View/configure access log of Keycloak HTTP server

Question

How to view/configure access logs of HTTP server Keycloak uses?

I'm trying to investigate connection_refused_error to Keycloak admin UI.

Answer 1

Try adding the following <access-log/> tag to your server configuration file, for example: standalone/configuration/standalone.xml.

        <subsystem xmlns="urn:jboss:domain:undertow:4.0">
            <buffer-cache name="default"/>
            <server name="default-server">
                ...
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <!-- Add the following one line -->
                    <access-log prefix="access." />
                    <http-invoker security-realm="ApplicationRealm"/>
                    <filter-ref name="proxy-peer"/>
                </host>
            </server>

You can see access.log in your standalone/log/ directory after restarting your Keycloak server and the log file is rotated daily with a name like access.2019-07-26.log.

EDIT:

You can also use JBoss CLI as follows:

$ ./jboss-cli.sh
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect
[standalone@localhost:9990 /] /subsystem=undertow/server=default-server/host=default-host/setting=access-log:add
{"outcome" => "success"}

these commands adds the one line to standalone.xml:

<access-log/>

the next command shows the access log settings (default values):

[standalone@localhost:9990 /] /subsystem=undertow/server=default-server/host=default-host/setting=access-log:read-resource
{
    "outcome" => "success",
    "result" => {
        "directory" => expression "${jboss.server.log.dir}",
        "extended" => false,
        "pattern" => "common",
        "predicate" => undefined,
        "prefix" => "access_log.",
        "relative-to" => undefined,
        "rotate" => true,
        "suffix" => "log",
        "use-server-log" => false,
        "worker" => "default"
    },
    "response-headers" => {"process-state" => "reload-required"}
}

You can change an attribute (for example, prefix) by the command:

[standalone@localhost:9990 /] /subsystem=undertow/server=default-server/host=default-host/setting=access-log:write-attribute(name=prefix,value=access.)

Answer 2

To extend Kohei TAMURA answer:

In order configure the access log without reloading Keycloak:

1. Add line <access-log worker="default" directory="${jboss.server.log.dir}" prefix="access." suffix="log"/> to standalone/configuration/standalone.xml or standalone/configuration/standalone-ha.xml if clustered configuration is used.

2. Reload Wildfly server configuration without restarting it:

   jboss/keycloak/bin/jboss-cli.sh --connect
   [standalone@localhost:9990 /] reload