How to log unauthorised access attempts?

Hello,

I would like to audit log every unauthorised access of Keycloak resources. The approach we take in our project is that we implement an EventListenerProvider that audit logs all Keycloak events. The problem is, there is no event emitted by Keycloak for an unauthorised access attempt. If a user who has no permission to query clients tries to do so, the user gets 401 Unauthorised, no Keycloak event is emitted, and we cannot log it. Is there any other way we could try logging unauthorised requests?

Thank you,
Oxana

There isn’t a good way using Keycloak events. You could enable and use the HTTP logs in order to find all 401s and 403s. You can enable those with the quarkus.properties file, and the following value:

quarkus.http.access-log.enabled=true

See the Quarkus guide for more information:
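
Added example, not part of the original reply and not Keycloak's own code: once the access log is enabled, a filter like the one below pulls the 401 and 403 entries out of it and counts them per client and path. It assumes the entries are in common log format; the sample lines, the addresses, the logger prefix and the `demo` realm are constructed for illustration.

```python
import re
from collections import Counter

# Common log format: host ident user [time] "method path protocol" status bytes
# Assumption: the access log uses this format; adjust the regex if a custom
# pattern has been configured.
CLF = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
DENIED = {"401", "403"}


def denied_requests(lines):
    """Return one dict per request that was answered with 401 or 403."""
    hits = []
    for line in lines:
        m = CLF.search(line)  # search, not match: tolerates a logger prefix
        if m and m["status"] in DENIED:
            hits.append(m.groupdict())
    return hits


def summarise(hits):
    """Count denied requests per (client address, status, path without query)."""
    return Counter(
        (h["host"], h["status"], h["path"].split("?", 1)[0]) for h in hits
    )


# Constructed sample lines (documentation address ranges, hypothetical realm).
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2024:10:15:32 +0000] "GET /admin/realms/demo/clients HTTP/1.1" 401 -',
    '192.0.2.10 - - [12/Mar/2024:10:15:40 +0000] "GET /admin/realms/demo/clients?first=0 HTTP/1.1" 401 -',
    '198.51.100.7 - - [12/Mar/2024:10:16:01 +0000] "GET /admin/realms/demo/users HTTP/1.1" 403 42',
    '198.51.100.7 - - [12/Mar/2024:10:16:05 +0000] "GET /realms/demo/.well-known/openid-configuration HTTP/1.1" 200 5120',
    # Same entry shape behind a constructed console-logger prefix.
    '2024-03-12 10:16:09,001 INFO  [io.quarkus.http.access-log] (executor-thread-1) '
    '203.0.113.5 - - [12/Mar/2024:10:16:09 +0000] "POST /admin/realms/demo/clients HTTP/1.1" 403 -',
]

if __name__ == "__main__":
    for (host, status, path), n in summarise(denied_requests(SAMPLE)).most_common():
        print(f"{n:3d}  {status}  {host}  {path}")
```

The resulting records can be forwarded to the same audit sink the EventListenerProvider writes to, so denied requests and Keycloak events end up in one trail.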