Skip to content

Events & audit

Event logging is your audit trail — who logged in, what failed, and what an admin changed.

Login successes/failures, logouts, registrations, and credential changes.

  • Recommended: on, with a retention window that matches your compliance needs.
  • Ask the assistant: “Turn on login event logging for acme-prod.”
  • Keycloak: Realm settings → Events → User events settings.

Every administrative change to the realm (clients, roles, flows, settings).

  • Recommended: on, with Include representation so the change detail is captured.
  • Ask the assistant: “Enable admin event logging for acme-prod.”
  • Keycloak: Realm settings → Events → Admin events settings.

Events feed the platform’s analytics/SIEM pipeline — exported and queryable for usage reporting and security signals (brute-force spikes, anomalous logins). See Reporting & Analytics for the dashboards and the event pipeline.

Set an expiry on stored events so the pool doesn’t accumulate them unbounded; long-term audit copies live in the analytics pipeline, not the realm database.