> ## Documentation Index
> Fetch the complete documentation index at: https://docs.golf.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Export Logs to Elasticsearch

> Configure Elasticsearch audit log export for search and analytics.

Configure Elasticsearch export to send audit logs to your Elasticsearch cluster for search, analytics, and long-term retention.

## Prerequisites

* Golf Gateway deployed and running
* Elasticsearch cluster (self-hosted or Elastic Cloud)
* API key with write permissions - See [Create API keys](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html) in Elastic documentation

Required API key privileges on `golf-gateway-*` indices:

* `write`
* `create_index`
* `manage`

## Configure Elasticsearch export

<Tabs>
  <Tab title="YAML">
    **Self-Hosted Elasticsearch:**

    ```yaml theme={null}
    exporters:
      elasticsearch:
        - name: primary-es
          enabled: true
          url: https://elasticsearch.example.com:9200
          api_key: ${ELASTICSEARCH_API_KEY}
          index_prefix: golf-gateway
    ```

    **Elastic Cloud:**

    ```yaml theme={null}
    exporters:
      elasticsearch:
        - name: cloud-es
          enabled: true
          cloud_id: ${ELASTIC_CLOUD_ID}
          api_key: ${ELASTIC_CLOUD_API_KEY}
          index_prefix: golf-gateway
    ```
  </Tab>

  <Tab title="Admin Portal">
    1. Go to **Connections** > **Add Connection**
    2. Select **Elasticsearch**
    3. Choose deployment type (Self-hosted or Elastic Cloud)
    4. Enter connection details
    5. Click **Test Connection**
    6. Click **Save**
  </Tab>
</Tabs>

## Index naming

Golf Gateway creates daily indices with the pattern:

```
{index_prefix}-YYYY.MM.DD
```

Example: `golf-gateway-2026.01.08`

## Index mapping

The index mapping is created automatically with these key fields:

| Field                   | Type    | Description                              |
| ----------------------- | ------- | ---------------------------------------- |
| `timestamp`             | date    | Event timestamp                          |
| `event_type`            | keyword | Event type (request, response, security) |
| `session_id`            | keyword | MCP session identifier                   |
| `security.threat_score` | float   | Threat detection score                   |
| `security.blocked`      | boolean | Whether request was blocked              |
| `mcp_method`            | keyword | MCP method called                        |
| `mcp_tool_name`         | keyword | Tool name (for tool calls)               |

## Verify export is working

1. Check gateway health:
   ```bash theme={null}
   curl http://localhost:8080/health
   # Should show export adapter status
   ```

2. Generate some traffic, then search in Kibana:
   ```
   GET golf-gateway-*/_search
   {
     "query": { "match_all": {} },
     "size": 10
   }
   ```

## Troubleshooting

* **Connection refused**: Verify Elasticsearch URL and network connectivity
* **401 Unauthorized**: Check API key has correct permissions
* **Index not created**: Verify API key has `create_index` privilege

## Related guides

* [Export Logs to OpenTelemetry](/gateway/guides/audit-trail/export-to-opentelemetry) - OTLP export
* [Set Up Metrics and Monitoring](/gateway/guides/operations/setup-monitoring) - Health monitoring