No description

tum 01cddaf9d8 docs and tooling: firewall syslog test, dedup command, README updates 3 days ago
events fc2cceda21 codex wazuh sim log 1 week ago
README.md 01cddaf9d8 docs and tooling: firewall syslog test, dedup command, README updates 3 days ago
create-shuffle-mvp-workflows.sh 51a7d8f87f workflow api 1 month ago
import-wazuh-dashboard.sh 1028963fde before claude code 2 weeks ago
seed-iris-demo-data.sh 0de071e7c9 soc update 3 weeks ago
seed-kpi-test-data.py 922e61ec37 wazuh iris 6 days ago
send-wazuh-sim-logs.sh fc2cceda21 codex wazuh sim log 1 week ago
test-firewall-syslog.py 01cddaf9d8 docs and tooling: firewall syslog test, dedup command, README updates 3 days ago
trigger-shuffle-workflow.sh 51a7d8f87f workflow api 1 month ago
update-shuffle-workflow-from-template.sh 0de071e7c9 soc update 3 weeks ago

README.md

Scripts

Combined Wazuh simulator

Use a single script to replay the Appendix A/B/C simulation logs.

scripts/send-wazuh-sim-logs.sh [selector] [count] [delay_seconds] [--forever] [--dry-run]

Examples:

scripts/send-wazuh-sim-logs.sh all 1 0.2
scripts/send-wazuh-sim-logs.sh a2 1 0
scripts/send-wazuh-sim-logs.sh B3-06 1 0
scripts/send-wazuh-sim-logs.sh c1 1 2 --forever
scripts/send-wazuh-sim-logs.sh all 1 0 --dry-run

Environment variables:

  • WAZUH_SYSLOG_HOST (default 127.0.0.1)
  • WAZUH_SYSLOG_PORT (default 514)
  • DRY_RUN=1 (alternative to --dry-run)

Selector support:

  • Global: all
  • Appendix: a, b, c, appendix-a, appendix-b, appendix-c
  • Section: a1, a2, a3, a4, b1, b2, b3, c1, c2, c3
  • Use-case ID: A1-01 ... C3-04

Sample sources:

  • samples/appendix-a-production-samples.log
  • samples/appendix-b-production-samples.log
  • samples/appendix-c-production-samples.log

Firewall syslog test

Send FortiGate-style syslog messages to the Wazuh manager on port 514/UDP to test firewall log ingestion.

python3 scripts/test-firewall-syslog.py [--host HOST] [--port PORT] [--src-ip IP] [--scenario SCENARIO]
python3 scripts/test-firewall-syslog.py --via-docker   # send from inside container (avoids NAT)

Examples:

python3 scripts/test-firewall-syslog.py                         # send all scenarios from localhost
python3 scripts/test-firewall-syslog.py --via-docker            # recommended: avoids Docker NAT source-IP rewrite
python3 scripts/test-firewall-syslog.py --scenario rdp
python3 scripts/test-firewall-syslog.py --scenario all --delay 0.5 --repeat 3
python3 scripts/test-firewall-syslog.py --host 192.168.1.10 --src-ip 172.16.22.253

Available scenarios: rdp, password_change, create_admin, disable_alert, download_config, ips_critical, port_scan, ioc_ip, traffic_allow, traffic_deny, all

Arguments:

  • --host — Wazuh manager host (default 127.0.0.1)
  • --port — Syslog UDP port (default 514)
  • --src-ip — Simulated firewall source IP; must be in the manager's allowed-ips list (default 172.16.22.253)
  • --delay — Delay between messages in seconds (default 0.2)
  • --repeat — Number of times to repeat each scenario (default 1)
  • --via-docker — Execute inside the Wazuh container to preserve source IP through Docker NAT

Verify receipt:

docker exec wazuh-single-wazuh.manager-1 tail -f /var/ossec/logs/archives/archives.log | grep 172.16.22.253

Dashboard import

Import Wazuh dashboards (NDJSON):

scripts/import-wazuh-dashboard.sh <path-to-ndjson>

Examples:

scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-required-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-ab-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-c-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-client-agents-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-fortigate-sim-dashboard.ndjson
scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-custom-rules-dashboard.ndjson

KPI test data seeder

Create IRIS alerts and cases covering every KPI state for UI testing.

python3 scripts/seed-kpi-test-data.py [--alerts-only] [--cases-only] [--dry-run]

Environment variables:

  • IRIS_BASE_URL — default https://localhost:8443
  • IRIS_API_KEY — required (find in IRIS → My Profile → API key)

Other helpers

  • seed-iris-demo-data.sh: seed IRIS demo cases/tasks via API.
  • create-shuffle-mvp-workflows.sh: create Shuffle MVP workflows from templates.
  • trigger-shuffle-workflow.sh: trigger a Shuffle workflow by ID.
  • update-shuffle-workflow-from-template.sh: update existing Shuffle workflow JSON from template.

Notes

  • Legacy send-wazuh-* simulator scripts were removed and replaced by send-wazuh-sim-logs.sh.
  • If you add new sample events, keep the comments tagged with use-case IDs (for example # A2-01 ...) so that selector filtering keeps working.
  • Wazuh must have <logall>yes</logall> set in wazuh_manager.conf for archives.log to be populated.
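The selector rules listed under "Selector support" and the use-case tag convention from the Notes, as an added Python example that is not one of this repository's scripts: it assumes each sample file marks a block of log lines with a `# <ID> ...` comment line (the README implies this but does not spell out the layout) and filters a constructed sample with the same selector semantics that send-wazuh-sim-logs.sh accepts.

```python
import re
from typing import Iterable, List, Tuple

# Assumption (not stated by the README): a sample file is a sequence of
# comment lines "# <USE-CASE-ID> <description>" (for example "# A2-01 ...")
# followed by the raw syslog lines that belong to that use case.
TAG_RE = re.compile(r"^#\s*([ABC][1-4]-\d{2})\b")

# Constructed sample input in that format; not one of the project's samples.
SAMPLE_LOG = """\
# A1-01 constructed: failed SSH login
<13>Jan 01 00:00:01 host1 sshd[100]: Failed password for root from 10.0.0.5
# A2-01 constructed: sudo usage
<13>Jan 01 00:00:02 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/bash
<13>Jan 01 00:00:03 host1 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/id
# B3-06 constructed: dropped packet
<13>Jan 01 00:00:04 host2 kernel: iptables DROP IN=eth0 SRC=10.0.0.9
# C1-02 constructed: application login
<13>Jan 01 00:00:05 host3 app: user bob logged in
"""

def selector_prefix(selector: str) -> str:
    """Translate a README selector into a use-case ID prefix to match on."""
    s = selector.strip().lower().removeprefix("appendix-")  # appendix-a == a
    if s == "all":
        return ""                      # global: every use case
    if re.fullmatch(r"[abc]", s):
        return s.upper()               # appendix: a -> A1-01, A2-01, ...
    if re.fullmatch(r"[abc][1-4]", s):
        return s.upper() + "-"         # section: a2 -> A2-01, A2-02, ...
    if re.fullmatch(r"[abc][1-4]-\d{2}", s):
        return s.upper()               # use-case ID: exactly B3-06
    raise ValueError(f"unknown selector: {selector!r}")

def select_events(lines: Iterable[str], selector: str) -> List[Tuple[str, str]]:
    """Return (use_case_id, syslog_line) pairs the selector would replay."""
    prefix = selector_prefix(selector)
    current, selected = None, []
    for line in lines:
        tag = TAG_RE.match(line)
        if tag:                        # a tag comment opens a new use case
            current = tag.group(1)
            continue
        if not line.strip() or line.startswith("#"):
            continue                   # blank lines and untagged comments are not events
        if current and current.startswith(prefix):
            selected.append((current, line.rstrip("\n")))
    return selected
```

Running select_events over the real samples/appendix-*.log files with the same selector strings gives a quick offline check of what a given invocation would send before pointing it at a manager.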