Sending Keycloak logs to Wazuh

Álvaro Boza Hurtado

Oct 16, 2025, 6:56:18 AM (3 days ago) Oct 16
to Wazuh | Mailing List

Good morning,

I am trying to send Keycloak logs to Wazuh for analysis, but by following the guide (https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/monitoring-log-files.html), I haven’t been able to receive anything. This is the configuration I have on the agent to send the logs:

<localfile>
    <log_format>json</log_format>
    <location>/var/log/pods/default_keycloak-*/*/*.log</location>
</localfile>

Am I missing any steps? Thank you very much in advance.

Best regards,


Álvaro Boza Hurtado

Oct 16, 2025, 6:56:20 AM (3 days ago) Oct 16
to Wazuh | Mailing List
Álvaro

diego...@wazuh.com

Oct 16, 2025, 7:28:40 AM (3 days ago) Oct 16
to Wazuh | Mailing List
Hi Álvaro,

Thanks for reaching out! To help you troubleshoot this, I need a bit more context:

Basic info:

  • Which Wazuh version are you running (manager and agent)?
  • What OS is the agent on?

About the logs:

  • Can you confirm there are actual log files matching that path pattern on the agent? (e.g., ls -lh /var/log/pods/default_keycloak-*/*/*.log)
  • Are the logs in valid JSON format? Could you share a sample line?

Wazuh side:

  • After restarting the agent, do you see any errors in /var/ossec/logs/ossec.log related to that localfile configuration?
  • Have you checked if events are arriving at the manager but perhaps not generating alerts? (You can check archives or run a quick query in the Wazuh dashboard)

Once I have this info, we can pinpoint where things might be getting stuck.

diego...@wazuh.com

Oct 16, 2025, 11:18:06 AM (3 days ago) Oct 16
to Wazuh | Mailing List

Hello Diego,

Thank you very much for your response. Please find my answers below:

**Which Wazuh version are you running (manager and agent)?**
Version 4.12 on both the manager and the agent.

**What OS is the agent on?**
Ubuntu 22.04.1

**About the logs:**

**Can you confirm there are actual log files matching that path pattern on the agent?**
Yes, I’ve just confirmed it. There are two log files, and both match the pattern using that command.

**Are the logs in valid JSON format? Could you share a sample line?**
Yes, here’s a sample line:

```
{
  "log": "2025-10-16 09:44:30,906 DEBUG [org.example.authentication.Flow] (executor-thread-XX) client authenticator SUCCESS: [redacted-secret]",
  "stream": "stdout",
  "time": "2025-10-16T09:44:30.906317482Z"
}
```

**Wazuh side:**

**After restarting the agent, do you see any errors in `/var/ossec/logs/ossec.log` related to that localfile configuration?**
No, I don’t see any errors.

**Have you checked if events are arriving at the manager but perhaps not generating alerts?**
Yes, I’ve just checked, but there are no events being generated related to the Keycloak logs.

Many thanks in advance for your help!

Best regards,
Álvaro
-------------------------------------

Álvaro,

I've successfully replicated your exact setup with Keycloak logs in Kubernetes format and confirmed everything works correctly. The issue is most likely that log archiving isn't enabled on your manager.

My test setup:

I created the same configuration on an agent and tested with logs matching your exact format:

{"log":"2025-10-16 09:44:30,906 DEBUG [org.example.authentication.Flow] (executor-thread-XX) client authenticator SUCCESS: [redacted-secret]","stream":"stdout","time":"2025-10-16T09:44:30.906317482Z"}

Result: The manager successfully received and parsed the logs. Here's what I see in /var/ossec/logs/archives/archives.json:

```json
{
  "timestamp": "2025-10-16T11:18:26.371-0300",
  "agent": {"id": "001", "name": "centos9s.localdomain", "ip": "xxx.xxx.xx.xxx"},
  "decoder": {"name": "json"},
  "data": {
    "log": "2025-10-16 09:44:30,906 DEBUG [org.example.authentication.Flow] (executor-thread-XX) client authenticator SUCCESS: [redacted-secret]",
    "stream": "stdout",
    "time": "2025-10-16T09:44:30.906317482Z"
  },
  "location": "/var/log/pods/default_keycloak-test/keycloak/test.log"
}
```

The JSON decoder correctly parsed all fields (log, stream, time), and Wazuh even generated alerts automatically for WARN/ERROR logs.

Steps to fix your setup:

1. Enable log archiving on the manager (this is likely what's missing):

Edit /var/ossec/etc/ossec.conf:

```xml
<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>yes</alerts_log>
  <logall>yes</logall>
  <logall_json>yes</logall_json>
</global>
```

Restart the manager:

sudo systemctl restart wazuh-manager

2. Verify the agent can read your logs:

sudo -u wazuh cat /var/log/pods/default_keycloak-*/*/*.log | head -5

3. Monitor events on the manager:

sudo tail -f /var/ossec/logs/archives/archives.json | grep keycloak


Once you enable archiving, you should start seeing logs immediately. Let me know what you find!

Note: Please use "Reply All" when responding so other Wazuh community members can follow the thread and benefit from the solution. Thanks!
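The two checks Diego asks for in this exchange, whether the pod log lines are valid JSON on the agent side and whether anything for the Keycloak location is actually landing in archives.json on the manager side, as an added Python example (not code from the thread or from Wazuh). The agent log lines and the archive records are constructed for the example, with invented agent name and IP; the regex assumes Keycloak's default console layout `<date> <time> <LEVEL> [<logger>] (<thread>) <message>`, which is the layout of the line quoted above.

```python
import json
import re
from fnmatch import fnmatch

REQUIRED_FIELDS = {"log", "stream", "time"}
KEYCLOAK_LOCATION = "/var/log/pods/default_keycloak-*/*/*.log"

# Constructed sample of what the agent reads from the pod log files. The first
# two lines follow the shape quoted in the thread; the third is deliberately broken.
AGENT_LOG_LINES = [
    '{"log":"2025-10-16 09:44:30,906 DEBUG [org.example.authentication.Flow] '
    '(executor-thread-XX) client authenticator SUCCESS: [redacted-secret]",'
    '"stream":"stdout","time":"2025-10-16T09:44:30.906317482Z"}',
    '{"log":"2025-10-16 09:44:31,120 WARN  [org.keycloak.events] (executor-thread-YY) '
    'type=LOGIN_ERROR, realmId=demo, error=invalid_user_credentials",'
    '"stream":"stdout","time":"2025-10-16T09:44:31.120000000Z"}',
    "2025-10-16 09:44:32,000 INFO plain text line that is not JSON",
]


def validate_container_log_lines(lines):
    """Agent-side pre-check for log_format json: every line must be one JSON
    object carrying the CRI fields log/stream/time. Returns (ok_count, problems)."""
    ok, problems = 0, []
    for n, line in enumerate(lines, 1):
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            problems.append((n, "not valid JSON"))
            continue
        if not isinstance(obj, dict) or not REQUIRED_FIELDS.issubset(obj):
            problems.append((n, "missing one of log/stream/time"))
            continue
        ok += 1
    return ok, problems


# Constructed sample of /var/ossec/logs/archives/archives.json on the manager,
# one JSON document per line in the shape Diego quoted (agent name/IP invented).
# The middle record is an unrelated sshd event to show the location filter at work.
ARCHIVE_LINES = [json.dumps(r) for r in [
    {"timestamp": "2025-10-16T11:18:26.371-0300",
     "agent": {"id": "001", "name": "k8s-node-1", "ip": "10.0.0.5"},
     "decoder": {"name": "json"},
     "data": json.loads(AGENT_LOG_LINES[0]),
     "location": "/var/log/pods/default_keycloak-test/keycloak/test.log"},
    {"timestamp": "2025-10-16T11:18:27.004-0300",
     "agent": {"id": "001", "name": "k8s-node-1", "ip": "10.0.0.5"},
     "decoder": {"name": "sshd"},
     "data": {"srcip": "10.0.0.9"},
     "location": "/var/log/auth.log"},
    {"timestamp": "2025-10-16T11:18:27.310-0300",
     "agent": {"id": "001", "name": "k8s-node-1", "ip": "10.0.0.5"},
     "decoder": {"name": "json"},
     "data": json.loads(AGENT_LOG_LINES[1]),
     "location": "/var/log/pods/default_keycloak-test/keycloak/test.log"},
]]

# After the json decoder, data.log is still one string; Keycloak's default console
# layout is "<date> <time> <LEVEL> [<logger>] (<thread>) <message>", so split it here.
KEYCLOAK_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \S+) (?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)


def keycloak_events_from_archives(lines, location_glob=KEYCLOAK_LOCATION):
    """Manager-side check: pull the Keycloak records out of archives.json
    (json decoder + matching location) and split data.log into its parts."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # archives.json is JSON lines; skip a damaged line
        if rec.get("decoder", {}).get("name") != "json":
            continue
        if not fnmatch(rec.get("location", ""), location_glob):
            continue
        raw = rec.get("data", {}).get("log", "")
        m = KEYCLOAK_LINE.match(raw)
        events.append({
            "agent": rec["agent"]["name"],
            "location": rec["location"],
            "level": m.group("level") if m else None,
            "logger": m.group("logger") if m else None,
            "message": m.group("msg") if m else raw,
        })
    return events


if __name__ == "__main__":
    ok, problems = validate_container_log_lines(AGENT_LOG_LINES)
    print(f"agent side: {ok} valid line(s), problems: {problems}")
    for ev in keycloak_events_from_archives(ARCHIVE_LINES):
        print(f"manager side: {str(ev['level']):<5} {ev['logger']}: {ev['message']}")
```

The split of data.log is the part worth keeping: Wazuh's json decoder stops at the three CRI fields, so the Keycloak level and logger are not separate fields in the event and any rule that wants them has to regex the `log` string. To run the same check against a live manager, feed `tail -f /var/ossec/logs/archives/archives.json` into `keycloak_events_from_archives` line by line.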

Álvaro Boza Hurtado

Oct 17, 2025, 7:00:20 AM (2 days ago) Oct 17
to Wazuh | Mailing List
Hi Diego,

Thank you very much — I've managed to see the traces in the archives file!
To move it to Alerts, is there anything else I should do?

Thanks again,

Best regards,

Álvaro

diego...@wazuh.com

Oct 17, 2025, 1:15:50 PM (2 days ago) Oct 17
to Wazuh | Mailing List

Hi Álvaro,

Great! Now that logs are being collected, you need to create custom rules to generate alerts from your Keycloak logs.

Understanding the difference:

  • Archives = all collected logs (what you're seeing now)
  • Alerts = logs that match specific rules you define

Steps to create alerts:

  1. Create a custom rules file on your Wazuh manager:
    sudo nano /var/ossec/etc/rules/local_rules.xml
  2. Add rules for Keycloak events. Here's a starting example:
```xml
<group name="keycloak,">
  <!-- Rule for any Keycloak log -->
  <rule id="100010" level="3">
    <decoded_as>json</decoded_as>
    <field name="log">\.org\.example</field>
    <description>Keycloak: Log detected</description>
  </rule>

  <!-- Rule for ERROR logs -->
  <rule id="100011" level="7">
    <if_sid>100010</if_sid>
    <field name="log">ERROR</field>
    <description>Keycloak: Error detected</description>
  </rule>

  <!-- Rule for WARN logs -->
  <rule id="100012" level="5">
    <if_sid>100010</if_sid>
    <field name="log">WARN</field>
    <description>Keycloak: Warning detected</description>
  </rule>

  <!-- Rule for authentication success -->
  <rule id="100013" level="3">
    <if_sid>100010</if_sid>
    <field name="log">authenticator SUCCESS</field>
    <description>Keycloak: Authentication successful</description>
  </rule>

</group>
```

3. Restart the manager:
sudo systemctl restart wazuh-manager
4. Verify alerts are being generated (manager):
sudo tail -f /var/ossec/logs/alerts/alerts.json | grep keycloak

5. You can check on the dashboard if the alert was generated correctly. (attached image)

Customize for your needs:

  • Adjust rule levels (0-15, where higher = more critical)
  • Add more specific patterns based on what you want to monitor
  • Use rule groups to organize related alerts

You should start seeing alerts in the Wazuh dashboard shortly after restarting.
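How the posted rule set behaves on a few Keycloak lines, and one way to tighten it, as an added Python example (not code from the thread or from Wazuh). Two things about the rules above are worth checking before relying on them: `<field name="log">ERROR</field>` matches the word anywhere in the line, so a DEBUG line that merely mentions `ERROR_CODE=...` raises the level-7 alert; and the parent pattern keys on `org.example`, which is the redacted logger from the sample, while Keycloak's own loggers live under `org.keycloak`, so real lines would never reach the child rules. The emulator below restates the rules as Python regexes (Wazuh's default `<field>` dialect is its own, where `\.` means "any character"; in Python that is `.`), walks the `if_sid` chain, and, as an assumption, lets the highest-level matching sibling win; the sample lines and the hardened rule set are mine.

```python
import re

# The posted rules restated as Python regexes. Each entry: rule id, level,
# if_sid parent (None for a top-level rule), pattern applied to data.log, description.
POSTED_RULES = [
    {"id": 100010, "level": 3, "if_sid": None,   "pattern": r".org.example",          "desc": "Keycloak: Log detected"},
    {"id": 100011, "level": 7, "if_sid": 100010, "pattern": r"ERROR",                 "desc": "Keycloak: Error detected"},
    {"id": 100012, "level": 5, "if_sid": 100010, "pattern": r"WARN",                  "desc": "Keycloak: Warning detected"},
    {"id": 100013, "level": 3, "if_sid": 100010, "pattern": r"authenticator SUCCESS", "desc": "Keycloak: Authentication successful"},
]

# Hardened variant (my suggestion, not from the thread): accept Keycloak's real
# org.keycloak loggers, and read ERROR/WARN from the level column right after the
# timestamp instead of matching the word anywhere in the message.
HARDENED_RULES = [
    {"id": 100010, "level": 3, "if_sid": None,   "pattern": r"\[org\.(example|keycloak)\.", "desc": "Keycloak: Log detected"},
    {"id": 100011, "level": 7, "if_sid": 100010, "pattern": r"^\S+ \S+ ERROR\s",             "desc": "Keycloak: Error detected"},
    {"id": 100012, "level": 5, "if_sid": 100010, "pattern": r"^\S+ \S+ WARN\s",              "desc": "Keycloak: Warning detected"},
    {"id": 100013, "level": 3, "if_sid": 100010, "pattern": r"authenticator SUCCESS",        "desc": "Keycloak: Authentication successful"},
]


def evaluate(log_field, rules):
    """Return the rule that would fire for one decoded data.log value, or None.
    Walks the if_sid chain: a top-level rule must match first, then its children
    are tried; when several siblings match, the highest level is taken (assumed
    tie-break; confirm on a real manager with wazuh-logtest)."""
    children = {}
    for r in rules:
        children.setdefault(r["if_sid"], []).append(r)
    fired, candidates = None, children.get(None, [])
    while candidates:
        matched = [r for r in candidates if re.search(r["pattern"], log_field)]
        if not matched:
            break
        fired = max(matched, key=lambda r: r["level"])
        candidates = children.get(fired["id"], [])
    return fired


# Constructed data.log values in Keycloak's console layout. Line 3 is a DEBUG
# line that merely mentions ERROR; line 4 uses a real org.keycloak logger.
SAMPLE_LINES = [
    "2025-10-16 09:44:30,906 DEBUG [org.example.authentication.Flow] (executor-thread-XX) client authenticator SUCCESS: [redacted-secret]",
    "2025-10-16 09:45:02,001 ERROR [org.example.authentication.Flow] (executor-thread-XX) client authentication failed",
    "2025-10-16 09:45:03,500 DEBUG [org.example.authentication.Flow] (executor-thread-XX) returning ERROR_CODE=invalid_grant to client",
    "2025-10-16 09:45:04,000 WARN  [org.keycloak.events] (executor-thread-YY) type=LOGIN_ERROR, realmId=demo, error=invalid_user_credentials",
]


def alert_ids(lines, rules):
    """Rule id (or None when nothing fires) that each line would raise."""
    return [(r["id"] if r else None) for r in (evaluate(line, rules) for line in lines)]


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("hardened", HARDENED_RULES)):
        print(name)
        for line in SAMPLE_LINES:
            r = evaluate(line, rules)
            rid = r["id"] if r else "-"
            lvl = r["level"] if r else "-"
            print(f"  {rid:>6} {lvl:>2}  {line[:72]}")
```

Under the posted rules the DEBUG line with `ERROR_CODE` fires 100011 at level 7 and the real `org.keycloak` WARN line fires nothing; under the hardened set they land on 100010 and 100012 respectively. To carry the level-column anchor into `local_rules.xml`, the same pattern works in Wazuh's default dialect as `^\S+ \S+ ERROR`, or set `type="pcre2"` on the `<field>` element and use the Python form as is; either way, confirm the result on the manager by piping a full container JSON line into `/var/ossec/bin/wazuh-logtest` before restarting with the new rules.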
