Export to SIEM

MintMCP exports activity logs to your SIEM or observability platform in real time using the OpenTelemetry Logs protocol (OTLP/HTTP). Tool invocations, prompt submissions, and gateway requests are captured and forwarded to any OTLP-compatible endpoint.

What gets exported

MintMCP exports logs from two sources:

Source	What's captured	When
Agent Monitor	Tool calls from Claude Code, Cursor, and other agents	Before each tool executes (via hooks)
Agent Monitor	Prompt submissions from Claude Code and Cursor	Before the prompt is sent to the model
MCP Gateway	Tool calls routed through the gateway	After each request completes

Each source produces OTLP log records with its own schema, described below.

Configure the export

Via the UI

1. Go to Enterprise in the sidebar
2. Under OTLP Export, enter your collector endpoint URL
3. Add any required headers (e.g., API keys or authorization tokens). Header values will be encrypted.
4. Enable the export

Log record schemas

Agent Monitor: tool call logs

Each log record contains one or more tool calls that were intercepted by the agent hook.

Attributes:

Attribute	Type	Description
org.id	string	Organization ID
event.id	string	Unique event ID (ULID)
user.id	string	User who triggered the tool call
matched_rules	string[]	IDs of any Agent Monitor rules that matched (omitted if none)

Body — an array of tool call objects, each containing:

{
  "toolUseId": "toolu_abc123",
  "tool": {
    "type": "mcp",
    "mcp": { "type": "remote", "url": "https://mcp.example.com" },
    "name": "query_database"
  },
  "input": { "sql": "SELECT * FROM users LIMIT 10" },
  "matchedRules": ["rule_block_pii_queries"]
}

The tool field identifies what was called:

Tool type	Fields	Example
Agent built-in	type: "agent", agent, name	Claude Code's Bash tool
Remote MCP	type: "mcp", mcp.type: "remote", mcp.url, name	A MintMCP gateway tool
Local stdio MCP	type: "mcp", mcp.type: "stdio", mcp.command, name	A locally-running MCP server

Agent Monitor: prompt submission logs

Each log record represents a prompt submitted by a user in Claude Code or Cursor, captured before the prompt is sent to the model.

Attributes:

Attribute	Type	Description
org.id	string	Organization ID
event.id	string	Unique event ID (ULID)
event.type	string	Always prompt_submit
event.provider	string	Agent that submitted the prompt (claudecode or cursor)
user.id	string	User who submitted the prompt
matched_rules	string[]	IDs of any Agent Monitor rules that matched (omitted if none)

Body:

{
  "prompt": "Deploy the latest changes to staging",
  "truncated": false,
  "decision": "allow",
  "sessionId": "session-abc123"
}

Field	Type	Description
prompt	string	The prompt text (truncated to 1024 characters, secrets redacted)
truncated	boolean	Whether the prompt was truncated
decision	string	allow or deny
decisionReason	string	Why the prompt was denied (only present when decision is deny)
sessionId	string	Session or conversation ID

MCP Gateway logs

Each log record represents one completed request through the gateway.

Attributes:

Attribute	Type	Description
endpoint.id	string	The MCP endpoint that handled the request
jsonrpc.method	string	JSON-RPC method (e.g., tools/call, tools/list)
tool.name	string	Tool that was called (for tools/call requests)
status	string	Result status (see below)
duration_ms	number	Request handling time in milliseconds

Status values:

Status	Meaning
jsonRpcSuccess	Tool call completed successfully
jsonRpcError	Tool call returned an error
http202	Request accepted (streaming)
http400	Bad request
http401	Unauthorized
http403	Forbidden

Body:

{
  "message": "MCP request completed",
  "tool.arguments": "{\"sql\": \"SELECT * FROM users LIMIT 10\"}"
}

The body is truncated to 16 KB to keep export volume bounded. Failed requests use "MCP request failed" as the message and set severity to WARN.

Related

• Agent Monitor overview: How hooks capture agent activity
• Agent Monitor rules: Create rules that match and block tool calls
• Authentication models: How user identity flows through logs