Keycloak Integration

edit

Keycloak Integration

edit

Version

1.23.2 (View all)

Compatible Kibana version(s)

8.13.0 or higher

Supported Serverless project types
What’s this?

Security
Observability

Subscription level
What’s this?

Basic

Level of support
What’s this?

Community

The Keycloak integration collects events from the Keycloak log files.

To enable logging of all Keycloak events like logins, user creation/updates/deletions…​. add the below

    <logger category="org.keycloak.events">
        <level name="DEBUG"/>
    </logger>

to your configuration XML file (ie standalone.xml) under the path below

<server>
    <profile>
        <subsystem xmlns="urn:jboss:domain:logging:8.0">
            ....
        </subsystem>
    </profile>
</server>

Note:

  • Keycloak log files could contain multiline logs. In order to process them, the multiline configuration should be added to the parsers section when deploying the integration.

Logs

edit

log

edit
Exported fields
Field Description Type

@timestamp

Event timestamp.

date

cloud.image.id

Image ID for the cloud instance.

keyword

data_stream.dataset

Data stream dataset name.

constant_keyword

data_stream.namespace

Data stream namespace.

constant_keyword

data_stream.type

Data stream type.

constant_keyword

event.dataset

Event dataset

constant_keyword

event.module

Event module

constant_keyword

host.containerized

If the host is a container.

boolean

host.os.build

OS build information.

keyword

host.os.codename

OS codename, if any.

keyword

input.type

Type of Filebeat input.

keyword

keycloak.admin.operation

Keycloak admin operation; Add, Update, Delete

keyword

keycloak.admin.resource.path

Path to affected resource

keyword

keycloak.admin.resource.type

Type of keycloak resource being acted upon; Group, User, Client, Scope…​

keyword

keycloak.client.id

ID of the Keycloak client

keyword

keycloak.event_type

Keycloak event type; Login or Admin

keyword

keycloak.login.auth_method

Keycloak authentication method (SAML or OpenID Connect)

keyword

keycloak.login.auth_session_parent_id

Parent session ID

keyword

keycloak.login.auth_session_tab_id

Session Tab ID

keyword

keycloak.login.auth_type

OpenID Connect authentication type (code, implicit…​)

keyword

keycloak.login.code_id

OpenID Connect Code ID

keyword

keycloak.login.redirect_uri

Keycloak redirect URL

keyword

keycloak.login.type

Event Type

keyword

keycloak.realm.id

Keycloak Realm ID

keyword

log.file.device_id

ID of the device containing the filesystem where the file resides.

keyword

log.file.fingerprint

The sha256 fingerprint identity of the file when fingerprinting is enabled.

keyword

log.file.idxhi

The high-order part of a unique identifier that is associated with a file. (Windows-only)

keyword

log.file.idxlo

The low-order part of a unique identifier that is associated with a file. (Windows-only)

keyword

log.file.inode

Inode number of the log file.

keyword

log.file.vol

The serial number of the volume that contains a file. (Windows-only)

keyword

log.flags

Flags for the log file.

keyword

log.offset

Offset of the entry in the log file.

long

url.scheme

Example

An example event for log looks as following:

{
    "@timestamp": "2021-10-22T21:01:42.667-05:00",
    "agent": {
        "ephemeral_id": "bb6d890f-5c05-4247-b410-8f3b914e5293",
        "id": "d053789b-7b04-4a8c-b06c-ca79014bb61a",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.10.2"
    },
    "data_stream": {
        "dataset": "keycloak.log",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d053789b-7b04-4a8c-b06c-ca79014bb61a",
        "snapshot": false,
        "version": "8.10.2"
    },
    "event": {
        "agent_id_status": "verified",
        "dataset": "keycloak.log",
        "ingested": "2023-10-03T10:29:46Z",
        "original": "2021-10-22 21:01:42,667 INFO  [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 64) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication",
        "timezone": "-05:00"
    },
    "host": {
        "architecture": "x86_64",
        "containerized": true,
        "hostname": "docker-fleet-agent",
        "id": "efe661d97f0c4d9883075c393da6b0d8",
        "ip": [
            "172.30.0.7"
        ],
        "mac": [
            "02-42-AC-1E-00-07"
        ],
        "name": "docker-fleet-agent",
        "os": {
            "codename": "focal",
            "family": "debian",
            "kernel": "5.15.90.1-microsoft-standard-WSL2",
            "name": "Ubuntu",
            "platform": "ubuntu",
            "type": "linux",
            "version": "20.04.6 LTS (Focal Fossa)"
        }
    },
    "input": {
        "type": "filestream"
    },
    "log": {
        "file": {
            "device_id": 2080,
            "inode": 90612,
            "path": "/tmp/service_logs/test-log.log"
        },
        "level": "INFO",
        "logger": "org.jboss.resteasy.resteasy_jaxrs.i18n",
        "offset": 658
    },
    "message": "RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication",
    "process": {
        "thread": {
            "name": "ServerService Thread Pool -- 64"
        }
    },
    "tags": [
        "preserve_original_event",
        "keycloak-log"
    ]
}

Changelog

edit
Changelog
Version Details Kibana version(s)

1.23.2

Bug fix (View pull request)
Use triple-brace Mustache templating when referencing variables in ingest pipelines.

