S4 LogForge - Realistic SIEM Test Log Generator (13 formats)

S4 LogForge generates security logs that are field-faithful to real devices and SIEM schemas - for when you need production-like data for a SIEM project but cannot use production logs.

WHAT YOU GET

• 13 output formats, each verified end-to-end against real parsers (Elasticsearch ingest pipelines, Elastic integration pipelines, Logstash grok / kv / xml / CEF codec): RFC 3164 and RFC 5424 syslog; CEF (ArcSight-style); LEEF 2.0 (QRadar-style); PAN-OS 10.2 CSV (TRAFFIC/THREAT/SYSTEM); Elastic Common Schema (ECS) 8.11 JSON; XDR telemetry JSON; Windows Event Log XML (Security/Sysmon) and Winlogbeat-shaped JSON; AWS CloudTrail and VPC Flow Logs; Zeek; and Suricata EVE.

• Correlated attack scenarios - brute force to lateral movement, malware beaconing, port scans, insider data exfil, and cloud credential abuse - every event tagged with MITRE ATT&CK technique IDs. Inject them into baseline noise at known times to measure detection and false-positive rates with known ground truth.

• Custom scenarios: author your own correlated attack sequences in a simple TOML DSL - phases, timing, entity bindings, and ATT&CK tags - and inject them like the built-ins.

• Entity consistency: hosts keep their IPs and hostnames, users log in from their usual workstations, GeoIP and cloud identities stay coherent across the entire stream.

• Realistic shape: business-hours diurnal rate curves, log-normal session sizes, benign auth-failure noise, IDS false positives, DNS lookups and C2 beaconing.

• Deterministic: same seed and config produce byte-identical output, so any test is exactly reproducible.

• Throughput: single-core generation sustains 188k to 1.6M events/sec depending on format; a 30-day PoC backfill generates in minutes.

• Outputs: stdout, rotating files, syslog forward (UDP / TCP / TLS), Elasticsearch and OpenSearch bulk, and Splunk HEC (with native event-time so backfill lands at the right time).

• Capacity estimator answers "N hosts at X EPS = how many GB/day per format?" before you size a cluster. Prometheus metrics endpoint for long-running streams.

WHY NOT THE ALTERNATIVES

Generic fake-log tools emit Apache-style noise with no security-product fields. Template-driven event generators ship empty - the content is your problem. Static datasets cannot be re-rated, re-dated, or re-formatted. S4 LogForge ships the content: field mappings modeled on real devices and schemas, kept current.

TYPICAL USES

• SIEM PoC: 30-day backfill of 200 hosts in minutes, then realtime drip
• Detection engineering: generate exactly the log sequence a rule should fire on, tagged with ATT&CK techniques
• Dashboards and capacity sizing with realistic volume and shape
• Ingest load testing at controlled EPS

A free Community edition (separate listing) covers syslog and CEF at a capped rate.