Export the audit log to a SIEM
Three paths, in order of how much engineering you want to do.
1 — One-shot CSV / JSON download
For a manual audit or compliance review.
bash
curl -H "Authorization: Bearer $KILASEC_TOKEN" \
"https://kilasec.com/api/audit/export?format=csv&window=2592000" \
-o audit-30d.csvwindow is seconds back from now. format is csv or json. No row cap on this endpoint (unlike the live /audit?limit=N).
2 — Periodic pull into your SIEM
A small cron job that grabs the last 5 minutes of audit and forwards to Splunk / Datadog / etc.:
bash
*/5 * * * * curl -fsS -H "Authorization: Bearer $TOKEN" \
"https://kilasec.com/api/audit/export?format=json&window=300" \
| hec-forwarderWatermark on event.id (unique) to dedupe across overlapping windows.
3 — Live stream via SSE
For real-time SIEM correlation. The same SSE feed the SPA uses:
bash
curl -N -H "Authorization: Bearer $TOKEN" \
https://kilasec.com/api/events \
| jq -c . # each `data:` line is one decision JSONCaddy doesn't buffer the SSE stream (flush_interval -1), so the lag from event-occurred → SIEM-receives is sub-second.
→ See API reference and Audit & stats endpoints for the full event shape.