ossec-mcp
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| MCP_HOST | No | SSE bind address (SSE transport only) | 127.0.0.1 |
| MCP_PORT | No | SSE port (SSE transport only) | 8000 |
| LOG_LEVEL | No | Logging level (DEBUG, INFO, WARNING, ERROR) | INFO |
| MAX_ALERTS | No | Maximum alerts returned per query | 500 |
| OSSEC_MODE | No | local (CLI tools + filesystem) or api (REST API) | local |
| OSSEC_PATH | No | OSSEC installation root directory | /var/ossec |
| MCP_TRANSPORT | No | MCP transport: stdio or sse | stdio |
| OSSEC_API_HOST | No | API hostname (API mode only) | localhost |
| OSSEC_API_PORT | No | API port (API mode only) | 55000 |
| OSSEC_API_USER | No | API username (API mode only) | admin |
| MIN_ALERT_LEVEL | No | Default minimum alert level filter | 1 |
| OSSEC_API_PASSWORD | No | API password (API mode only) | |
| OSSEC_API_SSL_VERIFY | No | Verify TLS certificates for API connections | true |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {
"listChanged": false
} |
| prompts | {
"listChanged": false
} |
| resources | {
"subscribe": false,
"listChanged": false
} |
| experimental | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| get_alertsA | Retrieve recent OSSEC security alerts with optional filtering. Args: limit: Maximum number of alerts to return (default: 50, max: 500). level_min: Minimum alert severity level (0-16). Level 0 = ignored, 3 = successful events, 5 = user errors, 7 = bad words, 10 = multiple failures, 12 = high importance, 15 = severe. level_max: Maximum alert severity level (0-16). group: Filter by rule group (e.g., 'syslog', 'sshd', 'authentication_failed'). search: Free-text search across alert content. time_range: Time range filter. Examples: '1h' (last hour), '24h' (last day), '7d' (last week), '30m' (last 30 minutes). Returns: JSON array of alert objects containing timestamp, rule info, agent details, etc. |
| get_alert_summaryA | Get a summary of OSSEC alerts over a time period. Provides counts grouped by severity level, rule group, and top triggered rules. Args: time_range: Time range to summarize. Examples: '1h', '24h', '7d'. Default: '24h'. Returns: JSON summary with alert counts by level, group, and top rules. |
| search_alertsA | Search OSSEC alerts using a free-text query. Searches across all alert fields including rule descriptions, source IPs, agent names, log content, and more. Args: query: Search string to match across alert content. limit: Maximum number of matching alerts to return (default: 50). time_range: Optional time range filter (e.g., '1h', '24h', '7d'). Returns: JSON array of matching alert objects. |
| list_agentsA | List all OSSEC agents managed by this server. Retrieves the full list of agents including their ID, name, IP address, and status information. Args: status: Optional filter by agent status. Valid values: 'active', 'disconnected', 'never_connected', 'pending'. If not specified, returns all agents. Returns: JSON array of agent objects with id, name, ip, and status. |
| get_agent_infoA | Get detailed information about a specific OSSEC agent. Retrieves comprehensive details including agent name, IP, OS info, last keep-alive time, group membership, and current status. Args: agent_id: The agent ID (e.g., '001', '002'). Use '000' for the manager. Returns: JSON object with detailed agent information. |
| add_agentA | Add a new agent to the OSSEC manager. Registers a new agent with the specified name and IP address. The agent will need to be authenticated and configured to connect. Args: name: Unique name for the new agent (e.g., 'webserver-01'). ip: IP address of the agent (e.g., '10.0.0.10'). Use 'any' for dynamic IPs. Returns: JSON object with the result including the new agent's ID and key. |
| remove_agentA | Remove an agent from the OSSEC manager. Permanently removes the agent registration. The agent will no longer be able to connect to the manager. Args: agent_id: The agent ID to remove (e.g., '001'). Returns: JSON object indicating success or failure. |
| restart_agentA | Restart a specific OSSEC agent. Sends a restart command to the agent, causing it to reload its configuration and reconnect. Args: agent_id: The agent ID to restart (e.g., '001'). Returns: JSON object indicating success or failure. |
