We Recovered Unreal Insights OTLP Export Through a Corporate HTTPS Proxy During Q4 Diligence Week - 2026 Case Study
Monday on home Wi-Fi: Unreal Insights captures a clean frame timeline; OTLP spans land in the collector. Tuesday on corporate VPN: the same packaged build opens fine, but OTLP export times out and diligence dashboards stay empty. Wednesday partner call: "Where is your trace receipt?"
This is a synthesized case study—a field pattern across Q4 2026 micro-studios shipping Unreal Engine 5.6 fest demos who enabled Insights / Trace for diligence but hit MITM HTTPS proxies on laptops used during partner week. It is not a named studio turnaround. There are no invented funding outcomes, no fake Slack quotes, and no made-up span counts.
What follows is the failure signature, the proxy policy decision (pin CA vs offline batch), gates O1–O6, artifact unreal_otlp_diligence_receipt_v1.json, and how the pattern maps to your project if traces work locally but egress dies behind VPN.
Pair with Q4 telemetry diligence analysis, Unity UGS OTLP preflight (cousin engine lane), Lesson 260 UGS OTLP BUILD_RECEIPT, planned Guide #36 Unreal OTLP preflight, and Lesson 274 forward BUILD_RECEIPT milestone.
Non-repetition note: Lesson 260 owns Unity UGS privacy URL + ugs_otlp_diligence_receipt_v1. Q4 diligence blog owns 07-observability/ annex strategy. This URL owns Unreal Insights OTLP egress behind corporate proxy—recovery narrative, not another ninety-second preflight checklist.
Why this matters now (Q4 diligence week / December 2026)
- Partners ask for traces — After Q3 evidence packets, Q4 diligence expects
07-observability/rows—not "we use Insights" in a slide. - Local trace ≠ export proof — Insights UI on a dev machine does not archive in partner zips.
- Corporate VPN week — Founders demo from accelerator space or publisher offices; MITM proxies break default TLS trust.
- Unity cousins already filed — Teams with Unity SKUs ship UGS OTLP receipts; Unreal SKUs need parallel
unreal_otlp_diligence_receipt_v1. - Fest hotfix cadence — BUILD_RECEIPT
build_labelbumps without re-exporting traces reads as observability theater.
Direct answer: Recovery required documenting proxy policy (CA pin or offline batch), exporting at least one redacted trace sample to 07-observability/offline_traces/, filing unreal_otlp_diligence_receipt_v1.json with gates O1–O6, and wiring unreal_otlp_diligence_ok on BUILD_RECEIPT before the partner zip ships.
Who this case study is for
| Audience | You will… |
|---|---|
| Beginner | Decide offline batch vs CA pin without reading RFC 2818 |
| Unreal engineer | Configure OTLP exporter env vars behind VPN |
| Producer | Block diligence send until O6 receipt exists |
| Multi-engine studio | Mirror Unity Lesson 260 lane for UE SKU |
Engines: Unreal 5.4+ with Insights / Trace and OTLP-compatible collector (internal or vendor).
Time: ~90 minutes first recovery sprint; ~15 minutes when proxy policy template exists.
Beginner quick start — offline batch vs pin CA
You do not need to become a network engineer. Pick one path:
| Situation | Choose | Why |
|---|---|---|
| Partner call in 48 hours; IT will not answer | Offline batch | Export .utrace or OTLP JSON to disk; README explains live export resumes after diligence |
| IT provides corp root PEM same day | CA pin | Set SSL_CERT_FILE (or Windows cert store import); live OTLP works on VPN |
| Air-gapped diligence room | Offline batch | Only option; document path in receipt |
| Home-only team, no VPN | Live OTLP | Default trust; still file receipt proving endpoint |
Success check: A producer can open 07-observability/README.md, find offline_traces/sample_YYYYMMDD.json or otlp_live_probe.log, and see unreal_otlp_diligence_ok: true without asking engineering to "open Insights."
Fail-closed: Do not claim live dashboards in partner email if only offline batch passed O5—README must say mode: offline_batch.
