Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
@dmgeurts The keycloak integration already uses the GeoIP processor for events with log.logger == 'org.keycloak.events'
See here
Could you provide an example event and the custom processor you added?
@tehbooom I'm running v8.14.3 of the agent and v1.22.3 of the Keycloak integration.
⚠ I've just realised that my logs (still in the testing phase) don't contain any public IPs, which is most likely why I don't see GeoIP data. If so, apologies for taking up your time!
The custom pipeline I added, when trying to get GeoIP data:
This is the first logged event (without any custom processor applied):
{
"_index": ".ds-logs-keycloak.log-default-2024.09.18-000001",
"_id": "1RH3BJIBOBo7EklYjjAK",
"_version": 1,
"_score": 0,
"_source": {
"agent": {
"name": "sso.domain.com",
"id": "c81cfee0-a1fb-414d-a493-1de737f1f30e",
"ephemeral_id": "2eee9ec4-969f-4752-9e93-f0c71e08f1f3",
"type": "filebeat",
"version": "8.14.3"
},
"process": {
"thread": {
"name": "executor-thread-2"
}
},
"keycloak": {
"event_type": "login",
"client": {
"id": "security-admin-console"
},
"realm": {
"id": "849e9b0c-5ff4-47fb-bdda-513eb94617e0"
},
"login": {
"auth_method": "openid-connect",
"auth_type": "code",
"auth_session_parent_id": "737e2e78-14c4-4729-b743-aaaf70e2113f",
"auth_session_tab_id": "IG5_YIPNk_0",
"redirect_uri": "https://auth.domain.com/admin/master/console/#/master/realm-settings/events",
"type": "LOGIN",
"code_id": "737e2e78-14c4-4729-b743-aaaf70e2113f"
}
},
"log": {
"file": {
"inode": "1573288",
"path": "/var/log/keycloak/keycloak.log",
"device_id": "64512"
},
"offset": 7561,
"level": "INFO",
"logger": "org.keycloak.events"
},
"elastic_agent": {
"id": "c81cfee0-a1fb-414d-a493-1de737f1f30e",
"version": "8.14.3",
"snapshot": false
},
"source": {
"address": "10.0.0.2",
"ip": "10.0.0.2"
},
"url": {
"path": "/admin/master/console/",
"fragment": "/master/realm-settings/events",
"original": "https://auth.domain.com/admin/master/console/#/master/realm-settings/events",
"scheme": "https",
"domain": "auth.domain.com"
},
"tags": [
"keycloak-log"
],
"input": {
"type": "filestream"
},
"@timestamp": "2024-09-18T13:45:23.661+02:00",
"ecs": {
"version": "8.11.0"
},
"related": {
"hosts": [
"auth.domain.com"
],
"ip": [
"10.0.0.2"
],
"user": [
"efc13275-b358-4b89-8af1-2fe50bd61c6b"
]
},
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "keycloak.log"
},
"host": {
"hostname": "sso.domain.com",
"os": {
"kernel": "6.8.0-40-generic",
"codename": "jammy",
"name": "Ubuntu",
"type": "linux",
"family": "debian",
"version": "22.04.5 LTS (Jammy Jellyfish)",
"platform": "ubuntu"
},
"containerized": false,
"ip": [
"10.0.0.29",
"fe80::250:56ff:feaa:d331"
],
"name": "sso.domain.com",
"id": "afca511480b34b76aa42ab8ab860cdea",
"mac": [
"00-50-56-AA-D3-31"
],
"architecture": "x86_64"
},
"event": {
"agent_id_status": "verified",
"ingested": "2024-09-18T11:49:44Z",
"timezone": "+02:00",
"kind": "event",
"action": "LOGIN",
"category": [
"authentication"
],
"type": [
"info",
"start"
],
"dataset": "keycloak.log"
},
"user": {
"name": "user",
"id": "efc13275-b358-4b89-8af1-2fe50bd61c6b"
}
},
"fields": {
"elastic_agent.version": [
"8.14.3"
],
"event.category": [
"authentication"
],
"keycloak.client.id": [
"security-admin-console"
