List All Events API doesn't return anything useful

I’m looking to get a list of all events using the GET /public/events API call from the doc here. The issue is that it provides nothing meaningful. An example output is listed below which shows that a user changed their master password but it doesn’t say who.

{
  "object": "list",
  "data": [
    {
      "object": "event",
      "type": 1508,
      "itemId": null,
      "collectionId": null,
      "groupId": null,
      "policyId": null,
      "memberId": "42788795-9598-4ec8-8009-adff013cb68d",
      "actingUserId": "8d873d15-cd88-43a9-aca0-ae0001222b26",
      "date": "2021-12-16T17:37:26.2738916Z",
      "device": null,
      "ipAddress": null
    }
  ]
}

How can I get any meaningful logs from this? I’m looking to ingest this to our SIEM but if the output is like the above it’s meaningless.

Hi @witness777, welcome!

The API provides data that isn’t stored encrypted - for example, the GUIDs in the response. The way to match that data up with more context is using the CLI tool.

Using the CLI tool, you can get full data from the organization and use the GUIDs as foreign keys.

There’s some more info here, too: Event Logs | Bitwarden Help & Support

Sorry if I’m not understanding. Are you saying to use the curl command in the CLI?

Can you walk me through how to do that exactly?

@witness777 with the Bitwarden CLI tool (more about that here) you can export the data in JSON format to ingest into your SIEM. The CLI tool is needed due to our end-to-end encryption, as the CLI is a full client and can generate the keys needed to decrypt the vault and organization data.

We have a fantastic Integration team that can help out, too. I’d recommend reaching out to them here: Get in Touch | Bitwarden and they can absolutely walk you through it!


Ah got it! So in short, if I don’t use the CLI, I will get exactly that output like the example I provided. From what you’re saying, to get anything meaningful, I have to use the CLI to do so.

@witness777 - correct :slight_smile:

The events API just gives the ‘what happened’ and the CLI provides the metadata


I got a hold of support and they basically told me that they don’t have any examples or a way to show me how I can use the CLI and API to pull any meaningful logs. Pretty much since we’re not using Splunk as our SIEM, there’s no way of pulling meaningful logs.

@witness777 - thanks for the follow-up. I’ve escalated to see if we can get some extra assistance for you!
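
An added example, not from the thread or from Bitwarden: one way to do the join the replies describe, resolving an event's GUIDs against decrypted organization data exported as JSON and writing one enriched record per line for a SIEM. The export field names (`id`, `userId`, `email`, `name`) and the sample member record are assumptions; a GUID with no match is kept and listed under `unresolved`.

```python
import json

# Event GUID fields and the decrypted export each is resolved against.
GUID_FIELDS = {"memberId": "members", "actingUserId": "members",
               "itemId": "items", "collectionId": "collections",
               "groupId": "groups"}

def build_index(exports):
    """Map export kind -> {GUID: readable label}."""
    index = {}
    for kind, records in exports.items():
        table = index.setdefault(kind, {})
        for rec in records:
            label = rec.get("email") or rec.get("name") or rec["id"]
            # Assumed field names: "id", plus "userId" on member records.
            for key in ("id", "userId"):
                if rec.get(key):
                    table[rec[key]] = label
    return index

def enrich(event, index):
    """Copy the event, adding a <field>Label for each GUID that resolves."""
    out, unresolved = dict(event), []
    for field, kind in GUID_FIELDS.items():
        guid = event.get(field)
        label = index.get(kind, {}).get(guid)
        if guid and label:
            out[field[:-2] + "Label"] = label   # memberId -> memberLabel
        elif guid:
            unresolved.append(field)            # keep the raw GUID, flag it
    out["unresolved"] = unresolved
    return out

def to_ndjson(events_response, exports):
    """One JSON object per line for a SIEM collector."""
    index = build_index(exports)
    return "\n".join(json.dumps(enrich(e, index), sort_keys=True)
                     for e in events_response["data"])

# Event taken from the post above; the member record is constructed.
EVENTS = {"object": "list", "data": [{
    "object": "event", "type": 1508, "itemId": None, "groupId": None,
    "memberId": "42788795-9598-4ec8-8009-adff013cb68d",
    "actingUserId": "8d873d15-cd88-43a9-aca0-ae0001222b26",
    "date": "2021-12-16T17:37:26.2738916Z"}]}
EXPORTS = {"members": [
    {"id": "42788795-9598-4ec8-8009-adff013cb68d", "email": "alice@example.com"}]}
```

With the constructed export, `to_ndjson(EVENTS, EXPORTS)` labels `memberId` and reports `actingUserId` as unresolved, which is the signal to refresh the export before the next ingest.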