Wazuh MCP Server

An MCP server for the Wazuh SIEM/XDR platform.


wazuh-mcp

A Model Context Protocol (MCP) server for the Wazuh SIEM/XDR platform. Query agents, security alerts, detection rules, and decoders directly from Claude or any MCP-compatible client.

Features

  • 25 MCP Tools - Agents, alerts, rules, decoders, SCA, syscollector, FIM, rootcheck, groups, and manager
  • 3 MCP Resources - Pre-built views for agents, recent alerts, and rule summaries
  • 3 MCP Prompts - Alert investigation, agent health checks, and security overviews
  • JWT Authentication - Automatic token management with refresh on expiry
  • Full Compliance Mapping - PCI-DSS, GDPR, HIPAA, NIST 800-53, MITRE ATT&CK
  • Pagination - All list endpoints support limit/offset pagination
  • Type-Safe - Full TypeScript with strict mode and Zod schema validation

Prerequisites

  • Node.js 20+
  • A running Wazuh manager with API access (default port 55000)
  • Wazuh API credentials (username/password)
  • (Optional) Wazuh Indexer (OpenSearch) access for alert queries

Installation

git clone https://github.com/solomonneas/wazuh-mcp.git
cd wazuh-mcp
npm install
npm run build

Configuration

Set the following environment variables:

Variable         | Required | Default | Description
WAZUH_URL        | Yes      | -       | Wazuh API URL (e.g., https://10.0.0.2:55000)
WAZUH_USERNAME   | Yes      | -       | API username
WAZUH_PASSWORD   | Yes      | -       | API password
WAZUH_VERIFY_SSL | No       | false   | Set to true to verify SSL certificates

Alternative variable names WAZUH_BASE_URL and WAZUH_USER are also supported.

Wazuh Indexer (OpenSearch) - Required for Alerts

Wazuh 4.x stores alerts in the Wazuh Indexer (OpenSearch), not the REST API. To enable alert tools (get_alerts, get_alert, search_alerts) and the wazuh://alerts/recent resource, configure the indexer connection:

Variable                 | Required | Default | Description
WAZUH_INDEXER_URL        | No       | -       | Wazuh Indexer URL (e.g., https://10.0.0.2:9200)
WAZUH_INDEXER_USERNAME   | No       | admin   | Indexer username
WAZUH_INDEXER_PASSWORD   | No       | -       | Indexer password
WAZUH_INDEXER_VERIFY_SSL | No       | false   | Set to true to verify SSL certificates

If WAZUH_INDEXER_URL is not set, alert tools will return a helpful configuration message. All other tools (agents, rules, decoders, version) work without the indexer.
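The Features list above says the server manages a JWT for the Wazuh API and refreshes it on expiry, and that list endpoints page through results with limit/offset. The block below is an added example written for this page; it is not code from wazuh-mcp. It assumes the Wazuh 4.x REST API shapes that the page itself does not show: POST /security/user/authenticate with HTTP Basic credentials returning { data: { token } }, and list endpoints such as /agents returning { data: { affected_items, total_affected_items } }. The HTTP layer is injected, and makeFakeWazuh is a constructed in-memory stand-in for a manager, so the example runs offline; the hostnames, the agent records and the unsigned token helper are all invented for the demo.

```typescript
// Added example, not part of wazuh-mcp. Assumed Wazuh 4.x API shapes:
//   POST /security/user/authenticate (Basic auth) -> { data: { token } }
//   GET  /agents?limit=N&offset=M -> { data: { affected_items, total_affected_items } }
type ApiResponse = { status: number; json(): Promise<any> };
type RequestInitLite = { method: string; headers: Record<string, string> };
type Fetcher = (url: string, init: RequestInitLite) => Promise<ApiResponse>;

/** Constructed, unsigned JWT-shaped string for the fake server and tests only. */
export function makeUnsignedJwt(claims: Record<string, unknown>): string {
  const b64 = (s: string) => Buffer.from(s).toString("base64url");
  return `${b64(JSON.stringify({ alg: "HS256", typ: "JWT" }))}.${b64(JSON.stringify(claims))}.fakesig`;
}

/** Read the exp claim (seconds since the epoch) from a JWT payload. The client only
 *  needs the expiry for scheduling a refresh; verifying the signature is the server's job. */
export function jwtExpiry(token: string): number {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  if (typeof payload.exp !== "number") throw new Error("JWT has no exp claim");
  return payload.exp;
}

/** Treat the token as stale `skewSeconds` before its real expiry so a request sent
 *  just before the deadline does not fail with 401 mid-flight. */
export function tokenIsStale(token: string, nowSeconds: number, skewSeconds = 30): boolean {
  return jwtExpiry(token) - skewSeconds <= nowSeconds;
}

export class WazuhClient {
  private token: string | null = null;

  constructor(
    private readonly baseUrl: string,
    private readonly username: string,
    private readonly password: string,
    private readonly fetcher: Fetcher,
    private readonly now: () => number = () => Math.floor(Date.now() / 1000),
  ) {}

  /** Return the cached token, or log in again when none is cached or it is about to expire. */
  async getToken(): Promise<string> {
    if (this.token !== null && !tokenIsStale(this.token, this.now())) return this.token;
    const basic = Buffer.from(`${this.username}:${this.password}`).toString("base64");
    const res = await this.fetcher(`${this.baseUrl}/security/user/authenticate`, {
      method: "POST",
      headers: { Authorization: `Basic ${basic}` },
    });
    if (res.status !== 200) throw new Error(`Wazuh authentication failed: HTTP ${res.status}`);
    this.token = String((await res.json()).data.token);
    return this.token;
  }

  /** GET one page of a list endpoint. On 401 the cached token is dropped and the call is
   *  retried once with a fresh login (covers a token revoked or expired server-side). */
  private async getPage(path: string, limit: number, offset: number, retried = false): Promise<any> {
    const sep = path.includes("?") ? "&" : "?";
    const res = await this.fetcher(`${this.baseUrl}${path}${sep}limit=${limit}&offset=${offset}`, {
      method: "GET",
      headers: { Authorization: `Bearer ${await this.getToken()}` },
    });
    if (res.status === 401 && !retried) {
      this.token = null;
      return this.getPage(path, limit, offset, true);
    }
    if (res.status !== 200) throw new Error(`GET ${path} failed: HTTP ${res.status}`);
    return (await res.json()).data;
  }

  /** Walk a paginated list endpoint with limit/offset until every item has been returned. */
  async listAll(path: string, pageSize = 500): Promise<any[]> {
    const items: any[] = [];
    let offset = 0;
    for (;;) {
      const data = await this.getPage(path, pageSize, offset);
      items.push(...data.affected_items);
      offset += data.affected_items.length;
      if (offset >= data.total_affected_items || data.affected_items.length === 0) break;
    }
    return items;
  }
}

/** Constructed in-memory stand-in for a Wazuh manager (not a real server). It issues
 *  tokens from the supplied clock and counts logins so token reuse can be observed. */
export function makeFakeWazuh(now: () => number = () => Math.floor(Date.now() / 1000), ttl = 900) {
  let logins = 0;
  const agents = [ // constructed sample data
    { id: "000", name: "manager", status: "active" },
    { id: "001", name: "web-01", status: "active" },
    { id: "002", name: "db-01", status: "disconnected" },
  ];
  const ok = (body: unknown): ApiResponse => ({ status: 200, json: async () => body });
  const fetcher: Fetcher = async (url, init) => {
    const u = new URL(url);
    if (u.pathname === "/security/user/authenticate") {
      logins += 1;
      return ok({ data: { token: makeUnsignedJwt({ sub: "wazuh-wui", exp: now() + ttl }) }, error: 0 });
    }
    if (!(init.headers["Authorization"] ?? "").startsWith("Bearer ")) {
      return { status: 401, json: async () => ({ title: "Unauthorized", status: 401 }) };
    }
    if (u.pathname === "/agents") {
      const limit = Number(u.searchParams.get("limit") ?? 500);
      const offset = Number(u.searchParams.get("offset") ?? 0);
      const page = agents.slice(offset, offset + limit);
      return ok({ data: { affected_items: page, total_affected_items: agents.length }, error: 0 });
    }
    return { status: 404, json: async () => ({ status: 404 }) };
  };
  return { fetcher, logins: () => logins };
}

// Stand-alone demo: three agents fetched in two pages with a single login.
const fake = makeFakeWazuh();
void new WazuhClient("https://wazuh.example:55000", "wazuh-wui", "password", fake.fetcher)
  .listAll("/agents", 2)
  .then((agents) => console.log(`${agents.length} agents fetched with ${fake.logins()} login(s)`));
```

The expiry check is deliberately skewed a few seconds early rather than relying on a 401 to tell the client its token has died, and the 401 path re-authenticates only once so a rejected credential cannot turn into a login loop. The example has no TLS layer of its own; with a real manager the same Basic credentials and Bearer tokens travel inside the HTTPS connection, which is why WAZUH_VERIFY_SSL from the table above should be set to true outside of a lab.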

Usage

Claude Desktop

Add to your Claude Desktop configuration (claude_desktop_config.json):

{
  "mcpServers": {
    "wazuh": {
      "command": "node",
      "args": ["/path/to/wazuh-mcp/dist/index.js"],
      "env": {
        "WAZUH_URL": "https://your-wazuh-manager:55000",
        "WAZUH_USERNAME": "wazuh-wui",
        "WAZUH_PASSWORD": "your-password",
        "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
        "WAZUH_INDEXER_USERNAME": "admin",
        "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
      }
    }
  }
}

OpenClaw

Add to your openclaw.json:

{
  "mcp": {
    "servers": {
      "wazuh": {
        "type": "stdio",
        "command": "node",
        "args": ["/path/to/wazuh-mcp/dist/index.js"],
        "env": {
          "WAZUH_URL": "https://your-wazuh-manager:55000",
          "WAZUH_USERNAME": "wazuh-wui",
          "WAZUH_PASSWORD": "your-password",
          "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
          "WAZUH_INDEXER_USERNAME": "admin",
          "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
        }
      }
    }
  }
}

Standalone

export WAZUH_URL=https://your-wazuh-manager:55000
export WAZUH_USERNAME=wazuh-wui
export WAZUH_PASSWORD=your-password
npm start

Development

npm run dev    # Watch mode with tsx
npm run lint   # Type checking
npm test       # Run tests

MCP Tools

Agent Tools

Tool            | Description
list_agents     | List all agents with optional status filtering (active, disconnected, never_connected, pending)
get_agent       | Get detailed info for a specific agent by ID
get_agent_stats | Get CPU, memory, and disk statistics for an agent

Alert Tools

Tool          | Description
get_alerts    | Retrieve recent alerts with filtering by level, agent, rule, and text search
get_alert     | Retrieve a single alert by ID
search_alerts | Full-text search across all alerts

Rule Tools

Tool       | Description
list_rules | List detection rules



Try it

  • List all disconnected agents and provide a summary of their health status.
  • Search for recent security alerts related to failed login attempts.
  • Investigate the latest critical alerts and provide a summary of the affected agents.
  • Generate a security overview of the current environment based on recent alerts.

Frequently Asked Questions

What are the key features of wazuh-mcp?

Provides 25 MCP tools for managing agents, alerts, rules, and decoders. Supports full-text alert searching via Wazuh Indexer integration. Includes pre-built MCP resources for agents, recent alerts, and rule summaries. Features automatic JWT authentication with token refresh. Provides compliance mapping for PCI-DSS, GDPR, HIPAA, and MITRE ATT&CK.

What can I use wazuh-mcp for?

Security analysts investigating active threats by querying real-time alerts. System administrators performing health checks on monitored agents. Compliance officers generating reports mapped to frameworks like HIPAA or GDPR. Security engineers auditing detection rules and decoders within the SIEM.

How do I install wazuh-mcp?

Install wazuh-mcp by running: git clone https://github.com/solomonneas/wazuh-mcp.git && cd wazuh-mcp && npm install && npm run build

What MCP clients work with wazuh-mcp?

wazuh-mcp works with any MCP-compatible client, including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.
