Wazuh MCP Server

# Wazuh MCP Server - Environment Configuration Template # ===================================================== # # Setup Instructions: # 1. Copy this file: cp .env.example .env (Linux/Mac) or copy .env.example .env (Windows) # 2. Replace placeholder values with your actual configuration # 3. Secure the file: chmod 600 .env (Linux/Mac) # 4. Never commit .env files to version control # # Production Security: # - Use strong, unique passwords # - Enable SSL verification for all connections # - Implement regular credential rotation # - Consider using enterprise secrets management systems # ===================================================== # ----------------------------------------------------- # WAZUH SERVER API CONFIGURATION (Required) # ----------------------------------------------------- # Your Wazuh manager connection details for Server API # Find these in your Wazuh deployment configuration # Wazuh Server API endpoint host (IP or domain) # Examples: 192.168.1.100, wazuh.company.com, localhost WAZUH_HOST=localhost # Wazuh Server API port (default: 55000) WAZUH_PORT=55000 # Wazuh Server API credentials # Create a dedicated API user with minimal required permissions # DO NOT use the default admin account in production # REQUIRED: Replace with your actual Wazuh credentials WAZUH_USER=your-wazuh-username WAZUH_PASS=your-secure-password # SSL/TLS verification - SECURE BY DEFAULT # 🔒 Security: Defaults to 'true' for production security (validates certificates) # ✅ Works with: Commercial CA-signed certificates, internal CA certificates # ⚠️ Development: Set to 'false' only for development with self-signed certificates # 📋 Note: Use WAZUH_ALLOW_SELF_SIGNED=true for self-signed certificates with verification # 🔄 CHANGED: Now defaults to 'true' for enhanced security VERIFY_SSL=true # Advanced SSL/TLS Configuration (Optional) # Custom CA bundle path for certificate verification # WAZUH_CA_BUNDLE_PATH=/path/to/ca-bundle.pem # Client certificate authentication (Optional) # WAZUH_CLIENT_CERT_PATH=/path/to/client.crt # WAZUH_CLIENT_KEY_PATH=/path/to/client.key # Allow self-signed certificates - ENABLED BY DEFAULT # ✅ Recommended: Leave as 'true' for maximum compatibility # 🚀 This allows connection to ANY Wazuh installation regardless of certificate type WAZUH_ALLOW_SELF_SIGNED=true # SSL connection timeout in seconds # WAZUH_SSL_TIMEOUT=30 # Wazuh API version (default: v4) # Check your Wazuh version: GET https://your-wazuh:55000/ WAZUH_API_VERSION=v4 # ----------------------------------------------------- # WAZUH INDEXER API CONFIGURATION (Required for 4.8.0+) # ----------------------------------------------------- # Wazuh Indexer (OpenSearch/Elasticsearch) settings # Required for alerts and vulnerabilities in Wazuh 4.8.0+ # Wazuh Indexer host (can be same as WAZUH_HOST) # If not set, will use WAZUH_HOST as fallback WAZUH_INDEXER_HOST=localhost # Wazuh Indexer port (default: 9200) WAZUH_INDEXER_PORT=9200 # Wazuh Indexer credentials (often same as dashboard login) # If not set, will use WAZUH_USER/WAZUH_PASS as fallback # REQUIRED: Replace with your actual Wazuh Indexer credentials WAZUH_INDEXER_USER=your-indexer-username WAZUH_INDEXER_PASS=your-indexer-password # Indexer SSL verification - SECURE BY DEFAULT # 🔒 Security: Inherits from VERIFY_SSL if not set (recommended) # ⚠️ Development: Set to 'false' only for development environments # WAZUH_INDEXER_VERIFY_SSL=true # Advanced SSL/TLS Configuration for Indexer (Optional) # Custom CA bundle path for indexer certificate verification # WAZUH_INDEXER_CA_BUNDLE_PATH=/path/to/indexer-ca-bundle.pem # Client certificate authentication for indexer (Optional) # WAZUH_INDEXER_CLIENT_CERT_PATH=/path/to/indexer-client.crt # WAZUH_INDEXER_CLIENT_KEY_PATH=/path/to/indexer-client.key # Allow self-signed certificates for indexer - ENABLED BY DEFAULT # ✅ Recommended: Leave as 'true' for maximum compatibility # 🚀 This allows connection to ANY Wazuh Indexer regardless of certificate type WAZUH_INDEXER_ALLOW_SELF_SIGNED=true # ----------------------------------------------------- # WAZUH VERSION & API BEHAVIOR # ----------------------------------------------------- # Wazuh version (auto-detected if not set) # Examples: 4.7.2, 4.8.0, 4.9.0 # WAZUH_VERSION=4.8.0 # Use Indexer API for alerts (default: true for 4.8.0+) USE_INDEXER_FOR_ALERTS=true # Use Indexer API for vulnerabilities (default: true for 4.8.0+) USE_INDEXER_FOR_VULNERABILITIES=true # ----------------------------------------------------- # EXTERNAL