docs and tooling: firewall syslog test, dedup command, README updates

- Add scripts/test-firewall-syslog.py: sends FortiGate-style syslog UDP to
  Wazuh port 514 with 10 scenarios; supports --via-docker to preserve
  source IP through Docker NAT
- run-combined-stack.sh: add dedup command (fix missing elif branch so it
  no longer falls through to run_all); add recreate command
- wazuh_manager.conf: add 7 firewall allowed-ips, enable logall/logall_json
- scripts/README.md: document test-firewall-syslog.py, seed-kpi-test-data.py,
  new dashboard NDJSON files
- README.md: full rewrite covering all commands, KPI dashboard, current
  endpoint list, macOS bind-mount note

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

README.md

@@ -2,11 +2,12 @@
 
 This repository runs a combined SOC lab with:
 
-- `wazuh-docker` (single-node)
-- `iris-web`
-- `Shuffle`
-- `pagerduty-stub`
-- `soc-integrator` (FastAPI)
+- `wazuh-docker` (single-node) — SIEM, log ingestion, rule engine
+- `iris-web` — case and alert management (DFIR-IRIS)
+- `Shuffle` — SOAR workflow automation
+- `pagerduty-stub` — mock PagerDuty escalation endpoint
+- `soc-integrator` (FastAPI) — KPI enrichment, IOC analysis, orchestration
+- `flask-openapi-shuffle` — OpenAPI demo for Shuffle integration
 
 All services are connected through a shared Docker network (`soc_shared`).
 
@@ -14,7 +15,7 @@ All services are connected through a shared Docker network (`soc_shared`).
 
 - Docker + Docker Compose plugin
 - Bash
-- `nc` (for test event script)
+- Python 3 (for test/seed scripts)
 
