Configure Elasticsearch export to send audit logs to your Elasticsearch cluster for search, analytics, and long-term retention.

Prerequisites

  • Golf Gateway deployed and running
  • Elasticsearch cluster (self-hosted or Elastic Cloud)
  • API key with write permissions (see "Create API keys" in the Elastic documentation)

Required API key privileges on golf-gateway-* indices:
  • write
  • create_index
  • manage

Configure Elasticsearch export

Self-Hosted Elasticsearch:

exporters:
  elasticsearch:
    - name: primary-es
      enabled: true
      url: https://elasticsearch.example.com:9200
      api_key: ${ELASTICSEARCH_API_KEY}
      index_prefix: golf-gateway

Elastic Cloud:

exporters:
  elasticsearch:
    - name: cloud-es
      enabled: true
      cloud_id: ${ELASTIC_CLOUD_ID}
      api_key: ${ELASTIC_CLOUD_API_KEY}
      index_prefix: golf-gateway

Index naming

Golf Gateway creates daily indices with the pattern:
{index_prefix}-YYYY.MM.DD
Example: golf-gateway-2026.01.08

Index mapping

The index mapping is created automatically with these key fields:
Field                  Type      Description
timestamp              date      Event timestamp
event_type             keyword   Event type (request, response, security)
session_id             keyword   MCP session identifier
security.threat_score  float     Threat detection score
security.blocked       boolean   Whether the request was blocked
mcp_method             keyword   MCP method called
mcp_tool_name          keyword   Tool name (for tool calls)

Verify export is working

  1. Check gateway health:

    curl http://localhost:8080/health
    # Should show export adapter status

  2. Generate some traffic, then search in Kibana:

    GET golf-gateway-*/_search
    {
      "query": { "match_all": {} },
      "size": 10
    }

Troubleshooting

  • Connection refused: Verify the Elasticsearch URL and network connectivity
  • 401 Unauthorized: Check that the API key is valid and has the required privileges
  • Index not created: Verify the API key has the create_index privilege on golf-gateway-*
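As an added example (not part of this page or the Golf Gateway project), the following Python script reproduces the checks behind the Prerequisites, Index naming and Troubleshooting sections: it expands the ${...} placeholders used in the exporter config, computes the daily index name, and reads an Elasticsearch _has_privileges response to report which of the write, create_index and manage privileges a key lacks on golf-gateway-*. SAMPLE_RESPONSE is a constructed response, and check_api_key assumes the cluster is reachable over HTTPS and accepts the key with the ApiKey authorization scheme.

```python
import json
import re
import urllib.request
from datetime import datetime

# Privileges this page requires on the golf-gateway-* indices.
REQUIRED_PRIVILEGES = ("write", "create_index", "manage")


def daily_index_name(index_prefix: str, when: datetime) -> str:
    """Index the gateway writes to on a given day: {index_prefix}-YYYY.MM.DD."""
    return f"{index_prefix}-{when.strftime('%Y.%m.%d')}"


def resolve_env(value: str, env: dict) -> str:
    """Expand ${VAR} placeholders as used in the exporter YAML; fail if a secret is unset."""
    def lookup(match):
        name = match.group(1)
        if name not in env:
            raise KeyError(f"environment variable {name} is not set")
        return env[name]
    return re.sub(r"\$\{([A-Za-z0-9_]+)\}", lookup, value)


def has_privileges_body(index_prefix: str) -> dict:
    """Body for POST /_security/user/_has_privileges, scoped to the gateway's index pattern."""
    return {"index": [{"names": [f"{index_prefix}-*"],
                       "privileges": list(REQUIRED_PRIVILEGES)}]}


def missing_privileges(index_prefix: str, response: dict) -> list:
    """Required privileges the _has_privileges response reports as NOT granted."""
    granted = response.get("index", {}).get(f"{index_prefix}-*", {})
    return [p for p in REQUIRED_PRIVILEGES if not granted.get(p, False)]


def check_api_key(url: str, api_key: str, index_prefix: str) -> list:
    """Ask the cluster which required privileges the key lacks (needs network access)."""
    req = urllib.request.Request(
        f"{url.rstrip('/')}/_security/user/_has_privileges",
        data=json.dumps(has_privileges_body(index_prefix)).encode(),
        headers={"Authorization": f"ApiKey {api_key}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return missing_privileges(index_prefix, json.load(resp))


# Constructed sample response: the key can write and create indices but cannot manage them.
SAMPLE_RESPONSE = {"has_all_requested": False,
                   "index": {"golf-gateway-*": {"write": True, "create_index": True, "manage": False}}}
```

A key that is missing create_index matches the "Index not created" symptom above, while an unset environment variable surfaces as an empty api_key and a 401.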