Wazuh MCP Server v2.1.0
A production-ready FastMCP server that connects Wazuh SIEM with Claude Desktop for AI-powered security operations using STDIO transport only.
🌐 Remote Server Edition: Looking for enterprise remote access? Check out v3.0.0 Remote Server Edition with HTTP/SSE transport, Docker deployment, and JWT authentication.
✨ Key Features
- 🔍 29 Security Tools: Complete FastMCP tool suite for Wazuh integration
- 🧠 AI-Powered Analysis: Threat analysis, risk assessment, and compliance reporting
- 💬 Natural Language Queries: Ask Claude "Show me critical vulnerabilities"
- 📡 STDIO Only: Secure local connection to Claude Desktop - no network setup
- ⚡ Dual API Support: Intelligent routing between Wazuh Server API and Indexer API
- 🛡️ Production Ready: Comprehensive health checks, error handling, and security
🚀 Quick Start
Installation
⚙️ Configuration
Required Wazuh Settings
Edit .env with your Wazuh server details:
SSL Configuration Options
| Scenario | Configuration | Use Case |
|---|---|---|
| Production | VERIFY_SSL=true + WAZUH_ALLOW_SELF_SIGNED=false | Valid CA certificates |
| Self-Signed | VERIFY_SSL=true + WAZUH_ALLOW_SELF_SIGNED=true | Self-signed certificates |
| Development | VERIFY_SSL=false | HTTP-only or invalid certificates |
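The three rows above map onto a single decision: what to hand the HTTP client as its certificate-verification setting. The following is an added example (not the project's own code) that resolves VERIFY_SSL and WAZUH_ALLOW_SELF_SIGNED into such a policy, keeping verification on by default and refusing the self-signed scenario unless a trust anchor is supplied; the WAZUH_CA_BUNDLE variable and the `path_exists` hook are assumptions, not settings from the page.

```python
"""Resolve the README's SSL scenarios into one TLS verification policy.

Added example, not the project's code. VERIFY_SSL and WAZUH_ALLOW_SELF_SIGNED
are the README's variables; WAZUH_CA_BUNDLE (path to the self-signed server
certificate) is a hypothetical variable introduced here.
"""
from __future__ import annotations

import os
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Union

_TRUE_VALUES = {"1", "true", "yes", "on"}


def _as_bool(value: Optional[str], default: bool) -> bool:
    """Parse a .env style boolean; unset falls back to the secure default."""
    if value is None or value.strip() == "":
        return default
    return value.strip().lower() in _TRUE_VALUES


@dataclass(frozen=True)
class TlsPolicy:
    scenario: str                 # "production", "self-signed" or "development"
    verify: Union[bool, str]      # value to pass as requests/httpx `verify=`
    warning: Optional[str]        # caveat worth surfacing in the server log


def resolve_tls_policy(env: Optional[Mapping[str, str]] = None,
                       path_exists: Callable[[str], bool] = os.path.isfile) -> TlsPolicy:
    """Map the README's table rows to a verification policy (secure by default)."""
    env = os.environ if env is None else env
    verify_ssl = _as_bool(env.get("VERIFY_SSL"), default=True)
    allow_self_signed = _as_bool(env.get("WAZUH_ALLOW_SELF_SIGNED"), default=False)
    ca_bundle = env.get("WAZUH_CA_BUNDLE")  # hypothetical: trust anchor for self-signed

    if not verify_ssl:
        # Development row: verification off, so credentials are exposed to any
        # on-path host; make that visible rather than silent.
        return TlsPolicy("development", False,
                         "certificate verification disabled (VERIFY_SSL=false)")
    if allow_self_signed:
        # Self-Signed row: keep verifying, but against the operator-supplied cert
        # instead of the system CA store. No trust anchor means no safe answer.
        if not ca_bundle or not path_exists(ca_bundle):
            raise ValueError("WAZUH_ALLOW_SELF_SIGNED=true requires WAZUH_CA_BUNDLE "
                             "to point at the server's certificate")
        return TlsPolicy("self-signed", ca_bundle, None)
    # Production row: full verification against the system CA bundle.
    return TlsPolicy("production", True, None)
```

Passing `policy.verify` straight to `requests`/`httpx` gives the client either `True`, `False`, or a CA bundle path, which is exactly the three rows of the table.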
🖥️ Claude Desktop Integration
Configuration
Add to Claude Desktop config:
- Windows: %APPDATA%\Claude\claude_desktop_config.json
- macOS/Linux: ~/.config/claude/claude_desktop_config.json
Usage Examples
Once configured, you can interact with Wazuh through Claude Desktop:
📚 Complete Tool Reference
Alert Management (4 tools)
- get_wazuh_alerts - Retrieve security alerts with filtering
- get_wazuh_alert_summary - Alert summaries and statistics
- analyze_alert_patterns - AI-powered pattern analysis
- search_security_events - Advanced security event search
Agent Management (6 tools)
- get_wazuh_agents - Agent information and status
- get_wazuh_running_agents - Active agents overview
- check_agent_health - Comprehensive agent health validation
- get_agent_processes - Running processes per agent
- get_agent_ports - Open ports and services per agent
- get_agent_configuration - Detailed agent configuration
Vulnerability Management (3 tools)
- get_wazuh_vulnerabilities - Comprehensive vulnerability scanning
- get_wazuh_critical_vulnerabilities - Critical vulnerabilities only
- get_wazuh_vulnerability_summary - Vulnerability statistics and trends
Security Analysis (6 tools)
- analyze_security_threat - AI-powered threat indicator analysis
- check_ioc_reputation - IOC reputation checking against threat feeds
- perform_risk_assessment - Comprehensive security risk analysis
- get_top_security_threats - Top threats by severity and frequency
- generate_security_report - Automated security reporting
- run_compliance_check - Multi-framework compliance validation
System Monitoring (10 tools)
- get_wazuh_statistics - Comprehensive system statistics
- get_wazuh_weekly_stats - Weekly performance and security trends
- get_wazuh_cluster_health - Cluster health and status monitoring
- get_wazuh_cluster_nodes - Individual cluster node information
- get_wazuh_rules_summary - Rule effectiveness and performance
- get_wazuh_remoted_stats - Agent communication statistics
- get_wazuh_log_collector_stats - Log collection performance metrics
- search_wazuh_manager_logs - Manager log search and analysis
- get_wazuh_manager_error_logs - Error log retrieval and analysis
- validate_wazuh_connection - Connection validation and diagnostics
📖 Documentation
Complete API Documentation
- Alert Management API - Comprehensive alert management tools
- Agent Management API - Agent monitoring and health tools
- Vulnerability Management API - Vulnerability assessment tools
- Security Analysis API - AI-powered security analysis tools
- System Monitoring API - Infrastructure monitoring tools
- Compliance & Reporting API - Compliance and reporting tools
- Log Management API - Advanced log search and analysis
Deployment Guides
- Installation Guide - Comprehensive installation instructions
- Configuration Guide - Detailed configuration options
- Troubleshooting Guide - Common issues and solutions
- Security Guide - Security best practices and hardening
🔧 Command Line Interface
🏗️ Architecture
🛡️ Security Features
- 🔐 Secure by Default: SSL/TLS verification enabled by default
- 🚫 No Network Exposure: STDIO transport only - no HTTP server
- 🔑 Credential Validation: Strong password requirements and validation
- 📝 Audit Logging: Comprehensive security event logging
- ⚡ Rate Limiting: Built-in API rate limiting and connection pooling
- 🛠️ Error Handling: Graceful error handling and recovery mechanisms
🧪 Testing & Validation
📊 System Requirements
Minimum Requirements
- OS: Windows 10+, macOS 10.15+, Linux (any modern distribution)
- Python: 3.11 or higher
- RAM: 512MB available memory
- Network: HTTPS access to Wazuh server
Recommended Requirements
- Python: 3.12 or higher
- RAM: 2GB available memory
- SSL: Valid SSL certificates for production use
- Monitoring: Centralized logging and monitoring setup
🤝 Contributing
- Fork the repository
- Create a feature branch (git checkout -b feature/amazing-feature)
- Commit your changes (git commit -m 'Add amazing feature')
- Push to the branch (git push origin feature/amazing-feature)
- Open a Pull Request
📄 License
This project is licensed under the MIT License - see the LICENSE file for details.
🆘 Support
- Documentation: Complete documentation
- Issues: GitHub Issues
- Discussions: GitHub Discussions
🏆 Production Ready
This software has been designed for enterprise production use with:
- ✅ Comprehensive error handling and recovery
- ✅ Production-grade logging and monitoring
- ✅ Security hardening and validation
- ✅ Cross-platform compatibility
- ✅ Extensive documentation and support
- ✅ Full test coverage and validation
🚀 Other Editions
Wazuh MCP Remote Server v3.0.0
For enterprise deployments requiring remote access, check out our Remote Server Edition:
- 🌐 Remote Access: HTTP/SSE transport for cloud and distributed environments
- 🔐 JWT Authentication: Enterprise-grade Bearer token authentication
- 🐳 Docker Native: Multi-platform container deployment
- 📊 Full Monitoring: Prometheus metrics, health checks, and observability
- ⚡ High Availability: Circuit breakers, retry logic, and load balancing ready
- 🏢 Enterprise Ready: Perfect for corporate and cloud deployments
Comparison
| Feature | v2.1.0 (STDIO) | v3.0.0 (Remote) |
|---|---|---|
| Transport | STDIO (local) | HTTP/SSE (remote) |
| Deployment | Source install | Docker containers |
| Authentication | Local integration | JWT Bearer tokens |
| Best For | Direct Claude Desktop | Enterprise/Cloud |
Made with ❤️ for the cybersecurity community