SIEM integration logs


We would like to integrate KeyCloak with our SIEM but I am unable to find any documentation method to forward the logs.

I have done some testing and can see 2 log files keycloak-11.0.2/standalone/log/server.log and keycloak-11.0.2/standalone/log/audit.log and have been able to forward these logs to our SIEM using rsyslog.

It seems like the audit logs are logged in server.log and nothing appears to be logged in audit.log in my tests. For some reason only the failed login attempts are logged. No successful logins are logged.

2020-10-13 12:44:35,483 WARN  [] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8080/auth/admin/master/console/, code_id=fd94200e-66d2-4a17-a2c3-6ca354a5fac0, username=tom, authSessionParentId=fd94200e-66d2-4a17-a2c3-6ca354a5fac0, authSessionTabId=jjs3cwY15r0

2020-10-13 12:45:46,168 WARN  [] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=6f2956b6-941c-4065-82aa-7f06579c1d7d, ipAddress=, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8080/auth/admin/master/console/#/realms/vpn, code_id=302362cf-fef6-4383-8e7e-b2259ed042dd, username=mick, authSessionParentId=302362cf-fef6-4383-8e7e-b2259ed042dd, authSessionTabId=Bvv3GXcFmAl

Is there a supported method to collect and forward all logs to a SIEM?

Any help or advise is welcome.

If your SIEM accepts deliveries via syslog, you can use a syslog appender and send all the logs via syslog to your SIEM system.

1 Like