> ## Documentation Index
> Fetch the complete documentation index at: https://docs.abliteration.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Connectors

> Stream Policy Gateway events to your SIEM, log pipeline, or data lake. Thirteen destinations available.

Stream Policy Gateway events to your SIEM, log pipeline, or data lake. Configure connectors per project in the [console](https://abliteration.ai/console).

## Available destinations

Thirteen connectors across three categories. Every Policy Gateway plan gets all of them.

### SIEM & observability

<CardGroup cols={2}>
  <Card title="Splunk HEC" href="/policy-gateway/policy-logs/splunk-hec">
    HTTP Event Collector with token auth
  </Card>

  <Card title="Datadog Logs" href="/policy-gateway/policy-logs/datadog">
    Datadog Logs intake API
  </Card>

  <Card title="Elastic" href="/policy-gateway/policy-logs/elastic">
    Elasticsearch / Elastic Cloud index
  </Card>

  <Card title="Azure Monitor" href="/policy-gateway/policy-logs/azure-monitor">
    Log Analytics workspace (Data Collector API)
  </Card>
</CardGroup>

### Cloud storage

<CardGroup cols={2}>
  <Card title="Amazon S3" href="/policy-gateway/policy-logs/s3">
    Bucket archive
  </Card>

  <Card title="Azure Blob Storage" href="/policy-gateway/policy-logs/azure-blob">
    Container archive
  </Card>

  <Card title="Google Cloud Storage" href="/policy-gateway/policy-logs/gcs">
    Bucket archive via S3-compatible HMAC keys
  </Card>

  <Card title="Backblaze B2" href="/policy-gateway/policy-logs/backblaze-b2">
    Bucket archive via S3-compatible API
  </Card>

  <Card title="Cloudflare R2" href="/policy-gateway/policy-logs/cloudflare-r2">
    Zero-egress bucket archive
  </Card>
</CardGroup>

### Generic

<CardGroup cols={2}>
  <Card title="HTTP Webhook" href="/policy-gateway/policy-logs/http">
    POST to any endpoint (Slack, PagerDuty, internal)
  </Card>

  <Card title="S3-Compatible" href="/policy-gateway/policy-logs/s3-compatible">
    MinIO, Wasabi, DigitalOcean Spaces, etc.
  </Card>

  <Card title="OpenTelemetry" href="/policy-gateway/policy-logs/otel">
    OTLP over HTTP or gRPC
  </Card>
</CardGroup>

## Event shape

Every decision emits one event. All three event classes (`enforcement`, `simulation`, `revision`) share a base schema:

```json theme={"system"}
{
  "event_id": "3d14a2b8-...",
  "event_type": "enforcement",
  "source": "policy_gateway",
  "created_at": "2026-04-20T18:30:00Z",
  "user_id": "user_...",
  "org_id": null,
  "policy_id": "support-bot",
  "policy_name": "Support bot policy",
  "data_classification": "internal",
  "history_id": null,

  "decision": "refuse",
  "effective_decision": "allow",
  "enforced": false,
  "rollout_mode": "shadow",
  "reason_code": "REFUSE",
  "triggered_categories": [],
  "allowlist_hits": [],
  "denylist_hits": ["competitor-x"],
  "policy_target": "chat.completions",
  "policy_user": "user_42",
  "quota_subject": "user_42",
  "project_id": "proj_support_bot",
  "project_label": "Support Bot",
  "model": "abliterated-model"
}
```

### Decision fields

| Field                              | Meaning                                                                                                                                              |
| ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| `decision`                         | Raw rule outcome — one of `allow`, `rewrite`, `summary`, `escalate`, `refuse`                                                                        |
| `effective_decision`               | What was actually applied. In shadow/non-enforced canary, this equals `allow` even when `decision != allow`                                          |
| `enforced`                         | Boolean — was the decision acted on (`true`) or only logged (`false`)                                                                                |
| `rollout_mode`                     | `shadow`, `canary`, `enforced`, or `rollback`                                                                                                        |
| `reason_code`                      | Uppercase code mirroring the decision: `ALLOW`, `REWRITE`, `SUMMARY`, `ESCALATE`, `REFUSE`. Policies can override with a custom `reason_codes` list. |
| `triggered_categories`             | Moderation categories that matched                                                                                                                   |
| `allowlist_hits` / `denylist_hits` | Which terms matched                                                                                                                                  |
| `policy_target`                    | `chat.completions`, `messages`, `responses`, `mcp_tool`                                                                                              |
| `policy_user`                      | Subject from `X-Policy-User` header (if sent)                                                                                                        |
| `quota_subject`                    | Effective per-user subject (`policy_user`, or falls back to `user_id`)                                                                               |

### Event variants

`event_type: "enforcement"` fires on every governed request and uses the base schema above.

`event_type: "simulation"` fires when the console's policy simulator is used. Adds:

```ts theme={"system"}
scenario_categories: string[]   // categories forced into the simulated scenario
```

`event_type: "revision"` fires on policy create/update/delete. Adds:

```ts theme={"system"}
edit_type:        "create" | "update" | "delete"
config_snapshot:  <full policy config at time of change>
```

## Delivery

At-least-once delivery — expect duplicates and dedupe on `event_id`. Connector health surfaces in the console.
