Keycloak Integration
<div class="condensed-table">
| | |
| --- | --- |
| Version | 1.25.0 |
| Compatible Kibana version(s) | 8.13.0 or higher |
| Supported Serverless project types | Security, Observability |
| Subscription level | Basic |
| Level of support | Community |
</div>
The Keycloak integration collects events from the Keycloak log files.
To enable logging of all Keycloak events (logins, user creation, updates, deletions, and so on), add the logger below:

```xml
<logger category="org.keycloak.events">
    <level name="DEBUG"/>
</logger>
```

to your configuration XML file (e.g. standalone.xml), inside the logging subsystem at the path below:

```xml
<server>
  <profile>
    <subsystem xmlns="urn:jboss:domain:logging:8.0">
      ....
    </subsystem>
  </profile>
</server>
```

Note:
- Keycloak log files can contain multiline entries. To process them, add a multiline configuration to the parsers section when deploying the integration.
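As an added illustration (not configuration shipped with the integration), the multiline parser setting below is written in Filebeat filestream parsers syntax, which the integration's parsers option is assumed to accept (the example event on this page shows `input.type: filestream`). It treats any line that does not begin with a timestamp as a continuation of the entry above it, so a Java stack trace is ingested as one event instead of many unparseable fragments:

```yaml
# Added example, not the integration's default. Assumes the parsers option
# accepts Filebeat filestream parser syntax.
- multiline:
    type: pattern
    # A new Keycloak entry starts with "YYYY-MM-DD HH:MM:SS,mmm"; anything else is a continuation.
    pattern: '^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}'
    negate: true
    match: after
    # Bound the joined event so a runaway trace cannot produce an enormous document.
    max_lines: 500
    timeout: 5s
```

Check the result by looking for events whose `message` field still contains the stack-trace lines; if continuation lines show up as separate documents with `event.kind: pipeline_error`, the pattern does not match your Keycloak timestamp format.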
**Exported fields**

| Field | Description | Type |
| --- | --- | --- |
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset name. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Type of Filebeat input. | keyword |
| keycloak.admin.operation | Keycloak admin operation: Add, Update, Delete. | keyword |
| keycloak.admin.resource.path | Path to the affected resource. | keyword |
| keycloak.admin.resource.type | Type of Keycloak resource being acted upon: Group, User, Client, Scope, etc. | keyword |
| keycloak.client.id | ID of the Keycloak client. | keyword |
| keycloak.event_type | Keycloak event type: Login or Admin. | keyword |
| keycloak.login.auth_method | Keycloak authentication method (SAML or OpenID Connect). | keyword |
| keycloak.login.auth_session_parent_id | Parent session ID. | keyword |
| keycloak.login.auth_session_tab_id | Session tab ID. | keyword |
| keycloak.login.auth_type | OpenID Connect authentication type (code, implicit, etc.). | keyword |
| keycloak.login.code_id | OpenID Connect code ID. | keyword |
| keycloak.login.redirect_uri | Keycloak redirect URL. | keyword |
| keycloak.login.type | Event type. | keyword |
| keycloak.realm.id | Keycloak realm ID. | keyword |
| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
| log.file.inode | Inode number of the log file. | keyword |
| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
| log.flags | Flags for the log file. | keyword |
| log.offset | Offset of the entry in the log file. | long |
| url.scheme | | |
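The work the integration's GROK pattern and kv processor do at ingest time (both are mentioned in the changelog) can be reproduced offline to see how a raw log line becomes the fields in the table above. The script below is an added example, not the integration's own pipeline: it joins multiline entries the way the multiline note requires, splits the JBoss log header seen in the example event (timestamp, level, logger, thread, message), and maps the key=value body of `org.keycloak.events` lines onto the `keycloak.*` fields listed here. The sample log is constructed; the key=value layout of Keycloak event lines, the values `login`/`admin` for `keycloak.event_type`, and the ECS names `user.name`, `source.ip` and `event.outcome` are assumptions and are not taken from this page. The last helper shows a defender's use of the parsed documents: counting `LOGIN_ERROR` events per source address.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log (not from the page). The org.keycloak.events lines use the
# "key=value, key=value" layout Keycloak's logging event listener emits once the
# DEBUG logger is enabled (assumption: compare against your own logs). The last
# entry is a Java stack trace, i.e. a multiline record that must be joined first.
SAMPLE_LOG = """\
2021-10-22 21:01:42,667 INFO  [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 64) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot
2021-10-22 21:02:10,101 DEBUG [org.keycloak.events] (default task-3) type=LOGIN, realmId=example-realm, clientId=account-console, userId=7f1c2b9e-0000-4000-8000-000000000001, ipAddress=10.0.0.5, auth_method=openid-connect, auth_type=code, redirect_uri=https://sso.example.test/realms/example-realm/account/, code_id=3a1f0c2d-0000-4000-8000-000000000002, username=alice
2021-10-22 21:02:15,555 WARN  [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=example-realm, clientId=account-console, userId=null, ipAddress=203.0.113.9, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://sso.example.test/realms/example-realm/account/, code_id=9b2e1d3c-0000-4000-8000-000000000003, username=nosuchuser
2021-10-22 21:02:16,001 WARN  [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=example-realm, clientId=account-console, userId=null, ipAddress=203.0.113.9, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://sso.example.test/realms/example-realm/account/, code_id=9b2e1d3c-0000-4000-8000-000000000005, username=admin
2021-10-22 21:03:00,010 DEBUG [org.keycloak.events] (default task-5) operationType=DELETE, realmId=example-realm, clientId=admin-cli, userId=7f1c2b9e-0000-4000-8000-000000000001, ipAddress=10.0.0.5, resourceType=USER, resourcePath=users/2c4d6e8f-0000-4000-8000-000000000004
2021-10-22 21:03:30,200 ERROR [org.keycloak.services] (default task-6) Uncaught server error: java.lang.IllegalStateException: example
\tat org.keycloak.services.Example.run(Example.java:42)
\tat java.base/java.lang.Thread.run(Thread.java:833)
"""

# Every Keycloak entry starts with "YYYY-MM-DD HH:MM:SS,mmm"; continuation lines do not.
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")

# Header layout seen in the page's example event: timestamp, level, [logger], (thread), message.
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) +(?P<level>[A-Z]+) +"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<message>.*)$",
    re.DOTALL,
)


def join_multiline(text: str) -> List[str]:
    """Attach lines without a leading timestamp to the entry above them.
    This is what the integration's multiline parser setting does at ingest time."""
    entries: List[str] = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += "\n" + line
    return entries


def parse_kv(body: str) -> Dict[str, str]:
    """Split 'k=v, k=v' pairs (assumes values contain no ', ' in this layout)."""
    pairs: Dict[str, str] = {}
    for part in body.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs


def parse_entry(entry: str) -> Dict[str, object]:
    """Turn one (possibly multiline) log entry into a flat document."""
    match = HEADER.match(entry)
    if not match:
        # Mirrors the integration: keep the raw text and flag the parse failure.
        return {"event.original": entry, "event.kind": "pipeline_error"}
    doc: Dict[str, object] = {
        "@timestamp": match["ts"],
        "log.level": match["level"],
        "log.logger": match["logger"],
        "process.thread.name": match["thread"],
        "message": match["message"],
        "event.original": entry,
    }
    if match["logger"] != "org.keycloak.events":
        return doc  # ordinary server log line: header fields only
    kv = parse_kv(match["message"])
    doc["keycloak.realm.id"] = kv.get("realmId")
    doc["keycloak.client.id"] = kv.get("clientId")
    doc["source.ip"] = kv.get("ipAddress")  # ECS name, assumed
    if "username" in kv:
        doc["user.name"] = kv["username"]  # ECS name, assumed
    if "operationType" in kv:  # admin event: operationType / resourceType / resourcePath
        doc["keycloak.event_type"] = "admin"
        doc["keycloak.admin.operation"] = kv["operationType"]
        doc["keycloak.admin.resource.type"] = kv.get("resourceType")
        doc["keycloak.admin.resource.path"] = kv.get("resourcePath")
    else:  # user (login) event: keys map 1:1 onto keycloak.login.* in the table
        doc["keycloak.event_type"] = "login"
        for key in ("type", "auth_method", "auth_type", "code_id", "redirect_uri"):
            if key in kv:
                doc["keycloak.login." + key] = kv[key]
        failed = kv.get("type", "").endswith("_ERROR")
        doc["event.outcome"] = "failure" if failed else "success"
    return doc


def failed_logins_by_ip(docs: List[Dict[str, object]], threshold: int) -> Dict[str, int]:
    """Defender's view: count LOGIN_ERROR events per source address and keep the
    addresses reaching the threshold (a simple brute-force / spray indicator)."""
    counts = Counter(
        str(d["source.ip"]) for d in docs
        if d.get("keycloak.login.type") == "LOGIN_ERROR" and d.get("source.ip")
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    parsed = [parse_entry(e) for e in join_multiline(SAMPLE_LOG)]
    for d in parsed:
        print(d.get("keycloak.event_type", "-"), d.get("log.level"), d.get("keycloak.login.type") or d.get("keycloak.admin.operation") or "")
    print("failed logins by source:", failed_logins_by_ip(parsed, threshold=2))
```

Run it as-is to see the six joined entries and the one source address that produced two `LOGIN_ERROR` events. The `join_multiline` step runs before any field extraction on purpose: if a stack trace is not joined first, each `at ...` line fails the header match and becomes a separate `pipeline_error` document, which is exactly the symptom the multiline note warns about.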
**Example**

An example event for `log` looks as follows:

```json
{
  "@timestamp": "2021-10-22T21:01:42.667-05:00",
  "agent": {
    "ephemeral_id": "bb6d890f-5c05-4247-b410-8f3b914e5293",
    "id": "d053789b-7b04-4a8c-b06c-ca79014bb61a",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.10.2"
  },
  "data_stream": {
    "dataset": "keycloak.log",
    "namespace": "ep",
    "type": "logs"
  },
  "ecs": {
    "version": "8.11.0"
  },
  "elastic_agent": {
    "id": "d053789b-7b04-4a8c-b06c-ca79014bb61a",
    "snapshot": false,
    "version": "8.10.2"
  },
  "event": {
    "agent_id_status": "verified",
    "dataset": "keycloak.log",
    "ingested": "2023-10-03T10:29:46Z",
    "original": "2021-10-22 21:01:42,667 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 64) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication",
    "timezone": "-05:00"
  },
  "host": {
    "architecture": "x86_64",
    "containerized": true,
    "hostname": "docker-fleet-agent",
    "id": "efe661d97f0c4d9883075c393da6b0d8",
    "ip": [
      "172.30.0.7"
    ],
    "mac": [
      "02-42-AC-1E-00-07"
    ],
    "name": "docker-fleet-agent",
    "os": {
      "codename": "focal",
      "family": "debian",
      "kernel": "5.15.90.1-microsoft-standard-WSL2",
      "name": "Ubuntu",
      "platform": "ubuntu",
      "type": "linux",
      "version": "20.04.6 LTS (Focal Fossa)"
    }
  },
  "input": {
    "type": "filestream"
  },
  "log": {
    "file": {
      "device_id": 2080,
      "inode": 90612,
      "path": "/tmp/service_logs/test-log.log"
    },
    "level": "INFO",
    "logger": "org.jboss.resteasy.resteasy_jaxrs.i18n",
    "offset": 658
  },
  "message": "RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication",
  "process": {
    "thread": {
      "name": "ServerService Thread Pool -- 64"
    }
  },
  "tags": [
    "preserve_original_event",
    "keycloak-log"
  ]
}
```
**Changelog**

| Version | Details | Kibana version(s) |
| --- | --- | --- |
| 1.25.0 | Enhancement: Do not remove event.original in main ingest pipeline. | 8.13.0 or higher |
| 1.24.0 | Enhancement: Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". | 8.13.0 or higher |
| 1.23.2 | Bug fix: Use triple-brace Mustache templating when referencing variables in ingest pipelines. | 8.13.0 or higher |
| 1.23.1 | Bug fix: Use triple-brace Mustache templating when referencing variables in ingest pipelines. | 8.13.0 or higher |
| 1.23.0 | Enhancement: Make condition configurable to control when to apply the log data stream. | 8.13.0 or higher |
| 1.22.3 | Bug fix: Fix missing value in pipeline condition. | 8.13.0 or higher |
| 1.22.2 | Bug fix: Enhanced kv processor to trim escape sequences properly. | 8.13.0 or higher |
| 1.22.1 | Bug fix: Fixed parser config default value and updated GROK pattern to account for multiline logs. | 8.13.0 or higher |
| 1.22.0 | Enhancement: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 or higher |
| 1.21.0 | Enhancement: Update manifest format version to v3.0.3. | 7.16.0 or higher, 8.0.0 or higher |
| 1.20.1 | Enhancement: Changed owners. | 7.16.0 or higher, 8.0.0 or higher |
| 1.20.0 | Enhancement: Make parsers configurable for Keycloak logs. | 7.16.0 or higher, 8.0.0 or higher |
| 1.19.0 | Enhancement: ECS version updated to 8.11.0. | 7.16.0 or higher, 8.0.0 or higher |
| 1.18.0 | Enhancement: Improve event.original check to avoid errors if set. | 7.16.0 or higher, 8.0.0 or higher |
| 1.17.0 | Enhancement: Adapt fields for changes in file system info. | 7.16.0 or higher, 8.0.0 or higher |
| 1.16.0 | Enhancement: Set community owner type. | 7.16.0 or higher, 8.0.0 or higher |
| 1.15.0 | Enhancement: Update the package format_version to 3.0.0. | 7.16.0 or higher, 8.0.0 or higher |
| 1.14.0 | Enhancement: Update package to ECS 8.10.0 and align ECS categorization fields. | 7.16.0 or higher, 8.0.0 or higher |
| 1.13.0 | Enhancement: Add tags.yml file so that the integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. | 7.16.0 or higher, 8.0.0 or higher |
| 1.12.0 | Enhancement: Update package to ECS 8.9.0. | 7.16.0 or higher, 8.0.0 or higher |
| 1.11.0 | Enhancement: Update package-spec to 2.9.0. | 7.16.0 or higher, 8.0.0 or higher |
| 1.10.0 | Enhancement: Ensure event.kind is correctly set for pipeline errors. | 7.16.0 or higher, 8.0.0 or higher |
| 1.9.0 | Enhancement: Update package to ECS 8.8.0. | 7.16.0 or higher, 8.0.0 or higher |
| 1.8.0 | Enhancement: Update package to ECS 8.7.0. | 7.16.0 or higher, 8.0.0 or higher |
| 1.7.2 | Enhancement: Added categories and/or subcategories. | 7.16.0 or higher, 8.0.0 or higher |
| 1.7.1 | Bug fix: Ensure numeric timezones are correctly interpreted. | 7.16.0 or higher, 8.0.0 or higher |
| 1.7.0 | Enhancement: Update package to ECS 8.6.0. | 7.16.0 or higher, 8.0.0 or higher |
| 1.6.0 | Enhancement: Update package to ECS 8.5.0. | 7.16.0 or higher, 8.0.0 or higher |
| 1.5.1 | Enhancement: Use ECS geo.location definition. | 7.16.0 or higher, 8.0.0 or higher |
| 1.5.0 | Enhancement: Update package to ECS 8.4.0. | 7.16.0 or higher, 8.0.0 or higher |
| 1.4.2 | Bug fix: Fix typo in Timezone Offset description. | 7.16.0 or higher, 8.0.0 or higher |
| 1.4.1 | Enhancement: Update package name and description to align with standard wording. | 7.16.0 or higher, 8.0.0 or higher |
| 1.4.0 | Enhancement: Update package to ECS 8.3.0. | 7.16.0 or higher, 8.0.0 or higher |
| 1.3.1 | Enhancement: Add link to Keycloak documentation. | 7.16.0 or higher, 8.0.0 or higher |
| 1.3.0 | Enhancement: Update to ECS 8.2. | 7.16.0 or higher, 8.0.0 or higher |
| 1.2.1 | Enhancement: Add documentation for multi-fields. | 7.16.0 or higher, 8.0.0 or higher |
| 1.2.0 | Enhancement: Update to ECS 8.0. | 7.16.0 or higher, 8.0.0 or higher |
| 1.1.0 | Enhancement: Add 8.0.0 version constraint. | 7.16.0 or higher, 8.0.0 or higher |
| 1.0.0 | Enhancement: Initial release. | 7.16.0 or higher |