fleetpkg-mcp is a Model Context Protocol (MCP) server that enables
LLMs to query metadata about Elastic Fleet integration packages.
It loads metadata from a local copy of the elastic/integrations repository
into a SQLite database and exposes query capabilities through the
Model Context Protocol.
- Indexes all Elastic Fleet packages (integration, input, and content) from your local
elastic/integrationsrepository - Creates a queryable SQLite database with comprehensive package metadata including fields, pipelines, transforms, variables, and test configurations
- Full-text search over package documentation, changelog entries, security detection rules, and ECS field definitions using SQLite FTS5 with porter stemming
- ECS field discovery and matching — search ~1990 ECS fields by concept or check field names against ECS to identify
external: ecscandidates - Exposes seven MCP tools: schema discovery, arbitrary SQL queries, doc search, changelog search, security rule search, ECS field search, and ECS field matching
- Periodic background refresh with optional
git pullto keep data current - Kubernetes-ready with
/healthzand/readyzhealth check endpoints
Requires Go. No install step needed — MCP clients run it directly with go run.
The Docker image includes git and automatically clones the integrations repository on first run. It listens on HTTP port 8080 and refreshes every 24 hours by default:
docker run -p 8080:8080 -v fleetpkg-data:/data \
-e FLEETPKG_MCP_REFRESH_INTERVAL=1h \
ghcr.io/andrewkroh/fleetpkg-mcp:latest| Variable | Description | Default |
|---|---|---|
FLEETPKG_MCP_REFRESH_INTERVAL |
Duration between automatic database refreshes (e.g., 1h, 30m, 24h). Set to empty string to disable. |
24h |
FLEETPKG_MCP_PPROF_ADDR |
Address for the pprof debug HTTP server (e.g., 0.0.0.0:6060). Disabled if empty. |
(disabled) |
The server requires a local checkout of the elastic/integrations repository.
claude mcp add --scope user fleetpkg -- go run github.com/andrewkroh/fleetpkg-mcp@latest -dir /path/to/integrations{
"mcpServers": {
"fleetpkg": {
"command": "go",
"args": [
"run",
"github.com/andrewkroh/fleetpkg-mcp@latest",
"-dir",
"/path/to/integrations"
]
}
}
}For HTTP-based clients, start the server separately then point your client at the URL:
go run github.com/andrewkroh/fleetpkg-mcp@latest -dir /path/to/integrations -http 127.0.0.1:8080| Tool | Description |
|---|---|
fleetpkg_get_sql_tables |
Returns the complete catalog of available tables and columns. Call this first. |
fleetpkg_execute_sql_query |
Executes an arbitrary read-only SQLite query. |
fleetpkg_search_docs |
Full-text search across package documentation. Supports FTS5 syntax: phrases, prefix matching, and boolean operators. |
fleetpkg_search_changelogs |
Full-text search across changelog entries. Same FTS5 syntax support. |
fleetpkg_search_security_rules |
Full-text search across security detection rules (title, description, query, setup, investigation notes). |
fleetpkg_search_ecs_fields |
Full-text search across ECS field definitions. Accepts plain keywords, dotted field names, or camelCase identifiers — automatically normalized for broad discovery. |
fleetpkg_match_ecs_fields |
Check whether field names exist in ECS. Returns each annotated with match status, data type, and description. |
| Flag | Description |
|---|---|
-dir <path> |
Path to your local checkout of the elastic/integrations repository |
| Flag | Description |
|---|---|
-http <address> |
Listen for HTTP connections at the specified address instead of using stdin/stdout (e.g., 127.0.0.1:8080) |
-pprof <address> |
Start a pprof debug HTTP server at the specified address (e.g., 127.0.0.1:6060) |
-git-pull |
Clone the repository if missing, or git pull --ff-only if it exists. Updates before each periodic refresh |
-refresh <duration> |
Periodically refresh the database (e.g., 1h, 30m). Falls back to FLEETPKG_MCP_REFRESH_INTERVAL env var |
-log-level <level> |
Log level: debug, info, warn, error (default: info) |
-no-log |
Disable all logging output |
-version |
Print version information and exit |
The database is built by go-package-spec/pkgsql, which reads packages using pkgreader and writes them into a self-documenting SQLite schema. For the complete schema, see schema.sql.