The diligence-facing failure (typical signals)
| Channel | Typical wording |
|---|---|
| Partner email | "Trace folder empty—401 on privacy URL cousin?" |
| Internal Slack | "Insights works on my machine" |
| BUILD_RECEIPT row | diligence_telemetry_ok: true but no child OTLP receipt |
| CI log | certificate verify failed on OTLP POST |
| Founder laptop | Timeout after 30s on 4318 |
Internal language before fix: "Tracing is enabled in DefaultEngine.ini" — configuration without egress proof.
Starting state (what was wrong)
| Layer | Symptom |
|---|---|
| Insights UI | Local capture sessions visible |
| OTLP exporter | OTEL_EXPORTER_OTLP_ENDPOINT set in .bat launcher |
| Corporate VPN | MITM proxy re-signs TLS with org CA |
| Trust store | Default Mozilla/OS bundle only |
| Diligence zip | 07-observability/ has crash receipt, no trace sample |
| README | Claims "full observability" |
| Cousin Unity SKU | ugs_otlp_diligence_receipt_v1 GREEN; UE lane missing |
Gameplay and crash symbolication were fine. Trace export credibility was not.
Root cause pattern (synthesized)
Three recurring mechanics—often combined:
| Mechanic | What broke |
|---|---|
| MITM proxy | Corporate gateway intercepts https://otel-collector.internal:4318 |
| Trust mismatch | Exporter trusts public CAs; proxy presents org-signed cert |
| Local-only assumption | Engineers validated Insights UI, not OTLP POST from VPN laptop |
| Schema gap | Filed diligence_telemetry_receipt_v1 without Unreal child row |
None require malice—only missing proxy policy in 07-observability/README.md.
Timeline (five working days — pattern timing)
| Day | Focus | Output |
|---|---|---|
| D1 | Repro OTLP fail on VPN laptop | otlp_probe_fail.log |
| D2 | IT policy + CA PEM or offline decision | proxy_policy_table.md |
| D3 | Pin CA or export offline trace batch | offline_traces/batch_YYYYMMDD.json |
| D4 | Redact PII; crosswalk build_label |
Sample trace + README row |
| D5 | Receipt + BUILD_RECEIPT column | unreal_otlp_diligence_receipt_v1.json |
Teams with existing Unity UGS preflight template recovered in two days; greenfield Unreal-only teams took five.
Hour-by-hour D1 (reproduction discipline)
| Step | Action |
|---|---|
| 1 | Connect corporate VPN (or accelerator guest Wi-Fi with proxy) |
| 2 | Launch packaged fest build with visible build label |
| 3 | Start Insights trace; play 60s golden path |
| 4 | Run OTLP export script or curl probe to collector |
| 5 | Log TLS error verbatim (certificate verify failed, connection reset) |
| 6 | Disconnect VPN; repeat—confirm home path GREEN |
If home GREEN and VPN RED—you are in this case study.
D2 — Corporate proxy policy table
File 07-observability/proxy_policy_table.md (or embed rows in README):
| Policy field | Example value | Partner reads |
|---|---|---|
proxy_required |
true on publisher-office VLAN |
Honest egress story |
mitm_inspection |
HTTPS on *.internal |
Why CA pin needed |
corp_ca_path |
/etc/ssl/corp-root.pem or Windows thumbprint |
Reproducible fix |
otlp_endpoint |
https://otel-collector.internal:4318/v1/traces |
Documented target |
offline_batch_allowed |
true |
Acceptable when live blocked |
offline_batch_path |
07-observability/offline_traces/ |
Zip includes sample |
live_resume_date |
2026-12-02 post-diligence |
Not silent drop |
Pass: Every row has an owner initials column in internal copy; public zip redacts employee names.
