Logs
Control audit log retention and logging options.
What you can do
- Set retention policies
- Configure logging behavior to match compliance needs
Log providers (application logs)
You can forward application logs to an external provider for centralized observability. Supported providers:
- Splunk (HTTP Event Collector)
- Grafana Loki
- Coralogix
- Generic Webhook
To add a provider, navigate to Admin Settings → Logs and click Add Provider. Select the provider type and fill in the required fields.
Splunk (HEC)
Forward audit logs to Splunk via the HTTP Event Collector.
Prerequisites
- Enable HEC on your Splunk instance.
- Create a new HEC token (or reuse an existing one) with permission to write to the desired index.
- Ensure network egress from your deployment to your Splunk host is allowed on the configured port.
Configuration fields
| Field | Required | Description |
|---|---|---|
| Token | Yes | Your Splunk HEC token. |
| Host | Yes | Splunk hostname (e.g., splunk.example.com). Do not include the protocol — HTTPS is used automatically. |
| Port | No | HEC port. Defaults to 8088 if left empty. |
| Index | No | Target Splunk index. Defaults to mcp-s if left empty. |
| Anonymous Mode | No | Toggle to send only statistical data (see Anonymous Mode). |
How it works
Logs are sent as JSON payloads to https://<host>:<port> with sourcetype set to audit_log and the source set to audit-logs.
Tips
- If your HEC uses TLS with a custom CA, configure your environment to trust it.
- Verify the token is active and has not been disabled in Splunk.
- Use a dedicated index to isolate audit logs from other data.
Grafana Loki
Push audit logs to a Grafana Loki instance for querying with LogQL.
Prerequisites
- A running Loki instance with a push endpoint available (typically at /loki/api/v1/push).
- Basic auth credentials with permission to push logs to the target tenant.
- Network connectivity from your deployment to the Loki URL.
Configuration fields
| Field | Required | Description |
|---|---|---|
| URL | Yes | Your Loki base URL (e.g., https://loki.example.com). The /loki/api/v1/push path is appended automatically. |
| Username | Yes | Basic auth username. |
| Password | Yes | Basic auth password. |
| App Label | No | Sets the app label on log streams (e.g., my-app). |
| Environment Label | No | Sets the env label (e.g., production, staging). |
| Service Label | No | Sets the service label (e.g., api). |
| Anonymous Mode | No | Toggle to send only statistical data (see Anonymous Mode). |
How it works
Each audit log is pushed as a Loki stream entry with the following default labels:
- app: mcp-s-db-service
- level: info
- action: the audit log action
- org_id: the organization ID
Any custom labels you configure are merged with these defaults.
Tips
- Labels help you filter and query logs efficiently in Grafana. Keep cardinality low.
- Ensure your credentials have permission to push logs to the correct tenant.
- Test connectivity by running a curl against your Loki push endpoint before configuring.
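The push body that the stream entry and label merge above describe, as an added example (not the product's own forwarding code). It assumes Loki's documented push JSON (`streams` → `stream` labels plus `[nanosecond_timestamp, line]` values), that a configured label overrides a default on a key clash, that each audit-log dict carries `action`, `org_id` and optionally `ts_ns`, and that the high-cardinality key list is the operator's own choice. The `push` helper is there for the connectivity test the tips recommend and needs network access; everything else runs offline on the constructed sample.

```python
"""Loki push payload for forwarded audit logs (added example, not the
product's code). Body shape is Loki's push JSON:
{"streams": [{"stream": {labels}, "values": [[ns_timestamp, line], ...]}]}.
Assumptions: configured labels override defaults on a key clash; entries
carry 'action', 'org_id' and an optional 'ts_ns'."""
import base64
import json
import time
import urllib.request

DEFAULT_LABELS = {"app": "mcp-s-db-service", "level": "info"}
# Keys whose values differ per event (assumed list). They belong in the log
# line, not in labels, or every event becomes its own stream.
HIGH_CARDINALITY_KEYS = {"user_id", "request_id", "session_id", "client_ip"}


def build_labels(action, org_id, configured=None):
    """Defaults plus action/org_id, then the operator's app/env/service labels."""
    labels = dict(DEFAULT_LABELS, action=action, org_id=str(org_id))
    for key, value in (configured or {}).items():
        if key in HIGH_CARDINALITY_KEYS:
            raise ValueError(f"refusing high-cardinality label {key!r}")
        labels[key] = str(value)
    return labels


def build_push_body(entries, configured=None):
    """Group entries that share a label set into one stream, in the order given."""
    streams = {}
    for entry in entries:
        labels = build_labels(entry["action"], entry["org_id"], configured)
        key = tuple(sorted(labels.items()))
        ts_ns = str(entry.get("ts_ns", time.time_ns()))
        line = json.dumps(entry, sort_keys=True)  # full event stays in the line
        streams.setdefault(key, []).append([ts_ns, line])
    return {"streams": [{"stream": dict(k), "values": v} for k, v in streams.items()]}


def push(base_url, username, password, body, timeout=5):
    """POST the body with basic auth; use it to test the endpoint (needs network)."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/loki/api/v1/push",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Basic " + cred},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status  # Loki answers 204 No Content on success


if __name__ == "__main__":
    # Constructed sample events, not real audit data.
    sample = [
        {"action": "login", "org_id": 42, "ts_ns": 1700000000000000000, "user_id": "u-1"},
        {"action": "login", "org_id": 42, "ts_ns": 1700000001000000000, "user_id": "u-2"},
        {"action": "key.rotate", "org_id": 7, "ts_ns": 1700000002000000000},
    ]
    print(json.dumps(build_push_body(sample, {"env": "production", "service": "api"}), indent=2))
```

The two login events share a label set and land in one stream; the user ID is carried in the JSON line rather than as a label, which is what keeps the cardinality low as the first tip asks.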
Coralogix
Stream audit logs to Coralogix for full-stack observability.
Prerequisites
- A Coralogix account with a Send-Your-Data API key (found under Settings → Send Your Data in the Coralogix dashboard).
- Know which Coralogix region/domain your account is hosted on.
- Network egress allowed to ingress.<your-domain> on port 443.
Configuration fields
| Field | Required | Description |
|---|---|---|
| Send-Your-Data API Key | Yes | Your Coralogix ingestion API key. |
| Domain | Yes | Your Coralogix region. Available options: us1.coralogix.com (US1), us2.coralogix.com (US2), eu1.coralogix.com (EU1), eu2.coralogix.com (EU2), ap1.coralogix.com (AP1), ap2.coralogix.com (AP2), ap3.coralogix.com (AP3). |
| Application Name | No | Application name in Coralogix. Defaults to mcp-s. |
| Subsystem Name | No | Subsystem name in Coralogix. Defaults to audit-logs. |
| Anonymous Mode | No | Toggle to send only statistical data (see Anonymous Mode). |
How it works
Logs are sent to https://ingress.<domain>/logs/v1/singles as JSON with severity level 3 (info). The API key is passed as a Bearer token in the Authorization header.
Tips
- Use Application Name and Subsystem Name to organize logs in the Coralogix dashboard.
- Set up Coralogix alerts on audit log actions for real-time notifications.
- The request timeout is 5 seconds — ensure low-latency connectivity to your chosen region.
Webhook
Send audit logs to any HTTP endpoint for custom processing.
Prerequisites
- An HTTP(S) endpoint that accepts POST requests with JSON payloads.
- Network connectivity from your deployment to the webhook URL.
Configuration fields
| Field | Required | Description |
|---|---|---|
| URL | Yes | The full webhook URL (e.g., https://api.example.com/logs). |
| Anonymous Mode | No | Toggle to send only statistical data (see Anonymous Mode). |
How it works
Each audit log is sent as a POST request with the following JSON structure:
```json
{
  "timestamp": "2024-01-15T10:30:00.000Z",
  "type": "audit_log",
  "data": { ... }
}
```
The Content-Type header is set to application/json. The request timeout is 5 seconds.
Tips
- Implement idempotency on your receiver to handle potential retries.
- Add authentication on your endpoint (e.g., verify a shared secret in headers).
- Use this for custom pipelines, SIEM integrations, or forwarding to collectors not natively supported.
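A receiver that applies the three tips above (authenticate, stay idempotent, answer within the 5-second budget), as an added example rather than anything shipped with the product. Its assumptions: since the sender only knows the URL, the shared secret is taken from the last path segment (e.g. https://api.example.com/logs/<secret>) or from an `X-Webhook-Secret` header if the sender can set one; and because the documented envelope has no event ID, deduplication keys on a SHA-256 of the raw body. The secret value and size limit are placeholders.

```python
"""Webhook receiver for the audit-log POST described above (added example).
Assumptions, not product behaviour: secret in last path segment or in an
X-Webhook-Secret header; idempotency by SHA-256 of the raw body."""
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_SECRET = "replace-me-with-a-long-random-value"  # placeholder, operator-provided
MAX_BODY_BYTES = 1 << 20  # refuse oversized payloads before parsing them


def verify_secret(presented, expected=EXPECTED_SECRET):
    """Constant-time comparison so response timing cannot leak the secret."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def handle_webhook(path, headers, body, seen, expected_secret=EXPECTED_SECRET):
    """Return (http_status, reason). `seen` is a mutable set of body digests."""
    # 1. Authenticate before touching the body.
    last_segment = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
    presented = headers.get("X-Webhook-Secret") or last_segment
    if not verify_secret(presented, expected_secret):
        return 401, "bad secret"
    # 2. Only the documented content type, and only a bounded size.
    if not headers.get("Content-Type", "").startswith("application/json"):
        return 415, "expected application/json"
    if len(body) > MAX_BODY_BYTES:
        return 413, "body too large"
    # 3. Parse and check the documented envelope: timestamp, type, data.
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "invalid json"
    if (not isinstance(event, dict) or event.get("type") != "audit_log"
            or not isinstance(event.get("data"), dict) or "timestamp" not in event):
        return 400, "unexpected envelope"
    # 4. Idempotency: a retried identical body is acknowledged, not reprocessed.
    digest = hashlib.sha256(body).hexdigest()
    if digest in seen:
        return 200, "duplicate ignored"
    seen.add(digest)
    process(event)
    return 200, "accepted"


def process(event):
    """Stand-in for the real pipeline (queue, SIEM forwarder); keep it fast."""
    print(event["timestamp"], event["data"])


class Handler(BaseHTTPRequestHandler):
    seen = set()  # single-process demo; use a shared store behind a load balancer

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(min(length, MAX_BODY_BYTES + 1))
        status, reason = handle_webhook(self.path, self.headers, body, self.seen)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(reason.encode())


if __name__ == "__main__":
    # The sender gives up after 5 seconds, so do no slow work before replying.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Returning 200 for a duplicate rather than an error matters: a non-2xx answer is what the sender treats as failure, so rejecting retries would only invite more of them.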
Anonymous Mode
Available on all providers. When enabled, only aggregated/statistical data is forwarded — sensitive fields (such as request data and user details) are excluded from the payload.
Use this if you need basic operational telemetry without exposing PII.
Tip: Combine Anonymous Mode with provider-side redaction rules for defense in depth.
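The same idea applied on the receiving side, as an added example of the "provider-side redaction" the tip mentions (not the product's Anonymous Mode implementation). The field names are assumptions, because the page does not publish the audit-log schema; the point is the allowlist: a field is forwarded only if it is named as safe and is a scalar, so a new sensitive field added upstream is dropped by default instead of leaking.

```python
"""Allowlist redaction and per-action aggregation of audit events (added
example; field names are assumed, the audit-log schema is not published)."""
from collections import Counter

# Scalar fields considered safe to forward (assumption). Anything not listed
# is dropped, so unknown or newly added fields fail closed.
ALLOWED_FIELDS = {"timestamp", "action", "status", "duration_ms", "org_id"}
SCALARS = (str, int, float, bool, type(None))


def anonymise(event):
    """Keep only allowlisted scalar fields; nested objects such as request
    data or user details never pass, even under an allowlisted key."""
    return {k: v for k, v in event.items() if k in ALLOWED_FIELDS and isinstance(v, SCALARS)}


def aggregate(events):
    """Statistical view only: event counts per action, no per-event payload."""
    return dict(Counter(e.get("action", "unknown") for e in events))


if __name__ == "__main__":
    # Constructed sample, not real audit data.
    sample = [
        {"timestamp": "2024-01-15T10:30:00.000Z", "action": "login", "status": "ok",
         "user": {"email": "alice@example.com"}, "request": {"ip": "203.0.113.5"}},
        {"timestamp": "2024-01-15T10:31:00.000Z", "action": "login", "status": "denied",
         "user": {"email": "mallory@example.com"}},
        {"timestamp": "2024-01-15T10:32:00.000Z", "action": "key.rotate", "status": "ok",
         "org_id": 42, "user": {"email": "alice@example.com"}},
    ]
    print([anonymise(e) for e in sample])
    print(aggregate(sample))
```

Prefer the allowlist form over a list of fields to strip: a denylist has to be updated every time a sensitive field appears, and the one you forget is the one that reaches the shared environment.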
Best practices
- Use least-privilege credentials for any outbound log sink.
- Add provider-side retention and lifecycle rules to control storage costs.
- Tag logs with env (e.g., production, staging) to separate flows.
- Validate network egress/firewall rules from your deployment to the provider.
- Test provider connectivity before relying on it for compliance.
- Use Anonymous Mode when forwarding to less-trusted or shared environments.
Troubleshooting
- No logs appearing:
- Verify provider credentials/URL, and that outbound egress is allowed.
- For Splunk, check HEC status and token permissions.
- For Loki, confirm tenant/auth and that labels are not over-constraining queries.
- For Coralogix, verify the API key and that the correct domain/region is selected.
- For Webhook, confirm your endpoint returns a 2xx status code.
- Errors in UI when saving:
- Ensure all required fields are filled for the selected provider.
- Check that URLs include the protocol (https://).
- Timeout errors:
- Webhook and Coralogix requests time out after 5 seconds. Ensure your endpoint or region is reachable with low latency.
See also: Monitor Logs (read-only viewing and searches).