Skip to main content
Stream Policy Gateway policy events to Elasticsearch or OpenSearch via the Bulk API.

Configure

In the console, add a connector with:
FieldValue
TypeElastic
URLhttps://<cluster>:9200
AuthAPI key or basic auth
Indexe.g. ai-audit or a data stream
CA cert (optional)For self-signed clusters

Event shape

Events are sent via _bulk as NDJSON:
{"index":{"_index":"ai-audit"}}
{"@timestamp":"2026-04-20T18:30:00Z","event_id":"3d14a2b8-...","event_type":"enforcement","policy_id":"support-bot","decision":"refuse","effective_decision":"allow","enforced":false,"rollout_mode":"shadow","reason_code":"REFUSE","policy_target":"chat.completions","project_id":"proj_support_bot","model":"abliterated-model","denylist_hits":["competitor-x"]}

Index template

Recommended mapping:
{
  "mappings": {
    "properties": {
      "@timestamp":           { "type": "date" },
      "event_id":             { "type": "keyword" },
      "event_type":           { "type": "keyword" },
      "policy_id":             { "type": "keyword" },
      "decision":              { "type": "keyword" },
      "effective_decision":    { "type": "keyword" },
      "enforced":              { "type": "boolean" },
      "rollout_mode":          { "type": "keyword" },
      "reason_code":           { "type": "keyword" },
      "policy_target":         { "type": "keyword" },
      "project_id":            { "type": "keyword" },
      "model":                 { "type": "keyword" },
      "triggered_categories":  { "type": "keyword" },
      "allowlist_hits":        { "type": "keyword" },
      "denylist_hits":         { "type": "keyword" }
    }
  }
}

Verify

GET ai-audit/_search
{ "query": { "term": { "decision": "refuse" } } }
See the full field list in connectors.