cscli parsers install inherent-io/keycloak-logsYour one fits-all keycloak parser with support for the most common kind of failed authentications and errors.
1filter: evt.Parsed.program == 'keycloak'2onsuccess: next_stage3name: inherent-io/keycloak-logs4description: "Parse keycloak logs"5pattern_syntax:6 KEYCLOAK_DATETIME: "[0-9]+-[0-9]+-[0-9]+ [0-2][0-9]:[0-5][0-9]:[0-5][0-9],[0-9]{3}"7 KEYCLOAK_LOG_LEVEL: "(DEBUG|WARN|ERROR|INFO)"8 KEYCLOAK_LOG_LINE: '^%{KEYCLOAK_DATETIME:datetime} %{KEYCLOAK_LOG_LEVEL:log_level}\s+\[org.*\]\s+\(executor-thread-\d+\)\s+%{GREEDYDATA:parsed_message}'9nodes:10 - grok:11 name: "KEYCLOAK_LOG_LINE"12 apply_on: message13 nodes:14 - filter: ParseKV(evt.Parsed.parsed_message, evt.Unmarshaled, "keycloak") in ["", nil]15 statics:16 - meta: log_type17 expression: trimSuffix(evt.Unmarshaled.keycloak.type, ",")18 - meta: error19 expression: trimSuffix(evt.Unmarshaled.keycloak.error ?? "", ",")20 - meta: source_ip21 expression: trimSuffix(evt.Unmarshaled.keycloak.ipAddress, ",")22 - meta: username23 expression: trimSuffix(evt.Unmarshaled.keycloak.username, ",")24statics:25 - meta: service26 value: keycloak27 - target: evt.StrTime28 expression: evt.Parsed.datetime29 - meta: log_level30 expression: evt.Parsed.log_level31 - target: evt.StrTimeFormat32 value: "2006-01-02 15:04:05,999999999"33