Ship audit to S3

Problem: you want a durable copy of audit.jsonl in S3.

Solution: add an s3 audit sink. mcpgw keeps writing the local JSONL file first, then asynchronously uploads batches to S3.

Prerequisites

  • An S3 bucket.
  • AWS credentials available to the mcpgw process through the AWS SDK default credential chain.
  • IAM permission to put objects in the bucket.
  • If object_lock: true, the bucket must have S3 Object Lock enabled.

Recipe

audit:
  path: /var/log/mcpgw/audit.jsonl
  max_size_mb: 100
  compress_rotated: true
  sinks:
    - type: s3
      bucket: acme-mcpgw-audit
      region: us-east-1
      prefix: prod/
      flush_interval: 60s
      flush_batch_lines: 10000
      flush_batch_bytes: 5000000
      compress: true
      object_lock: true
      retention_days: 2555

Reload with SIGHUP:

docker kill --signal=HUP mcpgw

Uploaded object keys include the prefix, UTC date/hour partitions, and a random id:

prod/2026/05/07/14/6f4f1f80-3d5a-47cf-a07a-fef16a8b4f1d.jsonl.gz

Notes

  • The local audit file remains canonical.
  • Sink failures do not block MCP requests.
  • compress: true writes gzip objects with content type application/gzip.
  • object_lock: true sends governance-mode retention headers using retention_days.
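
Because sink failures do not block requests, it is worth checking after the fact that uploaded objects look the way the recipe says they should. The following is an added example, not mcpgw code: it checks key layout, gzip content type and governance-mode retention on records that use S3 HeadObject field names plus "Key". It assumes the random id is UUID-shaped as in the sample key and that the retain-until date is the upload time plus retention_days; the sample records are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Key layout from the page: <prefix>YYYY/MM/DD/HH/<random id>.jsonl[.gz]
# Assumption: the random id is UUID-shaped, as in the page's sample key.
KEY_RE = re.compile(
    r"^(?P<prefix>.*?)(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/(?P<h>\d{2})/"
    r"(?P<id>[0-9a-f-]{36})\.jsonl(?P<gz>\.gz)?$"
)

def check_object(rec, prefix="prod/", retention_days=2555, compress=True):
    """Return a list of findings for one uploaded object; empty means OK."""
    findings = []
    m = KEY_RE.match(rec["Key"])
    if not m or m["prefix"] != prefix:
        return ["key does not match <prefix>YYYY/MM/DD/HH/<id>.jsonl[.gz]"]
    try:
        datetime(int(m["y"]), int(m["m"]), int(m["d"]), int(m["h"]), tzinfo=timezone.utc)
    except ValueError:
        findings.append("partition is not a valid UTC date/hour")
    if compress and (not m["gz"] or rec.get("ContentType") != "application/gzip"):
        findings.append("expected gzip object with content type application/gzip")
    if rec.get("ObjectLockMode") != "GOVERNANCE":
        findings.append("object is not under governance-mode retention")
    else:
        # Assumption: retain-until = upload time + retention_days (1h slack).
        want = rec["LastModified"] + timedelta(days=retention_days) - timedelta(hours=1)
        until = rec.get("ObjectLockRetainUntilDate")
        if until is None or until < want:
            findings.append("retain-until date is shorter than retention_days")
    return findings

# Constructed sample records (not real bucket contents).
UP = datetime(2026, 5, 7, 14, 3, tzinfo=timezone.utc)
SAMPLE = [
    {"Key": "prod/2026/05/07/14/6f4f1f80-3d5a-47cf-a07a-fef16a8b4f1d.jsonl.gz",
     "ContentType": "application/gzip", "LastModified": UP,
     "ObjectLockMode": "GOVERNANCE",
     "ObjectLockRetainUntilDate": UP + timedelta(days=2555)},
    {"Key": "prod/2026/05/07/15/0b9c2a4e-1111-4222-8333-444455556666.jsonl.gz",
     "ContentType": "application/gzip", "LastModified": UP},  # no lock metadata
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["Key"], check_object(rec) or "OK")
```

An object that reports no governance-mode retention while object_lock: true is configured is the case to investigate first, starting with whether the bucket has S3 Object Lock enabled.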