Chris Holt

must: a more useful syslog testing tool

Using templated message formats with customisable placeholders, must allows more intelligent testing of syslog receivers with realistic data, as well as longer soak testing and stress testing.

must was created to fill a gap found when stress testing Splunk: real, indexable and meaningful data was needed, not just a stream of filler lines.

must will (eventually) be provided as a standalone tool that uses XML configs (for quick use, consultancy etc.) and as a web-based tool (for more permanent/pretty deployments, with historical reporting and live stats). Currently it only works as a standalone command line script.

Already, you can simulate an entire estate of devices at whatever rate you require, generating any type of log from firewalls, workstations, servers or applications. By using the flexible placeholder system and/or multiple messages, must can be used for load/soak testing, or to test log collection tools (such as Splunk, Graylog, Logger etc.) or SIEM tools (HP ArcSight, NetIQ (Novell) Sentinel, or McAfee Nitro).

Features:

  • Configure any combination of log messages to send as UDP syslog to a target defined on execution
  • Write each log message with any number of placeholders, which are filled with generated data when sent
  • Configure sequences of logs, with selective inheritance of data between steps
  • Choose placeholder types from free text, numbers, times and IP addresses
  • Define placeholders as one-of selection groups or as ranges (for numbers and IP addresses)
  • Configure script-level maximum rates, maximum run times and a maximum number of messages to send
  • Configure individual weightings for each type of message to vary how many of each are sent
  • Every message can have a secondary message configured, with either its own placeholders or data reused from the parent log, allowing an associated message (such as a web server access log following a firewall log) to be sent after a random short delay
  • Define a source IP for each message to simulate multiple devices
  • Define the syslog facility and severity for each message
  • Currently limited by the speed of a single core on the host machine: it peaks at 10,000 messages per second on a 2011 MacBook Pro (x64, 2.4 GHz cores). Multi-threading will be included in future versions, and you can always limit the rate to something lower in the config.
  • Under the GPL, so it's free to use; however this is a hobby for me and I will provide support as and when I can.

Screenshot of Splunk showing captured data


Click here to download must

Note that must should be run using sudo or as root on Linux in order to open raw sockets: sending each message from the source IP configured for it, rather than from the host's own address, means writing the IP header yourself, which the kernel only permits for privileged processes (CAP_NET_RAW).

Click here for the
[installation guide]
[basic usage]
[guide to creating templates]
[FAQ]


Related

Wiki: FAQ
Wiki: guide to creating templates
