The Citadel audit log records a stable, machine-readable action string for every operator-visible event. This page is the canonical list — use it when writing log monitors, SIEM rules, or alerting filters.
Every audit row also carries actor (user/system that triggered it), ts (RFC3339 timestamp), and a context blob with action-specific fields (target server id, affected user id, etc.).
Authentication
Code
Trigger
auth.login.ok
Successful sign-in.
auth.login.fail
Wrong password or unknown email. Counts toward fail2ban.
auth.login.locked
Sign-in refused because the (IP, username) lockout is active.
auth.logout
/api/auth/logout called.
auth.password.change
User changed their own password.
auth.password.change-forced
Operator-forced password change.
auth.password.reset.request
Reset email requested. Always logged even if the email doesn't exist (uniform behavior is intentional).
auth.password.reset.consume
Reset link successfully used.
auth.mfa.enrolled
TOTP enrollment confirmed.
auth.mfa.disabled
TOTP disabled.
auth.mfa.backup-regenerated
Backup codes regenerated.
auth.mfa.fail
Wrong TOTP / backup code on a 2FA challenge.
Users & roles
Code
Trigger
users.create
New user added.
users.update
User edit (name, email, role assignment).
users.delete
User deleted.
role.assign
Citadel role assigned to a user.
role.revoke
Citadel role removed from a user.
role.permissions.update
Role's permission set changed via Settings → Users & Roles.
File browser
Code
Trigger
file.read
File opened in the editor (read).
file.edit
Standard file edit (configs, JSON, etc.).
file.edit-script
Edit of a .bat / .cmd / .ps1 / .sh file. Distinct so script writes are greppable in audit. Requires files.edit-scripts permission and the destination must resolve under <installDir>/lifecycle_hooks/.
file.write-blocked
Write rejected — extension not allowed for the user's permissions, or path resolved outside the allowed directory (e.g. attempted script write outside lifecycle_hooks/).
file.delete
File deleted from the browser.
Server lifecycle
Code
Trigger
server.create
New server entry registered in Citadel.
server.delete
Server entry removed (must be stopped).
server.update
Server settings changed.
server.start
/start invoked.
server.stop
/stop invoked (graceful).
server.restart
/restart invoked.
server.crashed
DayZ process exited with a non-zero code that wasn't a graceful stop.
lifecycle.hook.start
A lifecycle hook script began executing.
lifecycle.hook.complete
Hook finished (exit 0).
lifecycle.hook.error
Hook failed (non-zero exit, timeout, or pre-start abort).
Player operations
Code
Trigger
player.kick
Player kicked.
player.ban
Player banned.
player.unban
Ban removed.
player.message
Direct in-game message sent.
player.action
One of the in-house mod actions (heal, kill, teleport, spawn, …).
Discord bot
Code
Trigger
discord.action
A Discord-driven action ran successfully.
discord.denied
Action denied because the discord-bot Citadel role doesn't grant the required permission.
discord.sig-rejected
HMAC signature on the call was missing or wrong.
discord.user-role.set
Per-Discord-user role mapping created or updated.
discord.user-role.remove
Per-Discord-user role mapping deleted.
Webhooks (Paddle / external)
Code
Trigger
webhook.received
Webhook delivered and signature-verified.
webhook.duplicate
Idempotency hit — already processed.
webhook.error
Processing failed; Paddle will retry.
webhook.replayed
Admin replayed a stored webhook payload.
Sidecar / mod bridge
Code
Trigger
sidecar.command.issued
Backend pushed a command into the sidecar queue.
sidecar.command.timeout
Mod did not return a response within the timeout window.
sidecar.auth.fail
Sidecar rejected a call (bad/missing Authorization: Bearer).
Setup wizard
Code
Trigger
setup.completed
Wizard finished, data/.first-run-completed flag set.
setup.attempt-after-lock
A /api/setup/* endpoint was called after the lock was set; refused with 403.
If you find an event in the audit log that isn't on this page, please open an issue — the doc is meant to be exhaustive.