Configuring logging
Logging is a key mechanism for understanding and operating NQRust-Identity. It should help you to monitor NQRust-Identity’s health, debug issues, and maintain an audit trail of important events.
You can configure logging for the root log level or for more specific categories such as org.hibernate or org.keycloak.
It is also possible to tailor log levels for each particular log handler.
In NQRust-Identity, logging goes beyond setting log levels — you can direct output to different handlers, use asynchronous logging for performance, capture HTTP access logs, and more. These features make it possible to adapt logging to your operational needs and integrate with observability platforms.
NQRust-Identity uses the NQRust Logging framework under the hood.
Available log handlers
| Console Logs to standard output | File Persists logs to disk | Syslog Sends logs to Syslog server |
To enable log handlers, enter the following command:
bin/kc.[sh|bat] start --log="<handler1>,<handler2>"Log levels
The following table defines the available log levels.
| Level | Description |
|---|---|
| FATAL | Critical failures with complete inability to serve any kind of request. |
| ERROR | A significant error or problem leading to the inability to process requests. |
| WARN | A non-critical error or problem that might not require immediate correction. |
| INFO | NQRust-Identity lifecycle events or important information. Low frequency. |
| DEBUG | More detailed information for debugging purposes, such as database logs. Higher frequency. |
| TRACE | Most detailed debugging information. Very high frequency. |
| ALL | Special level for all log messages. |
| OFF | Special level to turn logging off entirely (not recommended). |
Configuring the root log level
When no log level configuration exists for a more specific category logger, the enclosing category is used instead. When there is no enclosing category, the root logger level is used.
To set the root log level, enter the following command:
bin/kc.[sh|bat] start --log-level=<root-level>Use these guidelines for this command:
- For
<root-level>, supply a level defined in the preceding table. - The log level is case-insensitive. For example, you could either use
DEBUGordebug. - If you were to accidentally set the log level twice, the last occurrence in the list becomes the log level. For example, if you included the syntax
--log-level="info,…,DEBUG,…", the root logger would beDEBUG.
Configuring category-specific log levels
You can set different log levels for specific areas in NQRust-Identity. Use this command to provide a comma-separated list of categories for which you want a different log level:
bin/kc.[sh|bat] start --log-level="<root-level>,<org.category1>:<org.category1-level>"A configuration that applies to a category also applies to its sub-categories unless you include a more specific matching sub-category.
Example
bin/kc.[sh|bat] start --log-level="INFO,org.hibernate:debug,org.hibernate.hql.internal.ast:info"This example sets the following log levels:
- Root log level for all loggers is set to INFO.
- The hibernate log level in general is set to debug.
- To keep SQL abstract syntax trees from creating verbose log output, the specific subcategory
org.hibernate.hql.internal.astis set to info. As a result, the SQL abstract syntax trees are omitted instead of appearing at thedebuglevel.
Configuring levels as individual options
When configuring category-specific log levels, you can also set the log levels as individual log-level-<category> options instead of using the log-level option for that.
This is useful when you want to set the log levels for selected categories without overwriting the previously set log-level option.
Example
If you start the server as:
bin/kc.[sh|bat] start --log-level="INFO,org.hibernate:debug"you can then set an environmental variable KC_LOG_LEVEL_ORG_KEYCLOAK=trace to change the log level for the org.keycloak category.
The log-level-<category> options take precedence over log-level. This allows you to override what was set in the log-level option.
For instance if you set KC_LOG_LEVEL_ORG_HIBERNATE=trace for the CLI example above, the org.hibernate category will use the trace level instead of debug.
Bear in mind that when using the environmental variables, the category name must be in uppercase and the dots must be replaced with underscores. When using other config sources, the category name must be specified "as is", for example:
bin/kc.[sh|bat] start --log-level="INFO,org.hibernate:debug" --log-level-org.keycloak=traceSpecify log level for each handler
The log-level property specifies the global root log level and levels for selected categories.
However, a more fine-grained approach for log levels is necessary to comply with the modern application requirements.
To set log levels for particular handlers, properties in format log-<handler>-level (where <handler> is available log handler) were introduced.
It means properties for log level settings look like this:
log-console-level- Console log handlerlog-file-level- File log handlerlog-syslog-level- Syslog log handler
The log-<handler>-level properties are available only when the particular log handlers are enabled.