 ## Quick Start
 
@@ -42,42 +43,117 @@ Status overview:
 ./run-combined-stack.sh status
 ```
 
+## Stack Management
+
+```bash
+./run-combined-stack.sh <command> [target] [options]
+```
+
+| Command | Description |
+|---|---|
+| `up [target] [-d]` | Start services (default: all, detached) |
+| `down <target>` | Stop services (target required) |
+| `recreate [target]` | Force-recreate containers (picks up bind-mount changes) |
+| `logs [target] [-f]` | View logs |
+| `status` | Show container and endpoint status |
+| `dedup` | Remove duplicate OpenSearch index patterns in Wazuh dashboard |
+| `cleanup [--with-volumes]` | Prune stopped containers, unused images, builder cache |
+| `help` | Show full usage |
+
+Targets: `all` / `--all`, `wazuh`, `iris`, `shuffle`, `pagerduty`, `integrator`, `flask-openapi-shuffle`
+
+Examples:
+
+```bash
+./run-combined-stack.sh up iris -d
+./run-combined-stack.sh recreate wazuh
+./run-combined-stack.sh recreate --all
+./run-combined-stack.sh down shuffle
+./run-combined-stack.sh logs integrator -f
+./run-combined-stack.sh dedup
+./run-combined-stack.sh cleanup --with-volumes
+```
+
+> **macOS bind mount note**: After editing config files on the host, run `recreate` to ensure the
+> container picks up the new inode. The `Edit`/`Write` tools create new inodes on macOS which Docker
+> does not automatically detect.
+
 ## Service URLs
 
-- Wazuh Dashboard: `https://localhost`
-- Wazuh API: `https://localhost:55000`
-- IRIS-web: `https://localhost:8443`
-- Shuffle UI: `http://localhost:3001`
-- PagerDuty Stub: `http://localhost:18080`
-- SOC Integrator API: `http://localhost:8088`
-- SOC Integrator Swagger: `http://localhost:8088/docs`
+| Service | URL |
+|---|---|
+| Wazuh Dashboard | `https://localhost` |
+| Wazuh API | `https://localhost:55000` |
+| IRIS-web | `https://localhost:8443` |
+| IRIS KPI Dashboard | `https://localhost:8443/kpi-dashboard` |
+| Shuffle UI | `http://localhost:3001` |
+| PagerDuty Stub | `http://localhost:18080` |
+| SOC Integrator API | `http://localhost:8088` |
+| SOC Integrator Swagger | `http://localhost:8088/docs` |
 
 ## SOC Integrator
 
-Key env file:
+Key env file: `soc-integrator/.env`
+
+### IRIS KPI endpoints
 
-- `soc-integrator/.env`
+These endpoints fetch IRIS data and enrich each record with live SLA/KPI metrics:
+
+```
+GET  /iris/alerts                 List alerts with KPI
+GET  /iris/alerts/{id}            Single alert with KPI
+POST /iris/alerts/{id}/assign     Assign alert
+GET  /iris/alerts/export-csv      Export alerts as CSV
+GET  /iris/cases                  List cases with KPI
+GET  /iris/cases/{id}             Single case with KPI
+GET  /iris/cases/export-csv       Export cases as CSV
+```
 
-Main sections:
+KPI is computed per alert/case:
 
-- Legacy integration APIs (`/wazuh/*`, `/shuffle/*`, `/action/*`)
-- MVP orchestration APIs (`/mvp/*`)
-- Wazuh-to-MVP sync API (`/wazuh/sync-to-mvp`)
-- Wazuh auto-sync status API (`/wazuh/auto-sync/status`)
+```
+elapsed_pct = (now − created_at) / sla_seconds × 100
+kpi_pct     = 100 − elapsed_pct  (clamped 0–100)
 
-### MVP endpoints
+SLA by severity:   High → 4 h   Medium → 8 h   Low → 24 h
 
-- `POST /mvp/incidents/ingest`
-- `POST /mvp/ioc/evaluate`
-- `POST /mvp/vpn/evaluate`
-- `GET /mvp/config/policies`
-- `PUT /mvp/config/policies`
-- `GET /mvp/health/dependencies`
+Status thresholds: On Track ≥ 80 | Watch ≥ 60 | Warning ≥ 40 | Urgent ≥ 20 | Critical > 0 | Breached
+Resolved alerts:   elapsed frozen at resolution time, status = "Resolved"
+```
 
-Protected endpoints require:
+### MVP orchestration endpoints
 
-- Header: `X-Internal-API-Key`
-- Key from: `SOC_INTEGRATOR_INTERNAL_KEY` in `soc-integrator/.env`
+```
+POST /mvp/incidents/ingest
+POST /mvp/ioc/evaluate
+POST /mvp/vpn/evaluate
+GET  /mvp/config/policies
+PUT  /mvp/config/policies
+GET  /mvp/health/dependencies
+```
+
+Protected endpoints require header: `X-Internal-API-Key`
+Key from: `SOC_INTEGRATOR_INTERNAL_KEY` in `soc-integrator/.env`
+
+### Other endpoints
+
+```
+GET  /health
+GET  /wazuh/alerts
+GET  /wazuh/agents
+POST /wazuh/sync-to-mvp
+GET  /wazuh/auto-sync/status
+POST /ingest/wazuh-alert
+GET  /ioc/enrich
+POST /ioc/evaluate
+GET  /geoip/{ip}
+POST /action/create-incident
+POST /action/create-iris-case
+POST /action/trigger-shuffle
+GET/POST /shuffle/workflows
+GET  /sim/logs/runs
+POST /sim/logs/start
+```
 
 ### Example: MVP ingest
 
@@ -102,25 +178,34 @@ curl -X POST http://localhost:8088/mvp/incidents/ingest \
   }'
 ```
 
-## Test Events to Wazuh
+## Sending Test Events to Wazuh
 
-Send synthetic events via syslog UDP 514:
+### Appendix A/B/C simulation logs
+
+Replay production-style sample logs via syslog UDP 514:
 
 ```bash
-scripts/send-wazuh-test-events.sh all
+scripts/send-wazuh-sim-logs.sh all 1 0.2
+scripts/send-wazuh-sim-logs.sh a2 1 0
+scripts/send-wazuh-sim-logs.sh B3-06 1 0
+scripts/send-wazuh-sim-logs.sh all 1 0 --dry-run
 ```
 