Beginner decision tree (pin vs batch)
IT gave corp-root.pem within 24h?
yes → Pin CA (D3 path A); live OTLP probe must pass on VPN
no → Offline batch (D3 path B); README states live export deferred
Partner demands live only?
escalate IT ticket with otlp_probe_fail.log attachment
do not fake live_ok in receipt
D3 path A — CA pin (working dev)
Linux / macOS launcher
export OTEL_EXPORTER_OTLP_ENDPOINT="https://otel-collector.internal:4318"
export OTEL_EXPORTER_OTLP_PROTOCOL="http/protobuf"
export SSL_CERT_FILE="/etc/ssl/corp-root.pem"
export SSL_CERT_DIR="/etc/ssl/certs"
Windows PowerShell (fest demo launcher)
$env:OTEL_EXPORTER_OTLP_ENDPOINT = "https://otel-collector.internal:4318"
$env:SSL_CERT_FILE = "C:\certs\corp-root.pem"
# Optional: import corp root to Local Machine\Trusted Root Certification Authorities
Probe before Insights export
curl -v --cacert /etc/ssl/corp-root.pem \
-X POST "https://otel-collector.internal:4318/v1/traces" \
-H "Content-Type: application/x-protobuf" \
--data-binary @empty_trace.pb 2>&1 | tee otlp_probe_pass.log
Pass: HTTP 200 or collector-specific 202—not TLS handshake failure.
Unreal Insights export hook
Document in receipt which path you used:
| Export surface | Notes |
|---|---|
| Insights GUI | Session → Export → OTLP target (engine version dependent) |
| UnrealTraceServer | CLI batch for CI |
| Custom GameInstance | Subsystem pushes spans at EndPlay |
Pin engine version in build_label README—UE 5.4 vs 5.6 exporter defaults differ.
D3 path B — offline trace batch (beginner-friendly)
When IT cannot ship CA before partner zip:
- Capture
.utraceon home machine (known-good path). - Convert or export OTLP JSON slice per OpenTelemetry trace JSON docs—redact user paths and machine names.
- Store under
07-observability/offline_traces/batch_YYYYMMDD.json. - README row: "Live OTLP blocked on corporate VPN 2026-11-18–2026-11-22; offline batch represents
fest-demo-2026-11-rc4golden path."
Pass: File exists; build_label in batch metadata matches player-visible label; no PII.
Honest limit: Offline batch proves you can produce trace artifacts—partners may still ask for live policy before term sheet. Do not mislabel mode in receipt.
Developer path — gates O1–O6
| Gate | Check | Pass when |
|---|---|---|
| O1 | Insights trace session configured for fest build_label |
DefaultEngine.ini or project setting logged |
| O2 | OTLP endpoint documented in receipt | URL + protocol |
| O3 | Proxy policy table filed | proxy_required explicit |
| O4 | CA pin or offline batch policy | Not both silent |
| O5 | Sample trace or probe log in diligence folder | Redacted file on disk |
| O6 | unreal_otlp_diligence_receipt_v1.json |
unreal_otlp_diligence_ok: true |
unreal_otlp_diligence_receipt_v1.json
Pin at release-evidence/telemetry/UNREAL_OTLP_DILIGENCE_RECEIPT.json and copy into 07-observability/:
{
"schema": "unreal_otlp_diligence_receipt_v1",
"build_label": "fest-demo-2026-11-rc4",
"engine_version": "5.6.0",
"insights_session_id": "trace-session-20261118-golden",
"otlp_endpoint": "https://otel-collector.internal:4318/v1/traces",
"otlp_mode": "offline_batch",
"corporate_proxy": {
"required": true,
"mitm_https": true,
"ssl_cert_file": null,
"offline_batch_path": "07-observability/offline_traces/batch_20261118.json",
"probe_fail_log": "07-observability/otlp_probe_fail.log"
},
"privacy_crosswalk": {
"store_about_privacy_url": "https://yourstudio.com/privacy",
"notes": "Unreal SKU—no UGS; privacy URL still required for store parity"
},
"cousin_receipts": {
"diligence_telemetry": "07-observability/diligence_telemetry_receipt_v1.json",
"crash_symbolicate": "07-observability/crash_symbolicate_receipt_v1.json",
"unity_ugs_otlp": "release-evidence/telemetry/UGS_OTLP_DILIGENCE_RECEIPT.json"
},
"gates": {
"O1_insights_configured": "pass",
"O2_otlp_documented": "pass",
"O3_proxy_policy": "pass",
"O4_ca_or_offline": "pass",
"O5_sample_on_disk": "pass",
"O6_receipt": "pass"
},
"unreal_otlp_diligence_ok": true,
"telemetry_promotion_allowed": true
}
Thursday row review — optional column unreal_otlp_diligence_ok.
