Hey,
We would like to integrate Keycloak with our SIEM, but I am unable to find any documented method to forward the logs.
I have done some testing and can see two log files, keycloak-11.0.2/standalone/log/server.log and keycloak-11.0.2/standalone/log/audit.log, and have been able to forward these logs to our SIEM using rsyslog.
It seems like the audit logs are logged in server.log and nothing appears to be logged in audit.log in my tests. For some reason only the failed login attempts are logged. No successful logins are logged.
2020-10-13 12:44:35,483 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8080/auth/admin/master/console/, code_id=fd94200e-66d2-4a17-a2c3-6ca354a5fac0, username=tom, authSessionParentId=fd94200e-66d2-4a17-a2c3-6ca354a5fac0, authSessionTabId=jjs3cwY15r0
2020-10-13 12:45:46,168 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=6f2956b6-941c-4065-82aa-7f06579c1d7d, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8080/auth/admin/master/console/#/realms/vpn, code_id=302362cf-fef6-4383-8e7e-b2259ed042dd, username=mick, authSessionParentId=302362cf-fef6-4383-8e7e-b2259ed042dd, authSessionTabId=Bvv3GXcFmAl
Is there a supported method to collect and forward all logs to a SIEM?
Any help or advice is welcome.
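
Added example, not part of the original post and not Keycloak's own code: a parser for the org.keycloak.events lines quoted above that turns each key=value event into a JSON record a SIEM can ingest. The function names are hypothetical; the first two sample lines are the ones from the post and the third is constructed.

```python
import json
import re

# server.log header: timestamp, level, [logger category], (thread), then the message.
HEADER = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]*)\)\s+(?P<body>.*)$"
)
# A field begins at the start of the message or after ", " and has the form name=
# so a bare "=" or "," inside a value (e.g. a redirect_uri query string) does not split it.
FIELD_START = re.compile(r"(?:^|, )([A-Za-z_]\w*)=")

# Lines 1-2 are the events quoted in the post; line 3 is a constructed non-event line.
SAMPLE = [
    "2020-10-13 12:44:35,483 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8080/auth/admin/master/console/, code_id=fd94200e-66d2-4a17-a2c3-6ca354a5fac0, username=tom, authSessionParentId=fd94200e-66d2-4a17-a2c3-6ca354a5fac0, authSessionTabId=jjs3cwY15r0",
    "2020-10-13 12:45:46,168 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=6f2956b6-941c-4065-82aa-7f06579c1d7d, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8080/auth/admin/master/console/#/realms/vpn, code_id=302362cf-fef6-4383-8e7e-b2259ed042dd, username=mick, authSessionParentId=302362cf-fef6-4383-8e7e-b2259ed042dd, authSessionTabId=Bvv3GXcFmAl",
    "2020-10-13 12:44:30,001 INFO [org.example.constructed] (main) constructed non-event line",
]


def parse_event(line):
    """Return a dict for an org.keycloak.events line, or None for any other line."""
    m = HEADER.match(line.strip())
    if not m or m.group("logger") != "org.keycloak.events":
        return None
    body = m.group("body")
    starts = list(FIELD_START.finditer(body))
    if not starts:
        return None
    event = {k: m.group(k) for k in ("timestamp", "level", "thread")}
    for i, s in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(body)
        value = body[s.end():end]
        event[s.group(1)] = None if value == "null" else value  # userId=null -> JSON null
    return event


def to_json_lines(lines):
    """Parse every event line and serialise it as one JSON object per line."""
    return [json.dumps(e, sort_keys=True) for e in map(parse_event, lines) if e]


if __name__ == "__main__":
    for record in to_json_lines(SAMPLE):
        print(record)
```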