When you use an event replay file with the Test Alert connector, you often wind up with very repetitive field values in the events. I needed a way to create a greater range of unique values for IP addresses, ports, and device fields. My solution was to create a shell script that mimics Fortigate firewall traffic events. Just execute the script using the IP address and port of a Syslog Daemon SmartConnector host and it will produce events with highly randomized field values at about 100-300 EPS.
If you need higher EPS, just adjust the sleep command value or execute the script several times in parallel.
#perftestsyslog.sh <ip address> <port>
echo "<165>date=$(date +"%Y-%m-%d") time=$(date +"%T") devname=FGT20C3X1200$((RANDOM%9999)) device_id=FGT20C3X1200$((RANDOM%9999)) log_id=0038000005 type=traffic subtype=other pri=notice status=accept vd="root" dir_disp=org tran_disp=noop src=$((RANDOM%255)).$((RANDOM%255)).$((RANDOM%255)).$((RANDOM%255)) srcname="TESTSOURCE" src_port=$((RANDOM%65534)) dst=$((RANDOM%255)).$((RANDOM%255)).$((RANDOM%255)).$((RANDOM%255)) dstname="TESTDEST" dst_country="Reserved" dst_port=$((RANDOM%65534)) tran_ip=N/A tran_port=0 tran_sip=N/A tran_sport=0 service=3/3/icmp proto=1 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" sent_pkt=0 rcvd_pkt=0 vpn="N/A" vpn_type=UNKNOWN(65535) vpn_tunnel="N/A" src_int="root" dst_int="lan" SN=439492$((RANDOM%9999)) app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A" profilegroup="N/A""
done | nc $1 -u $2
NOTE: Since this is a testing tool, I assume no one is going to use it on production systems, and I hold no responsibility for how the reader of this blog chooses to use it. That said, I'd like everyone to be aware that your SmartConnector may become unstable or crash after receiving events from the script for an extended period of time.