Integrations
Provides configuration of OpenSearch connection details through environment variables stored in a .env file.
Allows running the server directly from GitHub using npx without cloning the repository, with options to specify branches or commits.
Serves as the runtime environment for the MCP server, requiring version 16 or higher.
OpenSearch MCP Server
A Model Context Protocol (MCP) server for querying and analyzing Wazuh security logs stored in OpenSearch.
Features
- Search for security alerts with advanced filtering
- Get detailed information about specific alerts
- Generate statistics on security events
- Visualize alert trends over time
- Progress reporting for long-running operations
- Structured error handling
Prerequisites
- Node.js v16 or higher
- Access to an OpenSearch instance containing Wazuh security logs
Installation
Option 1: Use with npx directly from GitHub (recommended)
You can run this tool directly using npx without cloning the repository:
Option 2: Local Installation
- Clone this repository:
- Install dependencies:
- Configure your environment variables:
- Edit the
.env
file with your OpenSearch connection details:
Running the Server
Start the server:
This will start the server in stdio mode.
Enable debug logging:
Test with MCP CLI:
This runs the server with the FastMCP CLI tool for interactive testing.
Test with MCP Inspector:
This starts the server and connects it to the MCP Inspector for visual debugging.
Server Tools
The server provides the following tools:
1. Search Alerts
Search for security alerts in Wazuh data.
Parameters:
query
: The search query texttimeRange
: Time range (e.g., 1h, 24h, 7d)maxResults
: Maximum number of results to returnindex
: Index pattern to search
2. Get Alert Details
Get detailed information about a specific alert by ID.
Parameters:
id
: The alert IDindex
: Index pattern
3. Alert Statistics
Get statistics about security alerts.
Parameters:
timeRange
: Time range (e.g., 1h, 24h, 7d)field
: Field to aggregate by (e.g., rule.level, agent.name)index
: Index pattern
4. Visualize Alert Trend
Visualize alert trends over time.
Parameters:
timeRange
: Time range (e.g., 1h, 24h, 7d)interval
: Time interval for grouping (e.g., 1h, 1d)query
: Query to filter alertsindex
: Index pattern
Example Usage
Using the MCP CLI tool:
Using with a Client
To use this MCP server with a client implementation:
License
MIT
This server cannot be installed
remote-capable server
The server can be hosted and run remotely because it primarily relies on remote services or has no dependency on the local environment.
A Model Context Protocol server that enables querying and analyzing Wazuh security logs stored in OpenSearch, with features for searching alerts, getting detailed information, generating statistics, and visualizing trends.
Related MCP Servers
- AsecurityAlicenseAqualityA Model Context Protocol server that provides DuckDuckGo search functionality for Claude, enabling web search capabilities through a clean tool interface with rate limiting support.Last updated -16015TypeScriptMIT License
- -securityAlicense-quality"primitive" RAG-like web search model context protocol server that runs locally. ✨ no APIs ✨Last updated -24PythonMIT License
- -securityAlicense-qualitySecurely integrates Wazuh security data with LLMs (such as Claude Desktop) by retrieving alerts from Elasticsearch indices and transforming them into MCP-compliant format, enabling real-time security context in LLM applications.Last updated -5PythonMIT License
- -securityFlicense-qualityA Model Context Protocol server that integrates with Brave Search API to provide real-time search capabilities through Server-Sent Events (SSE).Last updated -TypeScript