-Scenarios:
+See `scripts/README.md` for full selector/flag reference.
+
+### FortiGate firewall syslog test
+
+Send FortiGate-style syslog messages directly to Wazuh port 514/UDP:
 
-- `ioc_dns`
-- `ioc_ips`
-- `vpn_outside_th`
-- `windows_auth_fail`
-- `all`
+```bash
+python3 scripts/test-firewall-syslog.py --via-docker
+python3 scripts/test-firewall-syslog.py --scenario rdp --via-docker
+```
 
-See `scripts/README.md` for details.
+The `--via-docker` flag sends from inside the container to preserve the firewall source IP
+through Docker NAT. Source IP must be in the `allowed-ips` list in `wazuh_manager.conf`.
 
-Sync Wazuh alerts from indexer into MVP pipeline:
+### Sync Wazuh alerts into MVP pipeline
 
 ```bash
 curl -X POST "http://localhost:8088/wazuh/sync-to-mvp?limit=50&minutes=120&q=*" \
@@ -129,16 +214,15 @@ curl -X POST "http://localhost:8088/wazuh/sync-to-mvp?limit=50&minutes=120&q=*"
 
 Notes:
 
-- This sync reads from `wazuh-alerts-*` in Wazuh indexer.
-- Re-running sync is safe; dedupe is applied by `source + event_id`.
-- Your `send-wazuh-test-events.sh` traffic appears only after Wazuh rules generate alerts.
+- Reads from `wazuh-alerts-*` in Wazuh indexer.
+- Re-running is safe — dedupe applied by `source + event_id`.
+- Wazuh must fire rules before alerts appear (check `archives.log` first).
 
-Enable automatic sync worker:
+### Enable automatic sync worker
 