| get_rulesA | Search and retrieve OSSEC detection rules. OSSEC rules define what events trigger alerts. Each rule has an ID, severity level, group classification, and matching criteria. Args: rule_id: Filter by specific rule ID (e.g., '5710' for SSH brute force). level_min: Minimum rule level (0-16). level_max: Maximum rule level (0-16). group: Filter by rule group (e.g., 'sshd', 'web', 'syslog', 'authentication_failed'). search: Free-text search in rule descriptions. filename: Filter by rule file name (e.g., 'sshd_rules.xml'). Returns: JSON array of rule objects with id, level, description, groups, and match criteria. |
| get_rule_detailsA | Get the full details of a specific OSSEC rule by its ID. Returns the complete rule definition including all matching criteria, parent rules, frequency settings, and associated group. Args: rule_id: The rule ID to look up (e.g., '5710'). Returns: JSON object with the complete rule definition. |
| list_rule_filesA | List all OSSEC rule files. Returns the file names of all rule XML files, which can be used to inspect or filter rules by file. Returns: JSON array of rule file information including filename and path. |
| get_decodersA | Search and retrieve OSSEC log decoders. Decoders are used to parse and normalize log data before it is evaluated against rules. They extract fields like source IP, username, program name, etc. Args: search: Free-text search in decoder names. filename: Filter by decoder file name (e.g., 'local_decoder.xml'). Returns: JSON array of decoder objects with name, parent, fields extracted, etc. |
| get_syscheck_resultsA | Get File Integrity Monitoring (FIM) results for an agent. Syscheck monitors files and directories for changes. It detects modifications to file content, permissions, ownership, and attributes. Args: agent_id: Agent ID to query (default: '000' for the manager). file: Optional specific file path to check (e.g., '/etc/passwd'). Returns: JSON object with syscheck results including changed files and their details. |
| run_syscheck_scanA | Trigger a File Integrity Monitoring scan on an agent. Initiates a new syscheck scan that will check all monitored files and directories for changes since the last scan. Args: agent_id: Agent ID to scan (default: '000' for the manager). Returns: JSON object indicating whether the scan was triggered successfully. |
| clear_syscheck_databaseA | Clear the syscheck database for an agent. Removes all stored file integrity data. The next scan will create a new baseline. Args: agent_id: Agent ID whose database to clear (default: '000' for the manager). Returns: JSON object indicating success or failure. |
| get_rootcheck_resultsA | Get rootcheck results for an agent. Rootcheck performs system auditing, checking for rootkits, trojans, hidden processes, suspicious files, and system anomalies. Args: agent_id: Agent ID to query (default: '000' for the manager). Returns: JSON object with rootcheck findings. |
| run_rootcheck_scanA | Trigger a rootcheck scan on an agent. Initiates a new rootcheck scan that will check for rootkits, trojans, and other security issues. Args: agent_id: Agent ID to scan (default: '000' for the manager). Returns: JSON object indicating whether the scan was triggered successfully. |
| get_ossec_statusA | Get the current status of all OSSEC services. Checks whether each OSSEC daemon is running or stopped, including: ossec-analysisd, ossec-remoted, ossec-syscheckd, ossec-logcollector, ossec-maild, ossec-execd, and ossec-monitord. Returns: JSON object with service status, running count, and overall state. |
| restart_ossecA | Restart all OSSEC services. Stops and restarts all OSSEC daemons. Use this after making configuration changes to apply them. Returns: JSON object indicating success or failure with service output. |
| get_ossec_logsA | Get OSSEC internal logs (ossec.log). Retrieves the latest entries from OSSEC's own log file, useful for troubleshooting and monitoring OSSEC's operation. Args: lines: Number of log lines to retrieve (default: 100). category: Optional filter by log category (e.g., 'ossec-analysisd', 'ossec-remoted', 'error', 'warning'). Returns: JSON array of log lines. |
| get_ossec_statsA | Get OSSEC processing statistics. Retrieves statistics about events analyzed, alerts generated, firewall events, and other metrics. Args: date: Optional date filter (YYYY-MM-DD format). Default: current day. Returns: JSON object with statistical data. |
