How to find out failed login attempts
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
With the audit log enhancements made in Bitbucket 7.0, the steps for this process will differ depending on your version of Bitbucket.
For more information on the changes to logging made in Bitbucket 7.0, click here to review the release notes.
Solution
Versions before Bitbucket 7.0
In order to identify failed login attempts, you have to enable Audit log events in Bitbucket to see that. Configure your bitbucket.properties by setting the audit.highest.priority.to.log=MEDIUM. A restart is required so Bitbucket Server will initialize these properties.
Please note the below information on this property:
Event | Description | Priority |
|---|---|---|
AuthenticationFailureEvent | Occurs whenever a user fails to authenticate. Note that this can occur frequently in Bitbucket Server whenever a command line CLI is used as the initial URL provided to Bitbucket Server contains a username but no password, which is rejected by Crowd. | HIGH |
The Audit logs are kept under the $BITBUCKET_HOME/log/audit directory.
Log Examples
audit/atlassian-bitbucket-audit.log
# These are the events recorded for a failed authentication in the following conditions:
## http clone
0:0:0:0:0:0:0:1 | AuthenticationFailureEvent | admin | 1408523251985 | admin | {"authentication-method":"basic","error":"Invalid username or password."} | @DX16Wx987x199x0 | -
## login via the user interface (note the "form" value as authentication-method)
0:0:0:0:0:0:0:1 | AuthenticationFailureEvent | admin | 1552975040486 | admin | {"authentication-method":"form","error":"Invalid username or password."} | @2750WEx1017x76x0 | -atlassian-bitbucket-access.log
Taking the first example from above, look up DX16Wx987x199x0 in my access logs:
0:0:0:0:0:0:0:1 | http | i@DX16Wx987x199x0 | - | 2014-08-20 16:27:31,972 | "POST /rest/api/1.0/projects/WORK/repos/my-repo/commits/ HTTP/1.1" | "" "curl/7.30.0" | - | - | - |Bitbucket 7.0+
Failed login attempts are captured as long as the authentication audit events are set to 'Advanced' level or higher. Please note that this is only possible in Bitbucket Data Center versions.
To view and configure the audit log in Bitbucket Data Center 7.0 or later, please refer to the 'Selecting events to log' section on this page.
To review authentication events, you can either review the Authentication category ("/plugins/servlet/audit/?categories=Authentication") page in your Bitbucket instance's audit section, or you can review the logs themselves on the server in the $BITBUCKET_HOME/log/audit directory.
Log Examples
audit/YYYYMMDD.#####.audit.log
# These are the events recorded for a failed authentication in the following conditions:
## http clone
{"affectedObjects":[],"auditType":{"action":"User login failed","actionI18nKey":"bitbucket.service.user.audit.action.authenticationfailure","area":"SECURITY","category":"Authentication","categoryI18nKey":"bitbucket.service.audit.category.authentication","level":"ADVANCED"},"author":{"id":"-2","name":"Anonymous","type":"user"},"changedValues":[],"extraAttributes":[{"name":"Error","nameI18nKey":"bitbucket.service.user.audit.attribute.authenticationfailure.error","value":"Invalid username or password."},{"name":"Load balancer/proxy IP address","nameI18nKey":"atlassian.audit.event.attribute.forwarder","value":"192.168.5.2"},{"name":"target","nameI18nKey":"bitbucket.audit.attribute.legacy.target","value":"invalid_user"},{"name":"Authentication method","nameI18nKey":"bitbucket.service.user.audit.attribute.authentication.authmethod","value":"basic"}],"method":"Browser","node":"f8449858-2506-4724-a0ae-d587234dce15","source":"192.168.5.51","system":"https://examplebitbucket.com","timestamp":{"epochSecond":1605572664,"nano":56000000},"version":"1.0"}
## login via the user interface (note the "form" value as authentication.authmethod)
{"affectedObjects":[],"auditType":{"action":"User login failed","actionI18nKey":"bitbucket.service.user.audit.action.authenticationfailure","area":"SECURITY","category":"Authentication","categoryI18nKey":"bitbucket.service.audit.category.authentication","level":"ADVANCED"},"author":{"id":"-2","name":"Anonymous","type":"user"},"changedValues":[],"extraAttributes":[{"name":"Error","nameI18nKey":"bitbucket.service.user.audit.attribute.authenticationfailure.error","value":"Invalid username or password."},{"name":"Load balancer/proxy IP address","nameI18nKey":"atlassian.audit.event.attribute.forwarder","value":"192.168.5.2"},{"name":"Authentication method","nameI18nKey":"bitbucket.service.user.audit.attribute.authentication.authmethod","value":"form"},{"name":"target","nameI18nKey":"bitbucket.audit.attribute.legacy.target","value":"invalid_user"}],"method":"Browser","node":"f8449858-2506-4724-a0ae-d587234dce15","source":"192.168.5.1","system":"https://examplebitbucket.com","timestamp":{"epochSecond":1605572121,"nano":449000000},"version":"1.0"}If you're having issues with CAPTCHA, please refer to:
Was this helpful?