How to find out failed login attempts

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.

Summary

With the audit log enhancements made in Bitbucket 7.0, the steps for this process will differ depending on your version of Bitbucket.

(info) For more information on the changes to logging made in Bitbucket 7.0, click here to review the release notes.

The steps to review failed login attempts for each version are as follows:

Versions before Bitbucket 7.0

In order to identify failed login attempts, you have to enable Audit log events in Bitbucket to see that. Configure your bitbucket.properties by setting the audit.highest.priority.to.log=MEDIUM. A restart is required so Bitbucket Server will initialize these properties.

Please note the below information on this property:


EventDescriptionPriority
AuthenticationFailureEventOccurs whenever a user fails to authenticate. Note that this can occur frequently in Bitbucket Server whenever a command line CLI is used as the initial URL provided to Bitbucket Server contains a username but no password, which is rejected by Crowd.HIGH


The Audit logs are kept under the $BITBUCKET_HOME/log/audit directory.

Bitbucket 7.0+

Failed login attempts are recorded by default, and are captured as long as authentication audit events are captured at an 'Advanced' detail level or higher. Please note that this level is only available with a Bitbucket Data Center license.

To review authentication events, you can either review the Authentication category ("/plugins/servlet/audit/?categories=Authentication") page in your Bitbucket instance's audit section, or you can review the logs themselves on the server in the $BITBUCKET_HOME/log/audit directory.

Environment

Bitbucket Server and Bitbucket Data Center.

Solution

Log Examples

Versions before Bitbucket 7.0

audit/atlassian-bitbucket-audit.log


# These are the events recorded for a failed authentication in the following conditions:
## http clone
0:0:0:0:0:0:0:1 | AuthenticationFailureEvent | admin | 1408523251985 | admin | {"authentication-method":"basic","error":"Invalid username or password."} | @DX16Wx987x199x0 | -


## login via the user interface (note the "form" value as authentication-method)
0:0:0:0:0:0:0:1 | AuthenticationFailureEvent | admin | 1552975040486 | admin | {"authentication-method":"form","error":"Invalid username or password."} | @2750WEx1017x76x0 | -

atlassian-bitbucket-access.log

Taking the first example from above, look up DX16Wx987x199x0 in my access logs:

0:0:0:0:0:0:0:1 | http | i@DX16Wx987x199x0 | - | 2014-08-20 16:27:31,972 | "POST /rest/api/1.0/projects/WORK/repos/my-repo/commits/ HTTP/1.1" | "" "curl/7.30.0" | - | - | - | 
Bitbucket 7.0+

audit/YYYYMMDD.#####.audit.log

# These are the events recorded for a failed authentication in the following conditions:
## http clone
{"affectedObjects":[],"auditType":{"action":"User login failed","actionI18nKey":"bitbucket.service.user.audit.action.authenticationfailure","area":"SECURITY","category":"Authentication","categoryI18nKey":"bitbucket.service.audit.category.authentication","level":"ADVANCED"},"author":{"id":"-2","name":"Anonymous","type":"user"},"changedValues":[],"extraAttributes":[{"name":"Error","nameI18nKey":"bitbucket.service.user.audit.attribute.authenticationfailure.error","value":"Invalid username or password."},{"name":"Load balancer/proxy IP address","nameI18nKey":"atlassian.audit.event.attribute.forwarder","value":"192.168.5.2"},{"name":"target","nameI18nKey":"bitbucket.audit.attribute.legacy.target","value":"invalid_user"},{"name":"Authentication method","nameI18nKey":"bitbucket.service.user.audit.attribute.authentication.authmethod","value":"basic"}],"method":"Browser","node":"f8449858-2506-4724-a0ae-d587234dce15","source":"192.168.5.51","system":"https://examplebitbucket.com","timestamp":{"epochSecond":1605572664,"nano":56000000},"version":"1.0"}

## login via the user interface (note the "form" value as authentication.authmethod)
{"affectedObjects":[],"auditType":{"action":"User login failed","actionI18nKey":"bitbucket.service.user.audit.action.authenticationfailure","area":"SECURITY","category":"Authentication","categoryI18nKey":"bitbucket.service.audit.category.authentication","level":"ADVANCED"},"author":{"id":"-2","name":"Anonymous","type":"user"},"changedValues":[],"extraAttributes":[{"name":"Error","nameI18nKey":"bitbucket.service.user.audit.attribute.authenticationfailure.error","value":"Invalid username or password."},{"name":"Load balancer/proxy IP address","nameI18nKey":"atlassian.audit.event.attribute.forwarder","value":"192.168.5.2"},{"name":"Authentication method","nameI18nKey":"bitbucket.service.user.audit.attribute.authentication.authmethod","value":"form"},{"name":"target","nameI18nKey":"bitbucket.audit.attribute.legacy.target","value":"invalid_user"}],"method":"Browser","node":"f8449858-2506-4724-a0ae-d587234dce15","source":"192.168.5.1","system":"https://examplebitbucket.com","timestamp":{"epochSecond":1605572121,"nano":449000000},"version":"1.0"}

If you're having issues with CAPTCHA, please refer to:

Last modified on Jul 30, 2021

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.