Events & audit
Event logging is your audit trail — who logged in, what failed, and what an admin changed.
User events
Section titled “User events”Login successes/failures, logouts, registrations, and credential changes.
- Recommended: on, with a retention window that matches your compliance needs.
- Ask the assistant: “Turn on login event logging for acme-prod.”
- Keycloak: Realm settings → Events → User events settings.
Admin events
Section titled “Admin events”Every administrative change to the realm (clients, roles, flows, settings).
- Recommended: on, with Include representation so the change detail is captured.
- Ask the assistant: “Enable admin event logging for acme-prod.”
- Keycloak: Realm settings → Events → Admin events settings.
Where the data goes
Section titled “Where the data goes”Events feed the platform’s analytics/SIEM pipeline — exported and queryable for usage reporting and security signals (brute-force spikes, anomalous logins). See Reporting & Analytics for the dashboards and the event pipeline.
Retention
Section titled “Retention”Set an expiry on stored events so the pool doesn’t accumulate them unbounded; long-term audit copies live in the analytics pipeline, not the realm database.