Improved Audit Logging for Regulated Environments

Hi,

I would like to submit a feature request regarding improvements to Bitwarden event logging, specifically in relation to SIEM integrations such as the Splunk connector. We have identified several limitations that materially impact the ability to implement robust, collection-scoped auditing controls.

1. Device Context Granularity

At present, password view events (type 1108) do not clearly differentiate between access via the Admin Console and access via the Web Vault. Both appear with the same device value (device=9), making it impossible to distinguish administrative override access from standard user interaction.

We request that event logs clearly differentiate the access source between Admin Console and Web Vault with a distinct and documented device code.

2. Missing Collection Context in Item Events

When an item is viewed or a password is revealed (types 1107-1110), the event includes itemId but does not reliably include collectionId (by design), even when the item belongs to a collection. This metadata must exist as items can be bound to a collection:

For organisations that may rely on collection-based segregation, this creates a significant gap. There is currently no deterministic way, using logs alone, to identify which collection the accessed item belonged to at the time of the event.

We request that item-related events include the associated collectionId (or collectionIds) at the time of access (if they are assigned to one). Additionally, the collection context should reflect the item’s membership at the time the event occurred.

This would eliminate the need for external lookup maintenance and enable accurate, collection-scoped alerting, providing proof that user X has not accessed an item in collection Y. Currently, an event log proves a user accessed something, but this itemID does not mean anything without context; we can collect historic collectionIDs but cannot attribute them to anything.

Thanks,

Patrick
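
The external lookup the post describes, sketched as an added example that is not part of the original post and not Bitwarden or Splunk connector code: it attributes item events (types 1107-1110) to the collections the item belonged to at event time, using membership snapshots kept outside the event log. The `MembershipHistory` class, the event field names other than `itemId` and `device`, and all sample values are assumptions constructed for illustration.

```python
from bisect import bisect_right
from datetime import datetime

ITEM_EVENT_TYPES = {1107, 1108, 1109, 1110}  # item view/reveal types named in the post

def ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

class MembershipHistory:
    """Hypothetical store of itemId -> collectionIds snapshots, kept outside the event log."""
    def __init__(self):
        self._times = {}  # itemId -> snapshot times, ascending
        self._sets = {}   # itemId -> collection sets, parallel to _times

    def record(self, item_id, when, collection_ids):
        # Snapshots must be recorded in chronological order per item.
        self._times.setdefault(item_id, []).append(ts(when))
        self._sets.setdefault(item_id, []).append(frozenset(collection_ids))

    def at(self, item_id, when):
        """Collections the item belonged to at `when`, or None if no snapshot covers it."""
        i = bisect_right(self._times.get(item_id, []), ts(when))
        return self._sets[item_id][i - 1] if i else None

def enrich(events, history):
    """Attach collectionIds as of event time to each item event."""
    out = []
    for ev in events:
        if ev["type"] in ITEM_EVENT_TYPES:
            cols = history.at(ev["itemId"], ev["date"])
            out.append({**ev, "collectionIds": None if cols is None else sorted(cols)})
    return out

def accessed_collection(enriched, user, collection):
    """True or False when the lookup can prove it; None if an event is unattributable."""
    hits = [e for e in enriched if e["actingUserId"] == user]
    if any(e["collectionIds"] and collection in e["collectionIds"] for e in hits):
        return True
    return None if any(e["collectionIds"] is None for e in hits) else False

# Constructed sample data (assumed field names, not real Bitwarden output).
HISTORY = MembershipHistory()
HISTORY.record("item-1", "2024-01-01T00:00:00Z", ["col-A"])
HISTORY.record("item-1", "2024-02-01T00:00:00Z", ["col-B"])  # item moved to col-B
EVENTS = [
    {"type": 1108, "itemId": "item-1", "actingUserId": "u1", "device": 9, "date": "2024-01-15T10:00:00Z"},
    {"type": 1108, "itemId": "item-1", "actingUserId": "u2", "device": 9, "date": "2024-02-15T10:00:00Z"},
    {"type": 1107, "itemId": "item-2", "actingUserId": "u3", "device": 9, "date": "2024-02-15T11:00:00Z"},
]
```

The `None` result is the gap the request is about: any item event without a covering snapshot cannot be attributed, so a negative claim for that user cannot be proven from logs plus lookup.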