Add vMCP audit logging documentation #497

Merged: yrobla merged 2 commits into main from issue-488 on Feb 3, 2026

yrobla commented Feb 2, 2026

Description

Add comprehensive documentation for Virtual MCP Server (vMCP) audit logging capabilities.
This guide helps enterprise security teams understand and configure audit logging to meet
compliance requirements (NIST SP 800-53) and maintain operational visibility into MCP
operations.

The documentation covers:

  • MCP protocol and composite workflow event types
  • Configuration options for enabling, filtering, and controlling audit logs
  • Structured JSON audit log format with complete field descriptions
  • User identity extraction from OIDC authentication tokens
  • Output destinations (stdout, file-based, and external log aggregators)
  • Configuration patterns for different use cases (security compliance, performance
    optimization, debugging)
  • Query examples using kubectl and jq
  • Integration guides

Type of change

  • New documentation

Related issues/PRs

Closes #488

Related implementation: stacklok/toolhive#2850

Screenshots

N/A - Text-based documentation

Submitter checklist

Content and formatting

  • I have reviewed the content for technical accuracy
  • I have reviewed the content for spelling, grammar, and style

Navigation

  • New pages include a frontmatter section with title and description at a minimum
  • Sidebar navigation (sidebars.ts) updated for added, deleted, reordered, or renamed
    files
  • Redirects added to vercel.json for moved, renamed, or deleted pages (i.e., if the
    URL slug changed)

Reviewer checklist

Content

  • I have reviewed the content for technical accuracy
  • I have reviewed the content for spelling, grammar, and style

Copilot AI review requested due to automatic review settings February 2, 2026 08:58

vercel bot commented Feb 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
docs-website | Ready | Preview, Comment | Feb 3, 2026 9:58am

Copilot AI left a comment

Pull request overview

This PR adds comprehensive documentation for Virtual MCP Server (vMCP) audit logging capabilities to help enterprise security teams configure and use audit logging for compliance and operational visibility.

Changes:

  • Added new audit logging guide (docs/toolhive/guides-vmcp/audit-logging.mdx) covering MCP protocol event types, composite workflow operations, configuration options, log format, user identity extraction, output destinations, and integration with external logging systems
  • Updated sidebar navigation (sidebars.ts) to include the new audit logging guide in the vMCP guides section

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.

File | Description
sidebars.ts | Added audit-logging guide to vMCP guides section navigation
docs/toolhive/guides-vmcp/audit-logging.mdx | New comprehensive guide documenting vMCP audit logging features including event types, configuration, JSON log format, query examples, and integrations with Splunk, Elasticsearch, and AWS CloudWatch
Comments suppressed due to low confidence (3)

docs/toolhive/guides-vmcp/audit-logging.mdx:493

  • The Splunk and AWS CloudWatch sidecar examples reference an audit-logs volume and mount path /var/log/audit without showing the complete VirtualMCPServer configuration that includes the volume definition and the logFile: /var/log/audit/vmcp.log setting. These examples should either:
  1. Show the complete configuration including the volumes and logFile setting (similar to lines 308-330), or
  2. Add a note indicating these examples assume file-based logging is configured with the audit-logs volume mounted.

Without this context, readers might be confused about where the audit logs come from since the default is stdout, not file-based logging.

events and route them to your observability backend.

For detailed configuration examples and best practices for setting up log
collection with Fluentd, Filebeat, Splunk, and other systems, see the
[Kubernetes logging guide](../guides-k8s/logging.mdx#set-up-log-collection).

## Related information

- [Authentication](./authentication.mdx) - Configure client and backend
  authentication for user identity in audit logs
- [Telemetry and metrics](./telemetry-and-metrics.mdx) - Monitor vMCP
  performance with OpenTelemetry
- [Observability concepts](../concepts/observability.mdx) - Overview of
  ToolHive's observability architecture
- [Kubernetes logging guide](../guides-k8s/logging.mdx) - Configure logging for
  MCP servers in Kubernetes

docs/toolhive/guides-vmcp/audit-logging.mdx:475

  • The Fluent Bit configuration example will send all stdout/stderr logs from vMCP pods to the elasticsearch vmcp-audit index, not just audit logs. Consider adding a filter to only forward audit logs, similar to the pattern in guides-k8s/logging.mdx (lines 320-337). For example, add a FILTER section that checks for the presence of metadata.auditId or add a comment noting that this basic example would forward all logs and should be enhanced with filtering in production.

docs/toolhive/guides-vmcp/audit-logging.mdx:488

  • The Fluent Bit sidecar example uses the amazon/aws-for-fluent-bit:latest image tag, which is a mutable reference and introduces supply chain risk because the pulled image can change over time without review, despite having permissions to write logs to CloudWatch. Pin this image to a specific version or image digest so that only vetted images are deployed and updates happen under controlled change management.
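
Added example (not part of the PR, the review, or the ToolHive documentation): the check suggested in the comment on audit-logging.mdx:475, keeping only stdout lines that parse as JSON objects carrying a non-empty metadata.auditId. The sample lines are constructed, and every field name other than metadata.auditId is an assumption.

```python
import json


def audit_id(line):
    """Return metadata.auditId if the line is a JSON audit record, else None."""
    try:
        record = json.loads(line)
    except (json.JSONDecodeError, TypeError):
        return None  # plain-text operational log line
    if not isinstance(record, dict):
        return None  # valid JSON, but not an object
    metadata = record.get("metadata")
    if not isinstance(metadata, dict):
        return None  # "metadata" missing or not a nested object
    value = metadata.get("auditId")
    return value if isinstance(value, str) and value else None


def route(lines):
    """Split a mixed stdout stream into (audit_records, everything_else)."""
    audit, other = [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        (audit if audit_id(line) else other).append(line)
    return audit, other


# Constructed sample stream. Only metadata.auditId comes from the review
# comment; every other field name and value here is hypothetical.
SAMPLE_STDOUT = [
    '{"type": "mcp_tool_call", "outcome": "success", "metadata": {"auditId": "a1b2c3"}}',
    '{"level": "info", "msg": "backend health check passed"}',
    'plain text startup banner',
    '{"metadata": {"auditId": ""}}',
    '{"metadata": "auditId"}',
    '["metadata", "auditId"]',
    '{"type": "mcp_initialize", "metadata": {"auditId": "d4e5f6"}}',
]

if __name__ == "__main__":
    audit, other = route(SAMPLE_STDOUT)
    print(f"forward to audit index: {len(audit)}, keep out of it: {len(other)}")
    for line in audit:
        print("  audit:", audit_id(line))
```

Lines that mention auditId without the expected nesting, or with an empty value, stay out of the audit index along with ordinary operational logs.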

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

  Document the audit logging capabilities of Virtual MCP Server to help
  enterprise security teams meet compliance requirements and maintain
  operational visibility.

  This guide covers:
  - MCP protocol and composite workflow event types
  - Configuration options for enabling and filtering audit logs
  - Structured JSON audit log format with field descriptions
  - User identity extraction from OIDC authentication tokens
  - Output destinations (stdout, file, external log aggregators)
  - Configuration patterns for security compliance and performance
  - Query examples and integration

Closes: #488

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

yrobla merged commit 26ae41f into main Feb 3, 2026
10 checks passed
yrobla deleted the issue-488 branch February 3, 2026 13:57

Successfully merging this pull request may close these issues.

[Gap]: Document vMCP audit logging
