Logs

Control audit log retention and logging options.

What you can do

  • Set retention policies
  • Configure logging behavior to match compliance needs

Log providers (application logs)

You can forward application logs to an external provider for centralized observability. Supported providers:

  • Splunk (HTTP Event Collector)
  • Grafana Loki
  • Coralogix
  • CrowdStrike (Falcon LogScale / NG-SIEM)
  • Generic Webhook

To add a provider, navigate to Admin Settings → Logs and click Add Provider. Select the provider type and fill in the required fields.


Splunk (HEC)

Forward audit logs to Splunk via the HTTP Event Collector.

Prerequisites

  1. Enable HEC on your Splunk instance.
  2. Create a new HEC token (or reuse an existing one) with permission to write to the desired index.
  3. Ensure network egress from your deployment to your Splunk host is allowed on the configured port.

Configuration fields

  • Token (required): Your Splunk HEC token.
  • Host (required): Splunk hostname (e.g., splunk.example.com). Do not include the protocol; HTTPS is used automatically.
  • Port (optional): HEC port. Defaults to 8088 if left empty.
  • Index (optional): Target Splunk index. Defaults to mcp-s if left empty.
  • Anonymous Mode (optional): Toggle to send only statistical data (see Anonymous Mode).

How it works

Logs are sent as JSON payloads to https://<host>:<port> with sourcetype set to audit_log and the source set to audit-logs.

Tips

  • If your HEC uses TLS with a custom CA, configure your environment to trust it.
  • Verify the token is active and has not been disabled in Splunk.
  • Use a dedicated index to isolate audit logs from other data.

Grafana Loki

Push audit logs to a Grafana Loki instance for querying with LogQL.

Prerequisites

  1. A running Loki instance with a push endpoint available (typically at /loki/api/v1/push).
  2. Basic auth credentials with permission to push logs to the target tenant.
  3. Network connectivity from your deployment to the Loki URL.

Configuration fields

  • URL (required): Your Loki base URL (e.g., https://loki.example.com). The /loki/api/v1/push path is appended automatically.
  • Username (required): Basic auth username.
  • Password (required): Basic auth password.
  • App Label (optional): Sets the app label on log streams (e.g., my-app).
  • Environment Label (optional): Sets the env label (e.g., production, staging).
  • Service Label (optional): Sets the service label (e.g., api).
  • Anonymous Mode (optional): Toggle to send only statistical data (see Anonymous Mode).

How it works

Each audit log is pushed as a Loki stream entry with the following default labels:

  • app: mcp-s-db-service
  • level: info
  • action: the audit log action
  • org_id: the organization ID

Any custom labels you configure are merged with these defaults.

Tips

  • Labels help you filter and query logs efficiently in Grafana. Keep cardinality low.
  • Ensure your credentials have permission to push logs to the correct tenant.
  • Test connectivity by running a curl to your Loki endpoint before configuring.

Coralogix

Stream audit logs to Coralogix for full-stack observability.

Prerequisites

  1. A Coralogix account with a Send-Your-Data API key (found under Settings → Send Your Data in the Coralogix dashboard).
  2. Know which Coralogix region/domain your account is hosted on.
  3. Network egress allowed to ingress.<your-domain> on port 443.

Configuration fields

  • Send-Your-Data API Key (required): Your Coralogix ingestion API key.
  • Domain (required): Your Coralogix region. Available options:
    • us1.coralogix.com (US1)
    • us2.coralogix.com (US2)
    • eu1.coralogix.com (EU1)
    • eu2.coralogix.com (EU2)
    • ap1.coralogix.com (AP1)
    • ap2.coralogix.com (AP2)
    • ap3.coralogix.com (AP3)
  • Application Name (optional): Application name in Coralogix. Defaults to mcp-s.
  • Subsystem Name (optional): Subsystem name in Coralogix. Defaults to audit-logs.
  • Anonymous Mode (optional): Toggle to send only statistical data (see Anonymous Mode).

How it works

Logs are sent to https://ingress.<domain>/logs/v1/singles as JSON with severity level 3 (info). The API key is passed as a Bearer token in the Authorization header.

Tips

  • Use Application Name and Subsystem Name to organize logs in the Coralogix dashboard.
  • Set up Coralogix alerts on audit log actions for real-time notifications.
  • The request timeout is 5 seconds — ensure low-latency connectivity to your chosen region.

CrowdStrike (Falcon LogScale / NG-SIEM)

Forward audit logs to CrowdStrike Falcon LogScale (Humio) or NG-SIEM via the Splunk-HEC-compatible ingest endpoint.

Prerequisites

  1. A LogScale repository or NG-SIEM tenant with HEC ingest enabled.
  2. An ingest token (HEC token) with permission to write to the target repository.
  3. Network egress allowed from your deployment to the ingest URL on port 443.

Configuration fields

  • Ingest URL (required): The Falcon LogScale / NG-SIEM base URL (e.g., https://cloud.community.humio.com). The /services/collector path is appended automatically; do not include it.
  • Ingest Token (required): Your LogScale/NG-SIEM ingest (HEC) token. Sent as a Bearer token.
  • Anonymous Mode (optional): Toggle to send only statistical data (see Anonymous Mode).

How it works

Each audit log is POSTed to <url>/services/collector as a Splunk-HEC-compatible JSON event with sourcetype set to audit_log and source set to audit-logs. The action and org_id are also sent as indexed fields. The API key is passed as a Bearer token in the Authorization header. The request timeout is 5 seconds.

Tips

  • LogScale's HEC endpoint is Splunk-compatible, so the token must be a LogScale ingest token (not a search/API token).
  • Use a dedicated repository to isolate audit logs and apply retention policies.
  • Verify connectivity with a curl to <url>/services/collector before configuring.
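A pre-flight check for the two HEC-style sinks on this page (Splunk and CrowdStrike Falcon LogScale / NG-SIEM), added here as an example and not part of the product's own code: it builds one test event in the envelope described above (sourcetype audit_log, source audit-logs, action and org_id as indexed fields) and POSTs it to /services/collector so a wrong token, blocked egress or an untrusted CA shows up before the provider is saved. Assumptions: /services/collector is the standard HEC path, Splunk expects the "Splunk <token>" authorization scheme while LogScale accepts "Bearer <token>", and the event body itself is constructed.

```python
import json
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

# Assumption: Splunk authenticates HEC requests with "Authorization: Splunk <token>",
# while LogScale/NG-SIEM accepts "Authorization: Bearer <token>" as the page states.
AUTH_SCHEME = {"splunk": "Splunk", "logscale": "Bearer"}


def hec_event(action, org_id, index=None):
    """One Splunk-HEC-compatible test event in the envelope described above:
    sourcetype audit_log, source audit-logs, action and org_id as indexed fields."""
    event = {
        "event": {"action": action, "org_id": org_id, "preflight": True},  # constructed body
        "sourcetype": "audit_log",
        "source": "audit-logs",
        "fields": {"action": action, "org_id": org_id},
    }
    if index:                       # Splunk only; the page's default index is mcp-s
        event["index"] = index
    return event


def collector_url(backend, host, port=8088):
    """Splunk: https://<host>:<port>; LogScale: the base URL. /services/collector is the
    standard HEC path, which the product appends for you and this check appends itself."""
    base = f"https://{host}:{port}" if backend == "splunk" else host.rstrip("/")
    return base + "/services/collector"


def send_test_event(backend, host, token, org_id, port=8088, index=None, cafile=None):
    """POST the test event; return (HTTP status or None, response text or error reason).
    `cafile` lets you trust a private CA instead of disabling verification."""
    body = json.dumps(hec_event("preflight", org_id, index)).encode()
    req = urllib.request.Request(
        collector_url(backend, host, port), data=body, method="POST",
        headers={"Authorization": f"{AUTH_SCHEME[backend]} {token}",
                 "Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, timeout=5, context=ctx) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except HTTPError as e:          # 401/403 usually means a wrong or disabled token
        return e.code, e.read().decode(errors="replace")
    except URLError as e:           # DNS, egress/firewall or TLS trust failure
        return None, str(e.reason)
```

A 2xx from send_test_event means the token and route work; a 4xx with a body names the cause (invalid token, missing index), and None means the request never reached the collector.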

Webhook

Send audit logs to any HTTP endpoint for custom processing.

Prerequisites

  1. An HTTP(S) endpoint that accepts POST requests with JSON payloads.
  2. Network connectivity from your deployment to the webhook URL.

Configuration fields

  • URL (required): The full webhook URL (e.g., https://api.example.com/logs).
  • Anonymous Mode (optional): Toggle to send only statistical data (see Anonymous Mode).

How it works

Each audit log is sent as a POST request with the following JSON structure:

{
  "timestamp": "2024-01-15T10:30:00.000Z",
  "type": "audit_log",
  "data": { ... }
}

The Content-Type header is set to application/json. The request timeout is 5 seconds.

Tips

  • Implement idempotency on your receiver to handle potential retries.
  • Add authentication on your endpoint (e.g., verify a shared secret in headers).
  • Use this for custom pipelines, SIEM integrations, or forwarding to collectors not natively supported.
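A receiver for the webhook payload described above that applies the three tips (authenticate the sender, accept only the documented shape, stay idempotent across retries), added here as an example and not code from the product. Assumptions not stated on the page: the sender signs the raw body with HMAC-SHA256 over a shared secret and puts the hex digest in an X-Signature header; the sample delivery is constructed.

```python
import hashlib
import hmac
import json

# Assumptions (not specified by the page): the sender signs the raw body with a shared
# secret using HMAC-SHA256 and places the hex digest in an X-Signature header.
SHARED_SECRET = b"replace-me-with-a-long-random-secret"
SIGNATURE_HEADER = "x-signature"


def sign(secret, raw_body):
    """Hex HMAC-SHA256 of the raw body; the sender side of the shared-secret check."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_webhook(headers, raw_body, seen):
    """Validate one delivery and return (http_status, reason). `seen` holds idempotency
    keys already processed: a redelivery is acknowledged (200) but not processed twice."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if not hdrs.get("content-type", "").startswith("application/json"):
        return 415, "expected application/json"
    # Authenticate before parsing so unauthenticated bodies never reach the JSON parser.
    provided = hdrs.get(SIGNATURE_HEADER, "").strip().lower().encode()
    if not hmac.compare_digest(sign(SHARED_SECRET, raw_body).encode(), provided):
        return 401, "bad signature"
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400, "invalid json"
    if (event.get("type") != "audit_log" or "timestamp" not in event
            or not isinstance(event.get("data"), dict)):
        return 400, "unexpected payload shape"
    # Idempotency key: same timestamp and same data means the same event redelivered.
    key = hashlib.sha256(
        (event["timestamp"] + json.dumps(event["data"], sort_keys=True)).encode()
    ).hexdigest()
    if key in seen:
        return 200, "duplicate ignored"
    seen.add(key)
    return 202, "accepted"


# Constructed sample delivery in the documented shape (not a real audit log).
SAMPLE_BODY = json.dumps({
    "timestamp": "2024-01-15T10:30:00.000Z",
    "type": "audit_log",
    "data": {"action": "example.action", "org_id": "org-123"},
}).encode()
SAMPLE_HEADERS = {"Content-Type": "application/json",
                  "X-Signature": sign(SHARED_SECRET, SAMPLE_BODY)}
```

Returning 200 for a duplicate (rather than an error) is what stops a retrying sender from redelivering the same event indefinitely.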

Anonymous Mode

Available on all providers. When enabled, only aggregated/statistical data is forwarded — sensitive fields (such as request data and user details) are excluded from the payload.

Use this if you need basic operational telemetry without exposing PII.

Tip: Combine Anonymous Mode with provider-side redaction rules for defense in depth.


Best practices

  • Use least-privilege credentials for any outbound log sink.
  • Add provider-side retention and lifecycle rules to control storage costs.
  • Tag logs with env (e.g., production, staging) to separate flows.
  • Validate network egress/firewall rules from your deployment to the provider.
  • Test provider connectivity before relying on it for compliance.
  • Use Anonymous Mode when forwarding to less-trusted or shared environments.

Troubleshooting

  • No logs appearing:
    • Verify provider credentials/URL, and that outbound egress is allowed.
    • For Splunk, check HEC status and token permissions.
    • For Loki, confirm tenant/auth and that labels are not over-constraining queries.
    • For Coralogix, verify the API key and that the correct domain/region is selected.
    • For CrowdStrike, verify the ingest token is a LogScale/NG-SIEM ingest token and the URL omits the /services/collector path.
    • For Webhook, confirm your endpoint returns a 2xx status code.
  • Errors in UI when saving:
    • Ensure all required fields are filled for the selected provider.
    • Check that URLs include the protocol (https://).
  • Timeout errors:
    • Webhook and Coralogix requests time out after 5 seconds. Ensure your endpoint or region is reachable with low latency.

See also: Monitor Logs (read-only viewing and searches).