fleetpkg-mcp is a Model Context Protocol (MCP) server that enables
LLMs to query low-level metadata about Elastic Fleet integration packages.
It loads metadata from a local copy of the elastic/integrations repository
into a SQLite database and exposes SQL query capabilities to the LLM through the
Model Context Protocol.
Each time the MCP server is started, it will rebuild the database. This takes about 10 seconds on a fast machine.
- Scans and indexes all Elastic Fleet integration packages from your local
elastic/integrations repository
- Creates a queryable SQLite database with comprehensive package metadata
- Exposes readonly database access to LLMs through the Model Context Protocol
- Enables AI assistants to answer detailed questions about Elastic Fleet integrations
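One way to enforce read-only access for model-supplied SQL on a SQLite database, shown in Python as an added example. It is not fleetpkg-mcp's own code, which is written in Go and may enforce this differently. The `integrations` table layout and the helper names are hypothetical, and the rows are constructed.

```python
import sqlite3
import tempfile

# Authorizer action codes a pure read needs; every other action is refused.
READ_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

def build_sample_db(path):
    """Constructed sample data; table and column names are hypothetical."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE integrations (name TEXT, owner TEXT)")
    con.executemany("INSERT INTO integrations VALUES (?, ?)",
                    [("lmd", "elastic/sec-applied-ml"), ("pad", "elastic/sec-applied-ml")])
    con.commit()
    con.close()

def open_readonly(path):
    """Open the database so model-supplied SQL can only read it."""
    # Layer 1: mode=ro opens the main database file read-only.
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    # Layer 2: the authorizer refuses DML, DDL, PRAGMA and ATTACH at prepare
    # time; mode=ro alone would still let ATTACH open a second, writable database.
    con.set_authorizer(lambda act, *_: sqlite3.SQLITE_OK if act in READ_ACTIONS else sqlite3.SQLITE_DENY)
    return con

def run_untrusted(con, sql):
    """Run one statement; return ('ok', rows) or ('denied', error text)."""
    try:
        return "ok", con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "denied", str(exc)

def demo():
    statements = [
        "SELECT name FROM integrations WHERE owner LIKE 'elastic/%' ORDER BY name",
        "INSERT INTO integrations VALUES ('x', 'y')",
        "DROP TABLE integrations",
        "ATTACH DATABASE ':memory:' AS scratch",
        "PRAGMA writable_schema = ON",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        path = f"{tmp}/fleetpkg.sqlite"
        build_sample_db(path)
        con = open_readonly(path)
        try:
            return [run_untrusted(con, sql) for sql in statements]
        finally:
            con.close()

if __name__ == "__main__":
    print(demo())
```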
go install github.com/andrewkroh/fleetpkg-mcp@latest
This will install the binary to your $GOPATH/bin directory (typically ~/go/bin).
You can also run the server directly without installing:
go run github.com/andrewkroh/fleetpkg-mcp@main -dir /path/to/integrations
The fleetpkg-mcp server can be configured as an MCP server in your AI
assistant. The server requires the -dir argument pointing to your local
checkout of the elastic/integrations repository.
Add the server using the Claude CLI:
claude mcp add --scope user fleetpkg -- /Users/<USERNAME>/go/bin/fleetpkg-mcp -dir /path/to/integrations
Or manually add to your Claude Desktop configuration file:
{
  "mcpServers": {
    "fleetpkg": {
      "command": "/Users/<USERNAME>/go/bin/fleetpkg-mcp",
      "args": [
        "-dir",
        "/path/to/integrations"
      ]
    }
  }
}
To remove:
claude mcp remove fleetpkg
First, start the server in HTTP mode:
fleetpkg-mcp -dir /path/to/integrations -http 127.0.0.1:1234
Then add the HTTP endpoint to Claude Desktop:
claude mcp add --scope user --transport http fleetpkg http://127.0.0.1:1234
For other MCP-compatible clients, use one of these configuration formats:
{
  "mcpServers": {
    "fleetpkg": {
      "command": "/path/to/fleetpkg-mcp",
      "args": ["-dir", "/path/to/integrations"]
    }
  }
}
{
  "mcpServers": {
    "fleetpkg": {
      "command": "go",
      "args": [
        "run",
        "github.com/andrewkroh/fleetpkg-mcp@main",
        "-dir",
        "/path/to/integrations"
      ]
    }
  }
}
The server can be run directly from the command line for testing or HTTP mode:
# Basic usage with stdio (for MCP)
fleetpkg-mcp -dir /path/to/integrations
# HTTP mode (for HTTP-based MCP clients)
fleetpkg-mcp -dir /path/to/integrations -http 127.0.0.1:1234
# With custom log level
fleetpkg-mcp -dir /path/to/integrations -log-level debug
# Disable logging
fleetpkg-mcp -dir /path/to/integrations -no-log
# Show version
fleetpkg-mcp -version
- -dir <path>: Path to your local checkout of the elastic/integrations repository.
- -http <address>: Listen for HTTP connections at the specified address instead of using stdin/stdout. Example: 127.0.0.1:1234
- -log-level <level>: Set log level. Options: debug, info, warn, error. Default: info
- -no-log: Disable all logging output
- -version: Print version information and exit
The SQLite database contains information about Fleet integrations including:
- Integrations: Core metadata about each package (name, version, type, description, ownership)
- Policy Templates: Configuration templates for deploying integrations with deployment modes
- Data Streams: Information about the data streams each integration produces
- Fields: Detailed field definitions from fields.yml files with ECS mappings
- Transforms: Data transformation configurations with pivot and latest operations
- Variables: Configuration variables for customizing integrations with options for select types
- Ingest Pipelines: Elasticsearch ingest pipeline configurations
- Ingest Processors: Individual processors within pipelines including nested on_failure handlers
- Sample Events: Example event data for data streams
- Icons and Screenshots: Visual assets for integrations and policy templates with image metadata
- Discovery Fields: Package discovery capability metadata
- Build Manifests: Build configuration and ECS dependencies
- Changelogs: Version history with releases and individual changes
- Categories: Categorization for integrations and policy templates
For the complete database schema, see schema.sql.
Here's an example of how you can use this server with an LLM to answer questions about Elastic Fleet integrations:
Q: Use the fleetpkg tools to answer: What integrations configure a pivot type transform?
A: The following integrations configure a pivot type transform:
- aws_billing
- beaconing
- ded
- elasticsearch
- lmd
- pad
Q: Of those, which do not have an ingest node pipeline associated with the transform?
A: The integrations that configure a pivot type transform and do not have an ingest node pipeline associated with the transform are:
- lmd
- pad
Q: What github team owns those two integrations?
A: The elastic/sec-applied-ml GitHub team owns both the lmd and pad integrations.
Q: Use the fleetpkg tools to answer the following question. What integration data streams define a 'resource' field? And what are the data types of the fields?
A: The following integration data streams define a 'resource' field of type 'keyword':
- endace > flow
- network_traffic > amqp
- network_traffic > cassandra
- network_traffic > dhcpv4
- network_traffic > dns
- network_traffic > flow
- network_traffic > http
- network_traffic > icmp
- network_traffic > memcached
- network_traffic > mongodb
- network_traffic > mysql
- network_traffic > nfs
- network_traffic > pgsql
- network_traffic > redis
- network_traffic > sip
- network_traffic > thrift
- network_traffic > tls
Q: Analyze the screenshots to determine the percentage of screenshots that have the correct 'size' column in comparison to the computed width and height column values. Include the total numbers as well.
A: Based on my analysis of the screenshots in the database, here are the results:
Summary Statistics
- Total screenshots: 932
- Correct size values: 169 (18.13%)
- Incorrect size values: 763 (81.87%)
Analysis
Only 18.13% of screenshots have the correct 'size' column value that matches the computed dimensions from the width and height columns. This means that 81.87% of the screenshots have mismatched or incorrect size specifications.
Common Issues Found
Looking at the sample data, I can see several types of mismatches:
- Placeholder values: Many screenshots have size="600x600" when the actual dimensions are different (e.g., 1920x1080, 1899x2069, 1920x1233)
- Scaled/resized values: Screenshots show evidence of being resized - the size column contains smaller dimensions than the actual image dimensions (e.g., size shows 1896x961 but actual is 2880x1800)
- Character encoding issues: At least one case shows size="1608×2692" (using × instead of x) while computed is "1608x2692"
- Minor width discrepancies: Some have small differences in width (e.g., size="1280x1329" vs computed "1268x1329")
Q: Use the fleetpkg MCP tool. Analyze the number of 'set' ingest processors that use the 'copy_from' attribute vs the 'value' attribute with a Mustache template value matching '{{%}}'
A: Here are the results of the analysis of 'set' ingest processors:
- Number of processors using the copy_from attribute: 6992
- Number of processors using the value attribute with a Mustache template: 1174
Q: What are the top 5 teams responsible for the packages using 'set' with a Mustache template instead of 'copy_from'?
A: Here are the top 5 teams using 'set' with a Mustache template instead of 'copy_from':
- elastic/security-service-integrations: 395 uses
- elastic/integration-experience: 321 uses
- elastic/obs-infraobs-integrations: 245 uses
- elastic/obs-ds-hosted-services: 100 uses
- elastic/elastic-agent-data-plane: 36 uses
This project is licensed under the Apache License 2.0 - see the LICENSE.txt file for details.