 ```bash
 sed -i 's/^WAZUH_AUTO_SYNC_ENABLED=.*/WAZUH_AUTO_SYNC_ENABLED=true/' soc-integrator/.env
 ./run-combined-stack.sh up integrator --build -d
-./run-combined-stack.sh logs integrator -f
 ```
 
 Auto-sync settings in `soc-integrator/.env`:
@@ -149,6 +233,21 @@ Auto-sync settings in `soc-integrator/.env`:
 - `WAZUH_AUTO_SYNC_LIMIT` (default `50`)
 - `WAZUH_AUTO_SYNC_MINUTES` (default `120`)
 
+## KPI Dashboard
+
+The KPI dashboard is embedded inside IRIS at `/kpi-dashboard`.
+
+It shows alerts and cases with live SLA progress (colour-coded gauge), status, owner, and severity.
+The page auto-refreshes every 60 seconds.
+
+To seed test data covering every KPI state:
+
+```bash
+IRIS_API_KEY=<key> python3 scripts/seed-kpi-test-data.py
+```
+
+Find your API key in IRIS → My Profile.
+
 ## Logs
 
 All logs (non-follow):
@@ -167,4 +266,8 @@ Follow one stack:
 ## Notes
 
 - MVP escalation is wired to `pagerduty-stub` (not real PagerDuty).
-- IRIS-web is used as case management backend (replacing DFIRTrack).
+- IRIS-web is used as case management backend.
+- After `recreate wazuh`, run `./run-combined-stack.sh dedup` to remove duplicate index patterns
+  created by the Wazuh dashboard post-init script.
+- Wazuh archive logging requires `<logall>yes</logall>` in `wazuh_manager.conf`
+  (already enabled); archives appear in `/var/ossec/logs/archives/archives.log`.

run-combined-stack.sh

@@ -26,6 +26,8 @@ Usage:
 
 Commands:
   up           Start services (default: up -d when no args)
+  recreate     Force-recreate containers (picks up bind-mount inode changes)
+  dedup        Remove duplicate OpenSearch index patterns in Wazuh dashboard
   down         Stop services (requires explicit target)
   logs         View logs
   status       Show container and endpoint status
@@ -46,6 +48,9 @@ Examples:
   ./run-combined-stack.sh up --all -d
   ./run-combined-stack.sh up iris -d
   ./run-combined-stack.sh up flask-openapi-shuffle -d
+  ./run-combined-stack.sh recreate wazuh
+  ./run-combined-stack.sh recreate --all
+  ./run-combined-stack.sh dedup
   ./run-combined-stack.sh down shuffle
   ./run-combined-stack.sh down --all
   ./run-combined-stack.sh logs integrator -f
@@ -67,6 +72,75 @@ if [[ "${COMMAND}" == "status" ]]; then
   exec "${ROOT_DIR}/soc-status.sh"
 fi
 
+dedup_index_patterns() {
+  local dashboard_url="https://localhost:443"
+  local user="kibanaserver"
+  local pass="kibanaserver"
+  local max_wait=60
+  local waited=0
+
+  echo "Waiting for Wazuh dashboard to be ready..."
+  until curl -sk -u "${user}:${pass}" "${dashboard_url}/api/status" -o /dev/null 2>&1; do
+    sleep 3
+    waited=$((waited + 3))
+    if [[ ${waited} -ge ${max_wait} ]]; then
+      echo "Dashboard not ready after ${max_wait}s — skipping dedup."
+      return 1
+    fi
+  done
+
+  echo "Scanning for duplicate index patterns..."
+  python3 - <<PYEOF
+import json, sys, urllib.request, urllib.error, ssl
+
+BASE = "${dashboard_url}"
+AUTH = ("${user}", "${pass}")
+ctx  = ssl.create_default_context(); ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE
+
+def req(method, path, data=None):
+    import base64
+    token = base64.b64encode(f"{AUTH[0]}:{AUTH[1]}".encode()).decode()
+    headers = {"osd-xsrf": "true", "Authorization": f"Basic {token}"}
+    if data:
+        headers["Content-Type"] = "application/json"
+    r = urllib.request.Request(BASE + path, data=data, headers=headers, method=method)
+    with urllib.request.urlopen(r, context=ctx, timeout=15) as resp:
+        return json.loads(resp.read())
+
+# Fetch all index-pattern saved objects
+result = req("GET", "/api/saved_objects/_find?type=index-pattern&per_page=100")
+patterns = result.get("saved_objects", [])
+
+# Group by title
+from collections import defaultdict
+by_title = defaultdict(list)
+for p in patterns:
+    by_title[p["attributes"]["title"]].append(p)
+
+deleted = 0
+for title, objs in by_title.items():
+    if len(objs) <= 1:
+        continue
+    # Keep the one whose ID matches the title (canonical), or the oldest updated_at
