
Keycloak Events

Overview

Events in Keycloak track important actions performed by users and administrators. Events help you to detect suspicious or unauthorized activity, audit changes and access within your IAM system and comply with security policies and regulations.

Supported by Keycloak

Yes, natively supported and configurable on Managed Keycloak by Cloud-IAM.

Admin Events

Admin events track actions performed in the Keycloak Admin Console. Examples include (might vary depending on configuration):

  • Creating, updating, or deleting:
    • Users
    • Groups
    • Roles
    • Clients
    • Client scopes
  • Changing realm settings or configurations
  • Managing authentication flows or identity providers
  • Granting or revoking user roles
  • Configuring password policies or MFA settings
  • Deleting sessions or tokens
  • Impersonation of a user

User Events

User events track actions performed by end-users. Examples include (might vary depending on configuration):

  • Login successes and failures
  • Logout events
  • Password changes or resets
  • Account updates (profile, email, attributes)
  • Registration events (new account creation)
  • Email verification events
  • TOTP or MFA configuration changes
  • Consent given or revoked for client applications
  • Account disabling or deletion

Configuring Keycloak Events

Enable and Configure Admin Events

  1. Log in to Keycloak using an Admin account.
  2. Select the realm to be configured.
  3. Navigate to Realm Settings, then click Events and Admin Events Settings.
  4. Enable the Save Events toggle.
  5. Enable Include Representation, which captures the full details of the changed object and is helpful for audits.
  6. Set the Expiration period (minimum recommended: 7 days).
  7. Click Save to apply the configuration.
Keycloak admin console - Configure Admin events

Enable and Configure User Events

  1. Log in to Keycloak using an Admin account.
  2. Select the realm to be configured.
  3. Navigate to Realm Settings, then click Events and User Events Settings.
  4. Enable the Save Events toggle.
  5. Set the Expiration period (minimum recommended: 7 days).
  6. Click Save to apply the configuration.
Keycloak admin console - Configure User events

Accessing Events

Accessing Admin Events

  1. Log in to Keycloak using an Admin account.
  2. Select the realm you want to inspect (e.g., Master or another realm).
  3. Navigate to Events, then click Admin Events.
  4. You will see a list of recorded admin events.
Keycloak admin console - Accessing Admin events

Accessing User Events

  1. Log in to Keycloak using an Admin account.
  2. Select the realm you want to inspect (e.g., Master or another realm).
  3. Navigate to Events, then click User Events.
  4. You will see a list of recorded user events.
Keycloak admin console - Accessing User events

Advanced Analysis with SIEM

To enable advanced monitoring, Keycloak events must be collected and then forwarded to a Security Information and Event Management (SIEM) platform.

Event Collection Layer

Keycloak does not send data directly to a SIEM.
The recommended approach is to use a log collector to capture and forward events.

  • Log Collectors / Forwarders (main method)
    Export events in JSON or syslog format and use tools such as:

    • Logstash (with the ELK/Elastic stack)
    • Fluentd or Fluent Bit
    • Filebeat
    • Vector

    These tools normalize, enrich, and ship the data into your SIEM for analysis.

  • Admin REST API (complementary option)
    Keycloak also provides endpoints to query Admin Events and User Events.
    This method is especially useful for:

    • On-demand audits
    • Custom integrations
    • Lightweight monitoring setups without a collector

Best practice: Use a log collector for continuous SIEM integration, and the API for audits or custom checks.

SIEM Analysis Layer

Once events are ingested by the SIEM (e.g., Splunk, Elastic SIEM, QRadar, Microsoft Sentinel, etc.), you can:

  • Correlate admin and user actions with other systems
  • Detect suspicious activity such as brute-force attacks or privilege escalation
  • Visualize trends with dashboards and reports
  • Set alerts on critical security events like repeated failed logins or unauthorized admin actions
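The two alert conditions named above (repeated failed logins and role grants by an administrator), written as detection logic over exported events. This is an added example, not Cloud-IAM or Keycloak code: the function names, the threshold and window values, and the sample events are assumptions, and the events are constructed in the field layout of Keycloak's user-event and admin-event JSON.

```python
from collections import defaultdict, deque

# Constructed sample data shaped like Keycloak user-event JSON
# (time is epoch milliseconds); IPs and usernames are made up.
USER_EVENTS = [
    {"time": 1700000000000 + i * 5000, "type": "LOGIN_ERROR",
     "ipAddress": "203.0.113.7", "error": "invalid_user_credentials",
     "details": {"username": f"user{i}"}}
    for i in range(6)
] + [
    {"time": 1700000010000, "type": "LOGIN_ERROR", "ipAddress": "198.51.100.4",
     "error": "invalid_user_credentials", "details": {"username": "alice"}},
    {"time": 1700000020000, "type": "LOGIN", "ipAddress": "198.51.100.4",
     "details": {"username": "alice"}},
]

# Constructed admin events (no "representation" payload included).
ADMIN_EVENTS = [
    {"time": 1700000100000, "operationType": "CREATE",
     "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "users/1111/role-mappings/realm",
     "authDetails": {"userId": "9999", "ipAddress": "203.0.113.7"}},
    {"time": 1700000200000, "operationType": "UPDATE", "resourceType": "USER",
     "resourcePath": "users/2222",
     "authDetails": {"userId": "9999", "ipAddress": "192.0.2.10"}},
]

def failed_login_bursts(events, threshold=5, window_ms=60_000):
    """Return {ip: peak count} for IPs with >= threshold LOGIN_ERRORs in a sliding window."""
    recent, flagged = defaultdict(deque), {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("type") != "LOGIN_ERROR":
            continue
        ip = ev.get("ipAddress", "unknown")
        q = recent[ip]
        q.append(ev["time"])
        while ev["time"] - q[0] > window_ms:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def role_grants(admin_events):
    """Return (acting admin userId, resourcePath) for every role-mapping CREATE."""
    return [(ev["authDetails"]["userId"], ev["resourcePath"])
            for ev in admin_events
            if ev.get("operationType") == "CREATE"
            and ev.get("resourceType", "").endswith("ROLE_MAPPING")]
```

Grouping by `ipAddress` catches one source trying many usernames; grouping by `details.username` instead would catch many sources targeting one account.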

By combining Keycloak with a log collector and optionally the Admin REST API, you create a robust security monitoring pipeline that enhances visibility, detection, and compliance across your IAM infrastructure.