8.13.0 or higher

1.23.1

Bug fix (View pull request)
Use triple-brace Mustache templating when referencing variables in ingest pipelines.

8.13.0 or higher

1.23.0

Enhancement (View pull request)
Make condition configurable to control when to apply the log data stream.

8.13.0 or higher

1.22.3

Bug fix (View pull request)
Fix missing value in pipeline condition.

8.13.0 or higher

1.22.2

Bug fix (View pull request)
Enhanced kv processor to trim escape sequences properly.

8.13.0 or higher

1.22.1

Bug fix (View pull request)
Fixed parser config default value and updated GROK pattern to account for multiline logs.

8.13.0 or higher

1.22.0

Enhancement (View pull request)
Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

1.21.0

Enhancement (View pull request)
Update manifest format version to v3.0.3.

7.16.0 or higher
8.0.0 or higher

1.20.1

Enhancement (View pull request)
Changed owners

7.16.0 or higher
8.0.0 or higher

1.20.0

Enhancement (View pull request)
Make parsers configurable for Keycloak logs.

7.16.0 or higher
8.0.0 or higher

1.19.0

Enhancement (View pull request)
ECS version updated to 8.11.0.

7.16.0 or higher
8.0.0 or higher

1.18.0

Enhancement (View pull request)
Improve event.original check to avoid errors if set.

7.16.0 or higher
8.0.0 or higher

1.17.0

Enhancement (View pull request)
Adapt fields for changes in file system info

7.16.0 or higher
8.0.0 or higher

1.16.0

Enhancement (View pull request)
Set community owner type.

7.16.0 or higher
8.0.0 or higher

1.15.0

Enhancement (View pull request)
Update the package format_version to 3.0.0.

7.16.0 or higher
8.0.0 or higher

1.14.0

Enhancement (View pull request)
Update package to ECS 8.10.0 and align ECS categorization fields.

7.16.0 or higher
8.0.0 or higher

1.13.0

Enhancement (View pull request)
Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

7.16.0 or higher
8.0.0 or higher

1.12.0

Enhancement (View pull request)
Update package to ECS 8.9.0.

7.16.0 or higher
8.0.0 or higher

1.11.0

Enhancement (View pull request)
Update package-spec to 2.9.0.

7.16.0 or higher
8.0.0 or higher

1.10.0

Enhancement (View pull request)
Ensure event.kind is correctly set for pipeline errors.

7.16.0 or higher
8.0.0 or higher

1.9.0

Enhancement (View pull request)
Update package to ECS 8.8.0.

7.16.0 or higher
8.0.0 or higher

1.8.0

Enhancement (View pull request)
Update package to ECS 8.7.0.

7.16.0 or higher
8.0.0 or higher

1.7.2

Enhancement (View pull request)
Added categories and/or subcategories.

7.16.0 or higher
8.0.0 or higher

1.7.1

Bug fix (View pull request)
Ensure numeric timezones are correctly interpreted.

7.16.0 or higher
8.0.0 or higher

1.7.0

Enhancement (View pull request)
Update package to ECS 8.6.0.

7.16.0 or higher
8.0.0 or higher

1.6.0

Enhancement (View pull request)
Update package to ECS 8.5.0.

7.16.0 or higher
8.0.0 or higher

1.5.1

Enhancement (View pull request)
Use ECS geo.location definition.

7.16.0 or higher
8.0.0 or higher

1.5.0

Enhancement (View pull request)
Update package to ECS 8.4.0

7.16.0 or higher
8.0.0 or higher

1.4.2

Bug fix (View pull request)
Fix typo in Timezone Offset description.

7.16.0 or higher
8.0.0 or higher

1.4.1

Enhancement (View pull request)
Update package name and description to align with standard wording

7.16.0 or higher
8.0.0 or higher

1.4.0

Enhancement (View pull request)
Update package to ECS 8.3.0.

7.16.0 or higher
8.0.0 or higher

1.3.1

Enhancement (View pull request)
Add link to keycloak documentation

7.16.0 or higher
8.0.0 or higher

1.3.0

Enhancement (View pull request)
Update to ECS 8.2

7.16.0 or higher
8.0.0 or higher

1.2.1

Enhancement (View pull request)
Add documentation for multi-fields

7.16.0 or higher
8.0.0 or higher

1.2.0

Enhancement (View pull request)
Update to ECS 8.0

7.16.0 or higher
8.0.0 or higher

1.1.0

Enhancement (View pull request)
Add 8.0.0 version constraint

7.16.0 or higher
8.0.0 or higher

1.0.0

Enhancement (View pull request)
initial release

7.16.0 or higher