| get_ossec_configurationA | Read the OSSEC configuration (ossec.conf). Retrieves the parsed configuration. Can return the full config or a specific section. Args: section: Optional configuration section to retrieve. Common sections: 'global', 'alerts', 'syscheck', 'rootcheck', 'localfile', 'remote', 'rules', 'command', 'active-response', 'syslog_output'. If not specified, returns the full configuration. Returns: JSON object with the parsed configuration. |
| get_ossec_configuration_rawA | Get the raw OSSEC configuration file content. Returns the complete ossec.conf file as plain text, preserving all XML formatting and comments. Returns: The raw content of ossec.conf. |
| run_logtestA | Test a log line against OSSEC rules and decoders. Runs a log line through OSSEC's analysis engine to see how it would be decoded, which rules it matches, and what alert level it would generate. Extremely useful for debugging rules and decoders. Args: log_line: The log line to test (e.g., a syslog line, auth.log entry, etc.). verbose: If True, include verbose rule matching details. Returns: JSON object with decoding results, matched rules, and alert info. Example log lines to test: - 'Mar 12 10:00:00 server sshd[1234]: Failed password for root from 10.0.0.1 port 22' - 'Mar 12 10:00:00 server sudo: user1 : TTY=pts/0 ; PWD=/home ; COMMAND=/bin/su -' |
| get_active_responsesA | Get configured active response rules. Active responses are automated actions OSSEC can take when specific alerts trigger, such as blocking an IP, restarting a service, or running a custom script. Returns: JSON array of active response configurations including command, location, rules_id, and timeout. |
| run_active_responseA | Execute an active response command on an agent. Triggers a configured active response action on a specific agent. Common commands include firewall-drop, host-deny, disable-account, etc. ⚠️ WARNING: This performs real actions on the agent! Ensure you understand the command's effect before executing. Args: agent_id: Target agent ID (e.g., '001'). Use '000' for the manager. command: Active response command name (e.g., 'firewall-drop', 'host-deny', 'restart-ossec', 'disable-account'). arguments: Optional space-separated arguments (e.g., IP to block: '10.0.0.5'). Returns: JSON object indicating success or failure. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| analyze_alerts | Analyze recent OSSEC security alerts. Guides the AI to retrieve and analyze recent alerts, identifying patterns, threats, and recommended actions. Args: time_range: Time period to analyze (e.g., '1h', '24h', '7d'). min_level: Minimum alert level to focus on (0-16). |
| investigate_agent | Investigate a specific OSSEC agent's security posture. Performs a deep-dive investigation of an agent including its status, alerts, file integrity, and rootcheck results. Args: agent_id: The agent ID to investigate (e.g., '001'). |
| security_audit | Run a comprehensive OSSEC security audit. Guides the AI through a full audit of the OSSEC deployment including service health, configuration review, alert analysis, and agent status. |
| incident_response | Guide an incident response workflow for an OSSEC alert. Walks through structured incident response steps for investigating and responding to a security incident detected by OSSEC. Args: alert_id: Optional specific alert/rule ID that triggered the incident. description: Optional description of the incident being investigated. |
| tune_rules | Help tune OSSEC rules to reduce false positives. Analyzes alert patterns and suggests rule tuning to improve signal-to-noise ratio. Args: rule_group: Optional rule group to focus on (e.g., 'sshd', 'web', 'syslog'). |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| ossec_status | Current OSSEC service status and health information. |
| recent_alerts | Most recent 50 OSSEC security alerts. |
| critical_alerts | Recent critical alerts (level 12+) from the last 24 hours. |
| agents_list | Complete list of all OSSEC agents. |
| main_configuration | Current OSSEC configuration (ossec.conf) as parsed JSON. |
| raw_configuration | Raw OSSEC configuration file (ossec.conf) as XML text. |
| rules_summary | Summary of all loaded OSSEC rule files. |
| recent_logs | Last 100 lines of OSSEC internal logs (ossec.log). |
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/president-xd/ossec-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server