Stream signed audit, auth, safety, and action events to your SIEM

Turtini can forward a continuous, cryptographically-signed stream of platform events to your own SIEM or observability stack — Splunk Cloud HEC, an OTLP collector, Datadog Logs, Sumo Logic, Elasticsearch, or Grafana Cloud. This is the same audit/auth/safety/action stream Turtini uses internally, exported in real time so your SOC, compliance team, or platform-engineering team can hold the system of record outside Turtini.

Where to find it:
Settings → Observability (visible to org owners and admins only).

Five event classes — pick which ones go where, per destination:
• Audit (signed) — append-only audit events (data changes, admin actions). Each event carries an ed25519 signature so you can verify origin and detect tampering on your side.
• Auth — sign-ins, sign-outs, MFA challenges, OAuth grants, session events.
• Safety — content-moderation outcomes, safety-signal escalations, abuse triggers.
• Action — Wally tool calls, system action traces (the same activity that shows on the User Action Trail).
• Metric — periodic counters (usage, error rates, queue depths).

How to add a destination:
1. Settings → Observability → "+ Add destination"
2. Pick your vendor (Splunk HEC / OTLP / Datadog / Sumo / Elastic / Grafana Cloud)
3. Paste the endpoint URL and credentials — auth method depends on vendor:
• Splunk HEC → `hec-token`
• OTLP → `bearer` or `mtls`
• Datadog → `bearer` (DD-API-KEY in header)
• Sumo Logic → `bearer` (collector URL embedded)
• Elastic / Grafana Cloud → `basic` or `bearer`
4. Pick which event classes to forward
5. Set the PII policy (see below)
6. Save → Turtini sends a smoke-test event; if it lands, status flips to Healthy.

Credentials never round-trip through Firestore. The auth token goes straight from your browser to the Cloud Function which writes it to Google Secret Manager. You can edit the destination's vendor / endpoint / class list from the UI, but to rotate the token, you must save a fresh value.

Per-destination PII redaction:
Each destination gets its own redaction policy:
• IP — `full` / `masked` (last octet zeroed) / `drop`
• User-Agent — `full` / `drop`
• Actor UID — `full` / `hashed` (HMAC, deterministic across the destination) / `drop`
• Emails — `full` / `masked` (`j**n@d**ain.com`) / `drop`
• Phones — `full` / `masked` (`***-***-1234`) / `drop`

Defaults are conservative (IP masked, emails/phones masked) so a Splunk Cloud index can't accidentally collect a clean PII dataset. Pick `full` only when your SIEM is hardened and your retention policy can accept the obligation.

Audit signing:
A per-org ed25519 key signs every Audit-class event. The public key is visible on the same page (export to your SIEM and verify on ingest). To rotate: click "Rotate signing key" — the old key is retired (still verifies prior events) and new events are signed with the new key. Two-key rolling window keeps verification continuous.

Health + failure handling:
Each destination shows:
• Status — Healthy / Degraded / Failing / Never delivered
• Last delivery timestamp + last failure reason
• Consecutive failures counter

After 5 consecutive failures, the destination is automatically paused (no more retry attempts) and the integration shows a Failing badge. Fix the credential / endpoint / network reachability, then click "Resume" to re-arm delivery. The events queued during the failure window are buffered for up to 1 hour — anything older is dropped to protect Turtini's egress queues. Persistent failures generate a notification to the org admin so it never silently degrades.

Chargeback:
Observability egress costs are metered through the platform's standard +15% chargeback. The per-month figure appears on your usage report alongside other metered infrastructure costs.

Why we built this:
SIEM-forwarding is non-negotiable for SOC 2, CMMC, FedRAMP, and most enterprise security postures. Rather than asking customers to scrape audit logs through a downstream poll, every audit/auth/safety/action event is signed, classified, and forwarded as it happens. The fact that the signing happens server-side per-org means your team can prove to an auditor that the chain of custody from Turtini to your SIEM is intact end-to-end.