Auditing in Keycloak: How to Catch Them All
Last updated: June 2026
Keycloak audits activity through its event system: under Realm Settings > Events you enable Login Events (user actions like logins, logouts, and password changes) and Admin Events (configuration changes to realms, clients, roles, and users). Once enabled, Keycloak records each event and can write it to the server log, email the affected user, or push it to an external system through an Event Listener SPI. This guide shows exactly which events to capture, how to turn them on for both users and admins, and how to review them, so you end up with a complete, compliance-ready trail of who did what and when.
Keycloak is a robust open-source Identity and Access Management (IAM) solution that not only manages access but also ensures that all security-related events are monitored and recorded. Auditing is a critical aspect of security and compliance in any system, and Keycloak provides comprehensive tools for this purpose. In this blog post, we’ll explore why auditing is important, and how it can be enabled for both users and administrators in Keycloak.
Why is Auditing Important?
- Security Monitoring: Auditing allows organizations to monitor and record user activities and system changes. This helps in detecting potential security breaches or malicious activities by providing a trail of user and system actions. Skycloak provides built-in audit log capabilities to make this even easier.
- Compliance: Many industries are subject to regulations that require detailed logging of access and changes to sensitive data. Auditing helps in maintaining logs that can be reviewed to ensure compliance with various standards such as GDPR, HIPAA, or PCI-DSS.
- Operational Oversight: Auditing provides administrators with insights into how the system is being used. This includes understanding user behavior, which can help in optimizing system performance and user experience. The Skycloak Insights dashboard provides visual analytics for these events.
- Accountability: By maintaining an audit trail, organizations can attribute actions to specific individuals, which enhances accountability among users.
This article covers how to enable and configure Keycloak’s auditing capabilities, the “how-to” layer. Once you have auditing running, see our auditing best practices guide for the strategic layer: retention policies, alert design, log integrity, and compliance-oriented review processes.
Keycloak Auditing
Keycloak supports event logging for both admin and user events, providing detailed insights into operations performed within the system.
By default, all events are fired, and each has its corresponding error event. One must decide which events to track, hence the term “capturing” rather than “enabling.” You can capture them using a custom listener or by utilizing the provided jboss-logging and email event listeners.
The jboss-logging listener sends the error events to the log file. To log more information, restart the server with the required log level set for the listener.
The email listener will send the events to the affected user by email. The supported events are:
- Login Error
- Update Password
- Update Time-based One-time Password (TOTP)
- Remove Time-based One-time Password (TOTP)
Here’s how you can “capture” and configure auditing events in Keycloak:
Auditing User Event
User events include logins, logouts, and account management activities by the users. To capture user events (the UI may vary between versions, but the concept is the same):
- Log into the Admin Console: Navigate to your Keycloak admin console.
- Go to the Realm Settings: Select the realm for which you want to capture the events.
- Access the User Events Settings Tab: Click on Events > User events settings.
- Configure Event Settings: Here, you can select Save events to store the events in the database and see them on the Events page (for this case we recommend adding an SPI and forwarding the events elsewhere; it keeps the DB lean). On that same page, you will see all the events fired for user events.
- Set up Event Listeners: Ensure that at least the jboss-logging listener is used. This is the framework that will log the actual events. You can also use your own SPI to handle the events and send them somewhere other than a log file.
Auditing Admin Event
Admin events cover actions performed by administrators, such as creating or deleting users, changing roles, or managing realm settings. To capture admin events:
- Access Admin Events Settings: Under the same Events > Admin events settings section in your realm settings, you can find settings related to admin events.
- Review Logs: Admin event errors are also logged in the server log if jboss-logging is set up as a listener.
Reviewing and Managing Audit Logs
If you decided to save the events in Keycloak, you will be able to review the logs directly from the Keycloak admin console under Events > User events for user events and Events > Admin events for admin events.
For a more robust log management solution, consider exporting these logs to an external system like ELK (Elasticsearch, Logstash, and Kibana) or Splunk for advanced analysis and real-time monitoring. Learn how to forward events to a SIEM in our guide on forwarding Keycloak events to SIEM via Skycloak HTTP webhook. You can also integrate with syslog by following our syslog integration guide. If you operate at scale, our engineering post on migrating from Loki to ClickHouse for Keycloak log analytics covers how to handle high-cardinality event data efficiently and cost-effectively.
When SAML is part of your authentication stack, audit logs are your primary defence against exploit attempts. See our guide on Keycloak SAML vulnerabilities and hardening steps for the specific events and misconfigurations to monitor for.
Skycloak Event Viewer
If you have your cluster running in Skycloak, we already have an Event Viewer that allows you to see all the events happening in your cluster. We do not save the events in your database, but manage everything in-house. You can search with ease.
The Event Viewer is part of Skycloak’s broader approach to security and compliance, giving you centralized visibility into authentication events without impacting your Keycloak database performance.
Keycloak Auditing Best Practices
Capturing events is only half the job. These practices turn raw audit data into a defensible, compliance-ready trail.
Centralize and retain. Forwarding events to an external store (ELK, Splunk, or a managed viewer) gives you one searchable view and lets you set retention to match your regulations: HIPAA requires six years, and financial rules like SOX and GLBA typically require three to seven. Keeping high volumes of events inside Keycloak’s database hurts performance, so forward them out and archive older events to cold storage.
Encrypt and lock down the logs. Audit logs contain sensitive information, so encrypt them in transit (TLS for syslog and webhook endpoints) and at rest (encrypted storage backends). Apply role-based access so not every engineer can read raw authentication events, and consider write-once or signed storage to prevent tampering.
Alert on the events that matter. Configure automated notifications for the signals that indicate a real incident: brute-force patterns (repeated failed logins from one IP or against one user), admin configuration changes in production, unusual token activity, and any new admin user being created.
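The brute-force signal described above can be computed directly from the lines the jboss-logging listener writes. The sketch below is an added example, not code from Keycloak or Skycloak; the log line layout, the sample lines, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape the jboss-logging listener writes
# (assumed console layout; releases that quote the values are handled too).
SAMPLE_LOG = """\
2026-06-01 10:00:01,100 WARN  [org.keycloak.events] (executor-thread-1) type=LOGIN_ERROR, realmId=demo, ipAddress=203.0.113.7, error=invalid_user_credentials, username=alice
2026-06-01 10:00:20,310 WARN  [org.keycloak.events] (executor-thread-2) type=LOGIN_ERROR, realmId=demo, userId=null, ipAddress=203.0.113.7, error=user_not_found, username=bob
2026-06-01 10:01:05,020 WARN  [org.keycloak.events] (executor-thread-1) type=LOGIN_ERROR, realmId=demo, userId=null, ipAddress=203.0.113.7, error=user_not_found, username=carol
2026-06-01 10:02:00,450 WARN  [org.keycloak.events] (executor-thread-3) type=LOGIN_ERROR, realmId=demo, ipAddress=198.51.100.4, error=invalid_user_credentials, username=alice
2026-06-01 10:03:00,900 WARN  [org.keycloak.events] (executor-thread-2) type=LOGIN_ERROR, realmId=demo, ipAddress=192.0.2.9, error=invalid_user_credentials, username=alice
2026-06-01 10:30:00,000 WARN  [org.keycloak.events] (executor-thread-1) type=LOGIN_ERROR, realmId=demo, ipAddress=192.0.2.9, error=invalid_user_credentials, username=dave
2026-06-01 10:31:00,000 DEBUG [org.keycloak.events] (executor-thread-1) type=LOGIN, realmId=demo, ipAddress=192.0.2.9, username=dave
"""
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+\w+\s+\[org\.keycloak\.events\]\s+\([^)]*\)\s+(.*)$")
PAIR_RE = re.compile(r'(?:^|, )(\w+)="?([^",]*)"?')

def parse_events(text):
    """Turn event log lines into dicts; lines from other loggers are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields = dict(PAIR_RE.findall(m.group(2)))
            fields["ts"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append(fields)
    return events

def brute_force_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Return sorted (kind, key, count) for each IP or user with >= threshold failures in one window."""
    buckets = defaultdict(list)
    for e in (e for e in events if e.get("type") == "LOGIN_ERROR"):
        buckets[("ip", e.get("ipAddress", "unknown"))].append(e["ts"])
        user = e.get("username") or e.get("userId")
        if user and user != "null":  # unknown accounts are logged as userId=null
            buckets[("user", user)].append(e["ts"])
    alerts = []
    for (kind, key), stamps in buckets.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((kind, key, best))
    return sorted(alerts)
```

Counting per IP and per user separately catches both one source spraying many accounts and many sources targeting one account.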
Review on a schedule. Periodically verify that logging is actually working, that no one has quietly changed the event configuration, and that your retention and storage still fit your volume and compliance needs.
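One way to run the configuration part of that review is to compare the realm's current events config with a stored baseline; the same fields correspond to the Save events, listener and admin event settings from the setup steps earlier. This is an added example, not code from Keycloak or Skycloak: the baseline values, the drifted snapshot and the `siem-forwarder` listener name are constructed, and fetching the JSON from the Admin REST API is left out.

```python
# Field names follow Keycloak's realm events config JSON
# (GET /admin/realms/{realm}/events/config); all values here are constructed.
BASELINE = {
    "eventsEnabled": True,               # "Save events" for user events
    "eventsExpiration": 2592000,         # seconds (30 days)
    "eventsListeners": ["jboss-logging", "siem-forwarder"],  # 2nd name is hypothetical
    "enabledEventTypes": ["LOGIN", "LOGIN_ERROR", "LOGOUT",
                          "UPDATE_PASSWORD", "UPDATE_TOTP", "REMOVE_TOTP"],
    "adminEventsEnabled": True,
    "adminEventsDetailsEnabled": True,
}
# Constructed snapshot of a realm whose audit settings were quietly weakened.
DRIFTED = dict(
    BASELINE, eventsExpiration=86400, eventsListeners=["jboss-logging"],
    enabledEventTypes=["LOGIN", "LOGOUT", "UPDATE_PASSWORD", "UPDATE_TOTP", "REMOVE_TOTP"],
    adminEventsDetailsEnabled=False)

def audit_drift(baseline, current):
    """Return sorted findings where `current` captures less than `baseline`."""
    findings = []
    for flag in ("eventsEnabled", "adminEventsEnabled", "adminEventsDetailsEnabled"):
        if baseline.get(flag) and not current.get(flag):
            findings.append(f"{flag} was turned off")
    for key in ("eventsListeners", "enabledEventTypes"):
        # Additions are ignored; only listeners or event types that disappeared count.
        missing = sorted(set(baseline.get(key) or []) - set(current.get(key) or []))
        if missing:
            findings.append(f"{key} lost: {', '.join(missing)}")
    base = baseline.get("eventsExpiration", 0)
    cur = current.get("eventsExpiration", 0)
    # Assumption: 0 means saved events never expire, so only a non-zero value
    # that is shorter than the baseline (or replaces "never") is a reduction.
    if cur and (base == 0 or cur < base):
        findings.append(f"eventsExpiration reduced from {base} to {cur} seconds")
    return sorted(findings)
```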
Conclusion
Auditing is a critical feature for maintaining the security, compliance, and operational integrity of any identity management system. In Keycloak, enabling and managing auditing is straightforward and provides deep insights into both user and administrative actions. By effectively utilizing the auditing capabilities of Keycloak, you can enhance your organization’s security posture and ensure compliance with regulatory requirements, all while maintaining a clear oversight of user activities and system changes. You can find out more about auditing in Keycloak in the official documentation.