Ship audit to GCS

Problem: you want a durable copy of audit.jsonl outside the gateway host.

Solution: add a gcs audit sink. mcpgw keeps writing the local JSONL file first, then asynchronously uploads batches to GCS.

Prerequisites

  • A GCS bucket.
  • Application Default Credentials available to the mcpgw process.
  • IAM permission to create objects in the bucket, such as roles/storage.objectCreator.

For tamper-evidence, configure a bucket retention policy and lock it with GCS Bucket Lock.

Recipe

audit:
  path: /var/log/mcpgw/audit.jsonl
  max_size_mb: 100
  compress_rotated: true
  sinks:
    - type: gcs
      bucket: acme-mcpgw-audit
      prefix: prod/
      flush_interval: 60s
      flush_batch_lines: 10000
      flush_batch_bytes: 5000000
      compress: true

Reload with SIGHUP:

docker kill --signal=HUP mcpgw

Uploaded object names include the prefix, UTC date/hour partitions, and a random id:

prod/2026/05/07/14/6f4f1f80-3d5a-47cf-a07a-fef16a8b4f1d.jsonl.gz

Notes

  • The local audit file remains canonical.
  • Sink failures do not block MCP requests.
  • compress: true writes gzip objects with content type application/gzip.
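
Because the local file stays canonical and uploads are asynchronous, a periodic reconciliation shows how far the bucket lags behind and whether anything unexpected sits under the prefix. The following is an added example, not mcpgw's own code: it assumes batches have already been downloaded, that each batch carries the local file's JSONL lines byte-for-byte, and the function names and sample records are hypothetical.

```python
import gzip
import hashlib
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Layout from the page's sample name: <prefix>YYYY/MM/DD/HH/<uuid>.jsonl.gz
REST_RE = re.compile(
    r"^(\d{4})/(\d{2})/(\d{2})/(\d{2})/"
    r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.jsonl\.gz$")

def partition_hour(name, prefix):
    """UTC hour partition encoded in an object name, or None if the name is off-layout."""
    m = REST_RE.match(name[len(prefix):]) if name.startswith(prefix) else None
    try:
        return datetime(*map(int, m.groups()), tzinfo=timezone.utc) if m else None
    except ValueError:  # e.g. month 13 or hour 24
        return None

def line_digests(blob):
    """Count SHA-256 digests of non-empty JSONL lines; raises if a line is not valid JSON."""
    counts = Counter()
    for line in blob.splitlines():
        if line.strip():
            json.loads(line)
            counts[hashlib.sha256(line).hexdigest()] += 1
    return counts

def reconcile(local_blob, objects, prefix):
    """Compare the canonical local file with downloaded batches ({object name: bytes})."""
    uploaded, off_layout = Counter(), []
    for name, body in sorted(objects.items()):
        if partition_hour(name, prefix) is None:
            off_layout.append(name)  # not a batch in the documented layout
            continue
        uploaded += line_digests(gzip.decompress(body))
    local = line_digests(local_blob)
    return {"not_uploaded": sum((local - uploaded).values()),
            "not_in_local": sum((uploaded - local).values()), "off_layout": off_layout}

# Constructed sample data: four local records, two uploaded batches, one stray object.
RECS = [json.dumps({"seq": i, "tool": "search"}).encode() for i in range(4)]
LOCAL = b"\n".join(RECS) + b"\n"
OBJECTS = {
    "prod/2026/05/07/14/6f4f1f80-3d5a-47cf-a07a-fef16a8b4f1d.jsonl.gz": gzip.compress(b"\n".join(RECS[:2])),
    "prod/2026/05/07/15/0b0e7c1a-1111-4222-8333-444455556666.jsonl.gz": gzip.compress(RECS[2] + b"\n"),
    "prod/tmp/notes.txt": b"not an audit batch",
}
```

Calling `reconcile(LOCAL, OBJECTS, "prod/")` on the sample reports one line not yet uploaded and one off-layout object. A non-zero `not_in_local` means the bucket holds records the local file does not, which is worth investigating on either side.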