02/02/2019

Monitor Keycloak - TICK/Prometheus.

One of the more interesting components I have worked with in the last 2 years is "Keycloak" by Red Hat! Keycloak has many use cases, and I have seen many projects use it in different ways, especially for SSO (Single Sign-On). You will be impressed by how many features it has!

And as usual, let me first quote this from its official page:
Keycloak is an Open Source Identity and Access Management (IAM) solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.

However, up to the latest version (4.8), to monitor Keycloak internal operations (like register, login, reset password, etc.) you need to parse the Keycloak log files after enabling Login Events.

This is not a problem for the TICK stack, which uses Telegraf (an agent for collecting and reporting metrics and data). Telegraf already has a logparser plugin which can parse "grok" patterns and also supports regex patterns.

But this is not the case for Prometheus, where you will need an "exporter" if the application doesn't export the metrics itself.

Fortunately, Keycloak is highly customizable and has something called "Service Provider Interfaces", which are simply interfaces for extending Keycloak's functionality.

Keycloak Metrics SPI is one of the AeroGear projects; it was created to fix this issue and adds a metrics endpoint to Keycloak, so we can collect some crucial data about the activities in Keycloak.

By default the endpoint returns metrics data ready to be scraped by Prometheus, but it can also be used by the TICK Stack, since Telegraf (the agent) supports the Prometheus endpoint format out-of-the-box.

So all you need is to copy the "Keycloak Metrics SPI" jar file to the /$KEYCLOAK_HOME/lib/ path in your Keycloak setup. After that, you need to enable the Event Listener for each realm.

NOTE:
If you have many realms, you can enable the Event Listener directly from the database. You can find the details inside the following table: realm_events_listeners.

Now you can use the following URL to access the login events for all realms (and yes, it returns data for all realms, no matter which realm you use in the URL).

https://KEYCLOAK_URL/auth/realms/master/metrics

Now you just need to get the data from that URL:

Telegraf config:

  [[inputs.prometheus]]
    ## An array of urls to scrape metrics from.
    urls = ["https://KEYCLOAK_URL/auth/realms/master/metrics"]

Prometheus config (note that Prometheus targets are host[:port] only; the scheme and the path are set separately):

  - job_name: keycloak
    scheme: https
    metrics_path: /auth/realms/master/metrics
    # Or whatever service discovery that you have.
    static_configs:
      - targets: ['KEYCLOAK_URL']

Now that you have the metrics for a crucial service like identity and access management by Keycloak, you can do visualization (e.g. using Grafana), alerting, and so on.

And if you haven't checked the other use cases for Keycloak, I highly recommend checking some, because they are pretty interesting.

enjoy :-)

Hello, my name is Ahmed AbouZaid and this is my "lite" technical blog!