Unity vs Unreal cousin lane (format ladder)
| Field | Unity Lesson 260 | Unreal (this case study) |
|---|---|---|
| Schema | ugs_otlp_diligence_receipt_v1 |
unreal_otlp_diligence_receipt_v1 |
| Privacy | UGS Data Privacy URL HEAD required | Store About URL crosswalk |
| Trace surface | UGS Analytics + OTLP spans | Insights / Trace sessions |
| Gates | Q1–Q6 | O1–O6 |
| Preflight | Unity UGS chapter | Guide #36 forward |
| BUILD_RECEIPT | ugs_otlp_diligence_ok |
unreal_otlp_diligence_ok |
Multi-SKU studios: File both receipts in 07-observability/; diligence_telemetry_receipt_v1 references cousin paths—do not merge schemas.
Proof table (synthesized recovery)
| Evidence | Proves | Fail signal |
|---|---|---|
otlp_probe_fail.log |
VPN repro | Missing → partner doubts story |
proxy_policy_table.md |
IT policy honesty | Verbal "VPN weird" |
offline_traces/batch_*.json |
Artifact exists | Empty folder |
build_label match |
Trace ↔ player build | Hash-only README |
unreal_otlp_diligence_receipt_v1.json |
Gates O1–O6 | Verbal Insights claim |
| BUILD_RECEIPT row | Promotion discipline | Promote before O6 |
Scenarios A–G (working dev)
| ID | Situation | Recovery |
|---|---|---|
| A | Home GREEN, VPN RED | Offline batch + proxy table |
| B | IT PEM in 4h | CA pin; otlp_mode: live |
| C | Multi-engine zip | Unity + Unreal cousin receipts |
| D | Partner wants live only | Escalate IT; do not fake receipt |
| E | Insights UI crash on VPN | Trace on home; export batch only |
| F | Wrong build_label in batch |
Re-export; bump receipt version |
| G | Crash receipt only in zip | Add child row to diligence_telemetry_receipt_v1 |
Diligence week operating calendar (OTLP lane)
| Day | OTLP action |
|---|---|
| Monday | Run VPN vs home probe matrix |
| Tuesday | File proxy policy table |
| Wednesday | Demo smoke — same build_label as trace |
| Thursday | Row review unreal_otlp_diligence_ok |
| Friday | Copy receipt into partner zip v2 |
| Partner call | Cold-open 07-observability/README.md — no live debugger |
Pair FMOD five-night challenge when audio + telemetry diligence share the same December week—orthogonal receipts, same build_label.
Privacy and redaction (non-negotiable)
| Include | Exclude from diligence zip |
|---|---|
| Aggregated span names | Raw player account IDs |
build_label + engine version |
Full %USERNAME% paths |
| Redacted machine hostname | Unredacted .utrace with PII |
| Probe status codes | Internal collector credentials |
Link Lesson 213 session schema for event-field hygiene—traces are a separate lane.
jq gate sketch (optional CI)
jq -e '.unreal_otlp_diligence_ok == true and .gates.O6_receipt == "pass"' \
release-evidence/telemetry/UNREAL_OTLP_DILIGENCE_RECEIPT.json
Exit 0 before fest branch promotion when TELEMETRY_STRICT=1 in CI—cousin to GitHub Actions concurrency patterns.
Counterarguments (honest limits)
"Insights is enough for partners."
UI sessions do not archive in zips—O5 sample on disk does.
"We will fix proxy after funding."
Q4 diligence is the funding conversation for many teams—offline batch is acceptable; missing folder is not.
"Same as Unity UGS receipt."
Cousin lane—different schema, different trace surface; see table above.
"OpenTelemetry vendor handles TLS."
Vendor SDK still uses OS trust store—corp MITM breaks default chain.
