CLI Reference
Complete reference for all Tracemill CLI commands, flags, and environment variables.
Commands
tracemill run
Run a scenario or job and stream generated events.
tracemill run <content-id-or-path>The run command accepts either a file path or a content ID (see Content ID Resolution below). It inspects the type: field in the YAML to determine whether the file is a scenario or a job.
Use the scenario or job subcommand to explicitly validate the content type:
tracemill run scenario <content-id-or-path>
tracemill run job <content-id-or-path>Flags:
| Flag | Type | Default | Description |
|---|---|---|---|
--dry-run | bool | false | Simulate execution without sending events; prints a summary instead |
--no-stats | bool | false | Disable the live statistics overlay |
--target-type | string | Target SIEM type for format adjustments (e.g. splunk, sentinel); auto-inferred from HEC when not set |
Destination flags (mutually exclusive — specify at most one group):
| Flag | Type | Description |
|---|---|---|
--hec-url | string | Splunk HEC endpoint URL |
--hec-token | string | Splunk HEC authentication token (required with --hec-url) |
--hec-index | string | Splunk index to route events to |
--hec-source | string | Splunk source field to set on events |
--hec-sourcetype | string | Splunk sourcetype field to set on events |
--hec-ack | bool | Enable HEC indexer acknowledgment |
--hec-ack-poll-interval | duration | Interval between ack poll requests (default 2s) |
--hec-ack-timeout | duration | Max time to wait for ack confirmation (default 30s) |
--hec-insecure | bool | Skip TLS certificate verification for the HEC endpoint (use only for self-signed dev certs) |
--s3-bucket | string | S3 bucket name |
--s3-region | string | AWS region for the S3 bucket |
--s3-prefix | string | S3 object key prefix |
--s3-format | string | S3 output format: jsonl (default) or cloudtrail |
--s3-org-id | string | AWS Organization ID for CloudTrail org-trail path layout |
--tcp-host | string | TCP destination host |
--tcp-port | int | TCP destination port (required with --tcp-host) |
--http-url | string | HTTP destination URL |
--http-method | string | HTTP method: POST (default) or PUT |
--http-insecure | bool | Skip TLS certificate verification for the HTTP endpoint (use only for self-signed dev certs) |
When no destination flags are set, events are written to stdout as JSONL (the default).
Event types are auto-discovered from event-types/ directories in the content hierarchy (project > user > library). An emit step referencing an unknown event type is a hard error.
--dry-run uses a manual clock and summary sink — no events are emitted. The summary includes event counts, type breakdown, and estimated duration.
--no-stats suppresses the live statistics overlay. The overlay is shown on stderr when using a remote destination (HEC, S3, TCP, HTTP), or when stdout is redirected to a file/pipe. It is never shown when events go to stdout in a terminal (mixing overlay with event output would be unreadable).
--target-type applies target-specific formatting adjustments. For example, Splunk's Universal Forwarder abbreviates the <System> XML element to <s> in WinEventLog events — --target-type splunk applies this alias so generated events match what Splunk indexes. When --hec-url is set and --target-type is not explicitly provided, the target type is auto-inferred as splunk. Pass --target-type "" to disable inference.
Examples:
# Send events to Splunk via HEC (auto-infers --target-type splunk)
tracemill run job.yaml --hec-url https://splunk:8088 --hec-token my-token
# Send events to a generic HTTP endpoint with explicit Splunk formatting
tracemill run job.yaml --http-url https://proxy:9090 --target-type splunk
# Send events to S3 in CloudTrail format
tracemill run job.yaml --s3-bucket ct-ingest --s3-region us-east-1 --s3-format cloudtrail
# Default: stdout
tracemill run job.yamltracemill validate
Parse and validate YAML content files without executing them. Checks for schema errors, undefined references, and unreachable pool configurations.
# Validate a single file
tracemill validate --scenario <path>
tracemill validate --job <path>
tracemill validate --event-type <path>
# Validate all content in a directory recursively
tracemill validate --dir <path>Exactly one flag is required; they are mutually exclusive.
Flags:
| Flag | Description |
|---|---|
--scenario <path> | Validate a scenario YAML file. Prints "OK" on success. |
--job <path> | Validate a job YAML file, including all referenced pools and scenarios. Prints "OK" on success. |
--event-type <path> | Validate an event-type YAML file. Prints "OK" on success. |
--dir <path> | Recursively validate all content files in a directory. Dispatches each YAML file by its type: field (scenario, job, event-type, pool). Non-YAML files and files with unknown types are skipped. Prints per-file results and a summary. |
--dir is useful for validating an entire content library in one command:
tracemill validate --dir ./scenarios/
tracemill validate --dir ./event-types/tracemill list
List available resources.
list generators
List all built-in generators.
tracemill list generators
tracemill list generators --jsonlist event-types
List all event types discovered from the content hierarchy.
tracemill list event-types
tracemill list event-types --jsonEvent types are auto-discovered from event-types/ directories in each content layer (project > user > library). The output includes a SOURCE column showing which layer provided each type.
list pools
List all pools defined in a job file.
tracemill list pools --job <path>
tracemill list pools --job <path> --jsonThe --job flag is required.
All list subcommands accept --json to emit JSON instead of a table.
tracemill schema
Inspect the JSON schemas embedded in the binary.
schema list
Print the names of all available schemas.
tracemill schema listschema show
Print a schema to stdout.
tracemill schema show <name>
tracemill schema show --alltracemill version
Print version, commit hash, build date, and Go version.
tracemill versionGlobal Flags
These flags are available on all commands:
| Flag | Type | Default | Env Variable | Description |
|---|---|---|---|---|
--verbose | bool | false | TRACEMILL_VERBOSE | Enable debug logging |
--library <path> | string | ~/.tracemill/library | TRACEMILL_LIBRARY | Override the library content directory |
Content ID Resolution
The run command resolves its argument using a three-layer content search. This lets you reference scenarios and jobs by short identifiers instead of full file paths.
Search layers (checked in priority order):
| Priority | Layer | Location |
|---|---|---|
| 1 | Project | Current working directory |
| 2 | User | ~/.tracemill/content/ |
| 3 | Library | ~/.tracemill/library/ (or TRACEMILL_LIBRARY) |
The first layer containing <content-id>.yaml wins. Project-local content shadows library content with the same ID, so you can pin or override a scenario without modifying the shared library.
Examples:
# Content ID — searched across project → user → library
tracemill run aws/scenarios/cloudtrail/brute-force
# File path — used directly, no search
tracemill run ./examples/aws-brute-force.yaml
tracemill run /absolute/path/scenario.yaml
tracemill run ~/scenarios/test.yamlFile path detection: arguments starting with ./, ../, /, or ~ are treated as literal file paths and bypass the content resolver. Arguments ending in .yaml are also treated as file paths, unless they contain . or .. path segments (e.g. aws/../../etc/passwd.yaml), which are rejected as invalid content IDs instead.
Environment Variables
| Variable | Flag | Description |
|---|---|---|
TRACEMILL_VERBOSE | --verbose | Enable debug logging |
TRACEMILL_LIBRARY | --library | Override the default library directory |
Environment variables use the TRACEMILL_ prefix. They can be set instead of passing flags:
export TRACEMILL_LIBRARY=/path/to/custom/library
tracemill run my-scenario