Audit Logs
Skycloak automatically records all user actions and system events in your workspace, providing a complete audit trail for compliance, security monitoring, and forensic analysis.
Overview
The Audit Logs feature gives you visibility into:
- User Actions: Who did what and when — cluster creation, member invitations, configuration changes, and more
- Security Events: Failed login attempts, API key operations, permission changes
- System Events: Automated operations, background processes, webhook deliveries
- Resource Changes: Before/after values for configuration updates
What Gets Tracked
Audit logs capture all meaningful platform actions across your workspace, including:
- Cluster Operations: Creating, updating, deleting, and upgrading Keycloak clusters
- Settings Changes: Workspace settings, branding, custom domains, and security configurations
- Member Management: Inviting members, changing roles, and removing team members
- Application Management: Creating, updating, and deleting applications and client secrets
- Extension Management: Installing, uninstalling, and configuring extensions
- Billing Actions: Plan changes, subscription updates, and add-on modifications
- Security Operations: API key creation/rotation, IP whitelist changes, and policy updates
Internal engagement and analytics tracking events are automatically excluded from audit logs to keep the trail focused on actionable platform activity.
Access Control
Audit logs are available to workspace owners and workspace admins only. Members with the standard “member” role cannot view, export, or access audit log data.
This ensures that sensitive operational data — including IP addresses, user agents, and change details — is only visible to users with appropriate authority in the workspace.
Viewing Audit Logs
Navigate to Settings > Workspace > Audit Logs to view your workspace’s activity history.
Filtering & Search
- Date Range: Filter by time period (7 days, 30 days, 90 days, or all time — based on your plan’s retention)
- User Actions Only: Toggle to show only user-initiated actions, hiding automated API calls and background operations
- Search: Find logs by user email, resource name, IP address, or description
Log Details
Click on any audit log entry to see detailed information including:
- Event type and severity
- User information (name, email, IP address, user agent)
- Resource type and ID
- Before/after change values (for update operations)
- Request metadata (HTTP method, path, status code, duration)
Plan Availability
| Plan | Retention | Export | Compliance Reports |
|---|---|---|---|
| Trial | 7 days | — | — |
| Launch | 3 days | — | — |
| Business | 30 days | CSV, JSON | — |
| Enterprise | 90 days | CSV, JSON | Available |
Exporting Audit Logs
Business and Enterprise plans can export audit logs in CSV or JSON format for offline analysis or integration with external tools.
Use the export buttons in the top-right of the audit log view to download your logs.
SIEM Integration
Enterprise plans with the SIEM Integration add-on can continuously forward audit logs to external Security Information and Event Management (SIEM) platforms. When configuring a SIEM destination, select Skycloak Audit Logs as the event source type to stream platform audit events to your SIEM in real time.
This enables centralized monitoring of both Keycloak authentication events and Skycloak platform activity in a single security dashboard.
See the SIEM Integration Guide for setup instructions.
Compliance Reports
Enterprise plans include compliance reports that summarize:
- Total events within a reporting period
- Unique active users
- Security events and failed login attempts
- Data export activity
- Event breakdown by type
Event Types
Audit events are automatically categorized based on the action performed:
| Category | Events |
|---|---|
| Authentication | Login, logout, failed login, password reset, MFA changes |
| Workspace | Workspace creation/update, member invitations, role changes |
| Clusters | Cluster creation/deletion, realm management, feature changes |
| Applications | App creation/update/deletion, secret regeneration |
| Billing | Plan changes, subscription events |
| Extensions | Extension install/uninstall/configuration |
| Security | API key operations, policy changes, IP whitelist updates |
| Data | Exports, imports, backups |
User Action vs. System Events
Skycloak distinguishes between user-initiated actions and automated system events:
- User Actions: Direct actions taken by workspace members (creating a cluster, inviting a member, changing settings)
- System Events: Automated operations like health checks, status polling, token refreshes, and webhook deliveries
Use the “User actions only” toggle to filter the view.
Data Retention
Audit logs are retained according to your plan’s retention period. Logs older than the retention period are automatically cleaned up. Enterprise customers can contact support for custom retention requirements.