Tracking User Access with Keycloak Event Logging
The logs don’t lie. Every click, token request, and login attempt tells a story — if you know where to look. Keycloak can tell you exactly who accessed what and when, but you have to set it up right and know how to read the data.
Keycloak is more than an identity provider. With its event logging features, you can track user activity across every realm and client. The Admin Console gives you a quick view, but serious audits call for the Admin REST API or custom Event Listeners. These listeners capture authentication events such as successful logins, login errors, token refreshes, and logouts. Every event records a user ID, the client accessed, the source IP address, and the precise event time (an epoch timestamp, so it is already in UTC).
To enable detailed tracking, go to your realm settings and turn on Admin Events and User Events. Store them in Keycloak's database, or use an event listener to push them to an external system over Kafka or HTTP. Storing events internally lets you query them later by user, by client, or by date range, which is exactly what you need to answer the question: Who accessed what and when?
For finer control, restrict the saved Event Types so you don't drown in irrelevant data. You can log only login events and token requests, or capture resource access through client scopes and custom endpoints. Integrating Keycloak with your API gateway or resource server lets you tag each access with context, so you are tracking not just logins but actual use of protected resources.
Audit accuracy depends on correlating identities with actions. Use User Attribute Mapping to link Keycloak identities to external identifiers like employee IDs or system usernames. This ensures your “who” isn’t just a UUID, but a real name tied to organizational records. Then, combine these logs with downstream service logs to form a complete timeline.
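The query-and-correlate workflow described in the last three paragraphs, as an added example that is not part of this post and not Keycloak's own tooling. The request builder mirrors the Admin REST API's `GET /admin/realms/{realm}/events` endpoint and its documented query parameters (`type`, `user`, `client`, `dateFrom`, `dateTo`, `max`); the event, user and service-log payloads are constructed inline in the shape those APIs return, so the script runs offline. The `employeeId` user attribute and the `orders-api` log format are assumptions for the illustration.

```python
"""Build an audit timeline from Keycloak user events, resolve each user ID to
an organizational identifier, and merge in downstream service log lines.

Added example. Payloads below are constructed to match Keycloak's
EventRepresentation / UserRepresentation shapes; nothing is fetched.
"""
import json
from datetime import datetime, timezone
from urllib.parse import urlencode

EMPLOYEE_ID_ATTR = "employeeId"  # hypothetical user attribute mapped from HR records


def events_url(base_url, realm, types=(), user=None, client=None,
               date_from=None, date_to=None, max_results=100):
    """Build the Admin REST API events query. `type` may repeat; dates are yyyy-MM-dd."""
    params = [("type", t) for t in types]
    for key, value in (("user", user), ("client", client),
                       ("dateFrom", date_from), ("dateTo", date_to)):
        if value is not None:
            params.append((key, value))
    params.append(("max", str(max_results)))
    return f"{base_url}/admin/realms/{realm}/events?{urlencode(params)}"


# Constructed response of GET /admin/realms/demo/events (time is epoch millis).
EVENTS_JSON = """[
 {"time": 1718000000000, "type": "LOGIN", "realmId": "demo", "clientId": "web-portal",
  "userId": "6f1c2b3a-0000-4000-8000-000000000001", "ipAddress": "203.0.113.10",
  "details": {"username": "jdoe", "auth_method": "openid-connect"}},
 {"time": 1718000030000, "type": "LOGIN_ERROR", "realmId": "demo", "clientId": "web-portal",
  "userId": "6f1c2b3a-0000-4000-8000-000000000002", "ipAddress": "198.51.100.7",
  "error": "invalid_user_credentials", "details": {"username": "asmith"}},
 {"time": 1718000090000, "type": "REFRESH_TOKEN", "realmId": "demo", "clientId": "orders-api",
  "userId": "6f1c2b3a-0000-4000-8000-000000000001", "ipAddress": "203.0.113.10",
  "details": {}}
]"""

# Constructed UserRepresentations; Keycloak stores attribute values as lists.
USERS_JSON = """[
 {"id": "6f1c2b3a-0000-4000-8000-000000000001", "username": "jdoe",
  "attributes": {"employeeId": ["E-10482"]}},
 {"id": "6f1c2b3a-0000-4000-8000-000000000002", "username": "asmith",
  "attributes": {"employeeId": ["E-20917"]}}
]"""

# Constructed resource-server log; `sub` is the Keycloak user ID from the access token.
SERVICE_LOG = """2024-06-10T06:14:55Z orders-api GET /orders/778 sub=6f1c2b3a-0000-4000-8000-000000000001 status=200
2024-06-10T06:15:20Z orders-api DELETE /orders/778 sub=6f1c2b3a-0000-4000-8000-000000000001 status=403
"""


def load_identity_map(users_json):
    """Map Keycloak user UUID -> (username, employee ID or None)."""
    out = {}
    for u in json.loads(users_json):
        values = u.get("attributes", {}).get(EMPLOYEE_ID_ATTR, [])
        out[u["id"]] = (u["username"], values[0] if values else None)
    return out


def event_records(events_json, identities):
    """Normalize Keycloak events into timeline rows with a UTC datetime."""
    rows = []
    for e in json.loads(events_json):
        fallback = (e.get("details", {}).get("username"), None)
        username, emp = identities.get(e.get("userId"), fallback)
        what = e["type"] + (f" ({e['error']})" if e.get("error") else "")
        rows.append({"ts": datetime.fromtimestamp(e["time"] / 1000, tz=timezone.utc),
                     "who": emp or e.get("userId"), "username": username,
                     "what": what, "target": e.get("clientId"), "source": e.get("ipAddress")})
    return rows


def service_records(log_text, identities):
    """Parse the constructed service log and join it on the token subject."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, service, method, path, sub_kv, status_kv = line.split()
        sub = sub_kv.split("=", 1)[1]
        username, emp = identities.get(sub, (None, None))
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                     "who": emp or sub, "username": username,
                     "what": f"{method} {path} -> {status_kv.split('=', 1)[1]}",
                     "target": service, "source": "service-log"})
    return rows


def audit_timeline(events_json, users_json, log_text):
    """Who accessed what, from where, and when: one chronologically sorted list."""
    identities = load_identity_map(users_json)
    rows = event_records(events_json, identities) + service_records(log_text, identities)
    return sorted(rows, key=lambda r: r["ts"])


def format_row(r):
    return f"{r['ts'].isoformat()} {r['who']} ({r['username']}) {r['what']} on {r['target']} from {r['source']}"


if __name__ == "__main__":
    print(events_url("https://sso.example.test", "demo",
                     types=("LOGIN", "LOGIN_ERROR"), date_from="2024-06-10"))
    for row in audit_timeline(EVENTS_JSON, USERS_JSON, SERVICE_LOG):
        print(format_row(row))
```

The join key on the service side is the token's `sub` claim, which is the same UUID Keycloak writes into `userId` on its events; resolving both through the user attribute is what turns the timeline from UUIDs into employee IDs. The failed login for `asmith` keeps its `error` code so a reviewer can distinguish an attempt from a success.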
For security teams, retention matters. Configure Event Retention Policies to keep records long enough for compliance requirements but without overloading your database. Push old records to a centralized logging system like ELK or Grafana Loki for long-term analysis.
When tuned correctly, Keycloak’s event logging answers the core audit question with precision: Who accessed what, from where, and exactly when. It’s not optional for production systems; it’s foundational.
Want to see how clean, real-time user access tracking can look without spending weeks on setup? Check out hoop.dev and watch it live in minutes.