Sinks

Where generated events are delivered.

Sinks are the output destinations for generated events. Every run writes its events through a single destination sink, specified via CLI flags at invocation time.

Available Sinks

stdout (default)

Writes JSONL to standard output. Active when no destination flags are provided:

tracemill run scenario.yaml

HEC

Posts events to a Splunk HTTP Event Collector endpoint with the HEC envelope format.

tracemill run job.yaml --hec-url https://splunk:8088 --hec-token my-token

Flag            Required  Description
--hec-url       Yes       Splunk HEC endpoint URL
--hec-token     Yes       HEC authentication token
--hec-insecure  No        Skip TLS certificate verification (self-signed dev certs only)

S3

Batches events and uploads them as objects to an S3 bucket. Supports JSONL (default) and CloudTrail formats.

tracemill run job.yaml --s3-bucket ct-ingest --s3-region us-east-1 --s3-format cloudtrail

Flag         Required  Description
--s3-bucket  Yes       S3 bucket name
--s3-region  No        AWS region for the bucket
--s3-prefix  No        Object key prefix
--s3-format  No        Output format: jsonl (default) or cloudtrail
--s3-org-id  No        AWS Organization ID for CloudTrail org-trail path layout

TCP

Sends events over a TCP connection (e.g., to a syslog collector or SIEM).

tracemill run job.yaml --tcp-host syslog.example.com --tcp-port 514

Flag        Required  Description
--tcp-host  Yes       Destination host
--tcp-port  Yes       Destination port

HTTP

Posts events to an HTTP endpoint (e.g., a webhook or Elasticsearch bulk API).

tracemill run job.yaml --http-url https://ingest.example.com/events

Flag             Required  Description
--http-url       Yes       Destination URL
--http-method    No        HTTP method: POST (default) or PUT
--http-insecure  No        Skip TLS certificate verification (self-signed dev certs only)

Destination Rules

  • Destination flag groups are mutually exclusive — specify only one per invocation.
  • Jobs define what to generate (state, pools, workloads); the destination is external to the job.
  • See the CLI reference for the complete flag list.

Event Type Affinity

Some destination formats restrict which event types they accept. For example, the S3 CloudTrail format (--s3-format cloudtrail) only accepts aws.cloudtrail events. If a job produces incompatible event types, the CLI reports an error before execution starts.

JSONL Envelope

Every event emitted by Tracemill includes envelope fields:

Field                Description
tracemill_type       Event type identifier (id@version)
tracemill_timestamp  RFC 3339 with nanoseconds
tracemill_seq        Monotonically increasing sequence number

These fields are always present alongside the event's own payload fields.