Tested on CentOS 7.

Deployment: Keycloak with an Nginx proxy_pass

Add a regular-expression filter under `/etc/fail2ban/filter.d/keycloak.conf`:

```
[INCLUDES]

before = common.conf

[Definition]

_threadName = [a-z][-_0-9a-z]*(\s[a-z][-_0-9a-z]*)*
_userId = (null|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})
_realmName = ([a-zA-Z][-_a-zA-Z0-9]*)

# <HOST> is the fail2ban tag that captures the address to ban
failregex = ^.*WARN\s+\[org\.keycloak\.events\]\s+\(%(_threadName)s\) type=LOGIN_ERROR, realmId=%(_realmName)s, clientId=security-admin-console, userId=%(_userId)s, ipAddress=<HOST>

ignoreregex =
```

Configure a new jail that reads Keycloak log messages directly from systemd. It blocks HTTP (80) and HTTPS (443) for the offending IP. Create the file `/etc/fail2ban/jail.d/keycloak.conf`:

```
[keycloak]
enabled = true
filter = keycloak
maxretry = 2
# findtime and bantime are in seconds
findtime = 10
bantime = 10
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
backend = systemd
journalmatch = _SYSTEMD_UNIT=keycloak.service
```

Simulate some failed logins and test your regular expressions:

    sudo fail2ban-regex -v /opt/keycloak/standalone/log/server.log /etc/fail2ban/filter.d/keycloak.conf

Restart `fail2ban` to enable the jail:

    sudo systemctl restart fail2ban.service

During normal operation of `fail2ban`, we can check the status of a particular jail:

    sudo fail2ban-client status keycloak
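To see what the `failregex` in `/etc/fail2ban/filter.d/keycloak.conf` counts and what it skips, the following added example (not part of the original page) expands the filter's sub-patterns in Python and runs them over constructed log lines. The IPv4-only stand-in for fail2ban's `<HOST>` tag, the sample lines and the function names are assumptions, and the `findtime` window is ignored.

```python
import re
from collections import Counter

# Sub-patterns copied from the [Definition] section of the filter.
THREAD_NAME = r"[a-z][-_0-9a-z]*(\s[a-z][-_0-9a-z]*)*"
USER_ID = (r"(null|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
           r"-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})")
REALM_NAME = r"([a-zA-Z][-_a-zA-Z0-9]*)"
# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

FAILREGEX = re.compile(
    r"^.*WARN\s+\[org\.keycloak\.events\]\s+\(" + THREAD_NAME + r"\) "
    r"type=LOGIN_ERROR, realmId=" + REALM_NAME
    + r", clientId=security-admin-console, userId=" + USER_ID
    + r", ipAddress=" + HOST
)

def _line(client, user, ip):
    """Build one constructed Keycloak event line (not a real log)."""
    return ("2024-01-01 10:00:00,000 WARN  [org.keycloak.events] "
            "(default task-1) type=LOGIN_ERROR, realmId=master, "
            f"clientId={client}, userId={user}, ipAddress={ip}, "
            "error=invalid_user_credentials")

SAMPLE_LOG = [
    # Unknown user on the admin console: userId is logged as null.
    _line("security-admin-console", "null", "203.0.113.7"),
    # Known user, wrong password: userId is a UUID.
    _line("security-admin-console",
          "3f2a9c1e-5b7d-4e8a-9c0f-1a2b3c4d5e6f", "203.0.113.7"),
    # Failure against another client: the filter does not count it.
    _line("account", "null", "198.51.100.9"),
    # A single admin-console failure from a second address.
    _line("security-admin-console", "null", "198.51.100.23"),
]

def failures_by_host(lines):
    """Count the lines the filter matches, keyed by captured address."""
    hits = (FAILREGEX.search(line) for line in lines)
    return Counter(m.group("host") for m in hits if m)

def would_ban(lines, maxretry=2):
    """Addresses reaching maxretry matches (time window not modelled)."""
    return sorted(h for h, n in failures_by_host(lines).items()
                  if n >= maxretry)

if __name__ == "__main__":
    print(failures_by_host(SAMPLE_LOG))
    print(would_ban(SAMPLE_LOG))
```

The third line shows that failed logins against any client other than `security-admin-console` pass through this filter uncounted.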