# Test Event Scripts

## Send Wazuh test events

Use this to inject synthetic SOC events into the Wazuh manager over syslog UDP.

```bash
scripts/send-wazuh-test-events.sh [scenario] [count] [delay_seconds]
```

Optional flag:

- `--forever` (ignore `count` and run continuously until Ctrl+C)

Scenarios:

- `ioc_dns`
- `ioc_ips`
- `vpn_outside_th`
- `windows_auth_fail`
- `all`

Examples:

```bash
scripts/send-wazuh-test-events.sh all
scripts/send-wazuh-test-events.sh vpn_outside_th 5 0.2
WAZUH_SYSLOG_HOST=127.0.0.1 WAZUH_SYSLOG_PORT=514 scripts/send-wazuh-test-events.sh ioc_ips
scripts/send-wazuh-test-events.sh all 1 2 --forever
```

Environment overrides:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `WAZUH_TEST_SRC_IP`
- `WAZUH_TEST_DOMAIN`
- `WAZUH_TEST_USER`

Transport notes:

- Uses `nc` if available.
- Falls back to Bash UDP redirection (`/dev/udp/host/port`) when `nc` is unavailable; that fallback is a Bash feature, so it needs `bash` rather than a plain POSIX `sh`.
- The manager only ingests these events when remote syslog is enabled in its `ossec.conf`: a `<remote>` block with `<connection>syslog</connection>`, a `<port>`/`<protocol>` matching the values above, and an `<allowed-ips>` entry covering the sending host. Because the transport is UDP, a wrong port or a missing `allowed-ips` entry fails silently; confirm delivery in the manager's alerts (or in `archives.log` if `logall` is enabled) rather than trusting the script's exit status.

## Send Cisco device test events

Use this to inject Cisco-style syslog events (ASA/IOS) into the Wazuh manager.

```bash
scripts/send-wazuh-cisco-test-events.sh [scenario] [count] [delay_seconds]
```

Optional flag:

- `--forever` (ignore `count` and run continuously until Ctrl+C)

Scenarios:

- `asa_acl_deny`
- `asa_vpn_auth_fail`
- `ios_login_fail`
- `ios_config_change`
- `all`

Examples:

```bash
scripts/send-wazuh-cisco-test-events.sh all
scripts/send-wazuh-cisco-test-events.sh asa_acl_deny 5 0.2
CISCO_DEVICE_HOST=edge-fw-01 scripts/send-wazuh-cisco-test-events.sh ios_login_fail
scripts/send-wazuh-cisco-test-events.sh all 1 2 --forever
```

Environment overrides:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `CISCO_DEVICE_HOST`
- `CISCO_SRC_IP`
- `CISCO_DST_IP`
- `CISCO_VPN_USER`
- `CISCO_ADMIN_USER`

## Send FortiGate firewall test events

Use this to inject FortiGate-style syslog events (models `501E`, `80F`, `60F`, `40F`) into the Wazuh manager.
```bash
scripts/send-wazuh-fortigate-test-events.sh [model] [count] [delay_seconds]
```

Optional flag:

- `--forever` (ignore `count` and run continuously until Ctrl+C)

Models:

- `501E`
- `80F`
- `60F`
- `40F`
- `all`

Examples:

```bash
scripts/send-wazuh-fortigate-test-events.sh all
scripts/send-wazuh-fortigate-test-events.sh 80F 5 0.2
WAZUH_SYSLOG_HOST=127.0.0.1 WAZUH_SYSLOG_PORT=514 scripts/send-wazuh-fortigate-test-events.sh 60F
scripts/send-wazuh-fortigate-test-events.sh all 1 2 --forever
```

Environment overrides:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `FGT_SRC_IP`
- `FGT_DST_IP`
- `FGT_DOMAIN`
- `FGT_USER`

## Run continuous FortiGate simulation

Use this to generate an ongoing stream of FortiGate-like traffic and security events for Wazuh testing. Unlike the one-shot scripts above, it runs until `SIM_MAX_EVENTS` is reached (or until Ctrl+C when that is `0`), with `base_delay_seconds` as the gap between events.

```bash
scripts/send-wazuh-fortigate-continuous.sh [profile] [models] [base_delay_seconds]
```

Profiles:

- `normal` (mostly allowed traffic, occasional admin/vpn/webfilter)
- `incident` (higher IPS/webfilter/vpn anomalies)
- `mixed` (balanced baseline + anomalies)

Models:

- `501E`
- `80F`
- `60F`
- `40F`
- `all`

Examples:

```bash
scripts/send-wazuh-fortigate-continuous.sh mixed all 0.8
scripts/send-wazuh-fortigate-continuous.sh incident 80F 0.3
SIM_MAX_EVENTS=200 scripts/send-wazuh-fortigate-continuous.sh normal 501E 1.0
```

Environment overrides:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `SIM_MAX_EVENTS` (default `0`, which means run forever)
- `SIM_SRC_PREFIX` (default `10.10.20`)
- `SIM_VPN_USER`
- `SIM_ADMIN_USER`

## Simulate all required logs from proposal

Use this to generate synthetic logs for every use case listed in Appendix A (A1-A4) of `Security Detection & Threat Intelligence Enhancement Proposal-2.md`.
```bash
scripts/send-wazuh-proposal-required-events.sh [selector] [count] [delay_seconds]
```

Optional flag:

- `--forever` (ignore `count` and run continuously until Ctrl+C)

Selectors:

- `all` (all Appendix A use cases)
- `a1`, `a2`, `a3`, `a4` (by section)
- a specific use case id, e.g. `A2-01`, `A3-05`, `A4-24`

Examples:

```bash
scripts/send-wazuh-proposal-required-events.sh all 1
scripts/send-wazuh-proposal-required-events.sh a3 3 0.5
scripts/send-wazuh-proposal-required-events.sh A3-05 1
DRY_RUN=1 scripts/send-wazuh-proposal-required-events.sh all 1
scripts/send-wazuh-proposal-required-events.sh a2 1 2 --forever
```

Environment overrides:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `EVENT_DELAY` (default `0.05`)
- `DRY_RUN` (default `0`; set `1` to print the events instead of sending them, which is the quickest way to review what a selector emits before pointing it at a manager)
- `FGT_DEVNAME`, `FGT_DEVID`
- `WIN_HOST`, `DNS_HOST`
- `SIM_VPN_USER`

## Simulate endpoint client-agent logs (Windows / macOS / Linux)

Use this to inject realistic endpoint telemetry for client agents into Wazuh. Events are delivered over the same syslog UDP path as the other scripts.
```bash
scripts/send-wazuh-endpoint-agent-test-events.sh [platform] [scenario] [count] [delay_seconds]
```

Optional flag:

- `--forever` (ignore `count` and run continuously until Ctrl+C)

Platforms:

- `windows`
- `mac`
- `linux`
- `all`

Scenarios:

- `auth`
- `process`
- `persistence`
- `privilege`
- `malware`
- `all`

Examples:

```bash
scripts/send-wazuh-endpoint-agent-test-events.sh all all 1 0.2
scripts/send-wazuh-endpoint-agent-test-events.sh windows process 10 0.1
DRY_RUN=1 scripts/send-wazuh-endpoint-agent-test-events.sh linux all 1 0
scripts/send-wazuh-endpoint-agent-test-events.sh all auth 1 2 --forever
```

Environment overrides:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `DRY_RUN` (default `0`)
- `WIN_HOST`, `MAC_HOST`, `LINUX_HOST`
- `SIM_USER`

## Shuffle sample workflow helpers

Sample playbook design for Shuffle:

- `shuffle-workflows/sample-ioc-playbook.md`

Sample execution payload:

- `scripts/events/shuffle-sample-execution.json`

Trigger an existing Shuffle workflow from the CLI:

```bash
scripts/trigger-shuffle-workflow.sh [ioc_type] [ioc_value]
```

Create the MVP workflows in Shuffle (from the proposal mapping); `SHUFFLE_API_KEY` must hold a valid Shuffle API key:

```bash
SHUFFLE_API_KEY= scripts/create-shuffle-mvp-workflows.sh
```

This creates:

- `MVP - IOC Enrichment and Case Routing`
- `MVP - VPN Geo Anomaly Triage`
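## Worked example: syslog line builder and UDP transport fallback

The transport notes in the first section say the scripts use `nc` when it is present and fall back to Bash's `/dev/udp` redirection otherwise. The block below is an added example written for this README, not one of the repository's scripts, showing that logic end to end: it builds an RFC 3164 line (`<PRI>` from facility and severity, timestamp, host, tag, message), chooses the transport, and honours a `DRY_RUN` switch in the same spirit as the proposal and endpoint scripts. The ASA deny message, the default host `edge-fw-01`, and the facility/severity values are constructed for illustration; `DRY_RUN` defaults to `1` here so running it prints rather than sends.

```shell
#!/usr/bin/env bash
# Added example for this README, not one of the repository's scripts.
# Builds an RFC 3164 syslog line and delivers it over UDP using nc when
# available and Bash's /dev/udp redirection otherwise. Environment variable
# names follow the README; the ASA message, hostname and PRI values below are
# constructed for illustration.

WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"
# Print-only by default in this example (the README scripts send unless
# DRY_RUN=1); set DRY_RUN=0 to transmit.
DRY_RUN="${DRY_RUN:-1}"

# syslog_pri FACILITY SEVERITY: PRI = facility * 8 + severity (RFC 3164 4.1.1).
syslog_pri() {
  echo $(( $1 * 8 + $2 ))
}

# build_syslog_line FACILITY SEVERITY HOSTNAME TAG MESSAGE
# Emits "<PRI>Mmm dd HH:MM:SS hostname tag: message" with the current local
# time; %e gives the space-padded day that RFC 3164 timestamps use.
build_syslog_line() {
  local facility="$1" severity="$2" host="$3" tag="$4" msg="$5" ts
  ts="$(date '+%b %e %H:%M:%S')"
  printf '<%d>%s %s %s: %s' "$(syslog_pri "$facility" "$severity")" "$ts" "$host" "$tag" "$msg"
}

# transport_name: which path send_udp will take on this machine.
transport_name() {
  if command -v nc >/dev/null 2>&1; then echo nc; else echo dev-udp; fi
}

# send_udp LINE: one datagram per call. In dry-run mode the line is echoed so
# the caller can inspect exactly what would hit the wire.
send_udp() {
  local line="$1"
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$line"
    return 0
  fi
  if [ "$(transport_name)" = "nc" ]; then
    # -w1 bounds the wait after stdin closes on OpenBSD and GNU nc; Nmap's
    # ncat wants --send-only instead. UDP gives no delivery feedback either way.
    printf '%s\n' "$line" | nc -u -w1 "$WAZUH_SYSLOG_HOST" "$WAZUH_SYSLOG_PORT"
  else
    # /dev/udp is a Bash feature, so this branch needs bash rather than sh.
    printf '%s\n' "$line" > "/dev/udp/$WAZUH_SYSLOG_HOST/$WAZUH_SYSLOG_PORT"
  fi
}

# Demo: a constructed ASA ACL deny. ASA logs at facility local4 (20) by
# default; message severity 4 gives PRI 164.
demo() {
  local line
  line="$(build_syslog_line 20 4 "${CISCO_DEVICE_HOST:-edge-fw-01}" '%ASA-4-106023' \
    "Deny tcp src outside:${CISCO_SRC_IP:-203.0.113.5}/4444 dst inside:${CISCO_DST_IP:-10.10.20.7}/22 by access-group \"outside_in\" [0x0, 0x0]")"
  send_udp "$line"
}

demo
```

Run it with `DRY_RUN=0 WAZUH_SYSLOG_HOST=<manager> bash example.sh` to actually transmit; the printed line under the default `DRY_RUN=1` is byte-for-byte what the manager would receive, minus the trailing newline, which makes it convenient to paste into `wazuh-logtest` to confirm the decoder and rule match before sending anything.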
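## Worked example: profile-weighted FortiGate event generator

The "Run continuous FortiGate simulation" section describes `normal`, `incident` and `mixed` profiles as different mixes of allowed traffic and anomalies, capped by `SIM_MAX_EVENTS`. The block below is an added example written for this README, not the repository's own script, showing one way such profiles can be expressed: each profile is a list of cumulative percentage weights, a uniform roll in 0..99 selects an event type, and the type is rendered as a FortiGate-style `key=value` log body. The event names, the weights, the `logid` values, the default `FGT_DEVNAME`/`FGT_DEVID`, and the sample IP addresses are all illustrative assumptions; adjust them to whatever your decoders expect. The example only prints the events; pipe its output into whichever syslog sender you use.

```shell
#!/usr/bin/env bash
# Added example for this README, not one of the repository's scripts.
# Expresses the normal/incident/mixed profiles as weighted event mixes and
# renders FortiGate-style key=value bodies. Event names, weights, logid values,
# device identifiers and IPs are illustrative assumptions.

SIM_MAX_EVENTS="${SIM_MAX_EVENTS:-0}"          # 0 = run until interrupted
SIM_SRC_PREFIX="${SIM_SRC_PREFIX:-10.10.20}"
SIM_VPN_USER="${SIM_VPN_USER:-vpnuser01}"
SIM_ADMIN_USER="${SIM_ADMIN_USER:-admin}"
FGT_DEVNAME="${FGT_DEVNAME:-FGT80F-EDGE}"      # assumed value
FGT_DEVID="${FGT_DEVID:-FG80FTK00000000}"      # assumed value

# profile_weights PROFILE: "event:percent ..." in bucket order; sums to 100.
profile_weights() {
  case "$1" in
    normal)   echo "traffic_allow:80 traffic_deny:10 webfilter_block:5 vpn_login:3 admin_login:2" ;;
    incident) echo "traffic_allow:35 traffic_deny:20 ips_drop:20 webfilter_block:10 vpn_fail:10 admin_login:5" ;;
    mixed)    echo "traffic_allow:55 traffic_deny:15 ips_drop:10 webfilter_block:10 vpn_fail:5 admin_login:5" ;;
    *)        echo "unknown profile: $1" >&2; return 1 ;;
  esac
}

# pick_event PROFILE ROLL: map a roll in 0..99 onto an event by cumulative weight.
pick_event() {
  local weights acc=0 pair name weight
  weights="$(profile_weights "$1")" || return 1
  for pair in $weights; do
    name="${pair%%:*}"; weight="${pair##*:}"
    acc=$((acc + weight))
    [ "$2" -lt "$acc" ] && { echo "$name"; return 0; }
  done
  echo "$name"   # only reached if the weights do not sum to 100
}

# roll: uniform integer 0..99 from /dev/urandom (portable to sh, unlike $RANDOM).
roll() {
  echo $(( $(od -An -N2 -tu2 /dev/urandom | tr -d ' ') % 100 ))
}

# fgt_event TYPE SRCIP: one FortiGate-style log body for the chosen event type.
fgt_event() {
  local type="$1" src="$2" head
  head="$(date '+date=%Y-%m-%d time=%H:%M:%S') devname=\"$FGT_DEVNAME\" devid=\"$FGT_DEVID\" vd=\"root\""
  case "$type" in
    traffic_allow)   echo "$head logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" srcip=$src srcport=51234 dstip=203.0.113.10 dstport=443 proto=6 action=\"accept\" policyid=1 service=\"HTTPS\"" ;;
    traffic_deny)    echo "$head logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"warning\" srcip=$src srcport=51235 dstip=203.0.113.20 dstport=23 proto=6 action=\"deny\" policyid=0 service=\"TELNET\"" ;;
    ips_drop)        echo "$head logid=\"0419016384\" type=\"utm\" subtype=\"ips\" eventtype=\"signature\" level=\"alert\" severity=\"high\" srcip=$src dstip=10.10.30.5 dstport=445 proto=6 action=\"dropped\" attack=\"Example.Signature\"" ;;
    webfilter_block) echo "$head logid=\"0316013056\" type=\"utm\" subtype=\"webfilter\" eventtype=\"ftgd_blk\" level=\"warning\" srcip=$src dstip=198.51.100.7 dstport=443 proto=6 action=\"blocked\" hostname=\"malware.example\" catdesc=\"Malicious Websites\"" ;;
    vpn_login)       echo "$head logid=\"0101039424\" type=\"event\" subtype=\"vpn\" level=\"information\" action=\"tunnel-up\" tunneltype=\"ssl-web\" user=\"$SIM_VPN_USER\" remip=$src msg=\"SSL tunnel established\"" ;;
    vpn_fail)        echo "$head logid=\"0101039426\" type=\"event\" subtype=\"vpn\" level=\"alert\" action=\"ssl-login-fail\" tunneltype=\"ssl-web\" user=\"$SIM_VPN_USER\" remip=$src reason=\"sslvpn_login_permission_denied\" msg=\"SSL user failed to log in\"" ;;
    admin_login)     echo "$head logid=\"0100032001\" type=\"event\" subtype=\"system\" level=\"information\" logdesc=\"Admin login successful\" user=\"$SIM_ADMIN_USER\" method=\"https\" srcip=$src action=\"login\" status=\"success\"" ;;
    *) echo "unknown event type: $type" >&2; return 1 ;;
  esac
}

# run_simulation PROFILE DELAY: emit events until SIM_MAX_EVENTS is reached
# (0 = forever), sleeping DELAY seconds between them. Source host octet 10..109.
run_simulation() {
  local profile="$1" delay="${2:-1.0}" sent=0 kind
  while [ "$SIM_MAX_EVENTS" -eq 0 ] || [ "$sent" -lt "$SIM_MAX_EVENTS" ]; do
    kind="$(pick_event "$profile" "$(roll)")" || return 1
    fgt_event "$kind" "$SIM_SRC_PREFIX.$(( $(roll) + 10 ))"
    sent=$((sent + 1))
    sleep "$delay"
  done
}

# Demo: three events from the mixed profile, no delay.
SIM_MAX_EVENTS=3 run_simulation mixed 0
```

Keeping the weights in one table per profile is what makes an `incident` run reproducible for tuning: you can state that a 1,000-event `incident` run should produce roughly 200 IPS drops and 100 VPN failures, and then check that the corresponding Wazuh rules fired about that often. Because the mix is sampled per event, short runs will deviate from the nominal percentages; raise `SIM_MAX_EVENTS` rather than reading too much into a dozen events.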