Monitor Keycloak - TICK/Prometheus

One of the pretty interesting components I have worked with in the last 2 years is "Keycloak" by Red Hat! Keycloak has many use cases, and I have seen many projects use it in different ways, especially for SSO (Single Sign-On). You will be impressed by how many features it has!

And as usual, let me first quote this from its official page:
Keycloak is an Open Source Identity and Access Management (IAM) solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.

However, up to the latest version (4.8), to monitor Keycloak internal operations (like register, login, reset password, etc.) you need to parse the Keycloak log files after enabling Login Events.

This is not a problem for the TICK stack using Telegraf (an agent for collecting and reporting metrics & data). Telegraf already has the logparser plugin, which can parse "grok" patterns and also supports regex patterns.

But this is not the case for Prometheus where you will need an "exporter" if the application doesn't export the metrics.

Fortunately, Keycloak is highly customizable and has something called "Service Provider Interfaces", which are simply interfaces that extend Keycloak functionality.

Keycloak Metrics SPI is one of the AeroGear projects. It was created to fix this issue and adds a metrics endpoint to Keycloak, so we can collect some crucial data about the activities in Keycloak.

By default, the endpoint returns metrics data ready to be scraped by Prometheus. But it can also be used by the TICK Stack, since Telegraf (the agent) supports the Prometheus endpoint format out of the box.

So all you need is to copy the "Keycloak Metrics SPI" jar file to the /$KEYCLOAK_HOME/lib/ path in your Keycloak setup. After that, you need to enable the Event Listener for each realm.

If you have many realms, you can enable the Event Listener directly from the database. You can find the details inside the following table: realm_events_listeners.

Now you can use the URL to access all login events for all realms (and yes, it will return data for all realms, no matter which realm you use in the URL).


Now you just need to get the data from that URL:

Telegraf config:

  [[inputs.prometheus]]
    ## An array of urls to scrape metrics from.
    urls = ["https://KEYCLOAK_URL/auth/realms/master/metrics"]

Prometheus config:

  # This is a static config, but it could also be replaced with any service discovery that you have.
  - job_name: keycloak
    scheme: https
    static_configs:
      - targets: ['KEYCLOAK_HOST']
    metrics_path: /auth/realms/master/metrics

Now that you have the metrics for a crucial service like identity and access management by Keycloak, you can do visualization (e.g. using Grafana), alerting, and so on.
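
As an added example (not from the original post or from the Keycloak Metrics SPI project), this Python code compares two scrapes of the endpoint's Prometheus text output and flags realms where failed logins dominate between the scrapes. The scrapes are constructed samples, and the metric names `keycloak_logins` and `keycloak_failed_login_attempts`, the `realm` label and the thresholds are assumptions to adjust to what your endpoint returns.

```python
import re
from collections import defaultdict

# Constructed scrapes taken some time apart. Metric and label names are
# assumptions, not taken from the page; adjust them to your endpoint's output.
SCRAPE_1 = '''\
# TYPE keycloak_logins counter
keycloak_logins{realm="master",provider="keycloak",client_id="admin-cli",} 40.0
keycloak_logins{realm="shop",provider="keycloak",client_id="web",} 100.0
keycloak_failed_login_attempts{realm="shop",provider="keycloak",error="invalid_user_credentials",client_id="web",} 5.0
'''
SCRAPE_2 = '''\
keycloak_logins{realm="master",provider="keycloak",client_id="admin-cli",} 43.0
keycloak_logins{realm="shop",provider="keycloak",client_id="web",} 104.0
keycloak_failed_login_attempts{realm="master",provider="keycloak",error="invalid_user_credentials",client_id="admin-cli",} 1.0
keycloak_failed_login_attempts{realm="shop",provider="keycloak",error="invalid_user_credentials",client_id="web",} 35.0
keycloak_failed_login_attempts{realm="shop",provider="keycloak",error="user_not_found",client_id="web",} 16.0
'''

SAMPLE = re.compile(r'^([A-Za-z_:][\w:]*)(?:\{(.*)\})?\s+(\S+)')
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def totals(text):
    """Sum each counter per (metric, realm) from Prometheus text format."""
    out = defaultdict(float)
    for line in text.splitlines():
        m = SAMPLE.match(line.strip())
        if m:  # comment lines start with '#' and never match
            labels = dict(LABEL.findall(m.group(2) or ''))
            out[(m.group(1), labels.get('realm', '?'))] += float(m.group(3))
    return out

def suspicious_realms(prev, curr, max_ratio=0.5, min_attempts=20):
    """Realms whose failed-login share between two scrapes exceeds max_ratio."""
    before, after = totals(prev), totals(curr)
    def delta(metric, realm):
        a, b = after[(metric, realm)], before[(metric, realm)]
        return a if a < b else a - b  # a < b means the counter reset (restart)
    flagged = {}
    for realm in {r for _, r in after}:
        ok = delta('keycloak_logins', realm)
        bad = delta('keycloak_failed_login_attempts', realm)
        if ok + bad >= min_attempts and bad / (ok + bad) > max_ratio:
            flagged[realm] = round(bad / (ok + bad), 2)
    return flagged
```

Because the counters are cumulative, the check works on the difference between scrapes rather than on raw totals, and `min_attempts` keeps low-traffic realms from triggering on a single failed login.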

And if you haven't checked the other use cases for Keycloak, I highly recommend checking some, because they are pretty interesting.

enjoy :-)


Hello, my name is Ahmed AbouZaid and this is my "lite" technical blog!
