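#!/usr/bin/env bash
#
# Send synthetic Cisco ASA / IOS syslog events to a Wazuh syslog collector over UDP.
#
# Usage: scripts/send-wazuh-cisco-test-events.sh [scenario] [count] [delay_seconds] [--forever]
#
#   scenario       asa_acl_deny | asa_vpn_auth_fail | ios_login_fail | ios_config_change | all
#   count          number of rounds to send (default 1); ignored with --forever
#   delay_seconds  pause between rounds (default 0.3)
#   --forever      loop until Ctrl+C / SIGTERM instead of sending `count` rounds
#
# Every generated message carries "soc_mvp_test=true" plus vendor/product/event_type
# key=value fields, so downstream rules and analysts can tell these synthetic
# events apart from real device traffic.
#
# Environment (all optional):
#   WAZUH_SYSLOG_HOST / WAZUH_SYSLOG_PORT  collector address, default 127.0.0.1:514
#   CISCO_DEVICE_HOST                      hostname placed in the syslog header
#   CISCO_SRC_IP / CISCO_DST_IP            addresses embedded in the message bodies
#   CISCO_VPN_USER / CISCO_ADMIN_USER      usernames embedded in the message bodies
#
# Exit status: 0 on success, 1 on bad arguments or when an event cannot be sent.
set -euo pipefail

SCENARIO="${1:-all}"
COUNT="${2:-1}"
DELAY="${3:-0.3}"
FOREVER="false"

#######################################
# Print each argument as its own line on stderr and exit 1.
# Arguments: one or more message lines
#######################################
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

# Only "--forever" is accepted after the three positional parameters.
for arg in "${@:4}"; do
  case "${arg}" in
    --forever) FOREVER="true" ;;
    *)
      die "error: unexpected argument '${arg}'" \
        "usage: scripts/send-wazuh-cisco-test-events.sh [scenario] [count] [delay_seconds] [--forever]"
      ;;
  esac
done

readonly WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
readonly WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"
readonly CISCO_DEVICE_HOST="${CISCO_DEVICE_HOST:-cisco-asa-01}"
readonly CISCO_SRC_IP="${CISCO_SRC_IP:-198.51.100.25}"
readonly CISCO_DST_IP="${CISCO_DST_IP:-10.10.10.20}"
readonly CISCO_VPN_USER="${CISCO_VPN_USER:-vpn.user}"
readonly CISCO_ADMIN_USER="${CISCO_ADMIN_USER:-admin}"
readonly VALID_SCENARIOS="asa_acl_deny | asa_vpn_auth_fail | ios_login_fail | ios_config_change | all"

# --- argument validation -------------------------------------------------------

# Digits only, then a base-10 comparison: "08" would otherwise be parsed as an
# invalid octal literal by bash arithmetic, both here and in the send loop below.
if ! [[ "${COUNT}" =~ ^[0-9]+$ ]] || (( 10#${COUNT} < 1 )); then
  die "error: count must be a positive integer"
fi
COUNT=$(( 10#${COUNT} ))
readonly COUNT

# `sleep` accepts fractional seconds; a leading digit is required (".5" is rejected).
if ! [[ "${DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
  die "error: delay must be numeric (example: 0.5)"
fi
readonly DELAY

# The port is interpolated into the /dev/udp path and handed to nc; reject
# anything that is not a valid UDP port before the first send attempt.
if ! [[ "${WAZUH_SYSLOG_PORT}" =~ ^[0-9]+$ ]] \
  || (( 10#${WAZUH_SYSLOG_PORT} < 1 || 10#${WAZUH_SYSLOG_PORT} > 65535 )); then
  die "error: WAZUH_SYSLOG_PORT must be an integer between 1 and 65535"
fi

# Fail fast on an unknown scenario instead of discovering it on the first send
# (which, with --forever, would happen after the "running forever" banner).
case "${SCENARIO}" in
  asa_acl_deny|asa_vpn_auth_fail|ios_login_fail|ios_config_change|all) ;;
  *) die "error: unknown scenario '${SCENARIO}'" "valid: ${VALID_SCENARIOS}" ;;
esac
readonly SCENARIO
readonly FOREVER

# --- transport -----------------------------------------------------------------

#######################################
# Deliver one syslog line to the collector over UDP.
# Tries `nc` first and falls back to bash's /dev/udp pseudo-device.
# Globals:   WAZUH_SYSLOG_HOST, WAZUH_SYSLOG_PORT (read)
# Arguments: $1 - complete syslog line, including the <PRI> header
# Outputs:   a "[timestamp] sent: ..." line on stdout; diagnostics on stderr
# Returns:   0 when one transport accepted the datagram, 1 otherwise
#######################################
emit_syslog() {
  local -r msg="$1"
  local sent="false"

  # Preferred transport. -w1 caps how long nc waits after stdin closes so a
  # send cannot hang; the exact -w/-u semantics vary between netcat
  # implementations, which is why the fallback below exists.
  if command -v nc >/dev/null 2>&1; then
    if printf '%s\n' "${msg}" | nc -u -w1 "${WAZUH_SYSLOG_HOST}" "${WAZUH_SYSLOG_PORT}"; then
      sent="true"
    fi
  fi

  # Fallback: bash opens UDP sockets through /dev/udp/HOST/PORT. stderr is
  # silenced deliberately because bash emits its own message when the host
  # cannot be resolved; the error reported below covers that case.
  if [[ "${sent}" != "true" ]]; then
    if printf '%s\n' "${msg}" >"/dev/udp/${WAZUH_SYSLOG_HOST}/${WAZUH_SYSLOG_PORT}" 2>/dev/null; then
      sent="true"
    fi
  fi

  if [[ "${sent}" != "true" ]]; then
    printf '%s\n' \
      "error: failed to send syslog event to ${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp" \
      "hint: install netcat or run with bash UDP support (/dev/udp)" >&2
    return 1
  fi

  # printf rather than echo: the message is arbitrary text and must not be
  # reinterpreted as echo options or escapes.
  printf '[%s] sent: %s\n' "$(date -u +'%Y-%m-%dT%H:%M:%SZ')" "${msg}"
}

#######################################
# Build a per-event id for correlating script output with what the collector
# ingested. $RANDOM is not a cryptographic source; the id is a convenience
# label, not a security identifier.
# Outputs:   "cisco-evt-<epoch>-<rand>-<rand>" on stdout, no trailing newline
#######################################
random_id() {
  printf '%s' "cisco-evt-$(date +%s)-$RANDOM-$RANDOM"
}

#######################################
# Build the "<PRI>TIMESTAMP HOSTNAME" prefix of a BSD-style syslog line.
# Globals:   CISCO_DEVICE_HOST (read)
# Arguments: $1 - numeric PRI (facility * 8 + severity)
# Outputs:   the prefix on stdout, no trailing newline
#######################################
syslog_header() {
  local -r pri="$1"
  printf '<%s>%s %s' "${pri}" "$(date '+%b %d %H:%M:%S')" "${CISCO_DEVICE_HOST}"
}

# --- scenarios -------------------------------------------------------------------
# PRI 166 = facility 20 (local4), severity 6 (info); PRI 165 = local4, severity 5
# (notice). The trailing key=value fields are the test-event markers.

#######################################
# ASA access-list deny (ASA-4-106023) toward an SMB port.
#######################################
send_asa_acl_deny() {
  local eid
  eid="$(random_id)"
  emit_syslog "$(syslog_header 166) %ASA-4-106023: Deny tcp src outside:${CISCO_SRC_IP}/51515 dst inside:${CISCO_DST_IP}/445 by access-group \"outside_access_in\" [0x0, 0x0] soc_mvp_test=true vendor=cisco product=asa event_id=${eid} event_type=cisco_asa_acl_deny severity=high"
}

#######################################
# ASA remote-access VPN session disconnect (ASA-4-113019), tagged as the
# vpn_auth_fail scenario.
#######################################
send_asa_vpn_auth_fail() {
  local eid
  eid="$(random_id)"
  emit_syslog "$(syslog_header 166) %ASA-4-113019: Group = RA-VPN, Username = ${CISCO_VPN_USER}, IP = ${CISCO_SRC_IP}, Session disconnected. Session Type: SSL, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested. soc_mvp_test=true vendor=cisco product=asa event_id=${eid} event_type=cisco_vpn_auth_fail severity=medium"
}

#######################################
# IOS failed SSH login (SEC_LOGIN-4-LOGIN_FAILED).
# The in-message IOS timestamp is generated at send time so it agrees with the
# syslog header instead of pointing at a fixed past date.
#######################################
send_ios_login_fail() {
  local eid ios_ts
  eid="$(random_id)"
  ios_ts="$(date -u '+%H:%M:%S UTC %a %b %d %Y')"
  emit_syslog "$(syslog_header 165) %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ${CISCO_ADMIN_USER}] [Source: ${CISCO_SRC_IP}] [localport: 22] [Reason: Login Authentication Failed] at ${ios_ts} soc_mvp_test=true vendor=cisco product=ios event_id=${eid} event_type=cisco_ios_login_fail severity=medium"
}

#######################################
# IOS running-config change from a vty session (SYS-5-CONFIG_I).
#######################################
send_ios_config_change() {
  local eid
  eid="$(random_id)"
  emit_syslog "$(syslog_header 165) %SYS-5-CONFIG_I: Configured from console by ${CISCO_ADMIN_USER} on vty0 ( ${CISCO_SRC_IP} ) soc_mvp_test=true vendor=cisco product=ios event_id=${eid} event_type=cisco_config_change severity=low"
}

#######################################
# Send one round of the selected scenario ("all" sends every scenario once).
# Globals:   SCENARIO (read)
# Returns:   propagates emit_syslog's status; under set -e a failed send aborts
#            the script.
#######################################
send_once() {
  case "${SCENARIO}" in
    asa_acl_deny) send_asa_acl_deny ;;
    asa_vpn_auth_fail) send_asa_vpn_auth_fail ;;
    ios_login_fail) send_ios_login_fail ;;
    ios_config_change) send_ios_config_change ;;
    all)
      send_asa_acl_deny
      send_asa_vpn_auth_fail
      send_ios_login_fail
      send_ios_config_change
      ;;
    *)
      # Unreachable after the validation above; kept as a safeguard.
      die "error: unknown scenario '${SCENARIO}'" "valid: ${VALID_SCENARIOS}"
      ;;
  esac
}

# --- main loop -------------------------------------------------------------------

if [[ "${FOREVER}" == "true" ]]; then
  printf 'running forever with interval %ss (Ctrl+C to stop)\n' "${DELAY}"
  # Ctrl+C / SIGTERM end the loop cleanly with status 0.
  trap 'printf "\nstopped\n"; exit 0' INT TERM
  while true; do
    send_once
    sleep "${DELAY}"
  done
else
  for ((i = 1; i <= COUNT; i++)); do
    send_once
    # No pause after the final round.
    if (( i < COUNT )); then
      sleep "${DELAY}"
    fi
  done
fi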