Impact of enabling Audit Events for Keycloak

We are looking to enable Keycloak Events for auditing and looking to understand if there’s any impact of enabling all the “Login” and “Admin” events on system performance.

Also, does toggling this setting for “master” realm enables it for all the other realms as well?

You don’t “enable” KC events itself with this setting, you just enable saving the events to the KC database. The events will be created anyway. :slightly_smiling_face:

Saving the events to the KC database is just inserting new rows into the events table, which is not linked to or queried by other tables. So, there’s no real performance impact while writing the events.
It “just” increases the size of your KC database, which might be an issue while doing backup/restore tasks, because they take longer (depending on the usage, much longer :wink:)

The query and reporting capabilities in KC are (very) limited, IMHO.
So, I’d prefer to write/use a custom event listener implementation, listening to the events and pushing them to another system, where you can evaluate the data according to your needs. This might be something like ElasticSearch or similar, or a message broker, from where you pick the events and process them further, etc…

2 Likes
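As an added example of the externalizing approach described above (this is not dasniko's code and not part of Keycloak itself), here is a minimal custom event listener SPI that serializes each login/admin event to JSON and forwards it over HTTP to an external collector, off the request thread so a slow collector cannot stall logins. The provider id `http-forwarder`, the package name, the `endpoint` config key and the collector URL are all assumptions for illustration; the Keycloak classes, `JsonSerialization` and the `--spi-events-listener-<id>-<key>` config convention are real.

```java
package example.events; // hypothetical package for this example

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.util.JsonSerialization;

/** Factory: Keycloak creates one provider per session; the HTTP client and worker pool are shared. */
public class HttpForwardingEventListenerFactory implements EventListenerProviderFactory {
    private static final Logger LOG = Logger.getLogger(HttpForwardingEventListenerFactory.class);
    static final String ID = "http-forwarder"; // assumed provider id; select it under Realm -> Events -> Event listeners

    private String endpoint;
    private HttpClient client;
    private ExecutorService workers;

    @Override
    public void init(Config.Scope config) {
        // Configured at startup, e.g. --spi-events-listener-http-forwarder-endpoint=https://collector.example/events
        endpoint = config.get("endpoint", "http://localhost:8081/events"); // default is a placeholder
        client = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(2)).build();
        // Bounded queue: if the collector is down or slow, we drop (and log) rather than block the login path.
        workers = new ThreadPoolExecutor(1, 2, 60, TimeUnit.SECONDS,
                new LinkedBlockingQueue<>(10_000),
                (runnable, executor) -> LOG.warn("audit event queue full, dropping one event"));
    }

    @Override
    public EventListenerProvider create(KeycloakSession session) {
        return new HttpForwardingEventListener(this);
    }

    /** Serialize on the caller's thread (cheap), ship on a worker thread (may be slow). */
    void forward(String kind, Object event) {
        final String json;
        try {
            json = JsonSerialization.writeValueAsString(Map.of("kind", kind, "event", event));
        } catch (Exception e) {
            LOG.warn("could not serialize audit event", e);
            return;
        }
        workers.execute(() -> {
            HttpRequest request = HttpRequest.newBuilder(URI.create(endpoint))
                    .timeout(Duration.ofSeconds(5))
                    .header("Content-Type", "application/json")
                    .POST(HttpRequest.BodyPublishers.ofString(json))
                    .build();
            try {
                HttpResponse<Void> response = client.send(request, HttpResponse.BodyHandlers.discarding());
                if (response.statusCode() >= 300) {
                    LOG.warnf("collector returned HTTP %d for audit event", response.statusCode());
                }
            } catch (Exception e) {
                LOG.warn("could not deliver audit event to collector", e);
            }
        });
    }

    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { workers.shutdown(); }
    @Override public String getId() { return ID; }
}

/** Provider: receives the same Login and Admin events the database store would receive. */
class HttpForwardingEventListener implements EventListenerProvider {
    private final HttpForwardingEventListenerFactory factory;

    HttpForwardingEventListener(HttpForwardingEventListenerFactory factory) { this.factory = factory; }

    @Override public void onEvent(Event event) { factory.forward("user", event); }

    @Override public void onEvent(AdminEvent event, boolean includeRepresentation) {
        // Admin events can carry the full resource representation; forward it only when the realm asked for it.
        factory.forward("admin", event);
    }

    @Override public void close() { }
}
```

Package this as a provider jar with a `META-INF/services/org.keycloak.events.EventListenerProviderFactory` file naming the factory class, then enable `http-forwarder` in each realm's event listener list. Because the listener still runs even when "Save events" is off, you get the events without the database growth and the expiry-deletion problem, and the collector (Elasticsearch, a message broker, etc.) takes over retention and querying. The bounded queue is the deliberate trade-off: for an audit trail you would rather see a "queue full" warning in the server log than have authentication latency depend on an external system.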

Just sharing…
Take note that when events expire (say you keep them for a year), Keycloak will delete the expired events in a single SQL transaction…
which will hang your DB if there is a large number of event records to be deleted, say 100k records (in case there is a high login/logout count)…

2 Likes

Totally right.
And also for me another reason to store the events externally, not in KC itself.

Agree with @dasniko on externalizing events. Keycloak isn’t really set up for storage or processing/reporting on large event volumes.

For example, for many customers I have used the events library I built (GitHub - p2-inc/keycloak-events: Useful Keycloak event listener implementations and utilities.) to send the events via HTTP to a service like Pipedream, which accepts any kind of events, and allows you to route them to other services (e.g. something like Google BigQuery for scalable analysis) or run code directly on the events as they come in.