Sinks
Where generated events are delivered.
Sinks are the output destinations for generated events. Every run writes its events through a single destination sink, specified via CLI flags at invocation time.
CLI vs Cloud. With the CLI you select a sink per run via flags (see Running locally). In Cloud, delivery is configured per target as saved pipelines.
Available Sinks
stdout (default)
Writes JSONL to standard output. Active when no destination flags are provided:
tracemill run scenario.yaml
HEC
Posts events to a Splunk HTTP Event Collector endpoint with the HEC envelope format.
tracemill run job.yaml --hec-url https://splunk:8088 --hec-token my-token
| Flag | Required | Description |
|---|---|---|
| --hec-url | Yes | Splunk HEC endpoint URL |
| --hec-token | Yes | HEC authentication token |
| --hec-insecure | No | Skip TLS certificate verification (self-signed dev certs only) |
S3
Batches events and uploads them as objects to an S3 bucket. Supports JSONL (default) and CloudTrail formats.
tracemill run job.yaml --s3-bucket ct-ingest --s3-region us-east-1 --s3-format cloudtrail
| Flag | Required | Description |
|---|---|---|
| --s3-bucket | Yes | S3 bucket name |
| --s3-region | No | AWS region for the bucket |
| --s3-prefix | No | Object key prefix |
| --s3-format | No | Output format: jsonl (default) or cloudtrail |
| --s3-org-id | No | AWS Organization ID for CloudTrail org-trail path layout |
TCP
Sends events over a TCP connection (e.g., to a syslog collector or SIEM).
tracemill run job.yaml --tcp-host syslog.example.com --tcp-port 514
| Flag | Required | Description |
|---|---|---|
| --tcp-host | Yes | Destination host |
| --tcp-port | Yes | Destination port |
HTTP
Posts events to an HTTP endpoint (e.g., a webhook or Elasticsearch bulk API).
tracemill run job.yaml --http-url https://ingest.example.com/events
| Flag | Required | Description |
|---|---|---|
| --http-url | Yes | Destination URL |
| --http-method | No | HTTP method: POST (default) or PUT |
| --http-insecure | No | Skip TLS certificate verification (self-signed dev certs only) |
Destination Rules
- Destination flag groups are mutually exclusive — specify only one per invocation.
- Jobs define what to generate (state, pools, workloads); the destination is external to the job.
- See the CLI reference for the complete flag list.
Event Type Affinity
Some destination formats restrict which event types they accept. For example, the S3 CloudTrail format (--s3-format cloudtrail) only accepts aws.cloudtrail events. If a job produces incompatible event types, the CLI reports an error before execution starts.
JSONL Envelope
Every event emitted by Tracemill includes envelope fields:
| Field | Description |
|---|---|
| tracemill_type | Event type identifier (id@version) |
| tracemill_timestamp | RFC 3339 with nanoseconds |
| tracemill_seq | Monotonically increasing sequence number |
These fields are always present alongside the event's own payload fields.
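A receiver-side check of the envelope, as an added example that is not part of the Tracemill documentation or code base: it reads JSONL lines as captured at a destination and reports missing envelope fields, malformed types or timestamps, sequence numbers that repeat or go backwards, and event types the destination would not accept. It assumes the sequence number is a JSON integer and the timestamp carries up to nine fractional digits; `check_stream`, the sample versions and the `example.other` type are constructed for illustration.

```python
import json
import re

# Assumption: RFC 3339 with an optional fraction of up to nine digits.
RFC3339 = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,9})?(Z|[+-]\d{2}:\d{2})$")
ENVELOPE = ("tracemill_type", "tracemill_timestamp", "tracemill_seq")

def check_stream(lines, allowed_ids=None):
    """Return (line_number, problem) pairs; allowed_ids limits type ids."""
    problems, last_seq = [], None
    for n, raw in enumerate(lines, start=1):
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            problems.append((n, "not a JSON object"))
            continue
        missing = [f for f in ENVELOPE if f not in event]
        if missing:
            problems.append((n, "missing " + ",".join(missing)))
            continue
        type_id, sep, version = str(event["tracemill_type"]).partition("@")
        if not (type_id and sep and version):
            problems.append((n, "type is not id@version"))
        elif allowed_ids is not None and type_id not in allowed_ids:
            problems.append((n, f"type {type_id} not accepted"))
        if not RFC3339.match(str(event["tracemill_timestamp"])):
            problems.append((n, "timestamp is not RFC 3339"))
        seq = event["tracemill_seq"]
        # Assumption: the sequence number is serialized as a JSON integer.
        if isinstance(seq, bool) or not isinstance(seq, int):
            problems.append((n, "seq is not an integer"))
        elif last_seq is not None and seq <= last_seq:
            problems.append((n, f"seq {seq} does not increase past {last_seq}"))
        else:
            last_seq = seq
    return problems

# Constructed sample: type versions and the second type id are invented.
_TS = '"tracemill_timestamp":"2024-05-01T12:00:00.000000001Z"'
SAMPLE = [
    '{"tracemill_type":"aws.cloudtrail@1",%s,"tracemill_seq":1}' % _TS,
    '{"tracemill_type":"aws.cloudtrail@1",%s,"tracemill_seq":2}' % _TS,
    '{"tracemill_type":"example.other@1",%s,"tracemill_seq":3}' % _TS,
    '{"tracemill_type":"aws.cloudtrail@1",%s,"tracemill_seq":2}' % _TS,
    '{"tracemill_type":"aws.cloudtrail@1","tracemill_seq":4}',
]
```

Calling `check_stream(SAMPLE, {"aws.cloudtrail"})` flags line 3 for its type, line 4 for the repeated sequence number and line 5 for the missing timestamp.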
In Tracemill Cloud
In the CLI a sink is chosen per invocation with flags. In Tracemill Cloud, the same delivery destinations are saved as named pipelines on a target and reused across runs. Tracemill Cloud supports the HEC and S3 destinations described above; S3 additionally uses a cross-account IAM role so Tracemill can write to your bucket without shared credentials. See Pipelines for the console setup.