+    canonical = next((o for o in objs if o["id"] == title), None)
+    if not canonical:
+        canonical = sorted(objs, key=lambda o: o.get("updated_at", ""))[0]
+    to_delete = [o for o in objs if o["id"] != canonical["id"]]
+    for obj in to_delete:
+        try:
+            req("DELETE", f"/api/saved_objects/index-pattern/{obj['id']}")
+            print(f"  deleted  [{obj['id']}]  title='{title}'")
+            deleted += 1
+        except urllib.error.HTTPError as e:
+            print(f"  error deleting [{obj['id']}]: {e}")
+
+if deleted == 0:
+    print("  no duplicates found.")
+else:
+    print(f"  removed {deleted} duplicate(s).")
+PYEOF
+}
+
 run_cleanup() {
   local with_volumes="${1:-false}"
 
@@ -314,6 +388,19 @@ elif [[ "${COMMAND}" == "up" ]]; then
       run_all "up"
       ;;
   esac
+elif [[ "${COMMAND}" == "recreate" ]]; then
+  TARGET="${1:-all}"
+  COMMAND="up"
+  case "${TARGET}" in
+    wazuh|iris|shuffle|pagerduty|integrator|flask-openapi-shuffle)
+      ARGS=("--force-recreate" "-d")
+      run_target "${TARGET}"
+      ;;
+    all|--all|*)
+      ARGS=("--force-recreate" "-d")
+      run_all "up"
+      ;;
+  esac
 elif [[ "${COMMAND}" == "cleanup" ]]; then
   WITH_VOLUMES="false"
   for arg in ${ARGS[@]+"${ARGS[@]}"}; do
@@ -326,6 +413,8 @@ elif [[ "${COMMAND}" == "cleanup" ]]; then
     esac
   done
   run_cleanup "${WITH_VOLUMES}"
+elif [[ "${COMMAND}" == "dedup" ]]; then
+  dedup_index_patterns
 else
   run_all "up"
 fi

scripts/README.md

@@ -37,6 +37,43 @@ Sample sources:
 - `samples/appendix-b-production-samples.log`
 - `samples/appendix-c-production-samples.log`
 
+## Firewall syslog test
+
+Send FortiGate-style syslog messages to Wazuh manager port 514/UDP to test firewall log ingestion.
+
+```bash
+python3 scripts/test-firewall-syslog.py [--host HOST] [--port PORT] [--src-ip IP] [--scenario SCENARIO]
+python3 scripts/test-firewall-syslog.py --via-docker   # send from inside container (avoids NAT)
+```
+
+Examples:
+
+```bash
+python3 scripts/test-firewall-syslog.py                         # send all scenarios from localhost
+python3 scripts/test-firewall-syslog.py --via-docker            # recommended: avoids Docker NAT source-IP rewrite
+python3 scripts/test-firewall-syslog.py --scenario rdp
+python3 scripts/test-firewall-syslog.py --scenario all --delay 0.5 --repeat 3
+python3 scripts/test-firewall-syslog.py --host 192.168.1.10 --src-ip 172.16.22.253
+```
+
+Available scenarios: `rdp`, `password_change`, `create_admin`, `disable_alert`, `download_config`,
+`ips_critical`, `port_scan`, `ioc_ip`, `traffic_allow`, `traffic_deny`, `all`
+
+Arguments:
+
+- `--host` — Wazuh manager host (default `127.0.0.1`)
+- `--port` — Syslog UDP port (default `514`)
+- `--src-ip` — Simulated firewall source IP, must be in `allowed-ips` list (default `172.16.22.253`)
+- `--delay` — Delay between messages in seconds (default `0.2`)
+- `--repeat` — Number of times to repeat each scenario (default `1`)
+- `--via-docker` — Execute inside the Wazuh container to preserve source IP through Docker NAT
+
+Verify receipt:
+
+```bash
+docker exec wazuh-single-wazuh.manager-1 tail -f /var/ossec/logs/archives/archives.log | grep 172.16.22.253
+```
+
 ## Dashboard import
 
 Import Wazuh dashboards (NDJSON):
@@ -52,8 +89,23 @@ scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-required-dashboa
 scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-ab-dashboard.ndjson
 scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-c-dashboard.ndjson
 scripts/import-wazuh-dashboard.sh scripts/events/wazuh-client-agents-dashboard.ndjson
+scripts/import-wazuh-dashboard.sh scripts/events/wazuh-fortigate-sim-dashboard.ndjson
+scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-custom-rules-dashboard.ndjson
+```
+
+## KPI test data seeder
+
+Create IRIS alerts and cases covering every KPI state for UI testing.
+
+```bash
+python3 scripts/seed-kpi-test-data.py [--alerts-only] [--cases-only] [--dry-run]
 ```
 
