Monitor Keycloak - TICK/Prometheus

One of pretty interesting components I worked with it last 2 years was "Keycloak" by Red Hat! Keycloak has many use cases, and I did see many projects use it in different ways especially SSO (Single Sign-On). You will be impressed how many features it has!

And as usual, let me first quote this from its official page:
Keycloak is an Open Source Identity and Access Management (IAM) solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.

However, till latest version (4.8), to monitor Keycloak internal operations (like register, login, reset password ... etc) you need to parse Keycloak log files after enable Login Events.

This is not a problem for TCIK stack using Telegraf (an agent for collecting and reporting metrics & data). Telegraf already has logparser plugin which has the capability to parse "grok" patterns also it supports regex patterns.

But this is not the case for Prometheus where you will need an "exporter" if the application doesn't export the metrics.

Fortunately, Keycloak is highly customizable and has something called "Service Provider Interfaces". Which is simply an interface extends Keycloak functionality.

Keycloak Metrics SPI is one of AeroGear projects was created to fix this issue and adds a metrics endpoint to Keycloak. So we can collect some crucial data about the activities in Keycloak.

By default the endpoint returns metrics data ready to be scraped by Prometheus. But also could be used by TICK Stack since Telegraf (the agent) has support for Prometheus endpoint format out-of-the-box.

So all what you need is to copy "Keycloak Metrics SPI" jar file to /$KEYCLOAK_HOME/lib/ path in your Keycloak setup. After that, you need to enable the Event Listener for each realm.

If you have many realms, you can enable the Event Listener directly from the database. You can find the details inside the following table: realm_events_listeners.

Now you can use the URL to access all login events for all realms (and yes, it will return data for all realms, no matter which realm you use in the URL).


Now you just need to get the data from that URL:

Telegraf config:

  ## An array of urls to scrape metrics from.
  urls = ["https://KEYCLOAK_URL/auth/realms/master/metrics"]
# This is for static config, but any also could be replaced with any service discovery that you have.
  - job_name: keycloak
    scheme: https 
      - targets: ['KEYCLOAK_HOST']
    metrics_path: /auth/realms/master/metrics

Now you have the metrics for crucial service like identity and access management by Keycloak, you can do visualization (e.g. using Grafana), alerting, and so on.

And if you didn't check the other use case for Keycloak, I highly recommend to check some, because they are pretty interesting.

enjoy :-)

Powered by Blogger.

Hello, my name is Ahmed AbouZaid, I'm a passionate Tech Lead DevOps Engineer. 👋

With 16+ years of open-source contributions, 12+ years of professional hands-on experience in DevOps, and an M.Sc. in Data Engineering from Edinburgh Napier University (UK), I enjoy facilitating the growth of both businesses and individuals.

I specialize in Cloud-Native and Kubernetes. I'm also a Free/Open source geek and book author. My favorite topics are DevOps transformation, automation, data, and metrics.

Contact Me


Email *

Message *

Start Your DevOps Engineer Journey!

Start Your DevOps Engineer Journey!
Start your DevOps career for free the Agile way in 2024 with the Dynamic DevOps Roadmap ⭐

Latest Post

2023 Highlights

Image generated with Craiyon . Finally, 2023 is over! What a year! One more crazy year, but it was the culmination ...

Popular Posts

Blog Archive