Configuring logging

Learn how to configure Logging

Keycloak uses the jboss logmanager logging framework. The high-level overview for the available log handlers is shown below:

  • root

    • console (default)

    • file

Logging: Root configuration

Logging is done on a per-category basis in Keycloak. You can configure logging for the root log level, or for more specific categories like org.hibernate or org.keycloak. In this guide, you will learn how to configure logging.

Root Log level

The available log levels are listed in the following Table:




critical failures / complete inability to serve requests of any kind.


significant error or problem leading to the inability to process requests.


A non-critical error or problem that may not require immediate correction.


Keycloak lifecycle events or important information. Low frequency.


More detailed information for debugging purposes, including e.g. database logs. Higher frequency.


Most detailed debugging information. Very high frequency.


Special level for all log messages


Special level to turn logging off entirely (not recommended)

Configuring the root log level

The root loggers log level can be set using the following command:

bin/kc.[sh|bat] start --log-level=<root-level>

using one of the levels mentioned in the table above. When no log level configuration exists for a more specific category logger (see below), the enclosing category is used instead. When there is no enclosing category, the root logger level is used.

Setting the log level is case-insensitive, so you could either use for example DEBUG or debug.

When you accidentally set the log level twice, for example when you invoke --log-level=info,…​,debug,…​ the last occurence in the list will be used as the log level, so for the example the root logger would be set to DEBUG.

Configuring category-specific log levels

It is possible to set a different log level for specific areas in Keycloak. To enable category-specific logging, provide a comma-separated list containing the categories you want another log level than for the root category to the --log-level configuration:

bin/kc.[sh|bat] start --log-level=<root-level>,<org.category1>:<org.category1-level>

A configuration that applies to a category also applies to all sub-categories of that category, unless a more specific matching sub-category configuration is provided in the list.

bin/kc.[sh|bat] start --log-level=INFO,org.hibernate:debug,org.hibernate.hql.internal.ast:info

The example above sets the root log level for all loggers to INFO, and the hibernate log level in general to debug. But as we don’t want SQL abstract syntax trees to make the log output verbose, we set the more specific sub category org.hibernate.hql.internal.ast to info, so the SQL abstract syntax trees, which would be shown at debug level, don’t show up anymore.

Enabling log handlers

To enable one or more log handlers, run the following command:

bin/kc.[sh|bat] start --log=<handler1>,<handler2>

The available handlers are console and file. The more specific handler configuration mentioned below will only take effect when the handler is added to this comma-separated list.

Console Log Handler

The console log handler is enabled by default, providing unstructured log messages for the console.

Configuring the console log format

Keycloak uses a pattern-based logging formatter that generates human-readable text logs by default.

The default format template is:

  • %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n

The format string supports the following symbols:






Renders a simple % character.



Renders the log category name.



Renders a date with the given date format string.String syntax defined by java.text.SimpleDateFormat



Renders the thrown exception, if any.



Renders the simple host name.


Qualified host name

Renders the fully qualified hostname, which may be the same as the simple host name, depending on the OS configuration.


Process ID

Renders the current process PID.


Full Message

Renders the log message plus exception (if any).



Renders the platform-specific line separator string.


Process name

Renders the name of the current process.



Renders the log level of the message.


Relative time

Render the time in milliseconds since the start of the application log.


Simple message

Renders only the log message, without exception trace.


Thread name

Renders the thread name.


Thread ID

Render the thread ID.

%z{<zone name>}


Set the time zone of log output to <zone name>.

To set the logging format for a logged line, build your desired format template using the table above and run the following command:

bin/kc.[sh|bat] start --log-console-format="'<format>'"

Be aware that you need to escape characters when invoking commands containing special shell characters such as ; using the CLI, so you might want to set it in the configuration file instead.

Example: Abbreviate the fully qualified category name
bin/kc.[sh|bat] start --log-console-format="'%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c{3.}] (%t) %s%e%n'"

The example above abbreviates the category name to three characters by setting [%c{3.}] in the template instead of the default [%c].

Configuring JSON or plain console logging

By default, the console log handler logs plain unstructured data to the console. To use structured JSON log output instead, run the following command:

bin/kc.[sh|bat] start --log-console-output=json
Example Log Message
{"timestamp":"2022-02-25T10:31:32.452+01:00","sequence":8442,"loggerClassName":"org.jboss.logging.Logger","loggerName":"io.quarkus","level":"INFO","message":"Keycloak 18.0.0-SNAPSHOT on JVM (powered by Quarkus 2.7.2.Final) started in 3.253s. Listening on:","threadName":"main","threadId":1,"mdc":{},"ndc":"","hostName":"host-name","processName":"QuarkusEntryPoint","processId":36946}

When using JSON output, colors are disabled and the format settings set by --log-console-format will not apply.

To use unstructured logging, run the following command:

bin/kc.[sh|bat] start --log-console-output=default
Example Log Message:
2022-03-02 10:36:50,603 INFO  [io.quarkus] (main) Keycloak 18.0.0-SNAPSHOT on JVM (powered by Quarkus 2.7.2.Final) started in 3.615s. Listening on:


Colored console log output for unstructured logs is disabled by default. It may lead to better readability, but can cause problems when shipping logs to external log aggregation systems. If you want to enable or disable color-coded console log output, run following command:

bin/kc.[sh|bat] start --log-console-color=<false|true>

File logging

Instead of logging to the console, Keycloak also supports unstructured logging to a file.

Enable file logging

Logging to a file is disabled by default. To enable it, run the following command:

bin/kc.[sh|bat] start --log=console,file

Configuring path and name of the generated log file

By enabling the file log handler, a log file named keycloak.log will be created inside the data/log directory of your Keycloak installation.

To change the location and name of the generated log file, run the following command:

bin/kc.[sh|bat] start --log=console,file --log-file=<path-to>/<your-file.log>

Please make sure the location for the logfile is writeable. If not, an error will be thrown at start-up. Keycloak will start correctly, but no file containing logs will be created.

Configuring the file handler format

You can configure a different logging format for the file log handler by running the following command:

bin/kc.[sh|bat] start --log-file-format=<pattern>

Please see the Configuring the console log format section in this guide for more information and a table of the available pattern configuration.

Configuring raw quarkus logging properties

At the time of writing, the logging features of the quarkus based Keycloak are basic, yet powerful. Nevertheless, expect more to come and feel free to join the discussion at GitHub.

When you need a temporary solution, e.g. for logging to a file or using syslog isntead of console, you can check out the Quarkus logging guide. It is possible to use all properties mentioned there, as long as no other than the base logging dependency is involved. For example it is possible to set the log handler to file, but not to use json output, yet, as you would need to provide another dependency for json output to work.

To use raw quarkus properties, please refer to the Configuring Keycloak guide at section Using unsupported server options.

Relevant options

Type Default


Enable or disable colors when logging to console.

CLI: --log-console-color




The format of unstructured console log entries.

If the format has spaces in it, escape the value using "<format>".

CLI: --log-console-format


%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n


Set the log output to JSON or default (plain) unstructured logging.

CLI: --log-console-output


default, json



Set the log file path and filename.

CLI: --log-file




Set a format specific to file log entries.

CLI: --log-file-format


%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n


The log level of the root category or a comma-separated list of individual categories and their levels.

For the root category, you don’t need to specify a category.

CLI: --log-level



On this page