Audit logs

Audit logs provide a structured record of administrative activity across the Authorization Hub. They are designed to answer critical security questions, such as: "Who modified this policy and when?" or "Who accessed the system and what did they do?"

The system generates audit logs for all CRUD (Create, Read, Update, Delete) operations involving authorization components, policy insights, and user management. Furthermore, logs capture critical identity and access management events occurring within Keycloak.

Logs are produced in JSON format and displayed in the console, allowing for seamless integration with the external observability or SIEM (Security Information and Event Management) system of your choice.

At a high level, each event consists of the following fields:

Log component	JSON key	Description
Action	"operation"	The specific operation that was performed. See Audit log operations for details.
Resource	"resource"	The object that was created, read, updated, or deleted. Examples: project, policy, domain.
Result	"result"	Indicates the outcome of the action.
Actor	"user"	The user or client that performed the action.
Timestamp	"event_timestamp"	When the event occurred (UTC, ISO 8601).
Details	"details"	Additional metadata, such as IDs, names, operation results, or error indicators.

tip

Keycloak is configured to output logs in ECS JSON format and the audit payload to be parsed by the log pipeline is embedded in the "message" field. See the Keycloak events section below.

Data privacy & security

Audit logs are designed to be safe for export and compliant with global privacy best practices:

• Anonymized actors: Actors are identified only by technical identifiers, such as an externalUserId (UUID). Personally Identifiable Information (PII), including usernames, emails, and full names, is never recorded.
• No sensitive data: Log payloads exclude passwords, API keys, shared secrets, and other sensitive configuration values.

Audit log operations

Operation	Description
dictionary.attribute.get	Get all active attributes from the dictionary.
dictionary.attribute.get.by.fqn	Get an attribute by its FQN.
dictionary.attribute.get.by.id	Get an attribute by its unique ID.
dictionary.attribute.create	Create a new attribute.
dictionary.attribute.update	Update an attribute.
dictionary.attribute.delete	Delete an attribute.
dictionary.attribute.export	Export all active attributes.
dictionary.attribute.import	Import attributes.
dictionary.namespace.get	Get all namespaces used in the dictionary.
dictionary.cacheprofile.get	Get all cache profiles.
dictionary.cacheprofile.create	Create a new cache profile.
dictionary.cacheprofile.get.by.name	Get a cache profile by its name.
dictionary.cacheprofile.update	Update a cache profile.
dictionary.cacheprofile.delete	Delete a cache profile.
connector.get	Get all attribute connectors.
connector.get.by.fqn	Get an attribute connector by its FQN.
connector.get.by.id	Get an attribute connector by its unique ID.
connector.get.by.attributes	Get all attribute connectors that use specific attributes.
connector.create	Create a new attribute connector.
connector.update	Update an attribute connector.
connector.delete	Delete an attribute connector.
connector.export	Export all attribute connectors.
connector.import	Import attribute connectors.
domain.list	Get all domains.
domain.get_by_id	Get a domain by its unique ID.
domain.get_by_name	Get a domain by its name.
domain.compose	Compose an authorization domain.
domain.copy	Copy a domain.
domain.store	Store a domain.
domain.rollback	Rolls back domain name.
domain.history.list	Get domain history by name.
domain.metadata.list	Retrieve the metadata of all domains under a specified namespace.
policyfile.get	Get a specific file content from a policy package.
policypackage.get	Get a policy package by name.
policypackage.create	Create a policy package.
policypackage.update	Update a policy package.
project.get	Get all projects.
project.create	Create a project.
project.update	Update a project.
project.leave	Leave a project.
principal.user.get	Get all users.
principal.user.get.by.id	Get a user by their unique ID.
principal.user.get.by.email	Get a user by their email.
principal.user.create	Create a user.
principal.user.update	Update a user.
principal.user.me	Get the details of the currently authenticated user.
principal.client.get	Get all M2M clients.
insights.template.get	Get all templates.
insights.template.get.by.name	Get a template by its name.
insights.template.get.by.id	Get a template by its unique ID.
insights.template.create	Create a template.
insights.template.update	Update a template.
insights.template.delete	Delete a template.
insights.report.get	Get all reports.
insights.report.get.by.id	Get a report by its unique ID.
insights.report.create	Create a report.
insights.endpoint.get	List configured endpoints.

Keycloak events

Keycloak user events, such as logins and logouts, are mapped to auth.<event_type>. For example:

• auth.login
• auth.logout
• auth.code_to_token.

note

Success and failure share the same operation name. To distinguish the outcome, the result field (SUCCESSFUL / FAILURE) is used.

Keycloak admin events are mapped to identity.<resource_type>.<operation_type>. For example:

• identity.client.create
• identity.identity_provider.update

Disable audit logs

Audit logs are enabled by default. Follow the steps below to disable them.

Important

This procedure requires Tenant Admin privileges.

1. Navigate to the kubernetes/charts directory and upgrade the Helm chart configuration:

   helm upgrade hub \
   -f hub/values.yaml hub \
   --set services.apiGateway.env.auditEnabled=false
   --set services.adm.env.auditEnabled=false
   --set services.hubService.env.auditEnabled=false

2. Access the Keycloak administration console

   tip

   Read the Access Keycloak section for instructions.

3. In the sidebar menu, under the Configure section, click Realm settings.

4. Switch to the Events tab. Under Event listeners, remove hub-audit-logging from the list.

5. Click Save.