Wazuh MCP Server

by gensecaihq

Wazuh MCP Server v2.1.0

A production-ready FastMCP server that connects Wazuh SIEM with Claude Desktop for AI-powered security operations using STDIO transport only.

🌐 Remote Server Edition: Looking for enterprise remote access? Check out v3.0.0 Remote Server Edition with HTTP/SSE transport, Docker deployment, and JWT authentication.

✨ Key Features

  • 🔍 29 Security Tools: Complete FastMCP tool suite for Wazuh integration
  • 🧠 AI-Powered Analysis: Threat analysis, risk assessment, and compliance reporting
  • 💬 Natural Language Queries: Ask Claude "Show me critical vulnerabilities"
  • 📡 STDIO Only: Secure local connection to Claude Desktop - no network setup
  • Dual API Support: Intelligent routing between Wazuh Server API and Indexer API
  • 🛡️ Production Ready: Comprehensive health checks, error handling, and security

🚀 Quick Start

Installation

  # Clone the repository
  git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
  cd Wazuh-MCP-Server

  # Install in development mode
  pip install -e .

  # Configure environment
  cp .env.example .env
  # Edit .env with your settings

  # Validate setup
  wazuh-mcp-server --check

⚙️ Configuration

Required Wazuh Settings

Edit .env with your Wazuh server details:

  # Wazuh Server API Configuration
  WAZUH_HOST=your-wazuh-server.com
  WAZUH_PORT=55000
  WAZUH_USER=your-api-username
  WAZUH_PASS=your-secure-password

  # Wazuh Indexer Configuration (for 4.8.0+)
  WAZUH_INDEXER_HOST=your-wazuh-server.com
  WAZUH_INDEXER_PORT=9200
  WAZUH_INDEXER_USER=your-indexer-username
  WAZUH_INDEXER_PASS=your-indexer-password

  # SSL Configuration (Production Ready Defaults)
  VERIFY_SSL=true                  # Enable SSL verification
  WAZUH_ALLOW_SELF_SIGNED=true     # Allow self-signed certificates

SSL Configuration Options

  Scenario      Configuration                                    Use Case
  Production    VERIFY_SSL=true + WAZUH_ALLOW_SELF_SIGNED=false   Valid CA certificates
  Self-Signed   VERIFY_SSL=true + WAZUH_ALLOW_SELF_SIGNED=true    Self-signed certificates
  Development   VERIFY_SSL=false                                  HTTP-only or invalid certificates
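The required settings and the three SSL rows above make a natural pre-flight check. The Python below is an added example, not the project's own `--check` implementation: it parses a constructed `.env` snippet, classifies the SSL scenario exactly as the table does, and flags unedited `.env.example` placeholders, invalid ports, `VERIFY_SSL=false`, and (under an assumed 12-character policy, since the README states no number) short passwords.

```python
REQUIRED = ("WAZUH_HOST", "WAZUH_PORT", "WAZUH_USER", "WAZUH_PASS")
TRUE_VALUES = ("1", "true", "yes")
SAMPLE_ENV = """\
# constructed sample, not a real deployment; two .env.example placeholders remain
WAZUH_HOST=your-wazuh-server.com
WAZUH_PORT=55000
WAZUH_USER=your-api-username
WAZUH_PASS=short            # too short under the assumed 12-character policy
VERIFY_SSL=false            # the README's development-only setting
"""

def parse_env(text: str) -> dict[str, str]:
    """Parse .env-style KEY=VALUE lines; '#' starts a comment."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def ssl_scenario(settings: dict[str, str]) -> str:
    """Map VERIFY_SSL / WAZUH_ALLOW_SELF_SIGNED onto the README's three table rows."""
    verify = settings.get("VERIFY_SSL", "true").lower() in TRUE_VALUES
    self_signed = settings.get("WAZUH_ALLOW_SELF_SIGNED", "true").lower() in TRUE_VALUES
    if not verify:
        return "development"
    return "self-signed" if self_signed else "production"

def validate_settings(settings: dict[str, str]) -> list[str]:
    """Return findings a pre-flight check would report; an empty list means pass."""
    findings = []
    for key in REQUIRED:
        if not settings.get(key):
            findings.append(f"{key} is missing")
    for key in ("WAZUH_PORT", "WAZUH_INDEXER_PORT"):
        port = settings.get(key)
        if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append(f"{key}={port!r} is not a valid TCP port")
    for key, value in settings.items():
        if value.startswith("your-"):  # value copied unchanged from .env.example
            findings.append(f"{key} still holds the .env.example placeholder")
    for key in ("WAZUH_PASS", "WAZUH_INDEXER_PASS"):
        value = settings.get(key, "")
        if value and len(value) < 12 and not value.startswith("your-"):  # assumed policy
            findings.append(f"{key} is shorter than 12 characters")
    if ssl_scenario(settings) == "development":
        findings.append("VERIFY_SSL=false disables certificate checks: development only")
    return findings
```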

🖥️ Claude Desktop Integration

Configuration

Add to Claude Desktop config:

  • Windows: %APPDATA%\Claude\claude_desktop_config.json
  • macOS/Linux: ~/.config/claude/claude_desktop_config.json

  {
    "mcpServers": {
      "wazuh": {
        "command": "wazuh-mcp-server",
        "args": []
      }
    }
  }

Usage Examples

Once configured, you can interact with Wazuh through Claude Desktop:

  🔍 "Show me all critical security alerts from the last 24 hours"
  🚨 "What are the top 5 security threats in my environment?"
  🛡️ "Run a PCI-DSS compliance check"
  📊 "Generate a weekly security report"
  🔧 "Check the health of agent web-server-01"
  🌐 "Show me vulnerability summary for the last week"

📚 Complete Tool Reference

Alert Management (4 tools)

  • get_wazuh_alerts - Retrieve security alerts with filtering
  • get_wazuh_alert_summary - Alert summaries and statistics
  • analyze_alert_patterns - AI-powered pattern analysis
  • search_security_events - Advanced security event search

Agent Management (6 tools)

  • get_wazuh_agents - Agent information and status
  • get_wazuh_running_agents - Active agents overview
  • check_agent_health - Comprehensive agent health validation
  • get_agent_processes - Running processes per agent
  • get_agent_ports - Open ports and services per agent
  • get_agent_configuration - Detailed agent configuration

Vulnerability Management (3 tools)

  • get_wazuh_vulnerabilities - Comprehensive vulnerability scanning
  • get_wazuh_critical_vulnerabilities - Critical vulnerabilities only
  • get_wazuh_vulnerability_summary - Vulnerability statistics and trends

Security Analysis (6 tools)

  • analyze_security_threat - AI-powered threat indicator analysis
  • check_ioc_reputation - IOC reputation checking against threat feeds
  • perform_risk_assessment - Comprehensive security risk analysis
  • get_top_security_threats - Top threats by severity and frequency
  • generate_security_report - Automated security reporting
  • run_compliance_check - Multi-framework compliance validation

System Monitoring (10 tools)

  • get_wazuh_statistics - Comprehensive system statistics
  • get_wazuh_weekly_stats - Weekly performance and security trends
  • get_wazuh_cluster_health - Cluster health and status monitoring
  • get_wazuh_cluster_nodes - Individual cluster node information
  • get_wazuh_rules_summary - Rule effectiveness and performance
  • get_wazuh_remoted_stats - Agent communication statistics
  • get_wazuh_log_collector_stats - Log collection performance metrics
  • search_wazuh_manager_logs - Manager log search and analysis
  • get_wazuh_manager_error_logs - Error log retrieval and analysis
  • validate_wazuh_connection - Connection validation and diagnostics

📖 Documentation

Complete API Documentation

Deployment Guides

🔧 Command Line Interface

  # Start the MCP server (default)
  wazuh-mcp-server

  # Validate configuration and connectivity
  wazuh-mcp-server --check

  # Show version information
  wazuh-mcp-server --version

  # Show help information
  wazuh-mcp-server --help

🏗️ Architecture

  ┌─────────────────┐   STDIO    ┌─────────────────┐   HTTPS    ┌─────────────────┐
  │                 │◄──────────►│                 │◄──────────►│                 │
  │ Claude Desktop  │            │ Wazuh MCP Server│            │   Wazuh SIEM    │
  │                 │            │                 │            │                 │
  └─────────────────┘            └─────────────────┘            └─────────────────┘
                                          │                              │
                                          ▼                              ▼
                                 ┌─────────────────┐            ┌─────────────────┐
                                 │                 │            │                 │
                                 │ FastMCP Runtime │            │ Wazuh Indexer   │
                                 │   (29 Tools)    │            │  (OpenSearch)   │
                                 │                 │            │                 │
                                 └─────────────────┘            └─────────────────┘

🛡️ Security Features

  • 🔐 Secure by Default: SSL/TLS verification enabled by default
  • 🚫 No Network Exposure: STDIO transport only - no HTTP server
  • 🔑 Credential Validation: Strong password requirements and validation
  • 📝 Audit Logging: Comprehensive security event logging
  • ⚡ Rate Limiting: Built-in API rate limiting and connection pooling
  • 🛠️ Error Handling: Graceful error handling and recovery mechanisms

🧪 Testing & Validation

  # Install development dependencies
  pip install -e ".[dev]"

  # Run tests
  pytest tests/

  # Run security validation
  wazuh-mcp-server --check

  # Test Claude Desktop integration
  # (Configure Claude Desktop and test with natural language queries)

📊 System Requirements

Minimum Requirements

  • OS: Windows 10+, macOS 10.15+, Linux (any modern distribution)
  • Python: 3.11 or higher
  • RAM: 512MB available memory
  • Network: HTTPS access to Wazuh server

Recommended Requirements

  • Python: 3.12 or higher
  • RAM: 2GB available memory
  • SSL: Valid SSL certificates for production use
  • Monitoring: Centralized logging and monitoring setup

🤝 Contributing

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

🆘 Support

🏆 Production Ready

This software has been designed for enterprise production use with:

  • ✅ Comprehensive error handling and recovery
  • ✅ Production-grade logging and monitoring
  • ✅ Security hardening and validation
  • ✅ Cross-platform compatibility
  • ✅ Extensive documentation and support
  • ✅ Full test coverage and validation

🚀 Other Editions

Wazuh MCP Remote Server v3.0.0

For enterprise deployments requiring remote access, check out our Remote Server Edition:

  • 🌐 Remote Access: HTTP/SSE transport for cloud and distributed environments
  • 🔐 JWT Authentication: Enterprise-grade Bearer token authentication
  • 🐳 Docker Native: Multi-platform container deployment
  • 📊 Full Monitoring: Prometheus metrics, health checks, and observability
  • ⚡ High Availability: Circuit breakers, retry logic, and load balancing ready
  • 🏢 Enterprise Ready: Perfect for corporate and cloud deployments

→ View Remote Server Edition

Comparison

  Feature          v2.1.0 (STDIO)           v3.0.0 (Remote)
  Transport        STDIO (local)            HTTP/SSE (remote)
  Deployment       Source install           Docker containers
  Authentication   Local integration        JWT Bearer tokens
  Best For         Direct Claude Desktop    Enterprise/Cloud

Made with ❤️ for the cybersecurity community
