Which integrations are available for this server?

Allows searching logs using Lucene syntax and listing log fields within a Graylog instance. Enables querying time-series data using Flux syntax against allowed buckets in InfluxDB 2.x. Provides tools for executing instant and range PromQL queries and listing available metrics from a Prometheus monitoring server.

How do I use Overwatch MCP?

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@Overwatch MCP show me any ERROR logs from the api service in the last 15 minutes" That's it! The server will respond to your query, and you can continue using it as needed. Here is a step-by-step guide with screenshots.

Overwatch MCP

Python 3.11+ License: MIT Docker

MCP server for querying Graylog, Prometheus, and InfluxDB 2.x from Claude Desktop.

Tools

Tool	What it does
`graylog_search`	Search logs (Lucene syntax)
`graylog_fields`	List log fields
`prometheus_query`	Instant PromQL query
`prometheus_query_range`	Range PromQL query
`prometheus_metrics`	List metrics
`influxdb_query`	Flux query (bucket allowlisted)

Quick Start

Docker

# Get the example config mkdir -p config curl -o config/config.yaml https://raw.githubusercontent.com/ftsgps/overwatch-mcp/main/config/config.example.yaml # Create .env cat > .env << 'EOF' GRAYLOG_URL=https://graylog.internal:9000/api GRAYLOG_TOKEN=your-token PROMETHEUS_URL=http://prometheus.internal:9090 INFLUXDB_URL=https://influxdb.internal:8086 INFLUXDB_TOKEN=your-token INFLUXDB_ORG=your-org EOF # Run docker run --rm -v "${PWD}/config:/app/config:ro" --env-file .env ghcr.io/ftsgps/overwatch-mcp:latest

Local Install

pip install -e . cp .env.example .env cp config/config.example.yaml config/config.yaml # Edit both files with your values python -m overwatch_mcp

Claude Desktop Config

Docker

~/.claude/config.json (Linux/Mac) or %APPDATA%\Claude\config.json (Windows):

{ "mcpServers": { "overwatch": { "command": "docker", "args": [ "run", "--rm", "-i", "-v", "/path/to/config:/app/config:ro", "--env-file", "/path/to/.env", "ghcr.io/ftsgps/overwatch-mcp:latest" ] } } }

Local Python

{ "mcpServers": { "overwatch": { "command": "python", "args": ["-m", "overwatch_mcp"], "env": { "GRAYLOG_URL": "https://graylog.internal:9000/api", "GRAYLOG_TOKEN": "your-token", "PROMETHEUS_URL": "http://prometheus.internal:9090", "INFLUXDB_URL": "https://influxdb.internal:8086", "INFLUXDB_TOKEN": "your-token", "INFLUXDB_ORG": "your-org" } } } }

Configuration

config.yaml

The config uses ${ENV_VAR} substitution - values come from environment at runtime.

server: log_level: "info" datasources: graylog: enabled: true url: "${GRAYLOG_URL}" token: "${GRAYLOG_TOKEN}" timeout_seconds: 30 max_time_range_hours: 24 max_results: 1000 prometheus: enabled: true url: "${PROMETHEUS_URL}" timeout_seconds: 30 max_range_hours: 168 influxdb: enabled: true url: "${INFLUXDB_URL}" token: "${INFLUXDB_TOKEN}" org: "${INFLUXDB_ORG}" timeout_seconds: 60 allowed_buckets: - "telegraf" - "app_metrics" cache: enabled: true default_ttl_seconds: 60

Disable a datasource by setting enabled: false. Server runs in degraded mode if some datasources fail health checks.

Tool Parameters

graylog_search

{ "query": "level:ERROR AND service:api", "from_time": "-2h", "to_time": "now", "limit": 100, "fields": ["timestamp", "message", "level"] }

Time formats: ISO8601 (2025-01-27T10:00:00Z), relative (-1h, -30m), now

graylog_fields

{ "pattern": "http_.*", "limit": 100 }

prometheus_query

{ "query": "rate(http_requests_total[5m])", "time": "-1h" }

prometheus_query_range

{ "query": "up", "start": "-6h", "end": "now", "step": "1m" }

Step auto-calculated if omitted.

prometheus_metrics

{ "pattern": "http_.*", "limit": 100 }

influxdb_query

{ "query": "from(bucket: \"telegraf\") |> range(start: -1h) |> filter(fn: (r) => r._measurement == \"cpu\")", "bucket": "telegraf" }

Bucket must be in allowed_buckets config.

Error Codes

Code	Meaning
`DATASOURCE_DISABLED`	Datasource disabled in config
`DATASOURCE_UNAVAILABLE`	Failed health check
`INVALID_QUERY`	Bad query syntax
`INVALID_PATTERN`	Bad regex
`TIME_RANGE_EXCEEDED`	Range exceeds max
`BUCKET_NOT_ALLOWED`	Bucket not in allowlist
`UPSTREAM_TIMEOUT`	Request timed out
`UPSTREAM_CLIENT_ERROR`	4xx from datasource
`UPSTREAM_SERVER_ERROR`	5xx from datasource

Development

# Install with dev deps pip install -e ".[dev]" # Tests pytest tests/ -v # Coverage pytest tests/ -v --cov=overwatch_mcp

Project Structure

src/overwatch_mcp/ ├── __main__.py # Entry point ├── server.py # MCP server ├── config.py # Config loader ├── cache.py # TTL cache ├── clients/ # HTTP clients (graylog, prometheus, influxdb) ├── tools/ # MCP tool implementations └── models/ # Pydantic models

127 tests (89 unit, 38 integration).

Troubleshooting

Server won't start: Check config/config.yaml exists and env vars are set.

Datasource unavailable: Verify URL, check token permissions. Server continues with available datasources.

Query errors: Check syntax (Lucene/PromQL/Flux), verify time range within limits, ensure bucket is allowlisted for InfluxDB.

License

MIT

Overwatch MCP

Overwatch MCP

Tools

Quick Start

Docker

Local Install

Claude Desktop Config

Docker

Local Python

Configuration

config.yaml

Tool Parameters

graylog_search

graylog_fields

prometheus_query

prometheus_query_range

prometheus_metrics

influxdb_query

Error Codes

Development

Project Structure

Troubleshooting

License

Resources

New MCP Servers

Latest Blog Posts

MCP directory API