mcp-server-wazuh

Overview

The Wazuh MCP Server bridges the gap between Wazuh SIEM systems and AI assistants like Claude, providing real-time security context through natural language interactions. It transforms complex Wazuh API responses into MCP-compatible format, enabling access to security alerts, agent management, vulnerability assessment, compliance monitoring, and log analysis data.

Try asking AI

After installing, here are 5 things you can ask your AI assistant:

• get_wazuh_alert_summary

  Retrieve summary of recent security alerts for threat detection and incident response

  Try:Show me recent security alertsTry:Get a summary of high-priority alerts
• get_wazuh_vulnerability_summary

  Get overview of vulnerability assessment data across agents

  Try:Show me all vulnerabilities on our agentsTry:Get a vulnerability summary for server agents
• get_wazuh_critical_vulnerabilities

  Identify critical vulnerabilities requiring immediate patching

  Try:Show me critical vulnerabilitiesTry:List vulnerabilities with CVSS score above 9
• get_wazuh_agent_processes

  Monitor running processes on specific agents

  Try:What processes are running on agent 001?Try:Show processes on the database server
• get_wazuh_agent_ports

  Check open ports and network services on agents

  Try:Show open ports on web server agentsTry:Check for unusual network connections
• get_wazuh_running_agents

  Monitor agent status and connectivity

  Try:Which agents are currently online?Try:Show health status of all agents
• get_wazuh_rules_summary

  Review security detection rules and their effectiveness

  Try:Show me all active security rulesTry:Check rules that triggered alerts today
• get_wazuh_weekly_stats

  Retrieve weekly system performance and statistics

  Try:Show me weekly system statisticsTry:Get performance metrics for the last week
• get_wazuh_cluster_health

  Monitor Wazuh cluster status and node health

  Try:Check cluster health statusTry:Show node status in the Wazuh cluster
• search_wazuh_manager_logs

  Search and analyze manager logs for incident investigation

  Try:Search for authentication failures in logsTry:Find error messages from last night
• get_wazuh_manager_error_logs

  Retrieve error logs from the Wazuh Manager

  Try:Show me recent manager error logsTry:Check for critical errors in the system
• get_wazuh_remoted_stats

  Get statistics for the Wazuh remote collector service

  Try:Show remoted service statisticsTry:Check performance of the collector service

Comparable tools

Installation

docker pull ghcr.io/gbrigandi/mcp-server-wazuh:latest

git clone https://github.com/gbrigandi/mcp-server-wazuh.git
cd mcp-server-wazuh
cargo build --release

{
  "mcpServers": {
    "wazuh": {
      "command": "/path/to/mcp-server-wazuh",
      "args": [],
      "env": {
        "WAZUH_API_HOST": "your_wazuh_manager_api_host",
        "WAZUH_API_PORT": "55000",
        "WAZUH_API_USERNAME": "your_wazuh_api_user",
        "WAZUH_API_PASSWORD": "your_wazuh_api_password",
        "WAZUH_INDEXER_HOST": "your_wazuh_indexer_host",
        "WAZUH_INDEXER_PORT": "9200",
        "WAZUH_INDEXER_USERNAME": "your_wazuh_indexer_user",
        "WAZUH_INDEXER_PASSWORD": "your_wazuh_indexer_password",
        "WAZUH_VERIFY_SSL": "false",
        "WAZUH_TEST_PROTOCOL": "https",
        "RUST_LOG": "info"
      }
    }
  }
}

FAQ

What Wazuh version is required?

Wazuh v4.12 is recommended with the API enabled and accessible.

Can I use this with other MCP-compatible clients besides Claude?

Yes, this server works with any MCP-compatible LLM client, though configuration examples are provided for Claude Desktop.

Compare mcp-server-wazuh with