Keycloak Events
Overview
Events in Keycloak track important actions performed by users and administrators. Events help you to detect suspicious or unauthorized activity, audit changes and access within your IAM system and comply with security policies and regulations.
Supported by Keycloak
Yes, natively supported and configurable on Managed Keycloak by Cloud-IAM.
Admin Events
Admin events track actions performed in the Keycloak Admin Console. Examples include (might vary depending on configuration):
- Creating, updating, or deleting:
  - Users
  - Groups
  - Roles
  - Clients
  - Client scopes
- Changing realm settings or configurations
- Managing authentication flows or identity providers
- Granting or revoking user roles
- Configuring password policies or MFA settings
- Deleting sessions or tokens
- Impersonation of a user
User Events
User events track actions performed by end-users. Examples include (might vary depending on configuration):
- Login successes and failures
- Logout events
- Password changes or resets
- Account updates (profile, email, attributes)
- Registration events (new account creation)
- Email verification events
- TOTP or MFA configuration changes
- Consent given or revoked for client applications
- Account disabling or deletion
Configuring Keycloak Events
Enable and Configure Admin Events
- Log in to Keycloak using an Admin account.
- Select the realm to be configured.
- Navigate to Realm Settings, then click Events and Admin Events Settings.
- Enable the Save Events toggle.
- Enable Include Representation (captures the full details of the changed object, which is helpful for audits).
- Set the Expiration period (minimum recommended: 7 days).
- Click Save to apply the configuration.

Enable and Configure User Events
- Log in to Keycloak using an Admin account.
- Select the realm to be configured.
- Navigate to Realm Settings, then click Events and User Events Settings.
- Enable the Save Events toggle.
- Set the Expiration period (minimum recommended: 7 days).
- Click Save to apply the configuration.

Accessing Keycloak Events
Accessing Admin Events
- Log in to Keycloak using an Admin account.
- Select the realm you want to inspect (e.g., Master or another realm).
- Navigate to Events, then click Admin Events.
- You will see a list of recorded admin events.

Accessing User Events
- Log in to Keycloak using an Admin account.
- Select the realm you want to inspect (e.g., Master or another realm).
- Navigate to Events, then click User Events.
- You will see a list of recorded user events.

Collecting Keycloak Events via Keycloak API
Using curl to retrieve User Events
Once you have a valid access token stored in the $TOKEN variable, you can retrieve events using the command below. You may adjust the query parameters to filter results by date, event type, or pagination.

```bash
# === Event query parameters ===
# BASE_URL, REALM_NAME and TOKEN must already be set in the shell.
DATE_FROM="2026-01-06"
DATE_TO="2026-01-07"
FIRST=0
MAX=100
TYPE=RESET_PASSWORD_ERROR
# === Retrieve events ===
curl -sS -X GET "${BASE_URL}/admin/realms/${REALM_NAME}/events?dateFrom=${DATE_FROM}&dateTo=${DATE_TO}&first=${FIRST}&max=${MAX}&type=${TYPE}" \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Accept: application/json"
```

The API returns a list of user events, allowing you to monitor activity and audit actions in your Keycloak realm.
Using Postman to retrieve User Events
- Generate your Access Token from Keycloak.
- Create a new GET request in Postman.
- Use the following URL as the request endpoint: https://{your-deployment-name}.cloud-iam.com/admin/realms/{your-realm-name}/events
- Add the following Params to refine your search:

| Key | Value |
|---|---|
| dateFrom | YYYY-MM-DD |
| dateTo | YYYY-MM-DD |
| first | 0 |
| max | 100 |

Additional filtering options are available in the official Keycloak API documentation.
- In the Authorization tab, set the type to Bearer Token and paste in your access token.
- Send the request.

The API returns a list of events, allowing you to monitor activity and audit actions in your Keycloak realm.
```json
{
  "id": "987865-1a2b-3c4d-9876-654321abc",
  "time": 1767799710612,
  "type": "LOGIN",
  "realmId": "12345abcde-1a2b-4d3c-9876-abcd456",
  "clientId": "account-console",
  "userId": "abcd456-1234-5678-abc9-987gfed654",
  "sessionId": "efghij-9876-abcd-456-11223344",
  "ipAddress": "123.456.78.910",
  "details": {
    "auth_method": "openid-connect",
    "auth_type": "code",
    "redirect_uri": "https://my-keycloak.com/realms/acme/account/",
    "consent": "no_consent_required",
    "code_id": "efghij-9876-abcd-456-11223344",
    "username": "jdoe",
    "email": "jdoe@acme.com"
  }
}
```

Getting a 401 Unauthorized Error?
Access tokens are short-lived and expire after 5 minutes by default, as defined by the realm settings. If you receive a 401 Unauthorized response, generate a new token using your Service Account credentials. You may also adjust the Access Token Lifespan in the Advanced section of your service-account client configuration (for security, do not exceed 20 minutes).
More than 100 events to analyze?
If you have more than 100 events to retrieve, use pagination. Update the query parameters by increasing the first value while keeping max fixed.
Examples:
- first=0&max=100
- first=100&max=100
- first=200&max=100
Repeat the request until no more events are returned.
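
The pagination loop described above, combined with the token renewal from the 401 section, as an added example that is not part of the original page. `http_get_page`, `collect_events` and `make_fake_api` are hypothetical names, and the fake API with its short-lived tokens is constructed so the loop can run offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def http_get_page(base_url, realm, token, first, max_results):
    """GET one page of user events from the endpoint shown on this page."""
    query = urllib.parse.urlencode({"first": first, "max": max_results})
    request = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/events?{query}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def collect_events(get_page, get_token, page_size=100):
    """Raise first by a fixed max until a page is empty; renew the token on 401."""
    token, first, seen, events = get_token(), 0, set(), []
    while True:
        try:
            page = get_page(token, first, page_size)
        except urllib.error.HTTPError as err:
            if err.code != 401:
                raise
            token = get_token()  # access token expired mid-run
            page = get_page(token, first, page_size)
        if not page:
            return events
        for event in page:
            if event["id"] not in seen:  # skip repeats if the result window shifted
                seen.add(event["id"])
                events.append(event)
        first += page_size


def make_fake_api(events, calls_per_token=2):
    """Constructed stand-in for Keycloak: each token is valid for a few calls only."""
    state = {"tokens": 0, "calls_left": 0}
    def get_token():
        state["tokens"] += 1
        state["calls_left"] = calls_per_token
        return f"token-{state['tokens']}"
    def get_page(token, first, max_results):
        if state["calls_left"] == 0:
            raise urllib.error.HTTPError("constructed", 401, "Unauthorized", None, None)
        state["calls_left"] -= 1
        return events[first:first + max_results]
    return get_page, get_token, state
```

Against a real deployment, pass `lambda token, first, size: http_get_page(BASE_URL, REALM_NAME, token, first, size)` as `get_page` and a function that requests a new service-account token as `get_token`.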
Using curl to retrieve Admin Events
Once you have a valid access token stored in the $TOKEN variable, you can retrieve events using the command below. You may adjust the query parameters to filter results by date, event type, or pagination.

```bash
# === Event query parameters ===
# BASE_URL, REALM_NAME and TOKEN must already be set in the shell.
DATE_FROM="2026-01-06"
DATE_TO="2026-01-07"
FIRST=0
MAX=100
# Admin events are filtered by operation type (CREATE, UPDATE, DELETE, ACTION),
# not by the user-event "type" parameter.
OPERATION_TYPE=DELETE
# === Retrieve events ===
curl -sS -X GET "${BASE_URL}/admin/realms/${REALM_NAME}/admin-events?dateFrom=${DATE_FROM}&dateTo=${DATE_TO}&first=${FIRST}&max=${MAX}&operationTypes=${OPERATION_TYPE}" \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Accept: application/json"
```

The API returns a list of admin events, allowing you to monitor administrative activity and audit changes made in your Keycloak realm.
Using Postman to retrieve Admin Events
To retrieve admin events using Postman, follow the same steps as in the user events tutorial, but use the following endpoint:
https://{your-deployment-name}.cloud-iam.com/admin/realms/{your-realm-name}/admin-events
All other settings remain the same:
- use a Bearer Token in the Authorization tab
- reuse the access token obtained via the Service Account
- apply pagination parameters (first, max) if needed
Advanced Analysis with SIEM
To enable advanced monitoring, Keycloak events must be collected and then forwarded to a Security Information and Event Management (SIEM) platform.
Event Collection Layer
Keycloak does not send data directly to a SIEM. The recommended approach is to use a log collector to capture and forward events.
Log Collectors / Forwarders (main method)
Export events in JSON or syslog format and use tools such as:
- Logstash (with the ELK/Elastic stack)
- Fluentd or Fluent Bit
- Filebeat
- Vector
These tools normalize, enrich, and ship the data into your SIEM for analysis.
Admin REST API (complementary option)
Keycloak also provides endpoints to query Admin Events and User Events.
This method is especially useful for:
- On-demand audits
- Custom integrations
- Lightweight monitoring setups without a collector
Best practice: Use a log collector for continuous SIEM integration, and the API for audits or custom checks.
SIEM Analysis Layer
Once events are ingested by the SIEM (e.g., Splunk, Elastic SIEM, QRadar, Microsoft Sentinel, etc.), you can:
- Correlate admin and user actions with other systems
- Detect suspicious activity such as brute-force attacks or privilege escalation
- Visualize trends with dashboards and reports
- Set alerts on critical security events like repeated failed logins or unauthorized admin actions
By combining Keycloak with a log collector and optionally the Admin REST API, you create a robust security monitoring pipeline that enhances visibility, detection, and compliance across your IAM infrastructure.
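
The repeated-failed-login alert mentioned above, written as detection logic over user events; this is an added example, not part of the original page or of Keycloak. The function name, the window and threshold values, and the sample events (using documentation IP ranges) are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_MS = 5 * 60 * 1000  # assumed sliding window: 5 minutes
THRESHOLD = 5              # assumed: failed logins per source IP inside the window


def detect_failed_login_bursts(events, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """Alert on LOGIN_ERROR bursts per source IP and on a LOGIN that follows one."""
    failures = defaultdict(deque)  # ipAddress -> times of LOGIN_ERROR events in window
    in_burst = set()               # IPs that have already raised a burst alert
    alerts = []
    for event in sorted(events, key=lambda e: e["time"]):
        ip, now = event.get("ipAddress"), event["time"]
        window = failures[ip]
        while window and now - window[0] > window_ms:
            window.popleft()       # drop failures older than the window
        if not window:
            in_burst.discard(ip)   # the burst is over once the window empties
        username = (event.get("details") or {}).get("username")
        if event["type"] == "LOGIN_ERROR":
            window.append(now)
            if len(window) >= threshold and ip not in in_burst:
                in_burst.add(ip)
                alerts.append({"rule": "failed_login_burst", "ip": ip, "time": now})
        elif event["type"] == "LOGIN" and ip in in_burst:
            alerts.append({"rule": "login_after_burst", "ip": ip, "time": now,
                           "username": username})
    return alerts


# Constructed sample events, shaped like the user-event JSON shown earlier on this page.
T0 = 1767799710612
SAMPLE_EVENTS = [
    {"time": T0 + i * 10_000, "type": "LOGIN_ERROR", "ipAddress": "203.0.113.7",
     "error": "invalid_user_credentials", "details": {"username": "jdoe"}}
    for i in range(6)
] + [
    {"time": T0 + 70_000, "type": "LOGIN", "ipAddress": "203.0.113.7",
     "details": {"username": "jdoe"}},
    {"time": T0 + 5_000, "type": "LOGIN_ERROR", "ipAddress": "198.51.100.20",
     "error": "invalid_user_credentials", "details": {"username": "asmith"}},
    {"time": T0 + 25_000, "type": "LOGIN", "ipAddress": "198.51.100.20",
     "details": {"username": "asmith"}},
]

if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_EVENTS):
        print(alert)
```

A single mistyped password followed by a successful login, as from the second sample IP, raises no alert; only the login that lands inside an active burst is flagged for review.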