How to configure Keycloak Log Level

In this brief tutorial, we will explore how to configure the log level for a Keycloak distribution powered by Quarkus. We’ll walk through the process of applying this change persistently or as a startup option, providing administrators with flexibility in managing logging settings.

The latest Keycloak distribution runs on top of Quarkus Runtime. If you are new to this topic, we recommend checking this article: Getting started with Keycloak powered by Quarkus

In terms of configuration, by default, Keycloak uses the keycloak.conf file which is available in the conf folder. Here is a tree view of a Keycloak installation:

.
├── bin
│   ├── bin
│   ├── client
│   ├── federation-sssd-setup.sh
│   ├── kcadm.bat
│   ├── kcadm.sh
│   ├── kc.bat
│   ├── kcreg.bat
│   ├── kcreg.sh
│   └── kc.sh
├── conf
│   ├── cache-ispn.xml
│   ├── keycloak.conf
│   └── truststores
├── data
│   └── h2
├── lib
│   ├── app
│   ├── lib
│   ├── quarkus
│   └── quarkus-run.jar
├── LICENSE.txt
├── providers
│   ├── event-listener-sysout.jar
├── README.md
├── themes
└── version.txt

Therefore, in order to change the default Log Level of Keycloak, you can add the log-level property in the keycloak.conf. For example, to set to TRACE the verbosity of org.keycloak packages, you can add the following property:

log-level=org.keycloak:TRACE

Then, verify with the show-config command that the log-level is set to TRACE:

./kc.sh show-config | grep TRACE
	kc.log-level =  org.keycloak:TRACE (PropertiesConfigSource[source=file:/home/jboss/keycloak-24.0.1/bin/../conf/keycloak.conf])

By changing the configuration file, the log level change will persist across restarts. On the other hand, to provide the log level without modifying the configuration file you can also add the --log-level parameter at start-up. For example:

./kc.sh start-dev --log-level=org.keycloak:TRACE

You should then see a verbose output from the server:

keycloak change log level

Finally, it is worth mentioning that, in order to set the log level with Keycloak Operator, you have to apply the following additional option to your Keycloak Custom Resource:

spec:
  additionalOptions:
    - name: log-level
      value: 'INFO:org.keycloak:TRACE'

Conclusion

By following the steps outlined in this article, you will be able to change the current log level of Keycloak. Changing the log level is crucial to identify potential issues, and optimize the overall security and stability of their Keycloak deployments.