Audit forwarding (SIEM)

Stream your cloud-side audit events to your own SIEM or log platform. A Citadel Cloud feature for teams that need their security and operational events in Splunk, Datadog, or any HTTPS endpoint they already monitor.

What gets forwarded

Two event streams, both scoped strictly to your account — you never receive another customer's events:

  • Cloud Bans audit — your own submissions, unenrolls, and any moderation actions you took (each ban_audit_log entry where you are the actor).
  • Plugin auth/connection — your servers' plugin events: plugin.auth.ok, plugin.auth.failed (with reason), plugin.connection.opened, and plugin.connection.closed (with close code/reason).

You choose which streams each destination receives.

How delivery works

Forwarding runs on a background sweep — never on a request path — so a slow or down collector on your side can never affect Citadel or your servers.

  • Events are delivered in batches, ordered chronologically.
  • Each destination tracks a per-stream cursor (occurred_at + row id), so delivery is ordered with no gaps and no duplicates, even across restarts.
  • A destination that fails repeatedly is auto-paused after a streak of errors so we don't hammer a dead host. Re-enable it from the account page once it's healthy; delivery resumes from where it left off.

Audit events are low-volume by nature, so you'll typically see deliveries within a minute of an event occurring.

Setting up a destination

On citadels.cc/account, with Cloud active, open Audit log forwarding (SIEM) → Add destination:

  1. Name — a label for your reference (e.g. "Splunk prod").
  2. Type — Splunk (HEC), Datadog Logs, or Generic webhook.
  3. Endpoint URL — the collector URL (see formats below).
  4. Token — your HEC token / Datadog API key / bearer token. It's encrypted at rest (AES-256-GCM) and never shown again.
  5. Streams — pick Cloud Bans audit, Plugin auth/connection, or both.

Use Test on any destination to send a single synthetic event and confirm the URL and token work end-to-end — it shows the collector's HTTP status or error.

Destination formats

Splunk (HEC)
  URL example: https://<host>:8088/services/collector/event
  Auth header: Authorization: Splunk <token>
  Body: newline-delimited HEC events ({time, source, sourcetype, event})

Datadog Logs
  URL example: https://http-intake.logs.datadoghq.com/api/v2/logs
  Auth header: DD-API-KEY: <token>
  Body: array of log objects (ddsource: citadel, message = the event JSON)

Generic webhook
  URL example: any HTTPS URL you control
  Auth header: Authorization: Bearer <token> (if a token is set)
  Body: { source: "citadel", count, events: [...] }

Event shape

Every event carries a stable envelope:

{
  "id": "…",                       // the source row id
  "stream": "cloud_bans" | "plugin",
  "action": "submit",              // or plugin.auth.ok, plugin.connection.closed, …
  "occurredAt": "2026-05-24T22:00:00.000Z",
  // …stream-specific fields (payload, serverId, ip, reason, closeCode, …)
}
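A minimal receiver for the generic-webhook body and the envelope above, added here as an example and not Citadel's own code: it checks the bearer token in constant time, validates the batch and each event's stable fields, and pulls out plugin.auth.failed events for alerting. The token, sample events, and the serverId/ip/reason values are constructed.

```python
import hmac
import json

# Constructed values for this example; not a real credential or real events.
EXPECTED_TOKEN = "example-bearer-token"
SAMPLE_BODY = json.dumps({"source": "citadel", "count": 2, "events": [
    {"id": "101", "stream": "plugin", "action": "plugin.auth.failed",
     "occurredAt": "2026-05-24T22:00:00.000Z",
     "serverId": "srv-1", "ip": "203.0.113.7", "reason": "bad_key"},
    {"id": "102", "stream": "cloud_bans", "action": "submit", "occurredAt": "2026-05-24T22:00:01.000Z"},
]}).encode()

REQUIRED_KEYS = ("id", "stream", "action", "occurredAt")
STREAMS = {"cloud_bans", "plugin"}


def validate_event(ev):
    """Check the stable envelope; return an error string or None."""
    if not isinstance(ev, dict):
        return "event is not an object"
    missing = [k for k in REQUIRED_KEYS if k not in ev]
    if missing:
        return f"missing {missing}"
    if ev["stream"] not in STREAMS:
        return f"unknown stream {ev['stream']!r}"
    return None


def handle_webhook(headers, body, expected_token=EXPECTED_TOKEN):
    """Process one generic-webhook POST; return (status, accepted, problems)."""
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    # Constant-time compare so a wrong token cannot be distinguished by timing.
    if scheme != "Bearer" or not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return 401, [], ["bad bearer token"]
    try:
        payload = json.loads(body)
    except ValueError as e:
        return 400, [], [f"invalid JSON: {e}"]
    events = payload.get("events")
    if payload.get("source") != "citadel" or not isinstance(events, list):
        return 400, [], ["unexpected envelope"]
    if payload.get("count") != len(events):
        return 400, [], ["count does not match number of events"]
    problems = [f"{ev.get('id')}: {err}" for ev in events if (err := validate_event(ev))]
    accepted = [ev for ev in events if validate_event(ev) is None]
    # 200 for a well-formed batch so the sender's cursor advances and the destination
    # is not auto-paused; per-event problems are returned for the caller to log.
    return 200, accepted, problems


def failed_auths(events):
    """plugin.auth.failed events as (serverId, ip, reason) tuples, ready for alerting."""
    return [(e.get("serverId"), e.get("ip"), e.get("reason"))
            for e in events if e["action"] == "plugin.auth.failed"]
```

Wrap handle_webhook in whatever HTTPS server you already run; the 200 on a well-formed batch matters, since repeated non-2xx responses auto-pause the destination.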

Notes

  • Tier-gated. Audit forwarding requires an active Citadel Cloud subscription. If Cloud lapses, forwarders stop delivering (and disappear from the UI) until it's reactivated.
  • Security. Tokens are encrypted at rest and redacted from all API responses — the account page only shows whether a token is set. Use HTTPS endpoints.
  • Scope. This forwards cloud-side audit events. In-game telemetry (kills, chat, positions) is not part of this stream.
  • Coming later: S3 / object-store batch export and Grafana Loki push are on the roadmap; today's targets are Splunk HEC, Datadog, and generic JSON webhooks.