Observability
To ensure deployments are running properly, Cloud-IAM has set up many monitoring probes and log collection at various levels. Some of these are re-exposed through the Cloud-IAM API.
All the data are kept for 30 days on Cloud-IAM infrastructure.
Logs
What would a managed service be without real-time logs? The Cloud-IAM dashboard displays real-time logs for every dedicated deployment (starting from the Roaring Rabbit plan).
Log access is the best way to understand what is going on with your deployment and how your custom extensions are doing.
Logs ingestion
Keycloak
Keycloak cluster logs can be integrated into the customer's own logging infrastructure by polling the Cloud-IAM REST API /deployments/{deploymentId}/logs endpoint with the source field set to keycloak.
$ curl -H "Authorization: Bearer $TOKEN" 'https://api.cloud-iam.com/deployments/00000000-0000-0000-0000-000000000000/logs?source=keycloak&since=2023-02-26T23:17:06Z' | jq .
[
"2023-03-07T10:00:05.85104771Z 2023-03-07 10:00:05,850 WARN [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-727) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, auth-cookie]\n",
...
]
Load balancer
Load balancer cluster logs can be integrated into the customer's own logging infrastructure by polling the Cloud-IAM REST API /deployments/{deploymentId}/logs endpoint with the source field set to load-balancer.
$ curl -H "Authorization: Bearer $TOKEN" 'https://api.cloud-iam.com/deployments/00000000-0000-0000-0000-000000000000/logs?source=load-balancer&since=2023-02-26T23:17:06Z' | jq .
[
"2023-03-07T10:00:05.85104771Z 1.2.3.4 - - [07/Mar/2023:10:00:05 +0000] \"GET / HTTP/1.0\" 403 0.000 548 \"Mozilla/5.0 (Linux; Android 9; Nokia 7.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36\" \"-\" \"-\" \"-\" \"-\" \"h:-\"",
...
]
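The following Python sketch is an added example, not Cloud-IAM code: it turns the entries returned by the logs endpoint into structured events for a SIEM and computes the next since value. The field layouts are inferred from the two sample lines above, the sample entries are shortened copies of them, and because the page does not say whether since is inclusive, overlapping entries are deduplicated.

```python
import re
from datetime import datetime, timezone

TS = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z$")
# Field layouts inferred from the two sample lines on this page (assumption).
KEYCLOAK = re.compile(r"^\S+ \S+ (?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\] "
                      r"\((?P<thread>[^)]+)\) (?P<message>.*)$", re.S)
LOAD_BALANCER = re.compile(r'^(?P<client_ip>\S+) \S+ \S+ \[[^\]]+\] '
                           r'"(?P<request>[^"]*)" (?P<status>\d{3}) ')
PATTERNS = {"keycloak": KEYCLOAK, "load-balancer": LOAD_BALANCER}

def parse_ts(text):
    """Parse the leading RFC 3339 stamp; digits beyond microseconds are truncated."""
    m = TS.match(text)
    if not m:
        raise ValueError(f"unexpected timestamp: {text!r}")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def ingest(entries, source, seen):
    """Return (new structured events, value for the next `since` parameter).

    `since` is None when nothing new arrived; the caller keeps its old cursor.
    """
    events, newest = [], None
    for entry in entries:
        if entry in seen:            # overlap between two polls: skip duplicates
            continue
        seen.add(entry)
        stamp, _, raw = entry.partition(" ")
        ts = parse_ts(stamp)
        m = PATTERNS[source].match(raw.rstrip("\n"))
        fields = m.groupdict() if m else {"unparsed": raw}  # keep odd lines too
        events.append({"ts": ts, "source": source, **fields})
        newest = ts if newest is None or ts > newest else newest
    since = newest.strftime("%Y-%m-%dT%H:%M:%SZ") if newest else None
    return events, since

# Constructed samples: shortened copies of the entries shown on this page.
KC_SAMPLE = ["2023-03-07T10:00:05.85104771Z 2023-03-07 10:00:05,850 WARN "
             "[org.keycloak.authentication.DefaultAuthenticationFlow] "
             "(executor-thread-727) REQUIRED and ALTERNATIVE elements at same level!\n"]
LB_SAMPLE = ['2023-03-07T10:00:05.85104771Z 1.2.3.4 - - [07/Mar/2023:10:00:05 +0000] '
             '"GET / HTTP/1.0" 403 0.000 548 "Mozilla/5.0" "-"']
```

Lines that do not match the expected layout are kept under an unparsed key rather than dropped, so a format change upstream shows up in the SIEM instead of silently losing events.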
Metrics
A custom extension that helps us monitor the deployment is automatically added to your deployment. It cannot be removed.
It collects various metrics about the cluster health and some anonymous metrics about the usage of the cluster.
The Cloud-IAM REST API /deployments/{deployment_id}/metrics endpoint yields functional metrics about your Keycloak in the OpenMetrics text format, which derives from the Prometheus text format.
A response from the endpoint consists of lines (each called a MetricPoint) like this one:
keycloak_login_attempts{application="keycloak",client_id="account-console",realm="master"} 2 1645446218620
For each MetricPoint:
- A MetricPoint in a Metric with the type Counter MUST have one value called Total (2 in the line example). A Total is non-NaN and MUST be monotonically non-decreasing over time, starting from 0.
- A MetricPoint in a Metric with the type Counter SHOULD have a Timestamp (1645446218620 from the line example) value called Created. This can help ingestors discern between new metrics and long-running ones they did not see before.
- A MetricPoint in a Metric Counter's Total MAY reset to 0. If present, the corresponding Created time MUST also be set to the timestamp of the reset.
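Because a Total may reset to 0, a consumer that subtracts two scrapes has to treat a drop as a reset rather than a negative delta. The Python sketch below is an added example, not Cloud-IAM code: it parses MetricPoint lines and flags realms whose keycloak_failed_login_attempts_total (listed on this page for Keycloak 21.0.0 and later) grew past a threshold between two scrapes. The realm label, the scrape contents and the threshold are constructed.

```python
import re

LINE = re.compile(r'^([A-Za-z_:][\w:]*)(?:\{(.*)\})?\s+(\S+)(?:\s+(\d+))?$')
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_points(text):
    """Map (metric name, sorted label pairs) -> (value, trailing timestamp or None)."""
    points = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):    # skip HELP/TYPE/EOF metadata
            continue
        m = LINE.match(line)
        if not m:
            continue
        name, labels, value, ts = m.groups()
        key = (name, tuple(sorted(LABEL.findall(labels or ""))))
        points[key] = (float(value), int(ts) if ts else None)
    return points

def increase(prev, cur):
    """Counter delta between two scrapes; a drop means the Total reset to 0."""
    return cur if cur < prev else cur - prev

def failed_login_spikes(before, after, threshold):
    """Realms whose failed-login counter grew by at least `threshold`."""
    old, new = parse_points(before), parse_points(after)
    hits = {}
    for (name, labels), (value, _) in new.items():
        if name != "keycloak_failed_login_attempts_total":
            continue
        prev = old.get((name, labels), (0.0, None))[0]
        delta = increase(prev, value)
        if delta >= threshold:
            realm = dict(labels).get("realm", "?")   # label name is an assumption
            hits[realm] = hits.get(realm, 0) + delta
    return hits

# Constructed scrapes taken 30 s apart; "customers" reset between them.
SCRAPE_1 = """\
keycloak_failed_login_attempts_total{realm="master"} 40 1645446218620
keycloak_failed_login_attempts_total{realm="customers"} 900 1645446218620
"""
SCRAPE_2 = """\
keycloak_failed_login_attempts_total{realm="master"} 41 1645446248620
keycloak_failed_login_attempts_total{realm="customers"} 75 1645446248620
"""
```

With a threshold of 50, only the customers realm is reported, with an increase of 75 rather than -825.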
Prometheus configuration
Here is an example Prometheus configuration to scrape metrics from a Cloud-IAM deployment. You might need to request a service account from the Cloud-IAM support team.
scrape_configs:
  - job_name: cloud-iam
    scrape_interval: 30s
    scheme: https
    metrics_path: /deployments/{deployment-id}/metrics
    static_configs:
      - targets:
          - api.cloud-iam.com
        labels:
          host: '{my-deployment}'
    oauth2:
      client_id: '{service-account-client-id}'
      client_secret: '{service-account-client-secret}'
      token_url: 'https://iam.cloud-iam.com/auth/realms/cloud-iam/protocol/openid-connect/token'
      endpoint_params:
        grant_type: 'client_credentials'
Metrics for Keycloak versions from 23.0.0
Since 23.0.0, the HTTP metrics are not enabled by default. To gather this information, HTTP metrics collection must be enabled.
In the configuration panel of the deployment in the Cloud-IAM Console, set:
- METRICS_HTTP_MONITOR_ENABLED to true
- METRICS_HTTP_MONITOR_RESOURCE_FILTER to select which paths will be collected (e.g. openid-connect to gather statistics about OpenID endpoints). The value supports multiple comma-separated values to collect multiple paths. The filter must not be empty.
If you prefer elapsed-time buckets instead of percentiles, set METRICS_HTTP_MONITOR_USE_PERCENTILES to false.
Metrics for Keycloak versions from 21.0.0:
keycloak_user_event_total
counter: Number of user events per type, realm
keycloak_admin_event_total
counter: Number of admin events per type, realm
keycloak_logins_total
counter: Number of login success per realm
keycloak_failed_login_attempts_total
counter: Number of failed login attempts per realm
keycloak_registrations_total
counter: Number of user registration success per realm
keycloak_registrations_errors_total
counter: Number of failed user registration per realm
keycloak_client_logins_total
counter: Number of client login success per realm
keycloak_failed_client_login_attempts_total
counter: Number of failed client login attempts per realm
keycloak_refresh_tokens_total
counter: Number of refresh token usage success per realm
keycloak_refresh_tokens_errors_total
counter: Number of failed refresh token per realm
keycloak_code_to_tokens_total
counter: Number of code to token success per realm
keycloak_code_to_tokens_errors_total
counter: Number of failed code to token per realm
keycloak_response_total
counter: Total number of success responses per code, method, resource
keycloak_response_errors_total
counter: Total number of failed responses per code, method, resource
keycloak_monthly_active_user_count_total
counter: Monthly active user per realm
keycloak_request_duration_seconds
gauge: Requests duration
keycloak_request_duration_seconds_count
counter: Request count
keycloak_request_duration_seconds_max
counter: Maximum request duration
keycloak_request_duration_seconds_sum
counter: Total request duration
Metrics for Keycloak versions prior to 21.0.0:
keycloak_client_logins
counter Total successful client logins
keycloak_code_to_tokens
counter Total number of successful code to token
keycloak_login_attempts
counter Total number of login attempts
keycloak_logins
counter Total successful logins
keycloak_refresh_tokens
counter Total number of successful token refreshes
keycloak_refresh_tokens_errors
counter Total number of failed token refreshes
keycloak_request_duration_bucket
histogram Request duration
keycloak_request_duration_count
histogram Request duration
keycloak_request_duration_sum
histogram Request duration
keycloak_response_errors
counter Total number of error responses
keycloak_user_event_LOGIN
counter Generic Keycloak User event
keycloak_user_event_LOGIN_ERROR
counter Generic Keycloak User event
keycloak_user_event_REGISTER
counter Generic Keycloak User event
keycloak_user_event_REGISTER_ERROR
counter Generic KeyCloak User event
keycloak_user_event_LOGOUT
counter Generic KeyCloak User event
keycloak_user_event_LOGOUT_ERROR
counter Generic KeyCloak User event
keycloak_user_event_CODE_TO_TOKEN
counter Generic KeyCloak User event
keycloak_user_event_CODE_TO_TOKEN_ERROR
counter Generic KeyCloak User event
keycloak_user_event_CLIENT_LOGIN
counter Generic KeyCloak User event
keycloak_user_event_CLIENT_LOGIN_ERROR
counter Generic KeyCloak User event
keycloak_user_event_REFRESH_TOKEN
counter Generic KeyCloak User event
keycloak_user_event_REFRESH_TOKEN_ERROR
counter Generic KeyCloak User event
keycloak_user_event_VALIDATE_ACCESS_TOKEN
counter Generic KeyCloak User event
keycloak_user_event_VALIDATE_ACCESS_TOKEN_ERROR
counter Generic KeyCloak User event
keycloak_user_event_INTROSPECT_TOKEN
counter Generic KeyCloak User event
keycloak_user_event_INTROSPECT_TOKEN_ERROR
counter Generic KeyCloak User event
keycloak_user_event_FEDERATED_IDENTITY_LINK
counter Generic KeyCloak User event
keycloak_user_event_FEDERATED_IDENTITY_LINK_ERROR
counter Generic KeyCloak User event
keycloak_user_event_REMOVE_FEDERATED_IDENTITY
counter Generic KeyCloak User event
keycloak_user_event_REMOVE_FEDERATED_IDENTITY_ERROR
counter Generic KeyCloak User event
keycloak_user_event_UPDATE_EMAIL
counter Generic KeyCloak User event
keycloak_user_event_UPDATE_EMAIL_ERROR
counter Generic KeyCloak User event
keycloak_user_event_UPDATE_PROFILE
counter Generic KeyCloak User event
keycloak_user_event_UPDATE_PROFILE_ERROR
counter Generic KeyCloak User event
keycloak_user_event_UPDATE_PASSWORD
counter Generic KeyCloak User event
keycloak_user_event_UPDATE_PASSWORD_ERROR
counter Generic KeyCloak User event
keycloak_user_event_UPDATE_TOTP
counter Generic KeyCloak User event
keycloak_user_event_UPDATE_TOTP_ERROR
counter Generic KeyCloak User event
keycloak_user_event_VERIFY_EMAIL
counter Generic KeyCloak User event
keycloak_user_event_VERIFY_EMAIL_ERROR
counter Generic KeyCloak User event
keycloak_user_event_VERIFY_PROFILE
counter Generic KeyCloak User event
keycloak_user_event_VERIFY_PROFILE_ERROR
counter Generic KeyCloak User event
keycloak_user_event_REMOVE_TOTP
counter Generic KeyCloak User event
keycloak_user_event_REMOVE_TOTP_ERROR
counter Generic KeyCloak User event
keycloak_user_event_GRANT_CONSENT
counter Generic KeyCloak User event
keycloak_user_event_GRANT_CONSENT_ERROR
counter Generic KeyCloak User event
keycloak_user_event_UPDATE_CONSENT
counter Generic KeyCloak User event
keycloak_user_event_UPDATE_CONSENT_ERROR
counter Generic KeyCloak User event
keycloak_user_event_REVOKE_GRANT
counter Generic KeyCloak User event
keycloak_user_event_REVOKE_GRANT_ERROR
counter Generic KeyCloak User event
keycloak_user_event_SEND_VERIFY_EMAIL
counter Generic KeyCloak User event
keycloak_user_event_SEND_VERIFY_EMAIL_ERROR
counter Generic KeyCloak User event
keycloak_user_event_SEND_RESET_PASSWORD
counter Generic KeyCloak User event
keycloak_user_event_SEND_RESET_PASSWORD_ERROR
counter Generic KeyCloak User event
keycloak_user_event_SEND_IDENTITY_PROVIDER_LINK
counter Generic KeyCloak User event
keycloak_user_event_SEND_IDENTITY_PROVIDER_LINK_ERROR
counter Generic KeyCloak User event
keycloak_user_event_RESET_PASSWORD
counter Generic KeyCloak User event
keycloak_user_event_RESET_PASSWORD_ERROR
counter Generic KeyCloak User event
keycloak_user_event_RESTART_AUTHENTICATION
counter Generic KeyCloak User event
keycloak_user_event_RESTART_AUTHENTICATION_ERROR
counter Generic KeyCloak User event
keycloak_user_event_INVALID_SIGNATURE
counter Generic KeyCloak User event
keycloak_user_event_INVALID_SIGNATURE_ERROR
counter Generic KeyCloak User event
keycloak_user_event_REGISTER_NODE
counter Generic KeyCloak User event
keycloak_user_event_REGISTER_NODE_ERROR
counter Generic KeyCloak User event
keycloak_user_event_UNREGISTER_NODE
counter Generic KeyCloak User event
keycloak_user_event_UNREGISTER_NODE_ERROR
counter Generic KeyCloak User event
keycloak_user_event_USER_INFO_REQUEST
counter Generic KeyCloak User event
keycloak_user_event_USER_INFO_REQUEST_ERROR
counter Generic KeyCloak User event
keycloak_user_event_IDENTITY_PROVIDER_LINK_ACCOUNT
counter Generic KeyCloak User event
keycloak_user_event_IDENTITY_PROVIDER_LINK_ACCOUNT_ERROR
counter Generic KeyCloak User event
keycloak_user_event_IDENTITY_PROVIDER_LOGIN
counter Generic KeyCloak User event
keycloak_user_event_IDENTITY_PROVIDER_LOGIN_ERROR
counter Generic KeyCloak User event
keycloak_user_event_IDENTITY_PROVIDER_FIRST_LOGIN
counter Generic KeyCloak User event
keycloak_user_event_IDENTITY_PROVIDER_FIRST_LOGIN_ERROR
counter Generic KeyCloak User event
keycloak_user_event_IDENTITY_PROVIDER_POST_LOGIN
counter Generic KeyCloak User event
keycloak_user_event_IDENTITY_PROVIDER_POST_LOGIN_ERROR
counter Generic KeyCloak User event
keycloak_user_event_IDENTITY_PROVIDER_RESPONSE
counter Generic KeyCloak User event
keycloak_user_event_IDENTITY_PROVIDER_RESPONSE_ERROR
counter Generic KeyCloak User event
keycloak_user_event_IDENTITY_PROVIDER_RETRIEVE_TOKEN
counter Generic KeyCloak User event
keycloak_user_event_IDENTITY_PROVIDER_RETRIEVE_TOKEN_ERROR
counter Generic KeyCloak User event
keycloak_user_event_IMPERSONATE
counter Generic KeyCloak User event
keycloak_user_event_IMPERSONATE_ERROR
counter Generic KeyCloak User event
keycloak_user_event_CUSTOM_REQUIRED_ACTION
counter Generic KeyCloak User event
keycloak_user_event_CUSTOM_REQUIRED_ACTION_ERROR
counter Generic KeyCloak User event
keycloak_user_event_EXECUTE_ACTIONS
counter Generic KeyCloak User event
keycloak_user_event_EXECUTE_ACTIONS_ERROR
counter Generic KeyCloak User event
keycloak_user_event_EXECUTE_ACTION_TOKEN
counter Generic KeyCloak User event
keycloak_user_event_EXECUTE_ACTION_TOKEN_ERROR
counter Generic KeyCloak User event
keycloak_user_event_CLIENT_INFO
counter Generic KeyCloak User event
keycloak_user_event_CLIENT_INFO_ERROR
counter Generic KeyCloak User event
keycloak_user_event_CLIENT_REGISTER
counter Generic KeyCloak User event
keycloak_user_event_CLIENT_REGISTER_ERROR
counter Generic KeyCloak User event
keycloak_user_event_CLIENT_UPDATE
counter Generic KeyCloak User event
keycloak_user_event_CLIENT_UPDATE_ERROR
counter Generic KeyCloak User event
keycloak_user_event_CLIENT_DELETE
counter Generic KeyCloak User event
keycloak_user_event_CLIENT_DELETE_ERROR
counter Generic KeyCloak User event
keycloak_user_event_CLIENT_INITIATED_ACCOUNT_LINKING
counter Generic KeyCloak User event
keycloak_user_event_CLIENT_INITIATED_ACCOUNT_LINKING_ERROR
counter Generic KeyCloak User event
keycloak_user_event_TOKEN_EXCHANGE
counter Generic KeyCloak User event
keycloak_user_event_TOKEN_EXCHANGE_ERROR
counter Generic KeyCloak User event
keycloak_user_event_OAUTH2_DEVICE_AUTH
counter Generic KeyCloak User event
keycloak_user_event_OAUTH2_DEVICE_AUTH_ERROR
counter Generic KeyCloak User event
keycloak_user_event_OAUTH2_DEVICE_VERIFY_USER_CODE
counter Generic KeyCloak User event
keycloak_user_event_OAUTH2_DEVICE_VERIFY_USER_CODE_ERROR
counter Generic KeyCloak User event
keycloak_user_event_OAUTH2_DEVICE_CODE_TO_TOKEN
counter Generic KeyCloak User event
keycloak_user_event_OAUTH2_DEVICE_CODE_TO_TOKEN_ERROR
counter Generic KeyCloak User event
keycloak_user_event_AUTHREQID_TO_TOKEN
counter Generic KeyCloak User event
keycloak_user_event_AUTHREQID_TO_TOKEN_ERROR
counter Generic KeyCloak User event
keycloak_user_event_PERMISSION_TOKEN
counter Generic KeyCloak User event
keycloak_user_event_PERMISSION_TOKEN_ERROR
counter Generic KeyCloak User event
keycloak_user_event_DELETE_ACCOUNT
counter Generic KeyCloak User event
keycloak_user_event_DELETE_ACCOUNT_ERROR
counter Generic KeyCloak User event
keycloak_user_event_PUSHED_AUTHORIZATION_REQUEST
counter Generic KeyCloak User event
keycloak_user_event_PUSHED_AUTHORIZATION_REQUEST_ERROR
counter Generic KeyCloak User event
keycloak_admin_event_ACTION
counter Generic KeyCloak Admin event
keycloak_admin_event_CREATE
counter Generic KeyCloak Admin event
keycloak_admin_event_UPDATE
counter Generic KeyCloak Admin event
keycloak_admin_event_DELETE
counter Generic KeyCloak Admin event