Available destinations
Thirteen connectors across three categories. Every Policy Gateway plan gets all of them.
SIEM & observability
Splunk HEC
HTTP Event Collector with token auth
Datadog Logs
Datadog Logs intake API
Elastic
Elasticsearch / Elastic Cloud index
Azure Monitor
Log Analytics workspace (Data Collector API)
Cloud storage
Amazon S3
Bucket archive
Azure Blob Storage
Container archive
Google Cloud Storage
Bucket archive via S3-compatible HMAC keys
Backblaze B2
Bucket archive via S3-compatible API
Cloudflare R2
Zero-egress bucket archive
Generic
HTTP Webhook
POST to any endpoint (Slack, PagerDuty, internal)
S3-Compatible
MinIO, Wasabi, DigitalOcean Spaces, etc.
OpenTelemetry
OTLP over HTTP or gRPC
Event shape
Every decision emits one event. All three event classes (enforcement, simulation, revision) share a base schema:
event_type: "simulation" adds scenario_categories. event_type: "revision" adds edit_type and config_snapshot.
See backend guide for field semantics.
Delivery
- At-least-once delivery. Expect duplicates; dedupe on event_id.
- Emitted fire-and-forget from a background thread. If the initial Pub/Sub publish fails, the event is dropped. Connectors downstream of Pub/Sub retry with exponential backoff per destination.
- Batched by destination (typically every 5 seconds or 500 events).
- Connector health surfaces in the console.
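
A consumer-side sketch of the dedupe step above, as an added example that is not part of the Policy Gateway documentation. It assumes a batch arrives as a list of JSON objects with a string event_id; the class and function names, the TTL and the cache size are hypothetical choices.

```python
import time
from collections import OrderedDict


class EventDeduper:
    """Remembers recently seen event_id values, bounded by age and count."""

    def __init__(self, ttl_seconds=3600, max_entries=100_000, clock=time.monotonic):
        self.ttl = ttl_seconds          # assumed window; must exceed the retry span
        self.max_entries = max_entries  # assumed cap so memory stays bounded
        self.clock = clock
        self._seen = OrderedDict()      # event_id -> first-seen time, oldest first

    def is_new(self, event_id):
        now = self.clock()
        # Expire entries older than the TTL (insertion order is time order).
        while self._seen and now - next(iter(self._seen.values())) >= self.ttl:
            self._seen.popitem(last=False)
        if event_id in self._seen:
            return False
        self._seen[event_id] = now
        if len(self._seen) > self.max_entries:
            self._seen.popitem(last=False)
        return True


def process_batch(batch, deduper):
    """Split one delivered batch into (accepted, duplicates, malformed)."""
    accepted, duplicates, malformed = [], [], []
    for event in batch:
        event_id = event.get("event_id") if isinstance(event, dict) else None
        if not isinstance(event_id, str) or not event_id:
            malformed.append(event)  # cannot be deduped, so quarantine it
        elif deduper.is_new(event_id):
            accepted.append(event)
        else:
            duplicates.append(event)
    return accepted, duplicates, malformed


# Constructed sample batch; field values are illustrative, not real gateway output.
SAMPLE_BATCH = [
    {"event_id": "evt-001", "event_type": "enforcement"},
    {"event_id": "evt-002", "event_type": "simulation", "scenario_categories": []},
    {"event_id": "evt-001", "event_type": "enforcement"},  # redelivered by a retry
    {"event_type": "revision"},                            # event_id missing
]
```

The seen-set here lives in memory, so a restart forgets it; a consumer that must dedupe across restarts would keep the same mapping in a persistent store.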
