Keycloak

Collect logs from Keycloak with Elastic Agent.

Version: 1.22.3
Compatible Kibana version(s): 8.13.0 or higher
Supported Serverless project types: Security, Observability
Subscription level: Basic
Level of support: Community

The Keycloak integration collects events from the Keycloak log files.

To enable logging of all Keycloak events (logins, user creation, updates, deletions and so on), add the logger below

    <logger category="org.keycloak.events">
        <level name="DEBUG"/>
    </logger>

to your configuration XML file (i.e. standalone.xml), inside the logging subsystem at the path shown below:

    <server>
        <profile>
            <subsystem xmlns="urn:jboss:domain:logging:8.0">
                ....
            </subsystem>
        </profile>
    </server>

Note:

  • Keycloak log files can contain multiline entries (for example, Java stack traces). To process them, add the multiline configuration to the parsers section when deploying the integration.

Logs

log

Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
cloud.image.id | Image ID for the cloud instance. | keyword
data_stream.dataset | Data stream dataset name. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
event.dataset | Event dataset | constant_keyword
event.module | Event module | constant_keyword
host.containerized | If the host is a container. | boolean
host.os.build | OS build information. | keyword
host.os.codename | OS codename, if any. | keyword
input.type | Type of Filebeat input. | keyword
keycloak.admin.operation | Keycloak admin operation; Add, Update, Delete | keyword
keycloak.admin.resource.path | Path to affected resource | keyword
keycloak.admin.resource.type | Type of keycloak resource being acted upon; Group, User, Client, Scope... | keyword
keycloak.client.id | ID of the Keycloak client | keyword
keycloak.event_type | Keycloak event type; Login or Admin | keyword
keycloak.login.auth_method | Keycloak authentication method (SAML or OpenID Connect) | keyword
keycloak.login.auth_session_parent_id | Parent session ID | keyword
keycloak.login.auth_session_tab_id | Session Tab ID | keyword
keycloak.login.auth_type | OpenID Connect authentication type (code, implicit...) | keyword
keycloak.login.code_id | OpenID Connect Code ID | keyword
keycloak.login.redirect_uri | Keycloak redirect URL | keyword
keycloak.login.type | Event Type | keyword
keycloak.realm.id | Keycloak Realm ID | keyword
log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword
log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword
log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword
log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword
log.file.inode | Inode number of the log file. | keyword
log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword
log.flags | Flags for the log file. | keyword
log.offset | Offset of the entry in the log file. | long
url.scheme |  | 

An example event for log looks as follows:

{
    "@timestamp": "2021-10-22T21:01:42.667-05:00",
    "agent": {
        "ephemeral_id": "bb6d890f-5c05-4247-b410-8f3b914e5293",
        "id": "d053789b-7b04-4a8c-b06c-ca79014bb61a",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.10.2"
    },
    "data_stream": {
        "dataset": "keycloak.log",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d053789b-7b04-4a8c-b06c-ca79014bb61a",
        "snapshot": false,
        "version": "8.10.2"
    },
    "event": {
        "agent_id_status": "verified",
        "dataset": "keycloak.log",
        "ingested": "2023-10-03T10:29:46Z",
        "original": "2021-10-22 21:01:42,667 INFO  [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 64) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication",
        "timezone": "-05:00"
    },
    "host": {
        "architecture": "x86_64",
        "containerized": true,
        "hostname": "docker-fleet-agent",
        "id": "efe661d97f0c4d9883075c393da6b0d8",
        "ip": [
            "172.30.0.7"
        ],
        "mac": [
            "02-42-AC-1E-00-07"
        ],
        "name": "docker-fleet-agent",
        "os": {
            "codename": "focal",
            "family": "debian",
            "kernel": "5.15.90.1-microsoft-standard-WSL2",
            "name": "Ubuntu",
            "platform": "ubuntu",
            "type": "linux",
            "version": "20.04.6 LTS (Focal Fossa)"
        }
    },
    "input": {
        "type": "filestream"
    },
    "log": {
        "file": {
            "device_id": 2080,
            "inode": 90612,
            "path": "/tmp/service_logs/test-log.log"
        },
        "level": "INFO",
        "logger": "org.jboss.resteasy.resteasy_jaxrs.i18n",
        "offset": 658
    },
    "message": "RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication",
    "process": {
        "thread": {
            "name": "ServerService Thread Pool -- 64"
        }
    },
    "tags": [
        "preserve_original_event",
        "keycloak-log"
    ]
}
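As an added illustration, not code from the integration's own ingest pipeline, the Python below groups raw Keycloak log lines into events with the same timestamp-anchored rule the multiline note above describes, then maps each event onto the exported fields listed above (log.level, log.logger, process.thread.name and the keycloak.* fields). The "key=value, ..." layout of org.keycloak.events lines and the key-to-field mapping are assumptions, and the sample lines are constructed with placeholder values.

```python
import re
# Header of a Keycloak (WildFly/JBoss logging) line, laid out like the page's example event:
# "2021-10-22 21:01:42,667 INFO  [logger] (thread name) message".
TS = r'\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}'
HEADER = re.compile(r'^(?P<ts>' + TS + r') +(?P<level>[A-Z]+) +\[(?P<logger>[^\]]+)\] '
                    r'\((?P<thread>[^)]+)\) (?P<message>.*)$', re.S)
# Assumed mapping from the keys Keycloak's event listener logs to the exported field names above.
KV_TO_FIELD = {
    "type": "keycloak.login.type", "realmId": "keycloak.realm.id", "clientId": "keycloak.client.id",
    "auth_method": "keycloak.login.auth_method", "auth_type": "keycloak.login.auth_type",
    "redirect_uri": "keycloak.login.redirect_uri", "code_id": "keycloak.login.code_id",
    "authSessionParentId": "keycloak.login.auth_session_parent_id",
    "authSessionTabId": "keycloak.login.auth_session_tab_id",
    "operationType": "keycloak.admin.operation", "resourceType": "keycloak.admin.resource.type",
    "resourcePath": "keycloak.admin.resource.path",
}

def group_multiline(lines):
    """Glue lines without a leading timestamp onto the previous event (multiline negate/after)."""
    events = []
    for line in lines:
        if re.match(TS, line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events

def parse_event(raw):
    """One event -> log.*/process.* fields as in the example event, plus keycloak.* kv fields."""
    m = HEADER.match(raw)
    if not m:
        return {"message": raw, "error.message": "header did not match"}
    doc = {"@timestamp": m["ts"], "log.level": m["level"], "log.logger": m["logger"],
           "process.thread.name": m["thread"], "message": m["message"]}
    if m["logger"] == "org.keycloak.events":  # body is "key=value, key=value, ..." (assumed)
        kv = dict(p.split("=", 1) for p in m["message"].split(", ") if "=" in p)
        doc["keycloak.event_type"] = "Admin" if "operationType" in kv else "Login"
        doc.update({KV_TO_FIELD[k]: v for k, v in kv.items() if k in KV_TO_FIELD})
    return doc

# Constructed sample (placeholder values): a login event, a warning with a stack-trace line, an admin event.
SAMPLE_LINES = [
    "2021-10-22 21:02:10,001 DEBUG [org.keycloak.events] (default task-3) type=LOGIN, realmId=master, clientId=account-console, auth_method=openid-connect, auth_type=code, redirect_uri=https://sso.example.test/account/, code_id=c0de-0001",
    "2021-10-22 21:02:11,500 WARN  [org.keycloak.services] (default task-4) Failed authentication: java.lang.RuntimeException: boom",
    "\tat org.keycloak.Example.method(Example.java:42)",
    "2021-10-22 21:03:00,000 DEBUG [org.keycloak.events] (default task-5) operationType=DELETE, realmId=master, clientId=admin-cli, resourceType=USER, resourcePath=users/0000-placeholder",
]
def parse_all(lines=SAMPLE_LINES):
    return [parse_event(event) for event in group_multiline(lines)]
```

Without the grouping step the "\tat ..." line would reach the pipeline as its own event with no header, which is the failure the multiline note is about.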

Changelog

Version | Details | Kibana version(s)
1.22.3 | Bug fix: Fix missing value in pipeline condition. | 8.13.0 or higher
1.22.2 | Bug fix: Enhanced kv processor to trim escape sequences properly. | 8.13.0 or higher
1.22.1 | Bug fix: Fixed parser config default value and updated GROK pattern to account for multiline logs. | 8.13.0 or higher
1.22.0 | Enhancement: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 or higher
1.21.0 | Enhancement: Update manifest format version to v3.0.3. | 7.16.0 or higher; 8.0.0 or higher
1.20.1 | Enhancement: Changed owners. | 7.16.0 or higher; 8.0.0 or higher
1.20.0 | Enhancement: Make parsers configurable for Keycloak logs. | 7.16.0 or higher; 8.0.0 or higher
1.19.0 | Enhancement: ECS version updated to 8.11.0. | 7.16.0 or higher; 8.0.0 or higher
1.18.0 | Enhancement: Improve 'event.original' check to avoid errors if set. | 7.16.0 or higher; 8.0.0 or higher
1.17.0 | Enhancement: Adapt fields for changes in file system info. | 7.16.0 or higher; 8.0.0 or higher
1.16.0 | Enhancement: Set 'community' owner type. | 7.16.0 or higher; 8.0.0 or higher
1.15.0 | Enhancement: Update the package format_version to 3.0.0. | 7.16.0 or higher; 8.0.0 or higher
1.14.0 | Enhancement: Update package to ECS 8.10.0 and align ECS categorization fields. | 7.16.0 or higher; 8.0.0 or higher
1.13.0 | Enhancement: Add tags.yml file so that the integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. | 7.16.0 or higher; 8.0.0 or higher
1.12.0 | Enhancement: Update package to ECS 8.9.0. | 7.16.0 or higher; 8.0.0 or higher
1.11.0 | Enhancement: Update package-spec to 2.9.0. | 7.16.0 or higher; 8.0.0 or higher
1.10.0 | Enhancement: Ensure event.kind is correctly set for pipeline errors. | 7.16.0 or higher; 8.0.0 or higher
1.9.0 | Enhancement: Update package to ECS 8.8.0. | 7.16.0 or higher; 8.0.0 or higher
1.8.0 | Enhancement: Update package to ECS 8.7.0. | 7.16.0 or higher; 8.0.0 or higher
1.7.2 | Enhancement: Added categories and/or subcategories. | 7.16.0 or higher; 8.0.0 or higher
1.7.1 | Bug fix: Ensure numeric timezones are correctly interpreted. | 7.16.0 or higher; 8.0.0 or higher
1.7.0 | Enhancement: Update package to ECS 8.6.0. | 7.16.0 or higher; 8.0.0 or higher
1.6.0 | Enhancement: Update package to ECS 8.5.0. | 7.16.0 or higher; 8.0.0 or higher
1.5.1 | Enhancement: Use ECS geo.location definition. | 7.16.0 or higher; 8.0.0 or higher
1.5.0 | Enhancement: Update package to ECS 8.4.0. | 7.16.0 or higher; 8.0.0 or higher
1.4.2 | Bug fix: Fix typo in 'Timezone Offset' description. | 7.16.0 or higher; 8.0.0 or higher
1.4.1 | Enhancement: Update package name and description to align with standard wording. | 7.16.0 or higher; 8.0.0 or higher
1.4.0 | Enhancement: Update package to ECS 8.3.0. | 7.16.0 or higher; 8.0.0 or higher
1.3.1 | Enhancement: Add link to Keycloak documentation. | 7.16.0 or higher; 8.0.0 or higher
1.3.0 | Enhancement: Update to ECS 8.2. | 7.16.0 or higher; 8.0.0 or higher
1.2.1 | Enhancement: Add documentation for multi-fields. | 7.16.0 or higher; 8.0.0 or higher
1.2.0 | Enhancement: Update to ECS 8.0. | 7.16.0 or higher; 8.0.0 or higher
1.1.0 | Enhancement: Add 8.0.0 version constraint. | 7.16.0 or higher; 8.0.0 or higher
1.0.0 | Enhancement: Initial release. | 7.16.0 or higher