+Environment variables:
+
+- `IRIS_BASE_URL` — default `https://localhost:8443`
+- `IRIS_API_KEY` — required (find in IRIS → My Profile → API key)
+
 ## Other helpers
 
 - `seed-iris-demo-data.sh`: seed IRIS demo cases/tasks via API.
@@ -65,3 +117,4 @@ scripts/import-wazuh-dashboard.sh scripts/events/wazuh-client-agents-dashboard.n
 
 - Legacy `send-wazuh-*` simulator scripts were removed and replaced by `send-wazuh-sim-logs.sh`.
 - If you add new sample events, keep comments tagged with use-case IDs (for example `# A2-01 ...`) so selector filtering keeps working.
+- Wazuh must have `<logall>yes</logall>` set in `wazuh_manager.conf` for archives.log to be populated.

scripts/test-firewall-syslog.py

@@ -0,0 +1,244 @@
+#!/usr/bin/env python3
+"""
+test-firewall-syslog.py — Send FortiGate-style syslog test messages to Wazuh manager port 514/UDP.
+
+Usage:
+  python3 scripts/test-firewall-syslog.py [--host HOST] [--port PORT] [--src-ip IP] [--scenario SCENARIO]
+  python3 scripts/test-firewall-syslog.py --via-docker          # send from inside container (avoids NAT)
+
+Examples:
+  python3 scripts/test-firewall-syslog.py
+  python3 scripts/test-firewall-syslog.py --via-docker
+  python3 scripts/test-firewall-syslog.py --host 192.168.1.10 --src-ip 172.16.22.253
+  python3 scripts/test-firewall-syslog.py --scenario rdp
+  python3 scripts/test-firewall-syslog.py --scenario all --delay 0.5
+"""
+
+import argparse
+import socket
+import subprocess
+import time
+import datetime
+
+# ── Default target ────────────────────────────────────────────────────────────
+DEFAULT_HOST = "127.0.0.1"
+DEFAULT_PORT = 514
+DEFAULT_SRC_IP = "172.16.22.253"   # must be in allowed-ips list
+WAZUH_CONTAINER = "wazuh-single-wazuh.manager-1"
+
+# ── FortiGate syslog scenarios ────────────────────────────────────────────────
+def _ts():
+    now = datetime.datetime.now(datetime.timezone.utc)
+    return now.strftime("%Y-%m-%d"), now.strftime("%H:%M:%S")
+
+def make_fortigate_log(src_ip, **fields):
+    """Build a FortiGate v6 syslog line (key=value pairs)."""
+    date, time_ = _ts()
+    base = {
+        "date": date,
+        "time": time_,
+        "devname": "FG-TEST-FW",
+        "devid": "FGT60E0000000001",
+        "logid": "0000000013",
+        "type": "traffic",
+        "subtype": "forward",
+        "level": "notice",
+        "vd": "root",
+        "srcip": src_ip,
+        "srcport": "54321",
+        "srcintf": "port1",
+        "dstip": "10.0.0.1",
+        "dstport": "80",
+        "dstintf": "port2",
+        "policyid": "1",
+        "proto": "6",
+        "action": "accept",
+        "service": "HTTP",
+        "duration": "1",
+        "sentbyte": "1024",
+        "rcvdbyte": "2048",
+    }
+    base.update(fields)
+    parts = []
+    for k, v in base.items():
+        if " " in str(v) or "=" in str(v):
+            parts.append(f'{k}="{v}"')
+        else:
+            parts.append(f"{k}={v}")
+    return " ".join(parts)
+
+SCENARIOS = {
+    # A2-01: RDP traffic allowed
+    "rdp": {
+        "description": "A2-01 — RDP (3389) traffic allowed",
+        "log": lambda src: make_fortigate_log(src,
+            logid="0000000013", type="traffic", subtype="forward",
+            dstport="3389", action="accept", service="RDP",
+        ),
+    },
+    # A2-02: Admin password change
+    "password_change": {
+        "description": "A2-02 — Admin password changed",
+        "log": lambda src: make_fortigate_log(src,
+            logid="0100032001", type="event", subtype="system",
+            level="information", action="password-change",
+            user="admin", msg="Change admin password",
+        ),
+    },
+    # A2-03: New admin account created