More information in log handlers settings below.
Only log levels specified in Log levels section are accepted, and must be in lowercase. There is no support for specifying particular categories for log handlers yet.
General principle
It is necessary to understand that setting the log levels for each particular handler does not override the root level specified in the log-level property.
Log handlers respect the root log level, which represents the maximal verbosity for the whole logging system.
It means individual log handlers can be configured to be less verbose than the root logger, but not more.
Specifically, when an arbitrary log level is defined for the handler, it does not mean the log records with the log level will be present in the output.
In that case, the root log-level must also be assessed.
Log handler levels provide the restriction for the root log level, and the default log level for log handlers is all - without any restriction.
Examples
Example: debug for file handler, but info for console handler:
bin/kc.[sh|bat] start --log=console,file --log-level=debug --log-console-level=infoThe root log level is set to debug, so every log handler inherits the value - so does the file log handler.
To hide debug records in the console, we need to set the minimal (least severe) level to info for the console handler.
Example: warn for all handlers, but debug for file handler:
bin/kc.[sh|bat] start --log=console,file,syslog --log-level=debug --log-console-level=warn --log-syslog-level=warnThe root level must be set to the most verbose required level (debug in this case), and other log handlers must be amended accordingly.
Example: info for all handlers, but debug+org.nqrust-identity.events:trace for Syslog handler:
bin/kc.[sh|bat] start --log=console,file,syslog --log-level=debug,org.keycloak.events:trace, --log-syslog-level=trace --log-console-level=info --log-file-level=infoIn order to see the org.keycloak.events:trace, the trace level must be set for the Syslog handler.
Adding context for log messages
You can enable additional context information for each log line like the current realm and client that is executing the request.
Use the option log-mdc-enabled to enable it.
Example configuration
bin/kc.[sh|bat] start --log-mdc-enabled=trueExample output
2025-06-20 14:13:01,772 {kc.clientId=security-admin-console, kc.realmName=master} INFO ...Specify which keys to be added by setting the configuration option log-mdc-keys.
Use different JSON format for log handlers
Every log handler provides the ability to have structured log output in JSON format.
It can be enabled by properties in the format log-<handler>-output=json (where <handler> is a log handler).
If you need a different format of the produced JSON, you can leverage the following JSON output formats:
default(default)ecs
The ecs value refers to the ECS (opens in a new tab) (Elastic Common Schema).
ECS is an open-source, community-driven specification that defines a common set of fields to be used with Elastic solutions. The ECS specification is being converged with OpenTelemetry Semantic Conventions (opens in a new tab) with the goal of creating a single standard maintained by OpenTelemetry.
In order to change the JSON output format, properties in the format log-<handler>-json-format (where <handler> is a log handler) were introduced:
log-console-json-format- Console log handlerlog-file-json-format- File log handlerlog-syslog-json-format- Syslog log handler
Customize the service fields
When using JSON log output, NQRust-Identity includes service.name and potentially service.environment fields in the log entries.
By default, service.name is set to keycloak, and service.environment is not set for the default JSON format.
For the ECS format, the service.environment is set to the Quarkus profile (e.g. prod).
You can customize these fields across all log handlers using the following options:
log-service-name- Set theservice.namefield (default:keycloak)log-service-environment- Set theservice.environmentfield
These options apply to all log handlers (console, file, and syslog) that have JSON output enabled.
Example
bin/kc.[sh|bat] start --log-console-output=json --log-service-name=my-keycloak --log-service-environment=productionExample
If you want to have JSON logs in ECS (Elastic Common Schema) format for the console log handler, you can enter the following command:
bin/kc.[sh|bat] start --log-console-output=json --log-console-json-format=ecsExample Log Message
{"@timestamp":"2025-02-03T14:53:22.539484211+01:00","event.sequence":9608,"log.logger":"io.quarkus","log.level":"INFO","message":"Keycloak 999.0.0-SNAPSHOT on JVM (powered by Quarkus 3.17.8) started in 4.615s. Listening on: http://0.0.0.0:8080","process.thread.name":"main","process.thread.id":1,"mdc":{},"ndc":"","host.hostname":"host-name","process.name":"/usr/lib/jvm/jdk-21.0.3+9/bin/java","process.pid":77561,"data_stream.type":"logs","ecs.version":"1.12.2","service.environment":"prod","service.name":"Keycloak","service.version":"999.0.0-SNAPSHOT"}Asynchronous logging
NQRust-Identity supports asynchronous logging, which might be useful for deployments requiring high throughput and low latency. Asynchronous logging uses a separate thread to take care of processing all log records. The logging handlers are invoked in exactly the same way as with synchronous logging, only done in separate threads. You can enable asynchronous logging for all NQRust-Identity log handlers. A dedicated thread will be created for every log handler with enabled asynchronous logging.
