Introduction
What Tracemill is and why it exists.
Tracemill is a stateful, high-fidelity telemetry generation engine. It produces realistic, correlated event streams from declarative YAML configurations — purpose-built for detection validation and stress-testing observability and security systems.
Why Tracemill?
Security and observability teams need realistic telemetry to validate detection rules, stress-test SIEM pipelines, and verify alert logic. Tracemill generates events that mirror real-world patterns — including stateful sequences, correlated identifiers, and realistic field values — without requiring access to production environments.
How It Works
At its core, Tracemill follows a Pool → Scenario → Runner → Sink data flow:
- Pools provide reusable data — IP ranges, user lists, CSV datasets
- Scenarios define step-by-step event sequences with stateful variables and expressions
- Runners execute scenarios, resolving state and generating events
- Sinks deliver events to their destination — stdout, TCP, or HTTP endpoints
For multi-workload generation, a Job orchestrates multiple scenarios with shared pools and bindings.
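The Pool → Scenario → Runner → Sink flow above, modelled as a small Python sketch and used to check a brute-force detection rule against correlated events. This is an added illustration, not Tracemill code and not its YAML schema; every name in it (POOLS, SCENARIO, run_scenario, ListSink, detect_bruteforce, generate) and all sample values are constructed.

```python
import itertools
import random

# Pools: reusable data. Constructed sample values (documentation IP ranges).
POOLS = {
    "users": ["alice", "bob", "carol"],
    "src_ips": ["198.51.100.7", "203.0.113.24"],
}

# Scenario: ordered steps; each step repeats one event template.
SCENARIO = [
    {"repeat": 5, "event": {"action": "login", "outcome": "failure"}},
    {"repeat": 1, "event": {"action": "login", "outcome": "success"}},
]

def run_scenario(scenario, pools, rng, session_ids):
    """Runner: bind state once per run so every event in the run correlates."""
    state = {"user": rng.choice(pools["users"]), "src_ip": rng.choice(pools["src_ips"]),
             "session_id": next(session_ids)}
    for step in scenario:
        for _ in range(step["repeat"]):
            yield {**state, **step["event"]}

class ListSink:
    """Sink: collects events in memory (stand-in for stdout, TCP or HTTP)."""
    def __init__(self):
        self.events = []
    def write(self, event):
        self.events.append(event)

def detect_bruteforce(events, threshold=5):
    """Rule under test: >= threshold failures, then a success, same user and IP."""
    failures, alerts = {}, []
    for e in events:
        key = (e["user"], e["src_ip"])
        if e["outcome"] == "failure":
            failures[key] = failures.get(key, 0) + 1
        elif failures.pop(key, 0) >= threshold:  # a success always resets the count
            alerts.append(key)
    return alerts

def generate(runs, seed=0):
    """Execute the scenario `runs` times and return what reached the sink."""
    rng, ids, sink = random.Random(seed), itertools.count(1), ListSink()
    for _ in range(runs):
        for event in run_scenario(SCENARIO, POOLS, rng, ids):
            sink.write(event)
    return sink.events
```

Because user, source IP and session ID are bound once per run, the rule fires once per run; generating each field independently per event would leave the same rule with nothing to correlate.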
Next Steps
- Installation — download and install the CLI
- Quick Start — generate your first events in under 5 minutes
- Scenarios — learn the core building block