+    "create_admin": {
+        "description": "A2-03 — New admin account created",
+        "log": lambda src: make_fortigate_log(src,
+            logid="0100032002", type="event", subtype="system",
+            level="information", action="create-admin",
+            user="newadmin", msg="Create admin account",
+        ),
+    },
+    # A2-04: Alerting disabled via config change
+    "disable_alert": {
+        "description": "A2-04 — Alerting disabled (config-change)",
+        "log": lambda src: make_fortigate_log(src,
+            logid="0100032003", type="event", subtype="system",
+            level="warning", action="config-change",
+            config_value="disable", msg="Email alerting disabled",
+        ),
+    },
+    # A2-05: Config file downloaded
+    "download_config": {
+        "description": "A2-05 — Firewall config downloaded",
+        "log": lambda src: make_fortigate_log(src,
+            logid="0100032004", type="event", subtype="system",
+            level="warning", action="download-config",
+            user="admin", msg="Configuration backup downloaded",
+        ),
+    },
+    # A2-06: Multiple critical IPS signatures
+    "ips_critical": {
+        "description": "A2-06 — Multiple critical IPS signatures",
+        "log": lambda src: make_fortigate_log(src,
+            logid="0419016384", type="utm", subtype="ips",
+            level="critical", action="dropped",
+            attack="Multiple.Critical.Signatures", severity="critical",
+            srcip="203.0.113.42", dstip="172.16.1.10",
+        ),
+    },
+    # A2-07: TCP port scan
+    "port_scan": {
+        "description": "A2-07 — TCP port scan detected",
+        "log": lambda src: make_fortigate_log(src,
+            logid="0419016385", type="utm", subtype="anomaly",
+            level="critical", action="dropped",
+            attack="TCP.Port.Scan", severity="critical",
+            srcip="203.0.113.99", dstip="172.16.0.0",
+        ),
+    },
+    # A2-08: IPS IOC-based IP indicator
+    "ioc_ip": {
+        "description": "A2-08 — IPS IOC-based IP indicator",
+        "log": lambda src: make_fortigate_log(src,
+            logid="0419016386", type="utm", subtype="ips",
+            level="critical", action="blocked",
+            ioc_type="ip", ioc_value="198.51.100.42",
+            srcip="198.51.100.42", dstip="172.16.1.5",
+        ),
+    },
+    # Generic traffic allow
+    "traffic_allow": {
+        "description": "Generic — Traffic allowed (HTTP)",
+        "log": lambda src: make_fortigate_log(src,
+            dstport="80", action="accept", service="HTTP",
+        ),
+    },
+    # Generic traffic deny
+    "traffic_deny": {
+        "description": "Generic — Traffic denied",
+        "log": lambda src: make_fortigate_log(src,
+            dstport="22", action="deny", service="SSH",
+        ),
+    },
+}
+
+
+def _build_syslog_packet(message, src_ip, facility=16, severity=6):
+    pri = (facility * 8) + severity
+    _, time_ = _ts()
+    month_day = datetime.datetime.now(datetime.timezone.utc).strftime("%b %d").replace(" 0", "  ")
+    return f"<{pri}>{month_day} {time_} {src_ip} {message}"
+
+
+def send_syslog_udp(host, port, message, src_ip):
+    """Send directly via UDP socket (source IP will appear as Docker bridge on local test)."""
+    packet = _build_syslog_packet(message, src_ip)
+    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    try:
+        sock.sendto(packet.encode("utf-8"), (host, port))
+        return True
+    except OSError:
+        return False
+    finally:
+        sock.close()
+
+
+def send_syslog_via_docker(message, src_ip, port):