The underlying mechanism for asynchronous logging uses a queue for processing log records. Every new log record is added to the queue and then published to the particular log handler with enabled asynchronous logging. Every log handler has a different queue.
If the queue is already full, it blocks the main thread and waits for free space in the queue.
When to use asynchronous logging
- You need lower latencies for incoming requests
- You need higher throughput
- You have small worker thread pool and want to offload logging to separate threads
- You want to reduce the impact of I/O-heavy log handlers
- You are logging to remote destinations (e.g., network syslog servers) and want to avoid blocking worker threads
Be aware that enabling asynchronous logging might bring some additional memory overhead due to the additional separate thread and the inner queue. In that case, it is not recommended to use it for resource-constrained environments. Additionally, unexpected server shutdowns create a risk of losing log records.
Enable asynchronous logging
You can enable asynchronous logging globally for all log handlers by using log-async property as follows:
bin/kc.[sh|bat] start --log-async=trueOr you can enable the asynchronous logging for every specific handler by using properties in the format log-<handler>-async (where <handler> is a log handler).
If the property for a specific handler is not set, the value from the parent log-async property is used.
You can use these properties as follows:
bin/kc.[sh|bat] start --log-console-async=true --log-file-async=true --log-syslog-async=truelog-console-async- Console log handlerlog-file-async- File log handlerlog-syslog-async- Syslog log handler
Change queue length
You can change the size of the queue used for the asynchronous logging. The default size is 512 log records in the queue.
You can change the queue length as follows:
bin/kc.[sh|bat] start --log-console-async-queue-length=512 --log-file-async-queue-length=512 --log-syslog-async-queue-length=512These properties are available only when asynchronous logging is enabled for these specific log handlers.
HTTP Access Logging
NQRust-Identity supports HTTP access logging to record details of incoming HTTP requests. While access logs are often used for debugging and traffic analysis, they are also important for security auditing and compliance monitoring, helping administrators track access patterns, identify suspicious activity, and maintain audit trails.
These logs are written at the INFO level, so make sure your logging configuration includes this level — either globally (e.g. log-level=info) or specifically for the access log category (e.g. log-level=org.keycloak.http.access-log:info).
When HTTP access logs are enabled, they are shown by default, as INFO level is the default log level for NQRust-Identity.
How to enable
You can enable HTTP access logging by using http-access-log-enabled property as follows:
bin/kc.[sh|bat] start --http-access-log-enabled=trueChange log format/pattern
You can change format/pattern of the access log records by using http-access-log-pattern property as follows:
bin/kc.[sh|bat] start --http-access-log-pattern=combinedPredefined named patterns:
common(default) - prints basic information about the requestcombined- prints basic information about the request + information about referer and user agentlong- prints comprehensive information about the request with all its headers
You can even specify your own pattern with your required data to be logged, such as:
bin/kc.[sh|bat] start --http-access-log-pattern='%A %{METHOD} %{REQUEST_URL} %{i,User-Agent}'HTTP Access logs may contain sensitive HTTP headers like Authorization, Cookie, or external API keys references.
The Authorization header and selected sensitive cookies are automatically masked in the HTTP Access log. However, the list of masked items might not be complete. Be careful with using the long pattern or printing the headers by the custom format - you should use it only for development purposes. To extend the list of the masked items, see below.
Consult the Quarkus documentation (opens in a new tab) for the full list of variables that can be used.
Mask specific HTTP headers and cookies
Selected sensitive HTTP headers and cookies are automatically masked in the HTTP Access log.
Masked sensitive HTTP headers:
Authorization
Masked sensitive NQRust-Identity cookies:
AUTH_SESSION_IDKC_AUTH_SESSION_HASHKEYCLOAK_IDENTITYKEYCLOAK_SESSIONAUTH_SESSION_ID_LEGACYKEYCLOAK_IDENTITY_LEGACYKEYCLOAK_SESSION_LEGACY
In order to extend the list of the masked items (e.g. to accommodate for headers and cookies used by your custom extensions), configure the http-access-log-masked-headers and http-access-log-masked-cookies options.
bin/kc.[sh|bat] start --http-access-log-enabled=true --http-access-log-masked-headers=X-Custom,Y-Api-Token --http-access-log-masked-cookies=MY_COOKIE,MY_SECOND_COOKIEExclude specific URL paths
It is possible to exclude specific URL paths from the HTTP access logging, so they will not be recorded.
You can use regular expressions to exclude them, such as:
bin/kc.[sh|bat] start --http-access-log-exclude='/realms/my-internal-realm/.*'In this case, all calls to the /realms/my-internal-realm/ and subsequent paths will be excluded from the HTTP Access log.
Log to dedicated file with rotation
Instead of keeping the HTTP access logs in the normal server log, you can write them to a dedicated log file. This helps you separate HTTP access logs from the server logs and maintain audit trails. When file logging is enabled, HTTP access logs are not written to the console.
Enable file logging
You can enable file logging as follows:
bin/kc.[sh|bat] start --http-access-log-enabled=true --http-access-log-file-enabled=trueThis automatically creates a file called keycloak-http-access.log in the /data/log directory of your distribution.
Change file name and suffix
You can change the name of the log file using the http-access-log-file-name property.
To change the file suffix (.log is the default), use the http-access-log-file-suffix property.
For example, to write HTTP access logs to the file my-http-logs.txt:
bin/kc.[sh|bat] start --http-access-log-enabled=true --http-access-log-file-enabled=true --http-access-log-file-name=my-http-logs --http-access-log-file-suffix=txtFile rotation
By default, the HTTP access log file is rotated daily.
When the daily rotation occurs, a date-based suffix '.{yyyy-MM-dd}' is added to the log file name from the previous day, keeping access logs separated by date (for example, keycloak-http-access.2052-02-29.log).
To disable rotation, use the following configuration:
bin/kc.[sh|bat] start --http-access-log-enabled=true --http-access-log-file-enabled=true --http-access-log-file-rotate=falseTelemetry Logs export (OpenTelemetry)
It is possible to export OpenTelemetry logs from your deployment to the OpenTelemetry collector for centralized log management.
For more details, see the Centralize your observability stack with OpenTelemetry guide.
Relevant options
| Option | Type or Values | Default |
|---|---|---|
logEnable one or more log handlers in a comma-separated list. CLI: --logEnv: KC_LOG | console, file, syslog | console |
log-asyncIndicates whether to log asynchronously to all handlers. CLI: --log-asyncEnv: KC_LOG_ASYNC | true, false | false |
log-levelThe log level of the root category or a comma-separated list of individual categories and their levels. For the root category, you don’t need to specify a category. CLI: --log-levelEnv: KC_LOG_LEVEL | List | info |
log-level-<category>The log level of a category. Takes precedence over the log-level option.CLI: --log-level-<category>Env: KC_LOG_LEVEL_<CATEGORY> | off, fatal, error, warn, info, debug, trace, all | |
log-service-environmentSet the service.<br/>environment field in JSON log entries for all log handlers. In ECS format, defaults to the Quarkus profile if not set.CLI: --log-service-environmentEnv: KC_LOG_SERVICE_ENVIRONMENT | String | |
log-service-nameSet the service.<br/>name field in JSON log entries for all log handlers.CLI: --log-service-nameEnv: KC_LOG_SERVICE_NAME | String | keycloak |
Console
| Option | Type or Values | Default |
|---|---|---|
log-console-asyncIndicates whether to log asynchronously to console. If not set, value from the parent property log-async is used.CLI: --log-console-asyncEnv: KC_LOG_CONSOLE_ASYNC | true, false | false |
log-console-async-queue-lengthThe queue length to use before flushing writing when logging to console. CLI: --log-console-async-queue-lengthEnv: KC_LOG_CONSOLE_ASYNC_QUEUE_LENGTH | Integer | 512 |
log-console-colorEnable or disable colors when logging to console. If this is not present then an attempt will be made to guess if the terminal supports color. CLI: --log-console-colorEnv: KC_LOG_CONSOLE_COLOR | true, false | |
log-console-formatThe format of unstructured console log entries. If the format has spaces in it, escape the value using "<format>". CLI: --log-console-formatEnv: KC_LOG_CONSOLE_FORMAT | String | %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n |
log-console-include-mdcInclude mdc information in the console log. If the log-console-format option is specified, this option has no effect.CLI: --log-console-include-mdcEnv: KC_LOG_CONSOLE_INCLUDE_MDC | true, false | true |
log-console-include-traceInclude tracing information in the console log. If the log-console-format option is specified, this option has no effect.CLI: --log-console-include-traceEnv: KC_LOG_CONSOLE_INCLUDE_TRACE | true, false | true |
log-console-json-formatSet the format of the produced JSON. CLI: --log-console-json-formatEnv: KC_LOG_CONSOLE_JSON_FORMAT | default, ecs | default |
log-console-levelSet the log level for the console handler. It specifies the most verbose log level for logs shown in the output. It respects levels specified in the log-level option, which represents the maximal verbosity for the whole logging system. For more information, check the Logging guide.CLI: --log-console-levelEnv: KC_LOG_CONSOLE_LEVEL | off, fatal, error, warn, info, debug, trace, all | all |
log-console-outputSet the log output to JSON or default (plain) unstructured logging. CLI: --log-console-outputEnv: KC_LOG_CONSOLE_OUTPUT | default, json | default |
File
| Option | Type or Values | Default |
|---|---|---|
log-fileSet the log file path and filename. CLI: --log-fileEnv: KC_LOG_FILE | File | data/log/keycloak.log |
log-file-asyncIndicates whether to log asynchronously to file log. If not set, value from the parent property log-async is used.CLI: --log-file-asyncEnv: KC_LOG_FILE_ASYNC | true, false | false |
log-file-async-queue-lengthThe queue length to use before flushing writing when logging to file log. CLI: --log-file-async-queue-lengthEnv: KC_LOG_FILE_ASYNC_QUEUE_LENGTH | Integer | 512 |
log-file-formatSet a format specific to file log entries. CLI: --log-file-formatEnv: KC_LOG_FILE_FORMAT | String | %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n |
log-file-include-mdcInclude MDC information in the file log. If the log-file-format option is specified, this option has no effect.CLI: --log-file-include-mdcEnv: KC_LOG_FILE_INCLUDE_MDC | true, false | true |
log-file-include-traceInclude tracing information in the file log. If the log-file-format option is specified, this option has no effect.CLI: --log-file-include-traceEnv: KC_LOG_FILE_INCLUDE_TRACE | true, false | true |
log-file-json-formatSet the format of the produced JSON. CLI: --log-file-json-formatEnv: KC_LOG_FILE_JSON_FORMAT | default, ecs | default |
log-file-levelSet the log level for the file handler. It specifies the most verbose log level for logs shown in the output. It respects levels specified in the log-level option, which represents the maximal verbosity for the whole logging system. For more information, check the Logging guide.CLI: --log-file-levelEnv: KC_LOG_FILE_LEVEL | off, fatal, error, warn, info, debug, trace, all | all |
log-file-outputSet the log output to JSON or default (plain) unstructured logging. CLI: --log-file-outputEnv: KC_LOG_FILE_OUTPUT | default, json | default |
log-file-rotation-enabledEnables log file rotation. CLI: --log-file-rotation-enabledEnv: KC_LOG_FILE_ROTATION_ENABLED | true, false | true |
log-file-rotation-file-suffixSet the log file handler rotation file suffix. When used, the file will be rotated based on its suffix. Example: .yyyy-MM-dd to rotate daily. Note: If the suffix ends with .zip or .gz, the rotation file will also be compressed.CLI: --log-file-rotation-file-suffixEnv: KC_LOG_FILE_ROTATION_FILE_SUFFIX | String | |
log-file-rotation-max-backup-indexThe maximum number of backup log files to keep. CLI: --log-file-rotation-max-backup-indexEnv: KC_LOG_FILE_ROTATION_MAX_BACKUP_INDEX | Integer | 5 |
log-file-rotation-max-file-sizeThe maximum log file size, after which a rotation is executed. Supports size suffixes (e.g. 10M, 1G). CLI: --log-file-rotation-max-file-sizeEnv: KC_LOG_FILE_ROTATION_MAX_FILE_SIZE | String | 10M |
log-file-rotation-rotate-on-bootIndicates whether to rotate log files on server start. CLI: --log-file-rotation-rotate-on-bootEnv: KC_LOG_FILE_ROTATION_ROTATE_ON_BOOT | true, false | true |
Syslog
| Option | Type or Values | Default |
|---|---|---|
log-syslog-app-nameSet the app name used when formatting the message in RFC5424 format. CLI: --log-syslog-app-nameEnv: KC_LOG_SYSLOG_APP_NAME | String | keycloak |
log-syslog-asyncIndicates whether to log asynchronously to Syslog. If not set, value from the parent property log-async is used.CLI: --log-syslog-asyncEnv: KC_LOG_SYSLOG_ASYNC | true, false | false |
log-syslog-async-queue-lengthThe queue length to use before flushing writing when logging to Syslog. CLI: --log-syslog-async-queue-lengthEnv: KC_LOG_SYSLOG_ASYNC_QUEUE_LENGTH | Integer | 512 |
log-syslog-counting-framingIf true, the message being sent is prefixed with the size of the message. If protocol-dependent, the default value is true when log-syslog-protocol is tcp or ssl-tcp, otherwise false.CLI: --log-syslog-counting-framingEnv: KC_LOG_SYSLOG_COUNTING_FRAMING | true, false, protocol-dependent | protocol-dependent |
log-syslog-endpointSet the IP address and port of the Syslog server. CLI: --log-syslog-endpointEnv: KC_LOG_SYSLOG_ENDPOINT | String | localhost:514 |
log-syslog-formatSet a format specific to Syslog entries. CLI: --log-syslog-formatEnv: KC_LOG_SYSLOG_FORMAT | String | %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n |
log-syslog-include-mdcInclude MDC information in the Syslog. If the log-syslog-format option is specified, this option has no effect.CLI: --log-syslog-include-mdcEnv: KC_LOG_SYSLOG_INCLUDE_MDC | true, false | true |
log-syslog-include-traceInclude tracing information in the Syslog. If the log-syslog-format option is specified, this option has no effect.CLI: --log-syslog-include-traceEnv: KC_LOG_SYSLOG_INCLUDE_TRACE | true, false | true |
log-syslog-json-formatSet the format of the produced JSON. CLI: --log-syslog-json-formatEnv: KC_LOG_SYSLOG_JSON_FORMAT | default, ecs | default |
log-syslog-levelSet the log level for the Syslog handler. It specifies the most verbose log level for logs shown in the output. It respects levels specified in the log-level option, which represents the maximal verbosity for the whole logging system. For more information, check the Logging guide.CLI: --log-syslog-levelEnv: KC_LOG_SYSLOG_LEVEL | off, fatal, error, warn, info, debug, trace, all | all |
log-syslog-max-lengthSet the maximum length, in bytes, of the message allowed to be sent. The length includes the header and the message. If not set, the default value is 2048 when log-syslog-type is rfc5424 (default) and 1024 when log-syslog-type is rfc3164.CLI: --log-syslog-max-lengthEnv: KC_LOG_SYSLOG_MAX_LENGTH | String | |
log-syslog-outputSet the Syslog output to JSON or default (plain) unstructured logging. CLI: --log-syslog-outputEnv: KC_LOG_SYSLOG_OUTPUT | default, json | default |
log-syslog-protocolSet the protocol used to connect to the Syslog server. CLI: --log-syslog-protocolEnv: KC_LOG_SYSLOG_PROTOCOL | tcp, udp, ssl-tcp | tcp |
log-syslog-typeSet the Syslog type used to format the sent message. CLI: --log-syslog-typeEnv: KC_LOG_SYSLOG_TYPE | rfc5424, rfc3164 | rfc5424 |
HTTP Access log
| Option | Type or Values | Default |
|---|---|---|
http-access-log-enabledIf HTTP access logging is enabled. By default this will log records in console. CLI: --http-access-log-enabledEnv: KC_HTTP_ACCESS_LOG_ENABLED | true, false | false |