API KEYS (Optional but Recommended) # ----------------------------------------------------- # These enable threat intelligence lookups # Leave empty to disable external lookups # VirusTotal API Key # Get free key: https://www.virustotal.com/gui/my-apikey # Usage: File hash reputation, malware detection # Rate limit: 4 requests/minute (free tier) VIRUSTOTAL_API_KEY= # Shodan API Key # Get key: https://account.shodan.io/ # Usage: IP reconnaissance, exposure assessment # Rate limit: 1 request/second SHODAN_API_KEY= # AbuseIPDB API Key # Get free key: https://www.abuseipdb.com/api # Usage: IP reputation, abuse reports # Rate limit: 1000 requests/day (free tier) ABUSEIPDB_API_KEY= # ----------------------------------------------------- # SERVER CONFIGURATION # ----------------------------------------------------- # Debug mode (set to false in production) # Enables verbose logging to stderr DEBUG=false # Logging level (DEBUG, INFO, WARNING, ERROR) LOG_LEVEL=INFO # ----------------------------------------------------- # PERFORMANCE SETTINGS # ----------------------------------------------------- # Maximum alerts to retrieve per query # Higher values = more memory usage MAX_ALERTS_PER_QUERY=1000 # Maximum agents to scan for vulnerabilities # Limits concurrent API calls MAX_AGENTS_PER_SCAN=10 # Cache TTL in seconds (5 minutes default) # Reduces API calls for repeated queries CACHE_TTL_SECONDS=300 # API request timeout in seconds REQUEST_TIMEOUT_SECONDS=30 # Maximum concurrent API connections MAX_CONNECTIONS=10 # Connection pool size POOL_SIZE=5 # ----------------------------------------------------- # FEATURE FLAGS # ----------------------------------------------------- # Enable/disable specific features # Use external threat intelligence APIs ENABLE_EXTERNAL_INTEL=true # Enable ML-based analysis features ENABLE_ML_ANALYSIS=true # Enable compliance checking features ENABLE_COMPLIANCE_CHECKING=true # Enable experimental features ENABLE_EXPERIMENTAL=false # ----------------------------------------------------- # DOCKER CONFIGURATION (when using Docker) # ----------------------------------------------------- # User ID for container (security best practice) # PUID=1000 # PGID=1000 # Timezone for log timestamps # TZ=America/New_York # ----------------------------------------------------- # ADVANCED CONFIGURATION # ----------------------------------------------------- # Custom Wazuh API endpoints (leave empty for defaults) # WAZUH_ALERTS_ENDPOINT=/alerts # WAZUH_AGENTS_ENDPOINT=/agents # Proxy configuration (if behind corporate proxy) # HTTP_PROXY=http://proxy.company.com:8080 # HTTPS_PROXY=http://proxy.company.com:8080 # NO_PROXY=localhost,127.0.0.1 # Custom CA certificate path (for SSL verification) # CA_CERT_PATH=/path/to/ca-cert.pem # Rate limiting (requests per minute) # RATE_LIMIT_PER_MINUTE=60 # ----------------------------------------------------- # MONITORING & ALERTING (Future Features) # ----------------------------------------------------- # Webhook for critical alerts # WEBHOOK_URL=https://hooks.slack.com/services/xxx/yyy/zzz # Email notifications # SMTP_HOST=smtp.gmail.com # SMTP_PORT=587 # SMTP_USER=alerts@company.com # SMTP_PASS=smtp-password # ALERT_EMAIL=security-team@company.com # ===================================================== # NOTES: # ===================================================== # # 1. Environment Variable Priority: # - System environment variables override .env file # - .env file overrides defaults in code # - Docker Compose env overrides .env file # # 2. Validation: # - Run: python scripts/test_connection.py # - This will verify your configuration # # 3. Troubleshooting: # - Enable DEBUG=true for detailed logs # - Check logs: docker-compose logs (if using Docker) # - Verify network connectivity to Wazuh # # 4. Security Checklist: # [ ] Changed default passwords # [ ] SSL configured (verification disabled by default for compatibility) # [ ] Set appropriate file permissions # [ ] Using dedicated API user (not admin) # [ ] API keys are kept secret # [ ] Regular credential rotation planned # # 5. SSL Configuration Notes: # 🔒 By default, SSL verification is ENABLED for security (CHANGED) # ✅ Self-signed certificates are ALLOWED by default # 🚀 This means the MCP server will work with ANY Wazuh installation # ⚠️ For development: Disable SSL verification if using invalid certificates # 📝 Use proper CA-signed certificates for production # # =====================================================