Ship audit to a SIEM webhook
Problem: you want audit lines copied to a SIEM or log intake HTTP endpoint.
Solution: add a webhook audit sink. mcpgw batches JSONL lines and sends them with application/x-ndjson.
Recipe
audit:
  path: /var/log/mcpgw/audit.jsonl
  max_size_mb: 100
  compress_rotated: true
  sinks:
    - type: webhook
      url: https://siem.acme.com/ingest
      method: POST
      headers:
        Authorization: "Bearer ${SIEM_TOKEN}"
      flush_interval: 30s
      flush_batch_lines: 1000
      flush_batch_bytes: 1000000
      retry:
        max_attempts: 5
        backoff: exponential
        initial_interval: 1s
        max_interval: 60s
Header values expand environment variables when config loads.
HTTP endpoints
Webhook URLs must use HTTPS. For local development only, set:
allow_insecure: true
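
A preflight check for the two rules above (header values expand environment variables at config load; webhook URLs must use HTTPS), added here as an example and not part of mcpgw. It assumes the sink is already parsed into a mapping, that allow_insecure sits on the sink entry, that "local development" means a loopback host, and that an unset variable should count as an error; the function name is hypothetical.

```python
import os
import re
from urllib.parse import urlsplit

VAR_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def lint_webhook_sink(sink, env=None):
    """Return a list of problems found in one parsed webhook sink mapping."""
    env = os.environ if env is None else env
    problems = []

    url = urlsplit(sink.get("url", ""))
    insecure_ok = sink.get("allow_insecure") is True  # assumed per-sink key
    if url.scheme == "http":
        if not insecure_ok:
            problems.append("url: plain HTTP without allow_insecure")
        elif url.hostname not in LOOPBACK:
            problems.append("url: allow_insecure used with a non-loopback host")
    elif url.scheme != "https":
        problems.append("url: scheme must be https")
    elif insecure_ok:
        problems.append("allow_insecure: still set on an HTTPS sink")
    if url.username or url.password:
        problems.append("url: credentials embedded in URL")

    for name, value in (sink.get("headers") or {}).items():
        refs = VAR_REF.findall(str(value))
        for var in refs:
            if not env.get(var):
                problems.append(f"headers.{name}: ${{{var}}} is unset or empty")
        # A credential header with no ${VAR} reference is a secret in the file.
        if name.lower() == "authorization" and not refs:
            problems.append(f"headers.{name}: literal credential in config")
    return problems


# Constructed sample: the recipe's sink as it would look after YAML parsing.
SAMPLE_SINK = {
    "type": "webhook",
    "url": "https://siem.acme.com/ingest",
    "headers": {"Authorization": "Bearer ${SIEM_TOKEN}"},
}

if __name__ == "__main__":
    for problem in lint_webhook_sink(SAMPLE_SINK):
        print(problem)
```

Run it in the same environment the gateway starts in, so the variables it sees are the ones the config load will see.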