],
"host.os.name.text": [
"Ubuntu"
],
"host.name.text": [
"sso.domain.com"
],
"host.hostname": [
"sso.domain.com"
],
"url.original.text": [
"https://auth.domain.com/admin/master/console/#/master/realm-settings/events"
],
"host.mac": [
"00-50-56-AA-D3-31"
],
"keycloak.login.type": [
"LOGIN"
],
"agent.name.text": [
"sso.domain.com"
],
"host.os.version": [
"22.04.5 LTS (Jammy Jellyfish)"
],
"host.os.name": [
"Ubuntu"
],
"log.level": [
"INFO"
],
"source.ip": [
"10.0.0.2"
],
"agent.name": [
"sso.domain.com"
],
"keycloak.login.auth_session_parent_id": [
"737e2e78-14c4-4729-b743-aaaf70e2113f"
],
"host.name": [
"sso.domain.com"
],
"event.agent_id_status": [
"verified"
],
"event.kind": [
"event"
],
"keycloak.login.auth_type": [
"code"
],
"url.fragment": [
"/master/realm-settings/events"
],
"process.thread.name": [
"executor-thread-2"
],
"keycloak.event_type": [
"login"
],
"host.os.type": [
"linux"
],
"user.id": [
"efc13275-b358-4b89-8af1-2fe50bd61c6b"
],
"input.type": [
"filestream"
],
"log.offset": [
7561
],
"data_stream.type": [
"logs"
],
"related.user": [
"efc13275-b358-4b89-8af1-2fe50bd61c6b"
],
"tags": [
"keycloak-log"
],
"host.architecture": [
"x86_64"
],
"keycloak.login.redirect_uri": [
"https://auth.domain.com/admin/master/console/#/master/realm-settings/events"
],
"url.path": [
"/admin/master/console/"
],
"agent.id": [
"c81cfee0-a1fb-414d-a493-1de737f1f30e"
],
"ecs.version": [
"8.11.0"
],
"host.containerized": [
false
],
"agent.version": [
"8.14.3"
],
"related.hosts": [
"auth.domain.com"
],
"host.os.family": [
"debian"
],
"user.name": [
"user"
],
"source.address": [
"10.0.0.2"
],
"url.scheme": [
"https"
],
"log.logger": [
"org.keycloak.events"
],
"keycloak.login.auth_session_tab_id": [
"IG5_YIPNk_0"
],
"process.thread.name.text": [
"executor-thread-2"
],
"host.ip": [
"10.0.0.29"
],
"agent.type": [
"filebeat"
],
"keycloak.login.code_id": [
"737e2e78-14c4-4729-b743-aaaf70e2113f"
],
"event.module": [
"keycloak"
],
"related.ip": [
"10.0.0.2"
],
"host.os.kernel": [
"6.8.0-40-generic"
],
"log.file.device_id": [
"64512"
],
"log.file.path.text": [
"/var/log/keycloak/keycloak.log"
],
"elastic_agent.snapshot": [
false
],
"host.id": [
"afca511480b34b76aa42ab8ab860cdea"
],
"event.timezone": [
"+02:00"
],
"keycloak.login.auth_method": [
"openid-connect"
],
"elastic_agent.id": [
"c81cfee0-a1fb-414d-a493-1de737f1f30e"
],
"data_stream.namespace": [
"default"
],
"host.os.codename": [
"jammy"
],
"keycloak.realm.id": [
"849e9b0c-5ff4-47fb-bdda-513eb94617e0"
],
"event.action": [
"LOGIN"
],
"event.ingested": [
"2024-09-18T11:49:44.000Z"
],
"url.original": [
"https://auth.domain.com/admin/master/console/#/master/realm-settings/events"
],
"@timestamp": [
"2024-09-18T11:45:23.661Z"
],
"host.os.platform": [
"ubuntu"
],
"log.file.inode": [
"1573288"
],
"data_stream.dataset": [
"keycloak.log"
],
"event.type": [
"info",
"start"
],
"log.file.path": [
"/var/log/keycloak/keycloak.log"
],
"url.domain": [
"auth.domain.com"
],
"agent.ephemeral_id": [
"2eee9ec4-969f-4752-9e93-f0c71e08f1f3"
],
"event.dataset": [
"keycloak.log"
],
"user.name.text": [
"user"
]
}
}
Could the GeoIP processor please be added to the Keycloak integration?
I worked out how to add a custom processor, but having a GeoIP option built into the integration would be preferable.