# Test Event Scripts

## SOC Integrator UI (`Run Sim Logs`) target mapping

`/ui -> Systems -> Run Sim Logs` now supports **multi-select Target** values based on the selected `Script`. The UI starts one simulator run per selected target (except `all`, which runs a single `all` run).

- `fortigate`: `all`, `501E`, `80F`, `60F`, `40F`
- `endpoint`: `all`, `windows`, `mac`, `linux`
- `cisco`: `all`, `asa_acl_deny`, `asa_vpn_auth_fail`, `ios_login_fail`, `ios_config_change`
- `proposal_required`: `all`, `a1`, `a2`, `a3`, `a4`
- `proposal_appendix_b`: `all`, `b1`, `b2`, `b3`
- `proposal_appendix_c`: `all`, `c1`, `c2`, `c3`
- `wazuh_test`: `all`, `ioc_dns`, `ioc_ips`, `vpn_outside_th`, `windows_auth_fail`

## Send Wazuh test events

Use this to inject synthetic SOC events into the Wazuh manager via syslog over UDP.

```bash
scripts/send-wazuh-test-events.sh [scenario] [count] [delay_seconds]
```

Optional flag:

- `--forever` (ignore `count` and run continuously until Ctrl+C)

Scenarios:

- `ioc_dns`
- `ioc_ips`
- `vpn_outside_th`
- `windows_auth_fail`
- `all`

Examples:

```bash
scripts/send-wazuh-test-events.sh all
scripts/send-wazuh-test-events.sh vpn_outside_th 5 0.2
WAZUH_SYSLOG_HOST=127.0.0.1 WAZUH_SYSLOG_PORT=514 scripts/send-wazuh-test-events.sh ioc_ips
scripts/send-wazuh-test-events.sh all 1 2 --forever
```

Environment overrides:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `WAZUH_TEST_SRC_IP`
- `WAZUH_TEST_DOMAIN`
- `WAZUH_TEST_USER`

Transport notes:

- Uses `nc` if available.
- Falls back to Bash UDP redirection (`/dev/udp/host/port`) when `nc` is unavailable.

## Send Cisco device test events

Use this to inject Cisco-style syslog events (ASA/IOS) into the Wazuh manager.
```bash
scripts/send-wazuh-cisco-test-events.sh [scenario] [count] [delay_seconds]
```

Optional flag:

- `--forever` (ignore `count` and run continuously until Ctrl+C)

Scenarios:

- `asa_acl_deny`
- `asa_vpn_auth_fail`
- `ios_login_fail`
- `ios_config_change`
- `all`

Examples:

```bash
scripts/send-wazuh-cisco-test-events.sh all
scripts/send-wazuh-cisco-test-events.sh asa_acl_deny 5 0.2
CISCO_DEVICE_HOST=edge-fw-01 scripts/send-wazuh-cisco-test-events.sh ios_login_fail
scripts/send-wazuh-cisco-test-events.sh all 1 2 --forever
```

Environment overrides:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `CISCO_DEVICE_HOST`
- `CISCO_SRC_IP`
- `CISCO_DST_IP`
- `CISCO_VPN_USER`
- `CISCO_ADMIN_USER`

## Send FortiGate firewall test events

Use this to inject FortiGate-style syslog events (models `501E`, `80F`, `60F`, `40F`) into the Wazuh manager.

```bash
scripts/send-wazuh-fortigate-test-events.sh [model] [count] [delay_seconds]
```

Optional flag:

- `--forever` (ignore `count` and run continuously until Ctrl+C)

Models:

- `501E`
- `80F`
- `60F`
- `40F`
- `all`

Examples:

```bash
scripts/send-wazuh-fortigate-test-events.sh all
scripts/send-wazuh-fortigate-test-events.sh 80F 5 0.2
WAZUH_SYSLOG_HOST=127.0.0.1 WAZUH_SYSLOG_PORT=514 scripts/send-wazuh-fortigate-test-events.sh 60F
scripts/send-wazuh-fortigate-test-events.sh all 1 2 --forever
```

Environment overrides:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `FGT_SRC_IP`
- `FGT_DST_IP`
- `FGT_DOMAIN`
- `FGT_USER`

## Run continuous FortiGate simulation

Use this to generate ongoing FortiGate-like traffic and security events for Wazuh testing.
```bash
scripts/send-wazuh-fortigate-continuous.sh [profile] [models] [base_delay_seconds]
```

Profiles:

- `normal` (mostly allowed traffic, occasional admin/vpn/webfilter)
- `incident` (higher IPS/webfilter/vpn anomalies)
- `mixed` (balanced baseline + anomalies)

Models:

- `501E`
- `80F`
- `60F`
- `40F`
- `all`

Examples:

```bash
scripts/send-wazuh-fortigate-continuous.sh mixed all 0.8
scripts/send-wazuh-fortigate-continuous.sh incident 80F 0.3
SIM_MAX_EVENTS=200 scripts/send-wazuh-fortigate-continuous.sh normal 501E 1.0
```

Environment overrides:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `SIM_MAX_EVENTS` (default `0`, which means run forever)
- `SIM_SRC_PREFIX` (default `10.10.20`)
- `SIM_VPN_USER`
- `SIM_ADMIN_USER`

## Simulate all required logs from proposal

Use this to generate synthetic logs for all use cases listed in Appendix A (A1-A4) of `Security Detection & Threat Intelligence Enhancement Proposal-2.md`.

```bash
scripts/send-wazuh-proposal-required-events.sh [selector] [count] [delay_seconds]
```

Optional flag:

- `--forever` (ignore `count` and run continuously until Ctrl+C)

Selectors:

- `all` (all Appendix A use cases)
- `a1`, `a2`, `a3`, `a4` (by section)
- specific use case id, e.g. `A2-01`, `A3-05`, `A4-24`

Examples:

```bash
scripts/send-wazuh-proposal-required-events.sh all 1
scripts/send-wazuh-proposal-required-events.sh a3 3 0.5
scripts/send-wazuh-proposal-required-events.sh A3-05 1
DRY_RUN=1 scripts/send-wazuh-proposal-required-events.sh all 1
scripts/send-wazuh-proposal-required-events.sh a2 1 2 --forever
```

Environment overrides:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `EVENT_DELAY` (default `0.05`)
- `DRY_RUN` (default `0`, set `1` to print only)
- `FGT_DEVNAME`, `FGT_DEVID`
- `WIN_HOST`, `DNS_HOST`
- `SIM_VPN_USER`

## Simulate Appendix B logs (revised proposal)

Use this to generate synthetic logs for Appendix B (B1-B3) in `Security Detection & Threat Intelligence Enhancement Proposal-revise.md`.

```bash
scripts/send-wazuh-proposal-appendix-b-events.sh [selector] [count] [delay_seconds]
```

Optional flag:

- `--forever` (ignore `count` and run continuously until Ctrl+C)

Selectors:

- `all` (all Appendix B use cases)
- `b1`, `b2`, `b3` (by section)
- specific use case id, e.g. `B1-01`, `B2-01`, `B3-06`

Examples:

```bash
scripts/send-wazuh-proposal-appendix-b-events.sh all 1
scripts/send-wazuh-proposal-appendix-b-events.sh b3 2 0.5
scripts/send-wazuh-proposal-appendix-b-events.sh B3-06 1
DRY_RUN=1 scripts/send-wazuh-proposal-appendix-b-events.sh all 1
scripts/send-wazuh-proposal-appendix-b-events.sh b1 1 2 --forever
```

Environment overrides:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `EVENT_DELAY` (default `0.05`)
- `DRY_RUN` (default `0`, set `1` to print only)
- `VCENTER_HOST`, `ESXI_HOST`, `LOGMON_HOST`, `WIN_SYSMON_HOST`
- `SIM_USER`

## Simulate Appendix C logs (future enhancement MVP)

Use this to generate synthetic logs for Appendix C (C1-C3) in `Security Detection & Threat Intelligence Enhancement Proposal-revise.md`.
```bash
scripts/send-wazuh-proposal-appendix-c-events.sh [selector] [count] [delay_seconds]
```

Optional flag:

- `--forever` (ignore `count` and run continuously until Ctrl+C)

Selectors:

- `all` (all Appendix C use cases)
- `c1`, `c2`, `c3` (by section)
- specific use case id, e.g. `C1-01`, `C2-03`, `C3-04`

Examples:

```bash
scripts/send-wazuh-proposal-appendix-c-events.sh all 1
scripts/send-wazuh-proposal-appendix-c-events.sh c1 1 0.5
scripts/send-wazuh-proposal-appendix-c-events.sh C3-04 1
DRY_RUN=1 scripts/send-wazuh-proposal-appendix-c-events.sh all 1
scripts/send-wazuh-proposal-appendix-c-events.sh c2 1 2 --forever
```

Environment overrides:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `EVENT_DELAY` (default `0.05`)
- `DRY_RUN` (default `0`, set `1` to print only)
- `VPN_HOST`, `WIN_HOST`
- `SIM_USER`, `SIM_SERVICE_USER`, `SIM_SRC_IP`

## Simulate endpoint client-agent logs (Windows / macOS / Linux)

Use this to inject realistic endpoint telemetry for client agents into Wazuh.
```bash
scripts/send-wazuh-endpoint-agent-test-events.sh [platform] [scenario] [count] [delay_seconds]
```

Optional flag:

- `--forever` (ignore `count` and run continuously until Ctrl+C)

Platforms:

- `windows`
- `mac`
- `linux`
- `all`

Scenarios:

- `auth`
- `process`
- `persistence`
- `privilege`
- `malware`
- `all`

Examples:

```bash
scripts/send-wazuh-endpoint-agent-test-events.sh all all 1 0.2
scripts/send-wazuh-endpoint-agent-test-events.sh windows process 10 0.1
DRY_RUN=1 scripts/send-wazuh-endpoint-agent-test-events.sh linux all 1 0
scripts/send-wazuh-endpoint-agent-test-events.sh all auth 1 2 --forever
```

Environment overrides:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `DRY_RUN` (default `0`)
- `WIN_HOST`, `MAC_HOST`, `LINUX_HOST`
- `SIM_USER`

## Shuffle sample workflow helpers

Sample playbook design for Shuffle:

- `shuffle-workflows/sample-ioc-playbook.md`

Sample execution payload:

- `scripts/events/shuffle-sample-execution.json`

Trigger an existing Shuffle workflow from the CLI:

```bash
scripts/trigger-shuffle-workflow.sh [ioc_type] [ioc_value]
```

Create the MVP workflows in Shuffle (from the proposal mapping); `<api_key>` is a placeholder for your Shuffle API key:

```bash
SHUFFLE_API_KEY=<api_key> scripts/create-shuffle-mvp-workflows.sh
```

This creates:

- `MVP - IOC Enrichment and Case Routing`
- `MVP - VPN Geo Anomaly Triage`

## Import Wazuh Dashboard (FortiGate Simulation)

Prebuilt saved objects file:

- `scripts/events/wazuh-fortigate-sim-dashboard.ndjson`

Import helper:

```bash
scripts/import-wazuh-dashboard.sh
```

Optional overrides:

```bash
WAZUH_DASHBOARD_URL=https://localhost \
WAZUH_DASHBOARD_USER=admin \
WAZUH_DASHBOARD_PASS=SecretPassword \
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-fortigate-sim-dashboard.ndjson
```

After import, open the dashboard:

- `SOC FortiGate Simulation Overview`

## Wazuh dashboard files (detailed)

Dashboard saved objects are stored in `scripts/events/*.ndjson`.
- `scripts/events/wazuh-fortigate-sim-dashboard.ndjson`
  - Title: `SOC FortiGate Simulation Overview`
  - Purpose: FortiGate simulation visibility (events over time, top devices, top event types, severity).
  - Typical data source: `scripts/send-wazuh-fortigate-test-events.sh`
- `scripts/events/wazuh-client-agents-dashboard.ndjson`
  - Title: `SOC Client Agent Simulation Overview`
  - Purpose: Endpoint simulation visibility for Windows/macOS/Linux agent logs.
  - Typical data source: `scripts/send-wazuh-endpoint-agent-test-events.sh`
- `scripts/events/wazuh-proposal-required-dashboard.ndjson`
  - Title: `SOC Proposal Required Logs Overview`
  - Purpose: Appendix A required-scope logs (A1-A4).
  - Typical data source: `scripts/send-wazuh-proposal-required-events.sh`
- `scripts/events/wazuh-proposal-appendix-ab-dashboard.ndjson`
  - Title: `SOC Proposal Appendix A+B Overview`
  - Purpose: Combined Appendix A and B overview, including use-case table.
  - Typical data sources:
    - `scripts/send-wazuh-proposal-required-events.sh`
    - `scripts/send-wazuh-proposal-appendix-b-events.sh`
- `scripts/events/wazuh-proposal-appendix-c-dashboard.ndjson`
  - Title: `SOC Proposal Appendix C Overview`
  - Purpose: Appendix C MVP scope visibility (currently C1-C3 coverage).
  - Typical data source: `scripts/send-wazuh-proposal-appendix-c-events.sh`
- `scripts/events/wazuh-proposal-custom-rules-dashboard.ndjson`
  - Title: `SOC Proposal Custom Rules Overview`
  - Purpose: Monitor custom proposal rules (e.g., 1003xx/1004xx families), severity, and top descriptions.
  - Typical data source: Any simulation script that triggers proposal custom rules.
### Import any dashboard file

```bash
scripts/import-wazuh-dashboard.sh scripts/events/<dashboard-file>.ndjson
```

Examples:

```bash
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-client-agents-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-required-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-ab-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-c-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-custom-rules-dashboard.ndjson
```

Optional overrides:

```bash
WAZUH_DASHBOARD_URL=https://localhost \
WAZUH_DASHBOARD_USER=admin \
WAZUH_DASHBOARD_PASS=SecretPassword \
OVERWRITE=true \
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-required-dashboard.ndjson
```

### Quick troubleshooting

- Verify that the `wazuh-alerts-*` index pattern has data in Discover.
- Set a time range wide enough to cover the simulation run (for example `Last 24 hours`).
- If charts are empty but raw logs exist, re-import the latest NDJSON and refresh the index pattern's field list.
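The sender scripts above share one behaviour: a syslog line goes out over UDP via `nc`, falling back to `/dev/udp`, with `DRY_RUN=1` printing instead of sending and `count`/`delay`/`--forever` controlling the loop. This is an added example of that pattern, not one of the repository's scripts; it assumes RFC 3164-style framing, and the host name, program name and event text are constructed.

```bash
#!/usr/bin/env bash
# Added example, not one of the repository's scripts: a minimal sender that
# mirrors the documented behaviour (nc with /dev/udp fallback, DRY_RUN=1 to
# print instead of send, count/delay/forever loop). Event text is constructed.
set -u

WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"
DRY_RUN="${DRY_RUN:-0}"

# RFC 3164-style line: <PRI>Mon dd hh:mm:ss host program: message
# PRI 14 = facility user (1) * 8 + severity info (6). Assumed layout; match it
# to whatever decoder the manager uses for the device being simulated.
build_syslog_line() {
  local host="$1" program="$2" message="$3"
  printf '<14>%s %s %s: %s' "$(date '+%b %e %H:%M:%S')" "$host" "$program" "$message"
}

# One datagram per call: nc if present, else Bash's /dev/udp pseudo-device
# (the fallback needs bash, not sh). DRY_RUN=1 prints the line instead.
send_udp_line() {
  local line="$1"
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$line"
    return 0
  fi
  if command -v nc >/dev/null 2>&1; then
    printf '%s\n' "$line" | nc -u -w1 "$WAZUH_SYSLOG_HOST" "$WAZUH_SYSLOG_PORT"
  else
    printf '%s\n' "$line" > "/dev/udp/$WAZUH_SYSLOG_HOST/$WAZUH_SYSLOG_PORT"
  fi
}

# Emit COUNT constructed VPN-login events DELAY seconds apart.
# FOREVER=1 ignores COUNT and loops until Ctrl+C, like the scripts' --forever.
run_scenario() {
  local count="${1:-1}" delay="${2:-0}" forever="${3:-0}" i=0
  while [ "$forever" = "1" ] || [ "$i" -lt "$count" ]; do
    send_udp_line "$(build_syslog_line vpn-gw-01 vpnd \
      "user=jdoe action=login status=success remip=198.51.100.77 (constructed)")" || return 1
    i=$((i + 1))
    sleep "$delay"
  done
}

# Typical use: DRY_RUN=1 to inspect the lines first, then without it to send.
# DRY_RUN=1 run_scenario 3 0.2
```

Run it once with `DRY_RUN=1` and compare the printed line against what the manager's decoder expects before pointing it at a real `WAZUH_SYSLOG_HOST`.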