GitHub - expanso-io/log-simulators: Realistic log generators for testing data pipelines at volume - web, IoT, syslog, Windows, Cisco ASA, CEF/LEEF, JSON app, cloud audit, Kubernetes, PostgreSQL. Requires only uv. · GitHub
log-simulators
Realistic log generators for testing data pipelines at volume. Ten simulators covering the device types that matter for SIEM and observability pipelines — each one a single command that needs only uv.

```bash
uvx --from git+https://github.com/expanso-io/log-simulators logsim-web --rate 100
```

No clone, no install, no Docker. Pipe the output anywhere — a file, a TCP/UDP collector, or straight into an Expanso Edge pipeline.
The simulators
| Tool | Generates | Demo scenario |
| --- | --- | --- |
| `logsim-web` | Apache/nginx access + error logs (NCSA combined/common/JSON), session-coherent visitors | `error-storm` — recurring 5xx spikes |
| `logsim-iot` | IoT sensor telemetry NDJSON: temperature, humidity, pressure, vibration, voltage with drift + diurnal cycles | `sensor-fault` — spikes, stuck values, dropouts |
| `logsim-syslog` | RFC 3164 and RFC 5424 syslog with realistic facility/severity mix | `auth-burst` — failed-login floods |
| `logsim-windows` | Windows Security Event XML (4624/4625/4688/4672) | `brute-force` — 4625 password-spray bursts |
| `logsim-asa` | Cisco ASA firewall syslog — paired build/teardown with consistent connection IDs, denies | `port-scan` — deny storms from one source |
| `logsim-cef` | CEF and LEEF security events (firewall/IPS style) | `malware-burst` — high-severity event waves |
| `logsim-app` | Structured JSON app logs with trace IDs and realistic embedded PII (for redaction demos) | `error-storm`, `pii-leak` |
| `logsim-cloud` | AWS CloudTrail JSON and VPC Flow Logs | `suspicious-login` — off-region console logins |
| `logsim-k8s` | Kubernetes CRI container logs — multi-pod node, klog + JSON apps, partial-line mechanics | `crash-loop` — restarting pod |
| `logsim-postgres` | PostgreSQL server logs incl. multiline ERROR/DETAIL/STATEMENT and slow queries | `deadlock` — lock-contention windows |
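A pipeline fed by `logsim-asa` can be checked against the two properties the table names: build/teardown pairing by connection ID, and a deny storm from one source. The sketch below is an added example, not code from the log-simulators repository; the sample lines are constructed in the standard Cisco ASA 302013/302014/106023 message shapes, and the function names, 60-second window, three-port threshold and year 2026 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in Cisco ASA syslog format (not captured from logsim-asa).
SAMPLE = """\
Jan 15 12:00:01 fw01 %ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:10.0.0.5/443 (10.0.0.5/443)
Jan 15 12:00:02 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/40001 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]
Jan 15 12:00:02 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/40002 dst inside:10.0.0.5/23 by access-group "outside_in" [0x0, 0x0]
Jan 15 12:00:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.20/33000 dst inside:10.0.0.8/25 by access-group "outside_in" [0x0, 0x0]
Jan 15 12:00:03 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/40003 dst inside:10.0.0.5/3389 by access-group "outside_in" [0x0, 0x0]
Jan 15 12:00:04 fw01 %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/51000 to inside:10.0.0.5/443 duration 0:00:03 bytes 4120 TCP FINs
Jan 15 12:00:05 fw01 %ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.7/51001 (198.51.100.7/51001) to inside:10.0.0.5/443 (10.0.0.5/443)
Jan 15 12:00:06 fw01 %ASA-6-302014: Teardown TCP connection 1003 for outside:198.51.100.7/51002 to inside:10.0.0.5/443 duration 0:00:01 bytes 310 TCP FINs
Jan 15 12:05:00 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.20/33001 dst inside:10.0.0.8/80 by access-group "outside_in" [0x0, 0x0]
Jan 15 12:10:00 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.20/33002 dst inside:10.0.0.8/110 by access-group "outside_in" [0x0, 0x0]
"""
BUILT = re.compile(r"%ASA-6-302013: Built \w+ TCP connection (\d+) ")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) ")
DENY = re.compile(r"%ASA-4-106023: Deny \w+ src \w+:(?P<src>[\d.]+)/\d+ dst \w+:[\d.]+/(?P<dport>\d+) ")

def parse_ts(line, year=2026):  # RFC 3164 stamps carry no year; 2026 is assumed
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def unpaired_connections(lines):
    """Return (built but never torn down, torn down but never built) connection IDs."""
    built, torn = set(), set()
    for line in lines:
        if m := BUILT.search(line):
            built.add(m[1])
        elif m := TEARDOWN.search(line):
            torn.add(m[1])
    return built - torn, torn - built

def deny_storms(lines, window_s=60, min_ports=3):
    """Map source IP -> denied dst ports in its first window_s window with >= min_ports."""
    by_src = defaultdict(list)
    for line in lines:
        if m := DENY.search(line):
            by_src[m["src"]].append((parse_ts(line), int(m["dport"])))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged

if __name__ == "__main__":
    print(unpaired_connections(SAMPLE.splitlines()), deny_storms(SAMPLE.splitlines()))
```

The second source in the sample is denied on three ports spread over ten minutes, so it is flagged only when the window is widened; that is the difference between a storm and background denies.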
Every tool shares the same CLI contract:
```text
--rate N          average events/sec (Poisson-paced, like real traffic)
--count N         stop after N events (0 = run forever)
--duration 5m     stop after a wall-clock duration
--backfill 24h    synthesize 24h of history at full speed, then exit
--follow          ...then keep streaming live
--start-time ISO  anchor the backfill window (deterministic with --seed)
--seed N          fully reproducible output
--diurnal         overnight trough, midday peak
--output DEST     '-' stdout (default) | file path | tcp://host:port | udp://host:port
--rotate-mb N     rotate + gzip file output
--scenario NAME   inject recurring anomaly windows (per-tool)
```
Quick start
```bash
# Stream Apache combined logs at 50/sec forever
uvx --from git+https://github.com/expanso-io/log-simulators logsim-web --rate 50

# 24 hours of historical IoT telemetry, then exit
uvx --from git+https://github.com/expanso-io/log-simulators logsim-iot --backfill 24h --output sensors.ndjson

# A brute-force attack inside normal Windows event noise, to a UDP collector
uvx --from git+https://github.com/expanso-io/log-simulators logsim-windows \
  --scenario brute-force --rate 20 --output udp://localhost:5514

# Reproducible test fixture: same command, byte-identical output
uvx --from git+https://github.com/expanso-io/log-simulators logsim-asa \
  --seed 42 --count 1000 --backfill 1h --start-time 2026-01-15T12:00:00+00:00

# Umbrella command works too
uvx --from git+https://github.com/expanso-io/log-simulators logsim k8s --rate 30
```
Single-file versions of the most-used tools live in standalone/ — each is a self-contained PEP 723 script:
uv run...