2016-05-31 16:48:15 +00:00
2022-07-26 15:50:24 +00:00
=== Auditing user events
2016-05-31 16:48:15 +00:00
2021-02-19 20:29:43 +00:00
You can record and view every event that affects users. {project_name} triggers login events for actions such as successful user login, a user entering an incorrect password, or a user account updating. By default, {project_name} does not store or display events in the Admin Console. Only the error events are logged to the Admin Console and the server’ s log file.
2016-05-31 16:48:15 +00:00
2021-02-19 20:29:43 +00:00
.Procedure
2022-07-26 15:50:24 +00:00
Use this procedure to start auditing user events.
. Click *Realm settings* in the menu.
. Click the *Events* tab.
. Click the *User events settings* tab.
. Toggle *Save events* to *ON*.
2021-02-19 20:29:43 +00:00
+
2022-07-26 15:50:24 +00:00
.User events settings
2022-08-19 11:15:51 +00:00
image:images/user-events-settings.png[User events settings]
2021-02-19 20:29:43 +00:00
2022-07-26 15:50:24 +00:00
. Specify the length of time to store events in the *Expiration* field.
2016-05-31 16:48:15 +00:00
2022-07-26 15:50:24 +00:00
. Click *Add saved types* to see other events you can save.
+
.Add types
2022-08-19 11:15:51 +00:00
image:images/add-event-types.png[Add types]
2016-05-31 16:48:15 +00:00
2022-07-26 15:50:24 +00:00
. Click *Add*.
2016-05-31 16:48:15 +00:00
2022-07-26 15:50:24 +00:00
Click *Clear user events* when you want to delete all saved events.
2016-05-31 16:48:15 +00:00
2022-07-26 15:50:24 +00:00
.Procedure
2016-05-31 16:48:15 +00:00
2022-07-26 15:50:24 +00:00
You can now view events.
2016-05-31 16:48:15 +00:00
2022-07-26 15:50:24 +00:00
. Click the *Events* tab in the menu.
+
.User events
2022-08-19 11:15:51 +00:00
image:images/user-events.png[Login Events]
2022-07-26 15:50:24 +00:00
. To filter events, click *Search user event*.
+
.Search user event
2022-08-19 11:15:51 +00:00
image:images/search-user-event.png[Search user event]
2016-05-31 16:48:15 +00:00
2021-06-17 14:39:30 +00:00
==== Event types
2016-05-31 16:48:15 +00:00
2021-02-19 20:29:43 +00:00
*Login events:*
[cols="2",options="header"]
|===
|Event |Description
|Login
|A user logs in.
|Register
|A user registers.
|Logout
|A user logs out.
|Code to Token
|An application, or client, exchanges a code for a token.
|Refresh Token
|An application, or client, refreshes a token.
|===
*Account events:*
[cols="2",options="header"]
|===
|Event |Description
|Social Link
|A user account links to a social media provider.
2016-05-31 16:48:15 +00:00
2021-02-19 20:29:43 +00:00
|Remove Social Link
|The link from a social media account to a user account severs.
2016-05-31 16:48:15 +00:00
2021-02-19 20:29:43 +00:00
|Update Email
|An email address for an account changes.
2016-05-31 16:48:15 +00:00
2021-02-19 20:29:43 +00:00
|Update Profile
|A profile for an account changes.
2016-05-31 16:48:15 +00:00
2021-02-19 20:29:43 +00:00
|Send Password Reset
|{project_name} sends a password reset email.
|Update Password
|The password for an account changes.
|Update TOTP
|The Time-based One-time Password (TOTP) settings for an account changes.
|Remove TOTP
|{project_name} removes TOTP from an account.
|Send Verify Email
|{project_name} sends an email verification email.
|Verify Email
|{project_name} verifies the email address for an account.
|===
Each event has a corresponding error event.
2016-05-31 16:48:15 +00:00
2021-06-17 14:39:30 +00:00
==== Event listener
2016-05-31 16:48:15 +00:00
2021-02-19 20:29:43 +00:00
Event listeners listen for events and perform actions based on that event. {project_name} includes two built-in listeners, the Logging Event Listener and Email Event Listener.
2016-05-31 16:48:15 +00:00
2021-06-17 14:39:30 +00:00
===== The logging event listener
2021-02-19 20:29:43 +00:00
When the Logging Event Listener is enabled, this listener writes to a log file when an error event occurs.
An example log message from a Logging Event Listener:
2016-05-31 16:48:15 +00:00
----
11:36:09,965 WARN [org.keycloak.events] (default task-51) type=LOGIN_ERROR, realmId=master,
clientId=myapp,
userId=19aeb848-96fc-44f6-b0a3-59a17570d374, ipAddress=127.0.0.1,
error=invalid_user_credentials, auth_method=openid-connect, auth_type=code,
redirect_uri=http://localhost:8180/myapp,
code_id=b669da14-cdbb-41d0-b055-0810a0334607, username=admin
----
2021-02-19 20:29:43 +00:00
You can use the Logging Event Listener to protect against hacker bot attacks:
. Parse the log file for the `LOGIN_ERROR` event.
. Extract the IP Address of the failed login event.
. Send the IP address to an intrusion prevention software framework tool.
The Logging Event Listener logs events to the `org.keycloak.events` log category. {project_name} does not include debug log events in server logs, by default.
2016-05-31 16:48:15 +00:00
2021-02-19 20:29:43 +00:00
To include debug log events in server logs:
2019-12-17 05:25:17 +00:00
2022-02-08 13:07:16 +00:00
. Change the log level for the `org.keycloak.events` category
. Change the log level used by the Logging Event listener.
To change the log level used by the Logging Event listener, add the following:
[source,bash]
----
bin/kc.[sh|bat] start --spi-events-listener-jboss-logging-success-level=info --spi-events-listener-jboss-logging-error-level=error
----
The valid values for log levels are `debug`, `info`, `warn`, `error`, and `fatal`.
2021-02-19 20:29:43 +00:00
===== The Email Event Listener
The Email Event Listener sends an email to the user's account when an event occurs and supports the following events:
2019-12-17 05:25:17 +00:00
2021-02-19 20:29:43 +00:00
* Login Error.
* Update Password.
* Update Time-based One-time Password (TOTP).
* Remove Time-based One-time Password (TOTP).
2019-12-17 05:25:17 +00:00
2021-02-19 20:29:43 +00:00
.Procedure
2016-05-31 16:48:15 +00:00
2021-02-19 20:29:43 +00:00
To enable the Email Listener:
2016-05-31 16:48:15 +00:00
2022-07-26 15:50:24 +00:00
. Click *Realm settings* in the menu.
. Click the *Events* tab.
. Click the *Event listeners* field.
2021-02-19 20:29:43 +00:00
. Select `email`.
2022-07-26 15:50:24 +00:00
+
.Event listeners
2022-08-19 11:15:51 +00:00
image:images/event-listeners.png[Event listeners]
2016-05-31 16:48:15 +00:00
2022-02-08 13:07:16 +00:00
You can exclude events by using the `--spi-events-listener-email-exclude-events` argument. For example:
[source,bash]
----
kc.[sh|bat] --spi-events-listener-email-exclude-events=UPDATE_TOTP,REMOVE_TOTP
----