Splunk Integration

Splunk Integration Guide

Forward Keycloak authentication events and logs to Splunk for centralized security monitoring, threat detection, and compliance reporting.

Overview

This guide walks you through configuring Skycloak to send security events to Splunk using syslog. Splunk is ideal for organizations requiring powerful search capabilities, custom dashboards, and advanced threat detection.

What You’ll Achieve

  • Real-time authentication event forwarding to Splunk
  • Searchable logs with Keycloak event context
  • Custom dashboards for security monitoring
  • Alerting on suspicious authentication patterns

Prerequisites

Before starting, ensure you have:

  1. Skycloak Requirements

    • Enterprise plan with SIEM Integration add-on
    • Workspace Owner or Admin permissions
    • Network connectivity from Skycloak to your Splunk instance
  2. Splunk Requirements

    • Splunk Enterprise 8.0+ or Splunk Cloud
    • Permission to create data inputs
    • Network access to accept syslog data

Step 1: Configure Splunk Data Input

Option A: UDP Syslog (Simple Setup)

  1. Log in to Splunk Web

  2. Navigate to Settings → Data Inputs

  3. Click UDP → New Local UDP

  4. Configure the input:

    • Port: 514 (or custom port like 10514)
    • Source type: Select Automatic or create custom keycloak_syslog
    • Index: Select destination index (e.g., security or main)
    • Source name override: keycloak
  5. Click Review → Submit

Option B: TCP Syslog (Recommended for Production)

  1. Navigate to Settings → Data Inputs

  2. Click TCP → New Local TCP

  3. Configure the input:

    • Port: 514 (or custom port like 10514)
    • Source type: keycloak_syslog (create if needed)
    • Index: security or main
    • Connection Host: dns (recommended)
  4. Click Review → Submit

Option C: TLS Syslog (Most Secure)

For encrypted syslog over TLS:

  1. Configure SSL/TLS certificate on Splunk:

    • Navigate to Settings → Server Settings → Server Certificates
    • Upload your SSL certificate and private key
  2. Enable TLS for TCP input:

    • Edit inputs.conf on your Splunk server:

      [tcp-ssl:6514]
      sourcetype = keycloak_syslog
      index = security
      connection_host = dns
  3. Configure SSL settings in server.conf:

      [sslConfig]
      serverCert = $SPLUNK_HOME/etc/auth/server.pem
      sslPassword = your_password
  4. Restart Splunk:

      $SPLUNK_HOME/bin/splunk restart

Step 2: Configure Skycloak SIEM Destination

  1. Log in to your Skycloak dashboard
  2. Navigate to SIEM Integration in the left sidebar
  3. Click Add Destination
  4. Configure the destination:

Basic Information

  • Name: Production Splunk
  • Destination Type: Syslog

Connection Details

  • Syslog Host: Your Splunk server hostname or IP (e.g., splunk.company.com or 10.0.1.50)
  • Port: Match your Splunk data input port (e.g., 514, 10514, or 6514 for TLS)
  • Protocol:
    • UDP for simple setup
    • TCP for reliable delivery (recommended)
    • TLS for encrypted transmission (most secure)
  • Format: CEF (recommended) or JSON

Event Filtering

Select events to forward:

  • LOGIN - Successful logins
  • LOGIN_ERROR - Failed login attempts
  • LOGOUT - User logouts
  • UPDATE_PASSWORD - Password changes
  • REGISTER - New user registrations
  • Add more based on your security monitoring needs

Include Server Logs: Toggle on if you need detailed application logs (increases volume)

Batching Configuration

  • Batch Size: 500 (recommended for production)
  • Batch Interval: 120 seconds
  5. Click Complete Setup
  6. Toggle Enable to start forwarding events

Step 3: Verify Data Flow

Check Data Input Status

  1. In Splunk Web, go to Settings → Data Inputs
  2. Click your configured input type (UDP/TCP)
  3. Verify the input shows as Enabled

Search for Keycloak Events

Run this search in Splunk:

index=security sourcetype=keycloak_syslog
| head 10

Expected result: Recent Keycloak events should appear within 2-3 minutes of enabling the destination.

Test with Login Event

  1. Log in to one of your Keycloak realms
  2. Wait 2-3 minutes for batch processing
  3. Run this search:

    index=security sourcetype=keycloak_syslog "LOGIN"
    | head 1

Step 4: Create Custom Dashboards

Example: Login Activity Dashboard

  1. Navigate to Dashboards → Create New Dashboard
  2. Add panels using these searches:

Panel 1: Login Success Rate

index=security sourcetype=keycloak_syslog (LOGIN OR LOGIN_ERROR)
| stats count by event_type
| eventstats sum(count) as total
| eval success_rate=round(count/total*100,2)

Panel 2: Failed Logins by User

index=security sourcetype=keycloak_syslog event_type=LOGIN_ERROR
| stats count by username
| sort -count
| head 10

Panel 3: Login Locations

index=security sourcetype=keycloak_syslog event_type=LOGIN
| iplocation ip_address
| geostats count by Country

Panel 4: Hourly Login Volume

index=security sourcetype=keycloak_syslog event_type=LOGIN
| timechart span=1h count

Step 5: Set Up Alerts

Example: Detect Brute Force Attacks

  1. Navigate to Settings → Searches, Reports, and Alerts
  2. Click New Alert
  3. Configure:
    • Title: Keycloak Brute Force Detection
    • Search:

      index=security sourcetype=keycloak_syslog event_type=LOGIN_ERROR
      | stats count by username, ip_address
      | where count > 5
    • Run: Every 5 minutes
    • Trigger: Number of Results is greater than 0
    • Actions: Send email, trigger webhook, or create incident

Example: Detect Account Changes

Alert on password or email changes:

index=security sourcetype=keycloak_syslog (event_type=UPDATE_PASSWORD OR event_type=UPDATE_EMAIL)
| table _time, username, event_type, ip_address, user_agent

Format Reference

CEF Format (Recommended)

CEF (Common Event Format) is optimized for Splunk and provides structured fields:

CEF:0|Skycloak|Keycloak|1.0|LOGIN|User Login|5|rt=1642089600000 suser=john.doe src=203.0.113.42 cs1Label=Realm cs1=production cs2Label=ClientID cs2=web-app

Field Mapping:

  • rt - Event timestamp
  • suser - Username
  • src - Source IP address
  • cs1 - Realm name
  • cs2 - Client ID
  • cs3 - User ID
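The parser below is an added example (not Skycloak's or Splunk's own code) that reads one CEF:0 record in the shape shown above into a flat dict, honouring CEF escaping of `|` and `=`, folding `csNLabel`/`csN` pairs into fields named after the label, and converting `rt` (epoch milliseconds) to a UTC datetime. The sample line is the one from this page; the helper names are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the CEF record shown in the Format Reference above.
SAMPLE_CEF = ("CEF:0|Skycloak|Keycloak|1.0|LOGIN|User Login|5|"
              "rt=1642089600000 suser=john.doe src=203.0.113.42 "
              "cs1Label=Realm cs1=production cs2Label=ClientID cs2=web-app")

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
_EXT_UNESCAPE = {"n": "\n", "r": "\r"}  # CEF writes newlines in extension values as \n / \r


def _unescape_ext(text):
    # '\=' -> '=', '\\' -> '\', '\n' / '\r' -> line breaks
    return re.sub(r"\\(.)", lambda m: _EXT_UNESCAPE.get(m.group(1), m.group(1)), text)


def parse_cef(line):
    """Parse one CEF:0 record (optionally wrapped in a syslog line) into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    # Header: seven pipe-delimited fields; a '\|' inside a field is an escaped pipe
    parts = re.split(r"(?<!\\)\|", line[start + len("CEF:"):].strip(), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven pipe-delimited fields")
    event = dict(zip(HEADER_FIELDS,
                     (p.replace("\\|", "|").replace("\\\\", "\\") for p in parts[:7])))
    ext = parts[7]
    # An extension key is a run of word characters followed by '=' at the start or after
    # whitespace; an escaped '\=' inside a value never matches, so values may contain '='
    keys = list(re.finditer(r"(?:^|(?<=\s))(\w+)=", ext))
    raw = {}
    for i, key in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw[key.group(1)] = _unescape_ext(ext[key.end():end].rstrip())
    for key, value in raw.items():
        if key.endswith("Label"):
            continue  # labels only name another field, they are not events data themselves
        event[raw.get(key + "Label", key)] = value  # cs1Label=Realm cs1=x  ->  Realm=x
    return event


def event_time(event):
    """Convert the 'rt' extension (epoch milliseconds) into an aware UTC datetime."""
    return datetime.fromtimestamp(int(event["rt"]) / 1000, tz=timezone.utc)
```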

JSON Format (Alternative)

JSON format provides full flexibility:

{
  "timestamp": "2024-01-15T14:30:00Z",
  "event_type": "LOGIN",
  "realm": "production",
  "username": "john.doe",
  "ip_address": "203.0.113.42",
  "user_agent": "Mozilla/5.0...",
  "details": {
    "client_id": "web-app",
    "auth_method": "password"
  }
}

Useful Splunk Queries

Recent Failed Logins

index=security sourcetype=keycloak_syslog event_type=LOGIN_ERROR
| table _time, username, ip_address, realm
| sort -_time

Users with Most Activity

index=security sourcetype=keycloak_syslog
| stats count by username
| sort -count
| head 20

Login Activity by Realm

index=security sourcetype=keycloak_syslog event_type=LOGIN
| stats count by realm
| sort -count

Suspicious Login Patterns

index=security sourcetype=keycloak_syslog event_type=LOGIN
| stats dc(ip_address) as unique_ips by username
| where unique_ips > 5
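To check the two detection rules on this page (the Step 5 brute-force alert and the Suspicious Login Patterns search) against sample data before scheduling them in Splunk, the added example below re-implements both in Python over constructed events in the JSON format from the Format Reference; it is not Skycloak or Splunk code. It goes one step beyond the SPL by making the time window explicit, since `stats count ... | where count > 5` otherwise counts over whatever search time range the alert is given.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _evt(minute, event_type, user, ip):
    # Constructed sample event in the page's JSON format (not real Skycloak output)
    ts = datetime(2024, 1, 15, 14, 0, tzinfo=timezone.utc) + timedelta(minutes=minute)
    return json.dumps({"timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "event_type": event_type,
                       "realm": "production", "username": user, "ip_address": ip,
                       "user_agent": "Mozilla/5.0...", "details": {"client_id": "web-app"}})

# Constructed batch: six failed logins for john.doe from one address within three minutes,
# alice logging in from six different addresses over two hours, and benign activity for bob.
SAMPLE_LINES = (
    [_evt(30 + i // 2, "LOGIN_ERROR", "john.doe", "203.0.113.42") for i in range(6)]
    + [_evt(20 * i, "LOGIN", "alice", f"198.51.100.{i}") for i in range(6)]
    + [_evt(15, "LOGIN", "bob", "192.0.2.7"), _evt(40, "LOGIN_ERROR", "bob", "192.0.2.7")]
)


def load_events(lines):
    """Parse JSON lines, convert the timestamp to an aware datetime, sort by time."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["timestamp"] = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["timestamp"])


def brute_force_candidates(events, threshold=5, window_seconds=300):
    """(username, ip_address) pairs with more than `threshold` LOGIN_ERROR events inside
    any `window_seconds` window: `stats count by username, ip_address | where count > 5`."""
    window = timedelta(seconds=window_seconds)
    stamps = defaultdict(list)
    for e in events:
        if e["event_type"] == "LOGIN_ERROR":
            stamps[(e["username"], e["ip_address"])].append(e["timestamp"])
    hits = set()
    for key, times in stamps.items():  # times are sorted because events are sorted
        start = 0
        for end, t in enumerate(times):  # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                hits.add(key)
                break
    return hits


def multi_ip_users(events, threshold=5):
    """Usernames seen logging in from more than `threshold` distinct addresses:
    `stats dc(ip_address) as unique_ips by username | where unique_ips > 5`."""
    ips = defaultdict(set)
    for e in events:
        if e["event_type"] == "LOGIN":
            ips[e["username"]].add(e["ip_address"])
    return {user for user, addrs in ips.items() if len(addrs) > threshold}
```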

Troubleshooting

No Events Appearing in Splunk

  1. Check Skycloak destination status:

    • Go to SIEM Integration page
    • Verify destination shows “Healthy” status
    • Check “Events Sent” metric is increasing
  2. Verify Splunk data input:

    • Go to Settings → Data Inputs → your input type
    • Ensure input is Enabled
    • Check port is correct and not blocked by firewall
  3. Test network connectivity:

    # From Skycloak network (if you have access):
    telnet splunk.company.com 514
  4. Check Splunk logs:

    tail -f $SPLUNK_HOME/var/log/splunk/splunkd.log | grep -i syslog

Events Delayed

  • Check batch settings: Lower batch interval for faster delivery (trade-off: more network calls)
  • Check Splunk indexing: Look for indexing delays in Splunk monitoring console
  • Network latency: Use TLS/TCP for better reliability over UDP

Firewall Issues

If Skycloak cannot reach Splunk:

  1. Ensure outbound traffic is allowed from Skycloak to your Splunk host
  2. Common ports: 514 (UDP/TCP), 6514 (TLS)
  3. Work with your network team to whitelist Skycloak IP ranges

Format Parsing Issues

If events aren’t being parsed correctly:

  1. Create custom source type in Splunk:

    • Navigate to Settings → Source Types → New Source Type
    • Name: keycloak_syslog
    • Configure field extraction based on your format
  2. For CEF format, use built-in CEF field extraction:

    • Splunk automatically parses CEF fields
    • Access fields with CEF_field_name prefix

Best Practices

  1. Use TCP or TLS: UDP may lose events under high load
  2. Start with key events: Begin with login-related events, expand gradually
  3. Monitor destination health: Check Skycloak SIEM page regularly
  4. Create retention policies: Configure index retention in Splunk based on compliance needs
  5. Set up alerting: Don’t just collect data - act on security events
  6. Regular dashboard reviews: Schedule weekly security reviews using your dashboards

Next Steps

  • Create custom dashboards for your security team
  • Set up automated alerting for critical events
  • Integrate with incident response workflows
  • Review Splunk Enterprise Security app for advanced features
  • Configure log retention policies for compliance

Support

For assistance: