bin/kc.[sh|bat] start --features=user-event-metrics --metrics-enabled=true --event-metrics-user-enabled=true ...
This guide is describing a feature which is currently in preview. Please provide your feedback while we’re continuing to work on this. |
Event metrics can provide admins an overview of the different activities in a Keycloak instance. For now, only metrics for user events are captured. For example, you can monitor the number of logins, login failures, or token refreshes performed.
The metrics are exposed using the standard metrics endpoint, and you can use it in your own metrics collection system to create dashboards and alerts.
The metrics are reported as counters per Keycloak instance. The counters are reset on the restart of the instance. If you have multiple instances running in a cluster, you will need to collect the metrics from all instances and aggregate them to get per a cluster view.
To start collecting metrics, enable the feature user-event-metrics
, enable metrics, and enable the metrics for user events.
The following shows the required startup parameters:
bin/kc.[sh|bat] start --features=user-event-metrics --metrics-enabled=true --event-metrics-user-enabled=true ...
By default, there is a separate metric for each realm.
To break down the metric by client and identity provider, you can add those metrics dimension using the configuration option event-metrics-user-tags
.
This can be useful on installations with a small number of clients and IDPs.
This is not recommended for installations with a large number of clients or IDPs as it will increase the memory usage of Keycloak and as it will increase the load on your monitoring system.
The following shows how to configure Keycloak to break down the metrics by all three metrics dimensions:
bin/kc.[sh|bat] start ... --event-metrics-user-tags=realm,idp,clientId ...
You can limit the events for which Keycloak will expose metrics. See the Server Administration Guide on event types for an overview of the available events.
The following example limits the events collected to LOGIN
and LOGOUT
events:
bin/kc.[sh|bat] start ... --event-metrics-user-events=login,logout ...
All error events will be collected with the primary event type and will have the error
tag filled with the error code.
The snippet below is an example of a response provided by the metric endpoint:
# HELP keycloak_user_events_total Keycloak user events
# TYPE keycloak_user_events_total counter
keycloak_user_events_total{client_id="security-admin-console",error="",event="code_to_token",idp="",realm="master",} 1.0
keycloak_user_events_total{client_id="security-admin-console",error="",event="login",idp="",realm="master",} 1.0
keycloak_user_events_total{client_id="security-admin-console",error="",event="logout",idp="",realm="master",} 1.0
keycloak_user_events_total{client_id="security-admin-console",error="invalid_user_credentials",event="login",idp="",realm="master",} 1.0
Value | |
---|---|
|
|
Available only when metrics are enabled and feature user-event-metrics is enabled |
|
Available only when user event metrics are enabled Use |
|
Available only when user event metrics are enabled |
|