Pairing with site cluster (December 2026 spine)
| Site asset | OTLP case study role |
|---|---|
| Q4 diligence blog | Why 07-observability/ exists |
| Unity UGS preflight | Cousin ninety-second gate |
| Lesson 260 | Unity BUILD_RECEIPT milestone |
| Lesson 274 forward | Unreal BUILD_RECEIPT milestone |
| Guide #36 forward | One-step editor/CLI preflight |
| Help #22 forward | Fix OTLP proxy block during diligence week |
| Top-20 receipts hub | Telemetry spine context |
| Blender diligence evening | Same Q4 mirror week—art lane |
Two-team drill (OTLP edition)
- Partner role: open
07-observability/only; nameotlp_modeandbuild_label. - Founder role: answer from
unreal_otlp_diligence_receipt_v1.json—no screen share of Insights UI. - Swap: founder adds VPN probe log; partner verifies O3 proxy row exists.
Gaps in step 1 cost one evening; gaps on a live call cost term-sheet momentum.
Key takeaways
- Local Insights trace ≠ diligence proof—export sample or probe log to disk (O5).
- Corporate MITM breaks default TLS—pin corp CA or file offline batch honestly.
unreal_otlp_diligence_receipt_v1.jsonis distinct from Unityugs_otlp_diligence_receipt_v1.- Gates O1–O6 block promotion when OTLP story is verbal only.
proxy_policy_table.mdanswers partner questions before IT tickets close.otlp_modemust beliveoroffline_batch—never ambiguous in README.- Q4 diligence annex bundles child receipts via
cousin_receiptspaths. - Multi-SKU studios file Unity + Unreal cousin rows in same zip.
- Redact PII from
.utrace/ JSON batches before partner send. - Thursday row review optional column
unreal_otlp_diligence_ok. - Lesson 274 forward wires BUILD_RECEIPT after this narrative.
- Fail-closed: do not email "live dashboards" when only offline batch passed.
- VPN vs home probe matrix on D1 saves credibility on D5.
- Engine 5.6 pin in receipt—exporter defaults drift across minors.
- December BUILD_RECEIPT defer list when holiday freeze follows diligence week.
FAQ
Is this every Unreal team in Q4 2026?
No—synthesized from diligence-week proxy failures behind corporate VPNs; home-only teams still benefit from O6 receipt discipline.
Do we need a live OTLP collector for partners?
Not always—documented offline batch with sample file often satisfies indie asks; live-only demands require O4 CA pin success.
How is this different from Unity Lesson 260?
260 owns UGS privacy URL HEAD + ugs_otlp_diligence_receipt_v1; this case study owns Unreal Insights OTLP + unreal_otlp_diligence_receipt_v1.
What if we only use crash receipts?
File Unreal receipt with otlp_mode: not_applicable only if README honestly states no trace claims—do not claim Insights in partner deck.
Can we use the same corp CA as Unity SKU?
Yes—share ssl_cert_file path in both cousin receipts; schemas stay separate.
Does Epic provide OTLP export?
Insights / Trace tooling evolves—pin version in receipt; verify against Unreal Engine documentation for your generation.
What about Grafana Cloud?
Vendor-hosted collector still hits corp proxy—same O3–O4 policy.
Will this receipt guarantee funding?
No—it reduces perceived observability risk; outcomes vary.
Help #22 when shipped?
Will own fix OTLP proxy block steps—this case study is recovery narrative; help is procedure.
Where does PostHog fit?
PostHog evening blog is non-UGS wire-up—Unreal SKU may still file OTLP cousin if traces export.
Closing read (July 2026)
Q4 diligence taught micro-studios that crash receipts beat tool names. The follow-up ask is whether trace egress survives the same laptop your founder uses in the publisher office—not the machine on your desk at home.
Unreal teams that treat OTLP export as a receipted policy—CA pin or honest offline batch—enter partner calls with the same calm as teams who already filed Unity UGS OTLP cousins. Teams that conflate Insights UI with diligence proof learn the difference on a Wednesday call.
Start with otlp_probe_fail.log on VPN and proxy_policy_table.md—not with a collector RFP.
Email send template (OTLP annex row)
Subject: <Game> — observability v2 addendum (Unreal OTLP receipt)
Body:
We added
unreal_otlp_diligence_receipt_v1.jsonto 07-observability/ for our UE SKU. README notesotlp_mode: offline_batchduring corporate VPN week; sample trace matchesfest-demo-2026-11-rc4. Unity cousin receipt included for our second SKU.
Pointer-first. Respect partner time.
Found this useful? Share the proxy policy table with your IT contact before diligence week—not after the collector times out.