# Scripts

## Combined Wazuh simulator

Use one script for all Appendix A/B/C simulation log replay.

```bash
scripts/send-wazuh-sim-logs.sh [selector] [count] [delay_seconds] [--forever] [--dry-run]
```

Examples:

```bash
scripts/send-wazuh-sim-logs.sh all 1 0.2
scripts/send-wazuh-sim-logs.sh a2 1 0
scripts/send-wazuh-sim-logs.sh B3-06 1 0
scripts/send-wazuh-sim-logs.sh c1 1 2 --forever
scripts/send-wazuh-sim-logs.sh all 1 0 --dry-run
```

Environment variables:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `DRY_RUN=1` (alternative to `--dry-run`)

Selector support:

- Global: `all`
- Appendix: `a`, `b`, `c`, `appendix-a`, `appendix-b`, `appendix-c`
- Section: `a1`, `a2`, `a3`, `a4`, `b1`, `b2`, `b3`, `c1`, `c2`, `c3`
- Use-case ID: `A1-01` ... `C3-04`

Sample sources:

- `samples/appendix-a-production-samples.log`
- `samples/appendix-b-production-samples.log`
- `samples/appendix-c-production-samples.log`

## Firewall syslog test

Send FortiGate-style syslog messages to the Wazuh manager on port 514/UDP to test firewall log ingestion.

```bash
python3 scripts/test-firewall-syslog.py [--host HOST] [--port PORT] [--src-ip IP] [--scenario SCENARIO]
python3 scripts/test-firewall-syslog.py --via-docker   # send from inside the container (avoids NAT)
```

Examples:

```bash
python3 scripts/test-firewall-syslog.py                  # send all scenarios from localhost
python3 scripts/test-firewall-syslog.py --via-docker     # recommended: avoids Docker NAT source-IP rewrite
python3 scripts/test-firewall-syslog.py --scenario rdp
python3 scripts/test-firewall-syslog.py --scenario all --delay 0.5 --repeat 3
python3 scripts/test-firewall-syslog.py --host 192.168.1.10 --src-ip 172.16.22.253
```

Available scenarios: `rdp`, `password_change`, `create_admin`, `disable_alert`, `download_config`, `ips_critical`, `port_scan`, `ioc_ip`, `traffic_allow`, `traffic_deny`, `all`

Arguments:

- `--host` — Wazuh manager host (default `127.0.0.1`)
- `--port` — Syslog UDP port (default `514`)
- `--src-ip` — Simulated firewall source IP; it must be in the `allowed-ips` list (default `172.16.22.253`)
- `--delay` — Delay between messages in seconds (default `0.2`)
- `--repeat` — Number of times to repeat each scenario (default `1`)
- `--via-docker` — Run the sender inside the Wazuh container so the source IP is not rewritten by Docker NAT

Verify receipt:

```bash
docker exec wazuh-single-wazuh.manager-1 tail -f /var/ossec/logs/archives/archives.log | grep 172.16.22.253
```

## Dashboard import

Import Wazuh dashboards (NDJSON):

```bash
scripts/import-wazuh-dashboard.sh <file.ndjson>
```

Examples:

```bash
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-required-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-ab-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-c-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-client-agents-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-fortigate-sim-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-custom-rules-dashboard.ndjson
```

## KPI test data seeder

Create IRIS alerts and cases covering every KPI state for UI testing.

```bash
python3 scripts/seed-kpi-test-data.py [--alerts-only] [--cases-only] [--dry-run]
```

Environment variables:

- `IRIS_BASE_URL` — default `https://localhost:8443`
- `IRIS_API_KEY` — required (find it in IRIS under My Profile → API key)

## Other helpers

- `seed-iris-demo-data.sh`: seed IRIS demo cases/tasks via the API.
- `create-shuffle-mvp-workflows.sh`: create Shuffle MVP workflows from templates.
- `trigger-shuffle-workflow.sh`: trigger a Shuffle workflow by ID.
- `update-shuffle-workflow-from-template.sh`: update an existing Shuffle workflow's JSON from a template.

## Notes

- Legacy `send-wazuh-*` simulator scripts were removed and replaced by `send-wazuh-sim-logs.sh`.
- If you add new sample events, keep comments tagged with use-case IDs (for example `# A2-01 ...`) so selector filtering keeps working.
- Wazuh must have `yes` set in `wazuh_manager.conf` for `archives.log` to be populated.
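For the firewall syslog test above, the following is an added example of how a FortiGate-style syslog datagram is assembled and sent to the manager over UDP; it is not the project's `scripts/test-firewall-syslog.py`, and the scenario field sets, device name and IP addresses are constructed samples, not captured logs.

```python
# Added example, not the project's scripts/test-firewall-syslog.py. Scenario
# bodies, device names and IPs are constructed samples, not captured logs.
import socket
import time
from datetime import datetime, timezone

FACILITY_LOCAL7 = 23  # RFC 3164 PRI = facility * 8 + severity; FortiGate uses local7
SEVERITY = {"critical": 2, "warning": 4, "notice": 5}

# Constructed scenario bodies in FortiGate key=value style (assumed field set).
SCENARIOS = {
    "traffic_allow": ("notice", 'type="traffic" subtype="forward" level="notice" '
                      'srcip=10.0.0.5 dstip=203.0.113.10 dstport=443 action="accept"'),
    "traffic_deny": ("warning", 'type="traffic" subtype="forward" level="warning" '
                     'srcip=198.51.100.7 dstip=10.0.0.5 dstport=3389 action="deny"'),
    "ips_critical": ("critical", 'type="utm" subtype="ips" level="critical" '
                     'srcip=198.51.100.7 dstip=10.0.0.5 action="dropped" attack="Test.Sig"'),
}

def build_message(scenario, devname="FGT-SIM", now=None):
    """Return one RFC 3164 syslog datagram (bytes) for a named scenario."""
    severity, body = SCENARIOS[scenario]
    pri = FACILITY_LOCAL7 * 8 + SEVERITY[severity]
    now = now or datetime.now(timezone.utc)
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # RFC 3164 space-padded day
    # FortiGate repeats the timestamp as date=/time= fields inside the body.
    fields = f'date={now:%Y-%m-%d} time={now:%H:%M:%S} devname="{devname}" devid="FGT-SIM-0001" '
    return f"<{pri}>{stamp} {devname} {fields}{body}".encode()

def send(scenarios, host="127.0.0.1", port=514, delay=0.2, src_ip=None, dry_run=False):
    """Send each scenario once over UDP; return the datagrams built (sent or not)."""
    sock = None
    if not dry_run:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        if src_ip:
            # Wazuh's allowed-ips check matches the packet's source address, so this
            # must be a local address, and Docker NAT may still rewrite it on the way in.
            sock.bind((src_ip, 0))
    sent = []
    try:
        for name in scenarios:
            msg = build_message(name)
            if sock is not None:
                sock.sendto(msg, (host, port))
                time.sleep(delay)
            sent.append(msg)
    finally:
        if sock is not None:
            sock.close()
    return sent
```

Run with `dry_run=True` first to inspect the datagrams, then point `host` at the manager and confirm the lines appear in `archives.log` as shown under "Verify receipt".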