GitHub: JimmyZghendy/wazuh-log-generator
# Wazuh Log Generator
A Python toolkit for producing realistic, attack-laden log samples to validate
[Wazuh](https://wazuh.com/) detection rules across six common log sources.
Each generator embeds documented attack scenarios — calibrated to trigger
single-event rules, frequency rules, and correlation chains in the default
Wazuh ruleset.
## Why this exists
SIEM detection engineering is hard to validate without realistic data.
Production logs are sensitive, sanitized samples rarely contain attack
patterns, and synthetic data often doesn't match the format real decoders
expect. This generator solves that by:
- Producing logs in the **exact format** Wazuh's built-in decoders consume
- Embedding **specific attack scenarios** mapped to specific rule IDs
- Generating realistic **timing patterns** (bursts, frequency thresholds)
so correlation rules actually fire
## Supported log sources
| Source | Output file | Wazuh decoder | Default rules triggered |
| ------------------------ | ---------------------- | -------------------------- | --------------------------------- |
| Windows Active Directory | `active_directory.xml` | `windows_eventchannel` | 60103, 60112, 60122, 60123 |
| Linux authentication | `auth.log` | `sshd`, `sudo`, `pam_unix` | 5402, 5503, 5710, 5712, 5715 |
| MSSQL Server | `mssql_audit.log` | `mssql_log` | 85004, 85005, 85006 |
| MySQL | `mysql.log` | `mysql_log` | 50106, 50108, 50120 |
| Palo Alto Networks | `paloalto.csv` | `paloalto` | 64500–64517 |
| Web application | `web_access.log` | `web-accesslog` | 31101, 31103, 31104, 31106, 31151 |
## Quick start
### Requirements
- Python 3.8+
- No external dependencies (standard library only)
### Installation
```bash
git clone https://github.com/JimmyZghendy/wazuh-log-generator.git
cd wazuh-log-generator
```
### Usage
```bash
# Generate all sources with default volume (~40 events each)
python3 generate_logs.py --all

# One source, custom volume
python3 generate_logs.py --source paloalto --count 100

# Available sources
python3 generate_logs.py --help
```
Output files are written to `./output/` and ready for ingestion.
## Attack scenarios
Each generator embeds attack patterns calibrated to fire specific Wazuh
rule chains. Selected highlights:
### Active Directory (`active_directory.xml`)
| Scenario | MITRE | Rule chain |
| ------------------------------------------ | ---------------------- | ----------------- |
| Failed-logon burst from external IP | T1110 — Brute Force | 60122 → frequency |
| Account lockout | T1110 — Brute Force | 60123 |
| New user created → added to Administrators | T1136 — Create Account | 60103 + 60112 |
| AS-REP roast attempt (PreAuth=0, RC4) | T1558.004 | custom / 92651 |
| Kerberoasting (RC4 ticket on SPN) | T1558.003 | custom / 92652 |
### Linux authentication (`auth.log`)
| Scenario | MITRE | Rule chain |
| ----------------------------------------------- | ---------------------- | ----------- |
| SSH brute force (20× failures from one IP) | T1110 — Brute Force | 5710 → 5712 |
| Compromise after brute force (successful login) | T1078 — Valid Accounts | 5715 |
| Root login refused | T1078.003 | 5404 |
| Sudo command execution | T1548.003 | 5402 |
| User added post-compromise | T1136 — Create Account | 5902 |
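To show what "exact decoder format plus timing pattern" means for the first two rows above, here is a small standalone generator for the SSH brute-force chain (5710 → 5712 → 5715). This is an added example, not code from the project: the `sshd` message text is the real OpenSSH wording, the rule IDs come from the table, and the 120 s frequency window, the attacker IP `203.0.113.45`, the host name and the user names are assumptions constructed for the sample.

```python
from __future__ import annotations
import random
from datetime import datetime, timedelta

# Constructed sample values (not the project's): one source IP, one host, a
# few guessed user names. 203.0.113.0/24 is a documentation range.
ATTACKER_IP = "203.0.113.45"
HOSTNAME = "web01"
USERNAMES = ["admin", "oracle", "test", "deploy"]
FREQ_WINDOW_SECONDS = 120  # assumed timeframe of the default frequency rule


def syslog_ts(ts: datetime) -> str:
    """Render a timestamp as rsyslog writes it: 'Mar  4 10:15:02' (day padded to 2)."""
    return f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"


def ssh_brute_force_scenario(start: datetime, failures: int = 20, seed: int = 1) -> list[str]:
    """Emit `failures` sshd failures from one IP packed into a short burst, then
    one successful login from the same IP. Each failure is a 5710 match; the
    burst inside the frequency window is what 5712 aggregates; the closing
    'Accepted password' line is the 5715 event that marks the compromise."""
    rng = random.Random(seed)  # seeded so a run is reproducible
    lines, ts, pid = [], start, rng.randint(1000, 60000)
    for _ in range(failures):
        ts += timedelta(seconds=rng.randint(1, 4))  # 1-4 s apart keeps all inside the window
        pid += rng.randint(1, 5)                     # a new sshd child per attempt
        lines.append(
            f"{syslog_ts(ts)} {HOSTNAME} sshd[{pid}]: Failed password for invalid user "
            f"{rng.choice(USERNAMES)} from {ATTACKER_IP} port {rng.randint(40000, 65000)} ssh2"
        )
    ts += timedelta(seconds=rng.randint(1, 4))
    lines.append(
        f"{syslog_ts(ts)} {HOSTNAME} sshd[{pid + 1}]: Accepted password for deploy "
        f"from {ATTACKER_IP} port {rng.randint(40000, 65000)} ssh2"
    )
    return lines


def burst_span_seconds(lines: list[str]) -> int:
    """Seconds between first and last line, parsed back from the syslog prefix.
    A sample is only a valid frequency test if this stays under the window."""
    parse = lambda line: datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return int((parse(lines[-1]) - parse(lines[0])).total_seconds())


if __name__ == "__main__":
    sample = ssh_brute_force_scenario(datetime(2024, 3, 4, 10, 15, 0))
    assert burst_span_seconds(sample) < FREQ_WINDOW_SECONDS
    print("\n".join(sample))
```

Append the output to a file the agent monitors as `syslog`/`auth.log` and confirm in `archives.json` that 5710 fires per line, 5712 once the threshold is crossed, and 5715 on the final line.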
### MSSQL (`mssql_audit.log`)
| Scenario | MITRE | Rule trigger |
| ------------------------------------------ | ----------------------------------------- | -------------------- |
| Brute force on `sa` account (15× failures) | T1110 | mssql_log decoder |
| `xp_cmdshell` invocation | T1059 — Command and Scripting Interpreter | privilege escalation |
| Server role membership grant (`sysadmin`) | T1078 — Valid Accounts | privilege escalation |
| SQL injection against `sys.sql_logins` | T1190 — Exploit Public-Facing App | SQLi indicator |
### MySQL (`mysql.log`)
| Scenario | MITRE | Rule family |
| ------------------------------------------------------- | ---------------------------- | --------------------------- |
| Access-denied burst on `root` (12×) | T1110 | mysql brute-force chain |
| `GRANT ALL ... WITH GRANT OPTION` | T1098 — Account Manipulation | privilege escalation |
| `CREATE USER backdoor_*` | T1136 | suspicious account creation |
| `DROP DATABASE production` | T1485 — Data Destruction | destructive DDL |
| SQL injection patterns (UNION SELECT, SLEEP, LOAD_FILE) | T1190 | SQLi indicators |
### Palo Alto Networks (`paloalto.csv`)
| Scenario | Subtype | Severity | Rule |
| --------------------------------------------------- | -------------- | -------- | ----------------- |
| Port scan from one IP, 25× varied destination ports | TRAFFIC `deny` | — | 64504 (frequency) |
| Log4Shell exploit attempt | THREAT | critical | 64513 |
| Cobalt Strike beacon | THREAT | critical | 64513 |
| ZeroLogon (CVE-2020-1472) | THREAT | critical | 64513 |
| Mimikatz signature | THREAT | critical | 64513 |
| Malicious URL block (C2 / phishing / malware) | URL | high | 64509 |
### Web application (`web_access.log`)
| Scenario | MITRE | Pattern | Rule |
| ---------------------------------- | ------------------------------------ | ------------------------------------------- | ------------- |
| SQL injection | T1190 | `' OR '1'='1`, `UNION SELECT`, `SLEEP(5)` | 31103, 31106 |
| Cross-site scripting | T1059.007 | `