| Table | Description |
|---|---|
packages |
Core metadata (name, version, type, description, ownership) for integration, input, and content packages |
policy_templates |
Configuration templates with deployment modes (default, agentless) |
policy_template_inputs |
Inputs defined within policy templates |
policy_template_categories |
Categories assigned to policy templates |
policy_template_icons |
Icon definitions for policy templates |
policy_template_screenshots |
Screenshot definitions for policy templates |
data_streams |
Data streams with Elasticsearch and agent configuration |
streams |
Individual streams (inputs) within data streams |
agent_templates |
Agent Handlebars template files (.yml.hbs) with raw content |
fields |
Elasticsearch field definitions, flattened from nested YAML into dotted-path names with ECS resolution |
data_stream_fields |
Join table linking fields to data streams |
package_fields |
Join table linking fields to packages (for input packages) |
transform_fields |
Join table linking fields to transforms |
transforms |
Elasticsearch transform configurations with pivot, latest, source, and destination settings |
vars |
Input variable definitions with type, default value, and validation |
package_vars |
Join table linking vars to packages |
policy_template_vars |
Join table linking vars to policy templates |
policy_template_input_vars |
Join table linking vars to policy template inputs |
stream_vars |
Join table linking vars to streams |
ingest_pipelines |
Elasticsearch ingest pipeline definitions within data streams |
ingest_processors |
Individual processors flattened from pipelines, including nested on_failure handlers |
kibana_saved_objects |
Kibana saved objects (dashboards, visualizations, security rules, etc.) from the kibana/ directory |
kibana_references |
References between Kibana saved objects, enabling dependency graph queries |
security_rules |
Security detection rule attributes (query, severity, risk score, MITRE mappings) extracted from Kibana saved objects |
security_rule_index_patterns |
Elasticsearch index patterns monitored by security rules |
security_rule_tags |
Structured tags on security rules (Domain, OS, Tactic, Data Source) |
security_rule_threats |
MITRE ATT&CK tactic and technique mappings for security rules |
security_rule_related_integrations |
Integration packages related to security rules |
security_rule_required_fields |
Fields required by security rules |
security_rules_fts |
FTS5 full-text search index over security rule title, description, query, setup, and notes |
sample_events |
Example event data for data streams |
images |
Image file metadata (dimensions, size, SHA-256) from the img/ directory |
package_icons |
Icon definitions for packages |
package_screenshots |
Screenshot definitions for packages |
docs |
Documentation files (READMEs, guides, knowledge base articles) with optional content |
docs_fts |
FTS5 full-text search index over doc content |
changelogs |
Changelog versions with release dates (via git blame) |
changelog_entries |
Individual changelog entries with description, type, and link |
changelog_entries_fts |
FTS5 full-text search index over changelog descriptions |
package_categories |
Categories assigned to packages |
discovery_fields |
Package discovery capability metadata |
build_manifests |
Build configuration and ECS dependencies |
tags |
Kibana tags associated with packages |
deprecations |
Deprecation notices for packages, policy templates, inputs, data streams, and vars |
ecs_fields |
ECS (Elastic Common Schema) field definitions from the latest version (~1990 fields) with name, data type, description, and FTS5 search text |
ecs_fields_fts |
FTS5 full-text search index over ECS field names (tokenized) and descriptions |
routing_rules |
Routing rules for rerouting documents from a source dataset |
pipeline_tests |
Pipeline test cases for data streams |
system_tests |
System test cases for data streams and input packages |
static_tests |
Static test cases for data streams |
policy_tests |
Policy test cases for data streams and input packages |
Q: Use the fleetpkg tools to answer: What integrations configure a pivot type transform?
A: The following integrations configure a pivot type transform:
- aws_billing
- beaconing
- ded
- elasticsearch
- lmd
- pad
Q: Of those, which do not have an ingest node pipeline associated with the transform?
A: The integrations that configure a pivot type transform and do not have an ingest node pipeline associated with the transform are:
- lmd
- pad
Q: What github team owns those two integrations?
A: The
elastic/sec-applied-mlGitHub team owns both thelmdandpadintegrations.
Q: Use the fleetpkg tools to answer the following question. What integration data streams define a 'resource' field? And what are the data types of the fields?
A: The following integration data streams define a 'resource' field of type 'keyword':
- endace > flow
- network_traffic > amqp
- network_traffic > cassandra
- network_traffic > dhcpv4
- network_traffic > dns
- network_traffic > flow
- network_traffic > http
- network_traffic > icmp
- network_traffic > memcached
- network_traffic > mongodb
- network_traffic > mysql
- network_traffic > nfs
- network_traffic > pgsql
- network_traffic > redis
- network_traffic > sip
- network_traffic > thrift
- network_traffic > tls
Q: Analyze the screenshots to determine the percentage of screenshots that have the correct 'size' column in comparison to the computed width and height column values. Include the total numbers as well.
A: Based on my analysis of the screenshots in the database, here are the results:
Summary Statistics
- Total screenshots: 932
- Correct size values: 169 (18.13%)
- Incorrect size values: 763 (81.87%)
Analysis
Only 18.13% of screenshots have the correct 'size' column value that matches the computed dimensions from the width and height columns. This means that 81.87% of the screenshots have mismatched or incorrect size specifications.
Common Issues Found
Looking at the sample data, I can see several types of mismatches:
- Placeholder values: Many screenshots have size="600x600" when the actual dimensions are different (e.g., 1920x1080, 1899x2069, 1920x1233)
- Scaled/resized values: Screenshots show evidence of being resized - the size column contains smaller dimensions than the actual image dimensions (e.g., size shows 1896x961 but actual is 2880x1800)
- Character encoding issues: At least one case shows size="1608x2692" (using x instead of x) while computed is "1608x2692"
- Minor width discrepancies: Some have small differences in width (e.g., size="1280x1329" vs computed "1268x1329")
Q: Use the fleetpkg MCP tool. Analyze the number of 'set' ingest processors that use the 'copy_from' attribute vs the 'value' attribute with a Mustache template value matching '{{%}}'
A: Here are the results of the analysis of 'set' ingest processors:
- Number of processors using the
copy_fromattribute: 6992- Number of processors using the
valueattribute with a Mustache template: 1174Q: What are the top 5 teams responsible for the packages using 'set' with a Mustache template instead of 'copy_from'?
A: Here are the top 5 teams using 'set' with a Mustache template instead of 'copy_from':
- elastic/security-service-integrations: 395 uses
- elastic/integration-experience: 321 uses
- elastic/obs-infraobs-integrations: 245 uses
- elastic/obs-ds-hosted-services: 100 uses
- elastic/elastic-agent-data-plane: 36 uses
This project is licensed under the Apache License 2.0 - see the LICENSE.txt file for details.