+    """Send UDP from inside the Wazuh container using /dev/udp — source IP is container's own IP."""
+    packet = _build_syslog_packet(message, src_ip)
+    py_cmd = (
+        f"import socket; s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM); "
+        f"s.sendto({repr(packet.encode())}, ('127.0.0.1',{port})); s.close()"
+    )
+    result = subprocess.run(
+        ["docker", "exec", WAZUH_CONTAINER, "python3", "-c", py_cmd],
+        capture_output=True, timeout=5,
+    )
+    return result.returncode == 0
+
+
+def run_scenario(name, info, host, port, src_ip, via_docker):
+    log = info["log"](src_ip)
+    if via_docker:
+        ok = send_syslog_via_docker(log, src_ip, port)
+    else:
+        ok = send_syslog_udp(host, port, log, src_ip)
+    status = "✓" if ok else "✗"
+    print(f"  {status}  {name:20s}  {info['description']}")
+    return ok
+
+
+def main():
+    parser = argparse.ArgumentParser(description="Send FortiGate syslog test messages to Wazuh")
+    parser.add_argument("--host",       default=DEFAULT_HOST, help=f"Wazuh manager host (default: {DEFAULT_HOST})")
+    parser.add_argument("--port",       default=DEFAULT_PORT, type=int, help=f"Syslog UDP port (default: {DEFAULT_PORT})")
+    parser.add_argument("--src-ip",     default=DEFAULT_SRC_IP, help=f"Simulated firewall source IP (default: {DEFAULT_SRC_IP})")
+    parser.add_argument("--scenario",   default="all",
+                        choices=list(SCENARIOS.keys()) + ["all"],
+                        help="Scenario to send (default: all)")
+    parser.add_argument("--delay",      default=0.2, type=float, help="Delay between messages in seconds (default: 0.2)")
+    parser.add_argument("--repeat",     default=1, type=int, help="Number of times to repeat each scenario (default: 1)")
+    parser.add_argument("--via-docker", action="store_true",
+                        help="Send from inside the Wazuh container (avoids Docker NAT source-IP rewrite)")
+    args = parser.parse_args()
+
+    mode = f"docker exec {WAZUH_CONTAINER}" if args.via_docker else f"{args.host}:{args.port}"
+    print(f"Wazuh syslog test — mode: {mode}  src-ip: {args.src_ip}")
+    print(f"{'─' * 65}")
+
+    to_run = list(SCENARIOS.items()) if args.scenario == "all" else [(args.scenario, SCENARIOS[args.scenario])]
+    total = ok_count = 0
+
+    for _ in range(args.repeat):
+        for name, info in to_run:
+            success = run_scenario(name, info, args.host, args.port, args.src_ip, args.via_docker)
+            total += 1
+            ok_count += int(success)
+            if args.delay:
+                time.sleep(args.delay)
+
+    print(f"{'─' * 65}")
+    print(f"Sent {ok_count}/{total} messages")
+    print()
+    print("Verify with:")
+    print(f"  docker exec {WAZUH_CONTAINER} tail -f /var/ossec/logs/archives/archives.log | grep {args.src_ip}")
+
+
+if __name__ == "__main__":
+    main()

wazuh-docker/single-node/config/wazuh_cluster/wazuh_manager.conf

@@ -2,8 +2,8 @@
   <global>
     <jsonout_output>yes</jsonout_output>
     <alerts_log>yes</alerts_log>
-    <logall>no</logall>
-    <logall_json>no</logall_json>
+    <logall>yes</logall>
+    <logall_json>yes</logall_json>
     <email_notification>no</email_notification>
     <smtp_server>smtp.example.wazuh.com</smtp_server>
     <email_from>wazuh@example.wazuh.com</email_from>
@@ -41,6 +41,8 @@
     <allowed-ips>172.16.162.1/24</allowed-ips>
     <allowed-ips>172.16.160.253/24</allowed-ips>
     <allowed-ips>172.16.165.254/24</allowed-ips>
+    <allowed-ips>172.19.0.0/16</allowed-ips>   <!-- Docker bridge — local test only -->
+    <allowed-ips>127.0.0.1/32</allowed-ips>   <!-- loopback — local test only -->
   </remote>
 
   <!-- Policy monitoring -->