Tenzir MCP Server

Official
by tenzir

Server Configuration

Describes the environment variables required to run the server.

Name | Required | Description | Default

No arguments

Capabilities

Server capabilities have not been inspected yet.

Tools

Functions exposed to the LLM to take actions

Name | Description

make_ocsf_mapping

Add OCSF mapping to a TQL parsing pipeline.

Use this tool when:

  • You need to map security logs to the OCSF standard

  • You're normalizing data from multiple sources into a common schema

  • You want to make your data compatible with OCSF-aware tools

  • You need guidance on OCSF class selection and field mapping

Follow the workflow instructions provided in the response.

make_parser

Generate a TQL parser for the given log format.

Use this tool when:

  • You have sample log events and need to parse them into structured data

  • You're starting a new parser for JSON, CSV, syslog, or key-value logs

  • You want guidance on format detection and TQL operator selection

  • You need to infer types and create proper schema transformations

This tool provides a complete workflow with step-by-step instructions for:

  1. Analyzing log format and structure

  2. Selecting appropriate TQL operators

  3. Generating parsing code with type conversions

  4. Creating a package with the parser

  5. Testing the parser with sample data

Follow the workflow instructions provided in the response.

docs_read

Read documentation content from the embedded Tenzir documentation.

Use this tool to:

  • Read operator documentation BEFORE using any TQL operator

  • Read function documentation BEFORE using any TQL function

  • Study tutorials and guides for learning workflows

docs_search

Search documentation by keyword or retrieve specific paths with 'See Also' expansion.

Use this tool to:

  • Find operators or functions by keyword or query phrase

  • Discover related documentation through 'See Also' links (depth > 0)

  • Explore specific documentation areas (search_type filter)

  • Learn about unfamiliar concepts or workflows

The depth parameter traverses cross-references, helping you discover operators and functions you might not have known about.

run_pipeline

Execute a TQL pipeline through the local tenzir binary.

Use this tool to:

  • Test TQL code before adding it to a package

  • Debug pipeline behavior with sample data

  • Verify operator syntax and semantics

  • Iterate quickly on pipeline development

The pipeline runs with diagnostics enabled, providing detailed error messages and warnings to help troubleshoot issues.

run_test

Run tests for TQL pipelines using the tenzir-test framework.

Use this tool to:

  • Verify package operators work correctly

  • Run regression tests after making changes

  • Generate test baselines (with update=True)

  • Debug failing tests (with passthrough=True)

Tests can include fixtures like embedded Tenzir nodes for integration testing. The selection parameter accepts files, directories, or an empty list for all tests.

ocsf_get_class

Get the complete definition of a specific OCSF event class including all fields and metadata.

Use this tool to:

  • Understand the full schema of an OCSF event class before mapping

  • See required vs optional fields

  • Discover nested object structures and their field definitions

  • Validate that your source data can map to the class

This returns the complete class definition including all attributes, types, and constraints needed to create accurate OCSF mappings.

ocsf_get_classes

Get all OCSF event classes and their descriptions for a specific schema version.

Use this tool to:

  • Browse available OCSF event classes before creating a mapping

  • Identify which class best matches your log data

  • Understand the purpose and scope of each event class

Once you identify a candidate class, use ocsf_get_class to see its complete schema with all fields and attributes.

ocsf_get_versions

List all bundled OCSF schema versions.

Use this tool to:

  • See which OCSF schema versions are available

  • Choose a specific version for your mapping work

  • Understand schema evolution across versions

Typically you'll want to use ocsf_get_latest_version instead to get the most recent stable version automatically.

ocsf_get_latest_version

Return the latest stable OCSF schema version.

Use this tool to:

  • Get the current recommended OCSF version for new mappings

  • Ensure you're using up-to-date schema definitions

  • Start OCSF mapping workflows with the latest standard

This filters out development versions (alpha, beta, rc) and returns only stable releases.

ocsf_get_object

Get the complete definition of an OCSF object type including all fields and metadata.

Use this tool to:

  • Understand complex nested object structures in OCSF classes

  • See the fields and types within objects like 'file', 'process', 'user'

  • Map source data to nested OCSF structures correctly

  • Reference when constructing TQL operators for OCSF mapping

Objects are reusable components within OCSF event classes, defining standard structures like endpoints, files, processes, etc.

package_add_changelog

Add a changelog entry to a package.

Use this tool to:

  • Document changes to your package

  • Track breaking changes, new features, bug fixes, and general changes

  • Maintain a history of package evolution

  • Communicate updates to package users

Changelog entries are timestamped and categorized. They help users understand what changed between package versions.

package_add_operator

Add a user-defined operator (UDO) to a package.

Use this tool to:

  • Add custom TQL operators to your package

  • Organize operators using nested namespaces (e.g., 'ocsf::logs::firewall')

  • Create parsers, transformations, or OCSF mappings as reusable operators

  • Automatically generate test scaffolds for new operators

Operators become available as package_id::operator_name in TQL pipelines after the package is installed.

package_add_test

Add a test to a package.

Use this tool to:

  • Create test cases for your operators

  • Define expected behavior with input/output pairs

  • Set up integration tests with fixtures (e.g., embedded Tenzir nodes)

  • Generate test scaffolds to be populated later with run_test

Tests use the tenzir-test framework. Provide input/output when known, or omit output and use the run_test tool with update=True to generate baselines from actual execution.

package_create

Create a new Tenzir package scaffold.

Use this tool to:

  • Start a new Tenzir package project

  • Set up the standard directory structure for operators, tests, and documentation

  • Initialize package metadata (ID, name, author, description)

This creates the foundation for building custom TQL operators, parsers, and OCSF mappings. After creation, use package_add_operator to add functionality and package_add_test to add tests.

Prompts

Interactive templates invoked by user choice

Name | Description

No prompts

Resources

Contextual data attached and managed by the client

Name | Description

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/tenzir/mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.