keycloak/keycloak

Admin Events log the authRealm instead of the event realm

Open

#46080 opened on Feb 6, 2026

Labels: area/core, help wanted, kind/bug, priority/low, status/auto-bump, status/auto-expire, team/core-authn, team/core-clients, team/core-shared

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

core

Describe the bug

When logging admin events in https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/events/log/JBossLoggingEventListenerProvider.java#L153, Keycloak logs the realmId and realmName of the AuthDetails, rather than those of the realm itself.

Version

26.5.2

Regression

  • The issue is a regression

Expected behavior

Keycloak should log the realm the event happened in, rather than the auth realm, or log both, but explicitly mark the authRealm as an authRealm. This would be consistent with User Events.

Maybe a log line could look like this:

INFO [org.keycloak.events] (executor-thread-35) operationType="CREATE", authRealmId="b31ce2a8-2b57-41fb-adfe-dfa270e8af51", authRealmName="master", clientId="babfa0d1-351f-4220-97ad-f16c7c424991", userId="6aa77a7c-a13c-4e20-a9ca-d21d9840c76b", ipAddress="192.168.127.1", resourceType="USER", resourcePath="users/a13130ae-ab37-47bd-88a5-de157e5da4c2", realm="my-custom-realm", realmId="my-custom-realm-id"

Actual behavior

This log line is produced when using the master admin console to delete a user in a non-master realm:

INFO [org.keycloak.events] (executor-thread-35) operationType="CREATE", realmId="b31ce2a8-2b57-41fb-adfe-dfa270e8af51", realmName="master", clientId="babfa0d1-351f-4220-97ad-f16c7c424991", userId="6aa77a7c-a13c-4e20-a9ca-d21d9840c76b", ipAddress="192.168.127.1", resourceType="USER", resourcePath="users/a13130ae-ab37-47bd-88a5-de157e5da4c2"

How to Reproduce?

Delete any user (or perform any other action that fires an AdminEvent)

Anything else?

When looking at the logs, this may confuse admins. Seeing that a new user was created (or deleted) in the master realm may trigger some alarms. It should be clear from the log entry in which realm the action was actually performed, as well as providing the authInfo (client, realm, user).

It might be considered a breaking change to use "realm" and "realmId" for consistency, because users may be analyzing their logs and depending on the current behaviour. So there might need to be some discussion if it's better to have consistency with user events, or non-breaking behaviour.
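For log pipelines that consume these lines, the following added example (not Keycloak code and not part of the original report) normalizes an admin event line so that a detection rule never treats the auth realm as the realm the resource lives in. The `authRealmId`, `authRealmName`, `realm` and `realmId` keys of the second format are the reporter's proposal, not a shipped format; the function names and the no-embedded-quotes assumption are hypothetical.

```python
import re

# Assumption: values contain no embedded double quotes, as in the lines quoted in the issue.
PAIR = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample input: the two log lines quoted in the issue.
ACTUAL = ('INFO [org.keycloak.events] (executor-thread-35) operationType="CREATE", '
          'realmId="b31ce2a8-2b57-41fb-adfe-dfa270e8af51", realmName="master", '
          'clientId="babfa0d1-351f-4220-97ad-f16c7c424991", '
          'userId="6aa77a7c-a13c-4e20-a9ca-d21d9840c76b", ipAddress="192.168.127.1", '
          'resourceType="USER", resourcePath="users/a13130ae-ab37-47bd-88a5-de157e5da4c2"')
PROPOSED = ('INFO [org.keycloak.events] (executor-thread-35) operationType="CREATE", '
            'authRealmId="b31ce2a8-2b57-41fb-adfe-dfa270e8af51", authRealmName="master", '
            'clientId="babfa0d1-351f-4220-97ad-f16c7c424991", '
            'userId="6aa77a7c-a13c-4e20-a9ca-d21d9840c76b", ipAddress="192.168.127.1", '
            'resourceType="USER", resourcePath="users/a13130ae-ab37-47bd-88a5-de157e5da4c2", '
            'realm="my-custom-realm", realmId="my-custom-realm-id"')


def normalize_admin_event(line):
    """Map an admin event log line to explicit auth-realm / target-realm fields."""
    f = dict(PAIR.findall(line))
    if "operationType" not in f:
        return None  # not an admin event line
    event = {"operation": f["operationType"], "resource_type": f.get("resourceType"),
             "resource_path": f.get("resourcePath"), "actor_user_id": f.get("userId")}
    if "authRealmName" in f or "authRealmId" in f:
        # Proposed format: the auth realm is labelled, realm/realmId name the event realm.
        event.update(auth_realm=f.get("authRealmName"), target_realm=f.get("realm"),
                     target_realm_id=f.get("realmId"))
    else:
        # Format reported in the issue: realmId/realmName come from AuthDetails,
        # so the realm the resource lives in is not present in the line.
        event.update(auth_realm=f.get("realmName"), target_realm=None, target_realm_id=None)
    return event


def alert_realm(event):
    """Realm label for a detection rule; never reports the auth realm as the target."""
    if event["target_realm"] is not None:
        return event["target_realm"]
    return "unknown (authenticated via %s)" % event["auth_realm"]


if __name__ == "__main__":
    for sample in (ACTUAL, PROPOSED):
        print(alert_realm(normalize_admin_event(sample)))
```
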
