# Scripts

## Combined Wazuh simulator

Use one script for all Appendix A/B/C simulation log replay.

```bash
scripts/send-wazuh-sim-logs.sh [selector] [count] [delay_seconds] [--forever] [--dry-run]
```

Examples:

```bash
scripts/send-wazuh-sim-logs.sh all 1 0.2
scripts/send-wazuh-sim-logs.sh a2 1 0
scripts/send-wazuh-sim-logs.sh B3-06 1 0
scripts/send-wazuh-sim-logs.sh c1 1 2 --forever
scripts/send-wazuh-sim-logs.sh all 1 0 --dry-run
```

Environment variables:

- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
- `WAZUH_SYSLOG_PORT` (default `514`)
- `DRY_RUN=1` (alternative to `--dry-run`)

Selector support:

- Global: `all`
- Appendix: `a`, `b`, `c`, `appendix-a`, `appendix-b`, `appendix-c`
- Section: `a1`, `a2`, `a3`, `a4`, `b1`, `b2`, `b3`, `c1`, `c2`, `c3`
- Use-case ID: `A1-01` ... `C3-04`

Sample sources:

- `samples/appendix-a-production-samples.log`
- `samples/appendix-b-production-samples.log`
- `samples/appendix-c-production-samples.log`

## Firewall syslog test

Send FortiGate-style syslog messages to the Wazuh manager on port 514/UDP to test firewall log ingestion.
```bash
python3 scripts/test-firewall-syslog.py [--host HOST] [--port PORT] [--src-ip IP] [--scenario SCENARIO]
python3 scripts/test-firewall-syslog.py --via-docker   # send from inside the container (avoids NAT)
```

Examples:

```bash
python3 scripts/test-firewall-syslog.py                 # send all scenarios from localhost
python3 scripts/test-firewall-syslog.py --via-docker    # recommended: avoids Docker NAT source-IP rewrite
python3 scripts/test-firewall-syslog.py --scenario rdp
python3 scripts/test-firewall-syslog.py --scenario all --delay 0.5 --repeat 3
python3 scripts/test-firewall-syslog.py --host 192.168.1.10 --src-ip 172.16.22.253
```

Available scenarios: `rdp`, `password_change`, `create_admin`, `disable_alert`, `download_config`, `ips_critical`, `port_scan`, `ioc_ip`, `traffic_allow`, `traffic_deny`, `all`

Arguments:

- `--host` — Wazuh manager host (default `127.0.0.1`)
- `--port` — Syslog UDP port (default `514`)
- `--src-ip` — Simulated firewall source IP; must be in the `allowed-ips` list (default `172.16.22.253`)
- `--delay` — Delay between messages in seconds (default `0.2`)
- `--repeat` — Number of times to repeat each scenario (default `1`)
- `--via-docker` — Execute inside the Wazuh container to preserve the source IP through Docker NAT

Verify receipt:

```bash
docker exec wazuh-single-wazuh.manager-1 tail -f /var/ossec/logs/archives/archives.log | grep 172.16.22.253
```

## Dashboard import

Import Wazuh dashboards (NDJSON):

```bash
scripts/import-wazuh-dashboard.sh
```

Examples:

```bash
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-required-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-ab-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-c-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-client-agents-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-fortigate-sim-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-custom-rules-dashboard.ndjson
```

## Wazuh → soc-integrator → IRIS end-to-end test

End-to-end pipeline test: sends a test event to Wazuh, waits for indexing, triggers the sync, and verifies that an IRIS Alert was created with `source=wazuh`.

```bash
python3 scripts/test-wazuh-iris-sync.py
python3 scripts/test-wazuh-iris-sync.py --no-send --minutes 60        # sync only, no new events
python3 scripts/test-wazuh-iris-sync.py --min-severity critical       # test filter behaviour
python3 scripts/test-wazuh-iris-sync.py --scenario ips_critical       # use a specific scenario
```

Arguments:

- `--no-send` — skip sending test events (useful to verify an already-running pipeline)
- `--scenario` — firewall scenario to send (default `rdp`); same options as `test-firewall-syslog.py`
- `--wait` — seconds to wait for the Wazuh indexer (default `20`)
- `--minutes` — sync lookback window in minutes (default `5`)
- `--limit` — max alerts to sync per run (default `20`)
- `--min-severity` — override `min_severity` for this run without changing the policy

Steps run:

| Step | Check |
|---|---|
| 0 | soc-integrator health |
| 1 | Read current sync policy (`min_severity`) |
| 2 | Send test syslog event to Wazuh |
| 3 | Wait for Wazuh indexer |
| 4 | Snapshot latest IRIS alert ID |
| 5 | Run sync, show all counters |
| 6 | Verify new IRIS Alerts with `source=wazuh` |
| 7 | Show auto-sync worker state |

## KPI test data seeder

Create IRIS alerts and cases covering every KPI state for UI testing.

```bash
python3 scripts/seed-kpi-test-data.py [--alerts-only] [--cases-only] [--dry-run]
```

Environment variables:

- `IRIS_BASE_URL` — default `https://localhost:8443`
- `IRIS_API_KEY` — required (find it in IRIS → My Profile → API key)

## Other helpers

- `seed-iris-demo-data.sh`: seed IRIS demo cases/tasks via the API.
- `create-shuffle-mvp-workflows.sh`: create Shuffle MVP workflows from templates.
- `trigger-shuffle-workflow.sh`: trigger a Shuffle workflow by ID.
- `update-shuffle-workflow-from-template.sh`: update an existing Shuffle workflow JSON from a template.

## Notes

- Legacy `send-wazuh-*` simulator scripts were removed and replaced by `send-wazuh-sim-logs.sh`.
- If you add new sample events, keep comments tagged with use-case IDs (for example `# A2-01 ...`) so selector filtering keeps working.
- Wazuh must have `yes` set in `wazuh_manager.conf` for `archives.log` to be populated.
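The selector forms listed under "Combined Wazuh simulator" and the `# <use-case ID>` comment convention from the note above, worked through in an added shell example that is not the project's `send-wazuh-sim-logs.sh`. It assumes that each sample file introduces a use case with a comment line `# <ID> <description>` followed by that use case's raw log lines, and it runs against a constructed sample rather than the real `samples/*.log` files; count, delay and sending are out of scope.

```shell
#!/usr/bin/env bash
# Added example: reimplements the selector filtering that
# send-wazuh-sim-logs.sh is described as doing. Assumed sample-file layout:
# a comment line "# <USE-CASE-ID> <description>" introduces the raw log
# line(s) of that use case. Not the project's own code.
set -eu

# Constructed sample in the assumed layout (not the real samples/*.log).
SAMPLE_FILE="$(mktemp)"
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat >"$SAMPLE_FILE" <<'EOF'
# A1-01 repeated failed logins
Jan 10 10:00:01 host sshd[111]: Failed password for root from 10.0.0.5
# A2-01 new local admin created
Jan 10 10:00:02 host useradd[222]: new user: name=svc_tmp, UID=0
# B3-06 config download
Jan 10 10:00:03 fw logdesc="Config backup" user="admin"
# C1-02 ioc hit
Jan 10 10:00:04 host dns[333]: query bad.example
EOF

# selector_to_regex SELECTOR -> anchored ERE matched against the use-case ID.
# Accepts the documented forms: all / a,b,c / appendix-a.. / a1..c3 /
# full IDs such as A1-01 (case-insensitive). Returns 2 on anything else.
selector_to_regex() {
  local sel; sel=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  sel=${sel#APPENDIX-}                          # appendix-a -> A
  case "$sel" in
    ALL)                    printf '^[ABC][0-9]-[0-9][0-9]$' ;;
    [ABC])                  printf '^%s[0-9]-[0-9][0-9]$' "$sel" ;;
    [ABC][0-9])             printf '^%s-[0-9][0-9]$' "$sel" ;;
    [ABC][0-9]-[0-9][0-9])  printf '^%s$' "$sel" ;;
    *) echo "unknown selector: $1" >&2; return 2 ;;
  esac
}

# select_lines SELECTOR FILE -> prints only the log lines whose preceding
# "# <ID>" comment matches the selector; the comment lines are dropped.
select_lines() {
  local re; re=$(selector_to_regex "$1") || return $?
  awk -v re="$re" '
    /^#/       { id=$2; keep=(id ~ re); next }  # remember the current use-case tag
    NF && keep { print }                        # emit tagged, non-empty log lines
  ' "$2"
}

select_lines "${1:-all}" "$SAMPLE_FILE"
```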