Feature Request: include IP and username in logging for failed attempts #64

Closed
opened 2026-02-04 16:37:11 +03:00 by OVERLORD · 6 comments

Originally created by @davekaufman on GitHub (Aug 8, 2018).

# Feature Request

## Improve logging of failed login attempts

### Issue

Currently, failed login attempts are logged like so:

```json
{"log":"ERROR: Username or password is incorrect. Try again.\n","stream":"stdout","time":"2018-08-08T19:33:20.892869034Z"}
```

Ideally, these log messages would include the IP address of the host attempting login and the username that was attempted. Including this information would allow for better monitoring and alerting, as well as blocking of bad actors.

### Suggestion

Include IP address and username in the log message.
Example:

```json
{"log":"ERROR: Username or password is incorrect. Try again.\n","IP":"192.0.2.23","username":"foo@example.com","stream":"stdout","time":"2018-08-08T19:33:20.892869034Z"}
```
OVERLORD added the enhancement, good first issue labels 2026-02-04 16:37:11 +03:00

@mprasil commented on GitHub (Aug 8, 2018):

Excellent idea and shouldn't be too hard to implement.


@Baelyk commented on GitHub (Aug 25, 2018):

I'm interested in trying to add this, but I can't seem to find any log file. The only logging that I am finding is the logging to stdout that Rocket usually does.

Am I missing something obvious?


@mprasil commented on GitHub (Aug 25, 2018):

There's #63 for logging to file, but that is currently pending some upstream changes. So this is purely about changing that single failure message to include requested information.


@dani-garcia commented on GitHub (Aug 26, 2018):

The stdout now logs IP and user on failed login attempts.
For those behind a proxy, you might need to configure the proxy to create an `X-Real-IP` header with the external IP of the request.


@philw07 commented on GitHub (Sep 13, 2018):

This is a useful feature; however, I noticed the IP is only logged when trying to log in with a valid username and a wrong password (with the message "Username or password is incorrect"). When trying to log in with a username for which no account exists, however, only "Invalid user" is logged.
What's even worse is that the same error messages are displayed in the web vault UI, so a potential attacker can immediately see whether an account exists or not.
I think the error message should be "Username or password is incorrect", including the logged IP, in any case.


@dani-garcia commented on GitHub (Sep 14, 2018):

That should be fixed now in b75ba216d. Thanks for reporting it!
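The behaviour the thread converges on, shown as an added illustration in plain Rust (this is not vaultwarden's or Rocket's code; `Req`, `demo_users` and `login` are hypothetical stand-ins): the client IP is taken from `X-Real-IP` only when a trusted proxy sits in front, and an unknown user and a wrong password both yield the same user-facing message while the log line carries IP and username in either case.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
/// Hypothetical stand-in for the parts of a request this example needs:
/// the socket peer address and the request headers (not Rocket's type).
pub struct Req<'a> {
    pub peer: IpAddr,
    pub headers: &'a [(&'a str, &'a str)],
}
/// Resolve the client IP. `X-Real-IP` is honoured only when a trusted proxy
/// in front overwrites it; otherwise any client could set it to anything.
pub fn client_ip(req: &Req, behind_trusted_proxy: bool) -> IpAddr {
    if behind_trusted_proxy {
        let forwarded = req.headers.iter()
            .find(|(k, _)| k.eq_ignore_ascii_case("X-Real-IP"))
            .and_then(|(_, v)| v.trim().parse::<IpAddr>().ok());
        if let Some(ip) = forwarded {
            return ip;
        }
    }
    req.peer // no usable header: fall back to the socket peer address
}
/// The single message shown to the user whether or not the account exists.
pub const GENERIC_ERROR: &str = "Username or password is incorrect. Try again.";

/// Constructed user store for the demo: username -> password.
pub fn demo_users() -> HashMap<&'static str, &'static str> {
    HashMap::from([("foo@example.com", "hunter2")])
}

/// Check credentials. On failure return the user-facing message and the
/// log line, which carries IP and username regardless of why it failed.
pub fn login(users: &HashMap<&str, &str>, user: &str, pass: &str, ip: IpAddr)
    -> Result<(), (String, String)> {
    if users.get(user).map_or(false, |p| *p == pass) {
        return Ok(());
    }
    let log = format!("ERROR: {} IP: {} Username: {}", GENERIC_ERROR, ip, user);
    Err((GENERIC_ERROR.to_string(), log))
}

fn main() {
    let req = Req { peer: "10.0.0.5".parse().unwrap(),
                    headers: &[("X-Real-IP", "192.0.2.23")] };
    let users = demo_users();
    if let Err((msg, log)) = login(&users, "nobody@example.com", "x", client_ip(&req, true)) {
        println!("to user: {msg}\nto log:  {log}");
    }
}
```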

Reference: starred/vaultwarden#64