.timestamp : 2025-12-10T09:08:39.285+01:00
    ├-------- parser success 🟢
    ├ Scenarios
        ├ 🟢 Dominic-Wagner/vaultwarden-bf
        └ 🟢 Dominic-Wagner/vaultwarden-bf_user-enum

P

PeroniaOP•12/10/25, 9:29 AM

hmm interesting, when I test this, it doesn't work:
cscli explain -l "Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de." -t syslog
WARNING Line 0/1 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode. file=/tmp/cscli_explain2011146282/parser-dump.yaml
line: Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.
├ s01-parse
| └

Dominic-Wagner/vaultwarden-logs
└-------- parser failure

L

Loz•12/10/25, 9:29 AM

ohh

L

Loz•12/10/25, 9:29 AM

I see the issue

L

Loz•12/10/25, 9:29 AM

your missing the

syslog-logs

syslog-logs

syslog-logs

syslog-logs parsers

L

Loz•12/10/25, 9:29 AM

can you run

cscli collections install crowdsecurity/linux

cscli collections install crowdsecurity/linux

cscli collections install crowdsecurity/linux

cscli collections install crowdsecurity/linux

P

PeroniaOP•12/10/25, 9:34 AM

Thanks for spotting this, now it looks like this:
cscli explain -l "Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is i
ncorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de." -t syslog
line: Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.
├ s00-raw
| └

crowdsecurity/syslog-logs (+12 ~9)
├ s01-parse
| ├

crowdsecurity/sshd-logs
| └

Dominic-Wagner/vaultwarden-logs (+7 ~3)
├ s02-enrich
| ├

crowdsecurity/dateparse-enrich (+2 ~2)
| ├

crowdsecurity/geoip-enrich
| └

crowdsecurity/public-dns-allowlist (unchanged)
├-------- parser success

├ Scenarios
├

Dominic-Wagner/vaultwarden-bf
└

Dominic-Wagner/vaultwarden-bf_user-enum
I didn't know that I need geoip and ssh logs for that?!

L

Loz•12/10/25, 9:40 AM

geoip doesnt trigger for private ips

P

PeroniaOP•12/10/25, 9:40 AM

Okay, semms to be that sshd and geoip are other scenarios (which I don't need here). But when I now do a bad login, I see the line on journalctl (like before) and when I run cscli metrics it shows nothing. I expect that I see here the parsed log line (or even the number of).

PPeronia Okay, semms to be that sshd and geoip are other scenarios (which I don't need he...

L

Loz•12/10/25, 9:41 AM

your acquis is set to

Vaultwarden

Vaultwarden

Vaultwarden

Vaultwarden it need to be type

syslog

syslog

syslog

syslog

L

Loz•12/10/25, 9:41 AM

I am updating the example in the hub right now

P

PeroniaOP•12/10/25, 9:41 AM

Ah okay, not only for cscli explain

PPeronia Ah okay, not only for cscli explain

L

Loz•12/10/25, 9:42 AM

Yeah exactly the

type

type

in explain should match the

type

type

in acquis

P

PeroniaOP•12/10/25, 9:48 AM

Tested another, non local ip with explain, geoip works there, even I can see this in the crowdsec logs: level=warning msg="unable to initialize GeoIP: open /var/lib/crowdsec/state/GeoLite2-City.mmdb: no such file or directory"
And sshd is a scenario which comes with crowdsecurity/linux. Are there othe "base scenarios" which I missed?

P

PeroniaOP•12/10/25, 9:52 AM

okay, my mistake, the warning about geoip was before the download, so all fine about that

P

PeroniaOP•12/10/25, 10:03 AM

Works now with the syslog type, thanks. I can see valid output for cscli metrics. As far as I see there is no other "base package" that I need.

CCrowdSec Empty message

C

CrowdSecAPP•12/10/25, 10:04 AM

Resolving Vaultwarden logs can't be parsed

C

CrowdSec•12/10/25, 10:04 AM

This has now been resolved. If you think this is a mistake please run

/unresolve

/unresolve

/unresolve

/unresolve