www.elastic.co 4/24/2026, 8:20:50 PM · via preferred

Elastic OpenTelemetry Setup for Claude AI Agent Monitoring


MONITORING Claude Code and Cowork at scale through OpenTelemetry and Elastic’s ingestion stack shows Elastic Security Labs’ hands-on approach to real-time observability for AI agents. The post outlines five OpenTelemetry event types exported by Claude Code and Cowork—api_request, tool_result, tool_decision, user_prompt, and api_error—each carrying user identity, session context and, for API requests, cost and token fields, with prompts and tool details redacted by default.

Elastic’s InfoSec team uses a two-pronged data-landing approach: a self-managed EDOT gateway for deployments on Elastic Cloud on Kubernetes, and a simpler Elastic Cloud Managed OTLP endpoint that routes data directly into dedicated logs streams. Custom Elasticsearch mappings and ingest pipelines are implemented to preserve numeric fields and to flatten nested tool parameters for querying, with data streams named logs-claude_code.otel-* and logs-claude_cowork.otel-*.

Security use cases include tool invocation auditing, session reconstruction, permission decision analysis, cost anomaly detection, and correlating with Elastic Defend endpoint data. The article, dated 25 April 2026, emphasises that Claude telemetry complements Claude enterprise audit logs for full visibility, and invites organisations to explore Elastic’s telemetry ingestion options.
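The sketch below is an added example, not code from the Elastic article. It shows why numeric fields need preserving and tool parameters need flattening before cost or tool-audit queries work. The five event names come from the summary above; every field name (`event_name`, `session_id`, `cost_usd`, `input_tokens`, `output_tokens`, `tool_parameters`), the JSON-string encoding of parameters, and the sample events are assumptions constructed for illustration.

```python
import json

EVENT_TYPES = {"api_request", "tool_result", "tool_decision", "user_prompt", "api_error"}
NUMERIC = {"cost_usd": float, "input_tokens": int, "output_tokens": int}  # assumed names

def flatten(obj, prefix):
    """Turn nested dicts into dotted keys so every leaf is queryable on its own."""
    out = {}
    for key, val in obj.items():
        path = f"{prefix}.{key}"
        if isinstance(val, dict):
            out.update(flatten(val, path))
        else:
            out[path] = val
    return out

def normalize(event):
    """Coerce string-typed numbers and flatten tool parameters (assumed field names)."""
    if event.get("event_name") not in EVENT_TYPES:
        raise ValueError(f"unexpected event type: {event.get('event_name')!r}")
    doc = dict(event)
    for field, cast in NUMERIC.items():
        if field in doc:
            doc[field] = cast(doc[field])
    params = doc.pop("tool_parameters", None)
    if isinstance(params, str):  # assumed: parameters may arrive as a JSON string
        params = json.loads(params)
    if isinstance(params, dict):
        doc.update(flatten(params, "tool_parameters"))
    return doc

def cost_by_session(events):
    """Sum api_request cost per session; only meaningful once cost is numeric."""
    totals = {}
    for doc in map(normalize, events):
        if doc["event_name"] == "api_request":
            sid = doc["session_id"]
            totals[sid] = totals.get(sid, 0.0) + doc["cost_usd"]
    return totals

# Constructed sample events, not real telemetry.
SAMPLE = [
    {"event_name": "api_request", "session_id": "s1", "cost_usd": "0.25", "input_tokens": "1200"},
    {"event_name": "api_request", "session_id": "s1", "cost_usd": "0.5", "input_tokens": "800"},
    {"event_name": "tool_result", "session_id": "s1",
     "tool_parameters": '{"name": "Bash", "input": {"command": "ls"}}'},
]

if __name__ == "__main__":
    print(cost_by_session(SAMPLE))
    print(normalize(SAMPLE[2]))
```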


Article by CyberSIXT