http-access-log-excludeA regular expression that can be used to exclude some paths from logging. For instance, /realms/my-realm/.* will exclude all subsequent endpoints for realm my-realm from the log.CLI: --http-access-log-excludeEnv: KC_HTTP_ACCESS_LOG_EXCLUDE | String | |
http-access-log-file-enabledIf HTTP access logging should be done to a separate file. CLI: --http-access-log-file-enabledEnv: KC_HTTP_ACCESS_LOG_FILE_ENABLED | true, false | false |
http-access-log-file-nameThe HTTP access log file base name, which will create a log file name concatenating base and suffix (e. g. keycloak-http-access.log). The file is located in the /data/log directory of the distribution.CLI: --http-access-log-file-nameEnv: KC_HTTP_ACCESS_LOG_FILE_NAME | String | keycloak-http-access |
http-access-log-file-rotateIf the HTTP Access log file should be rotated daily. CLI: --http-access-log-file-rotateEnv: KC_HTTP_ACCESS_LOG_FILE_ROTATE | true, false | true |
http-access-log-file-suffixThe HTTP access log file suffix. When rotation is enabled, a date-based suffix .{yyyy-MM-dd} is added before the specified suffix. If multiple rotations occur on the same day, an incremental index is appended to the date.CLI: --http-access-log-file-suffixEnv: KC_HTTP_ACCESS_LOG_FILE_SUFFIX | String | .log |
http-access-log-masked-cookiesSet of HTTP Cookie headers whose values must be masked when the long pattern or %{ALL_REQUEST_HEADERS} format is enabled with the http-access-log-pattern option. Selected security sensitive cookies are always masked. CLI: --http-access-log-masked-cookiesEnv: KC_HTTP_ACCESS_LOG_MASKED_COOKIES | List | |
http-access-log-masked-headersSet of HTTP headers whose values must be masked when the long pattern or %{ALL_REQUEST_HEADERS} format is enabled with the http-access-log-pattern option. Selected security sensitive headers are always masked. CLI: --http-access-log-masked-headersEnv: KC_HTTP_ACCESS_LOG_MASKED_HEADERS | List | |
http-access-log-patternThe HTTP access log pattern. You can use the available named formats, or use custom format described in Quarkus documentation. CLI: --http-access-log-patternEnv: KC_HTTP_ACCESS_LOG_PATTERN | common, combined, long, or any | common |
Mapped Diagnostic Context (MDC)
| Option | Type or Values | Default |
|---|---|---|
log-mdc-enabledIndicates whether to add information about the realm and other information to the mapped diagnostic context. All elements will be prefixed with kc.CLI: --log-mdc-enabledEnv: KC_LOG_MDC_ENABLED | true, false | false |
log-mdc-keysDefines which information should be added to the mapped diagnostic context as a comma-separated list. CLI: --log-mdc-keysEnv: KC_LOG_MDC_KEYS | realmName, clientId, userId, ipAddress, org, sessionId, authenticationSessionId, authenticationTabId | realmName,clientId,org,sessionId,authenticationSessionId,authenticationTabId |
Telemetry Logs (OpenTelemetry)
| Option | Type or Values | Default |
|---|---|---|
telemetry-logs-enabledEnables exporting logs to a destination handling OpenTelemetry logs. CLI: --telemetry-logs-enabledEnv: KC_TELEMETRY_LOGS_ENABLED | true, false | false |
telemetry-logs-endpointOpenTelemetry endpoint to export logs to. If not given, the value is inherited from the telemetry-endpoint option.CLI: --telemetry-logs-endpointEnv: KC_TELEMETRY_LOGS_ENDPOINT | String | |
telemetry-logs-header-<header>OpenTelemetry header that will be part of the log exporter request (mainly useful for providing Authorization header). Check the documentation on how to set environment variables for headers containing special characters or custom case-sensitive headers. CLI: --telemetry-logs-header-<header>Env: KC_TELEMETRY_LOGS_HEADER_<HEADER> | String | |
telemetry-logs-levelThe most verbose log level exported to the telemetry endpoint. For more information, check the Telemetry guide. CLI: --telemetry-logs-levelEnv: KC_TELEMETRY_LOGS_LEVEL | off, fatal, error, warn, info, debug, trace, all | all |
telemetry-logs-protocolOpenTelemetry protocol used for exporting logs. If not given, the value is inherited from the telemetry-protocol option.CLI: --telemetry-logs-protocolEnv: KC_TELEMETRY_LOGS_PROTOCOL | grpc, http/protobuf |