Generate realistic test logs from 12 real source formats — then inject detectable anomalies a SOC should catch. Seeded and deterministic: the same settings always produce the same bytes.
The 5 detectable patterns
Each anomaly is a documented, detectable signature — the kind of thing your SIEM rules should fire on. Seed them into otherwise-clean logs to build test data that proves your detections actually work.
| pattern | what it looks like |
|---|---|
| SSH brute-force | A burst of failed logins from one source IP, then a success — the classic credential-stuffing signature. |
| HTTP 5xx spike | A run of 5xx responses from one client/path — an outage or an app under attack a SOC should page on. |
| Port scan | One source IP hitting many sequential destination ports — reconnaissance sweeping for open services. |
| Impossible travel | The same user seen from two far-apart IPs within minutes — a session that could not physically happen. |
| Oversized transfer | A response/transfer orders of magnitude too large — a possible exfiltration or data-dump event. |
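As an added illustration (not part of the page or the LogAnvil tool) of what a detection for the first pattern looks like on the receiving side: a sliding-window check over constructed OpenSSH auth lines that fires only when a success from one source IP follows a burst of failures from the same IP. The sample lines, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth sample (not generated by the tool): five failures from
# one IP followed by a success, plus an unrelated single failure and success.
SAMPLE = """\
Mar  9 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  9 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar  9 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  9 10:00:04 host sshd[1204]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar  9 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar  9 10:00:06 host sshd[1206]: Accepted password for root from 203.0.113.7 port 50127 ssh2
Mar  9 10:00:07 host sshd[1207]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  9 10:05:00 host sshd[1208]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# BSD-syslog sshd auth line: timestamp, host, sshd[pid], result, user, source IP.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_ts(ts, year=2024):
    # RFC 3164 timestamps carry no year; assume one so they can be compared.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(text, min_failures=5, window_s=300):
    """Return (ip, user, failure_count) for every successful login that was
    preceded, within window_s seconds, by >= min_failures failures from that IP."""
    failures = defaultdict(list)   # source ip -> timestamps of recent failures
    hits = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                # not an auth result line; ignore
        t, ip = parse_ts(m["ts"]), m["ip"]
        # Drop failures that have aged out of the sliding window.
        failures[ip] = [f for f in failures[ip] if (t - f).total_seconds() <= window_s]
        if m["result"] == "Failed":
            failures[ip].append(t)
        elif len(failures[ip]) >= min_failures:
            hits.append((ip, m["user"], len(failures[ip])))
            failures[ip].clear()   # one alert per burst
    return hits

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE))
```

The single failure from 198.51.100.4 never reaches the threshold, so only the 203.0.113.7 burst is reported.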
12 source formats
Every source emits its real on-the-wire shape — lifted from the LogForge catalogue — so the output round-trips straight back through a parser.
| source | family |
|---|---|
| Nginx access (combined) | CLF |
| Apache access (combined) | CLF |
| OpenSSH / sshd auth | syslog |
| Syslog (RFC 3164 / BSD) | syslog |
| Syslog (RFC 5424) | syslog |
| FortiGate firewall (traffic) | key=value |
| Cisco ASA firewall | syslog |
| Windows Security Event | key=value |
| JSON application | JSON |
| Docker container (logfmt) | key=value |
| Kubernetes (klog) | key=value |
| AWS VPC Flow (v2) | CSV |
Deterministic by design. Output flows from a seeded PRNG and a clock walked from a fixed start — no Date.now(), no Math.random(). Commit a seed to a fixture and regenerate the exact same log anywhere, forever.
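The same design in miniature, as an added example that is not LogAnvil's code: a combined-format access-log generator whose only sources of variation are a seeded PRNG and a clock stepped from a fixed start at a given EPS, with an optional HTTP 5xx spike whose placement also comes from the seed. The start time, path list and status mix are assumptions.

```python
import random
from datetime import datetime, timedelta

def _rand_ip(rng):
    return ".".join(str(rng.randint(1, 254)) for _ in range(4))

def generate_clf(seed, n, eps=10.0, spike=0, start="2024-03-09T10:00:00+00:00"):
    """Return n CLF lines. Same (seed, n, eps, spike, start) -> same lines.
    spike > 0 injects that many consecutive 5xx responses from one client/path
    at a seed-chosen offset, the page's 'HTTP 5xx spike' pattern."""
    rng = random.Random(seed)                 # seeded PRNG: no Math.random()
    clock = datetime.fromisoformat(start)     # walked clock: no Date.now()
    step = timedelta(seconds=1.0 / eps)
    paths = ["/", "/login", "/api/v1/items", "/static/app.js"]
    # Anomaly position and client are drawn from the same stream, so the
    # perturbed output is just as reproducible as the clean one.
    spike_at = rng.randrange(0, max(1, n - spike)) if spike else None
    spike_ip = _rand_ip(rng)
    lines = []
    for i in range(n):
        if spike_at is not None and spike_at <= i < spike_at + spike:
            ip, path = spike_ip, "/api/v1/items"
            status = rng.choice([500, 502, 503])
        else:
            ip, path = _rand_ip(rng), rng.choice(paths)
            status = rng.choice([200, 200, 200, 301, 404])
        size = rng.randint(200, 5000)
        ts = clock.strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size} "-" "curl/8.0"')
        clock += step
    return lines

if __name__ == "__main__":
    print("\n".join(generate_clf(42, 20, spike=5)))
```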
Stream it into your own SIEM
Generation is client-side, so to feed a live collector you download the output and pipe it from your own machine — nothing touches this server and you control the destination and the rate. Generate, hit download (.log or .jsonl), then use one of these:
Paced UDP syslog (logger) — ~10 lines/sec

```shell
while IFS= read -r line; do
  logger -n SIEM_HOST -P 514 -d -- "$line"
  sleep 0.1 # ~10 EPS — lower it to go faster
done < anvil.log
```

Paced UDP syslog (netcat)

```shell
while IFS= read -r line; do
  printf '%s\n' "$line" | nc -u -w0 SIEM_HOST 514
  sleep 0.1
done < anvil.log
```

Bulk TCP (netcat) — as fast as the socket allows

```shell
nc SIEM_HOST 514 < anvil.log
```

HTTP collector (JSONL export) — one POST per line

```shell
while IFS= read -r line; do
  curl -sS -X POST -H 'content-type: application/json' \
    -d "$line" https://your-collector.example/ingest
done < anvil.jsonl
```
Replace SIEM_HOST with your collector. Tune sleep for your target EPS.
Test responsibly — only send to systems you own or are explicitly authorized to test.
Generate by source
A dedicated page for each source, with a live-generated deterministic sample and an anomaly-injection showcase.
FAQ
What is a synthetic log generator for?
It produces realistic, fake log lines so you can test a pipeline without shipping real production data. Use it to smoke-test a parser or decoder, seed a SIEM demo, load-test an ingest path, or build a detection lab — with data that looks exactly like nginx, sshd, FortiGate, Windows or a dozen other sources, but contains no real users, IPs, or secrets.
Is the output deterministic?
Yes. Generation is fully seeded: the same source, line count, seed, EPS, format and anomaly settings always produce byte-identical output. That means you can commit a seed to a test fixture and regenerate the exact same log file on any machine, in CI, or a year later — no snapshot files to store.
What anomalies can it inject, and why?
Five documented, detectable patterns a SOC should catch: an SSH brute-force burst (failed logins then a success from one IP), an HTTP 5xx spike, a port scan (one source hitting many sequential ports), impossible travel (one user from two far-apart IPs within minutes), and an oversized transfer (a response orders of magnitude too large). Each slider sets how much of the output that anomaly perturbs, so you can build test data that your rules SHOULD alert on — and prove they do.
Does anything get uploaded?
No. Generation runs 100% in your browser — no log data is ever sent anywhere. The only network call the tool ever makes is an optional license check when you activate a Pro key, and that sends just the key. Free tier never calls any API.
What is the line-count limit?
The free tier generates up to 1,000 lines per run, which is plenty for parser smoke-tests and demos. A Bokamba Pro license raises the cap to 100,000 lines for load-testing and larger fixtures. Either way it is all client-side and instant.
Can I feed the output straight into a parser?
Yes — that is the point. Copy or download the log, or hit “Parse this with LogForge →” to hand the generated lines directly to LogForge and get a working regex / Grok / Wazuh decoder for that shape. LogAnvil is LogForge in reverse: it emits the exact on-the-wire format each source produces.
Got a log and need to parse it instead? → Build a parser with LogForge — paste any log line and get a working regex, Grok, Wazuh decoder or rsyslog template.