Logging username in access-log

In KeyCLoak 14.0, I’m trying to configure access-log to also include username (or some ID of the user) when a user is logged in. In standalone.xml, I configured
XML:/server/profile/subsystem[@xmlns=“urn:jboss:domain:undertow:12.0”]/server/host/access-log/@pattern
pattern="%h %l %u %t “%r” %s/%S %b %T %I “%{i,User-Agent}”"

The log gets correctly printed in the file I configured. However, the value of %u is always empty (that is “-”).

The only way to log some user ID I found was logging session cookie value with
%{c,KEYCLOAK_SESSION}
Which isn’t a good idea to do in production.

Any idea on how to log username or userID in access-log?
Is it a bug that %u is empty even when there is an active user session?

Alternativelly, how to put the userID in some header to use one of the following?

  • %{i,xxx} for incoming headers
  • %{o,xxx} for outgoing response headers
  • %{c,xxx} for a specific cookie
  • %{r,xxx} where xxx is an attribute in the ServletRequest
  • %{s,xxx} where xxx is an attribute in the HttpSession