What can you do with this server?

The wazuh-mcp server integrates with Wazuh SIEM/XDR to provide AI agents with tools, resources, and prompts for querying and managing security data. Agent Management * list_agents – List agents with optional status filtering (active, disconnected, never_connected, pending), sorting, and pagination * get_agent – Retrieve detailed information for a specific agent by ID * get_agent_stats – Get system statistics (CPU, memory, disk) for a specific agent Security Alerts (requires a configured Wazuh Indexer/OpenSearch) * get_alerts – Retrieve recent alerts with filters for severity, agent ID, rule ID, and text search * get_alert – Fetch a single alert by ID * search_alerts – Full-text search across all alerts with optional severity and agent filters Detection Rules * list_rules – List rules with optional filtering by severity level and group * get_rule – Get full rule details including compliance mappings (MITRE ATT\&CK, PCI-DSS, GDPR, HIPAA, NIST 800-53) * search_rules – Search rules by description text Decoders & System Info * list_decoders – List available log decoders with optional name filtering * get_wazuh_version – Retrieve Wazuh manager version and API information Pre-built Resources * Aggregated views of all registered agents, the 25 most recent security alerts, and detection rules sorted by severity Prompt Templates * Guided workflows for alert investigation (with MITRE mapping and remediation), agent health checks, and a full security overview with compliance coverage Additional Features * Pagination support (limit/offset) on all list endpoints (1–100 items per request) * Automatic JWT token management with refresh on expiry * Full compliance mapping for PCI-DSS, GDPR, HIPAA, NIST 800-53, and MITRE ATT\&CK

Which integrations are available for this server?

Integrates with the Wazuh Indexer (OpenSearch) to provide tools for retrieving, searching, and filtering security alerts across the platform.

How do I use wazuh-mcp?

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@wazuh-mcp Investigate the most recent high-severity alert for agent 001" That's it! The server will respond to your query, and you can continue using it as needed. Here is a step-by-step guide with screenshots.

de en es ja ko ru zh

wazuh-mcp

by solomonneas

Overview Schema Related Servers Score Discussions

TypeScript

Remote

A Model Context Protocol (MCP) server for the Wazuh SIEM/XDR platform. Query agents, security alerts, detection rules, and decoders directly from Claude or any MCP-compatible client.

Features

25 MCP Tools - Agents, alerts, rules, decoders, SCA, syscollector, FIM, rootcheck, groups, and manager
3 MCP Resources - Pre-built views for agents, recent alerts, and rule summaries
3 MCP Prompts - Alert investigation, agent health checks, and security overviews
JWT Authentication - Automatic token management with refresh on expiry
Full Compliance Mapping - PCI-DSS, GDPR, HIPAA, NIST 800-53, MITRE ATT&CK
Pagination - All list endpoints support limit/offset pagination
Type-Safe - Full TypeScript with strict mode and Zod schema validation

Prerequisites

Node.js 20+

A running Wazuh manager with API access (default port 55000)
Wazuh API credentials (username/password)
(Optional) Wazuh Indexer (OpenSearch) access for alert queries

Installation

git clone https://github.com/solomonneas/wazuh-mcp.git
cd wazuh-mcp
npm install
npm run build

Configuration

Set the following environment variables:

Variable

Required

Default

Description

| WAZUH_URL | Yes | - | Wazuh API URL (e.g., https://10.0.0.2:55000) | | WAZUH_USERNAME | Yes | - | API username | | WAZUH_PASSWORD | Yes | - | API password | | WAZUH_VERIFY_SSL | No | false | Set to true to verify SSL certificates |

Alternative variable names WAZUH_BASE_URL and WAZUH_USER are also supported.

Wazuh Indexer (OpenSearch) - Required for Alerts

Wazuh 4.x stores alerts in the Wazuh Indexer (OpenSearch), not the REST API. To enable alert tools (get_alerts, get_alert, search_alerts) and the wazuh://alerts/recent resource, configure the indexer connection:

Variable

Required

Default

Description

If WAZUH_INDEXER_URL is not set, alert tools will return a helpful configuration message. All other tools (agents, rules, decoders, version) work without the indexer.

Usage

Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "wazuh": {
      "command": "wazuh-mcp",
      "env": {
        "WAZUH_URL": "https://your-wazuh-manager:55000",
        "WAZUH_USERNAME": "wazuh-wui",
        "WAZUH_PASSWORD": "your-password",
        "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
        "WAZUH_INDEXER_USERNAME": "admin",
        "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
      }
    }
  }
}

Claude Code

claude mcp add wazuh \
  --env WAZUH_URL=https://your-wazuh-manager:55000 \
  --env WAZUH_USERNAME=wazuh-wui \
  --env WAZUH_PASSWORD=your-password \
  --env WAZUH_INDEXER_URL=https://your-wazuh-indexer:9200 \
  --env WAZUH_INDEXER_USERNAME=admin \
  --env WAZUH_INDEXER_PASSWORD=your-indexer-password \
  -- wazuh-mcp

Add --scope user to make it available from any directory instead of only the current project.

OpenClaw

If you're running from a source checkout instead of the npm-installed binary, point command/args at the built dist/index.js:

openclaw mcp set wazuh '{
  "command": "node",
  "args": ["/absolute/path/to/wazuh-mcp/dist/index.js"],
  "env": {
    "WAZUH_URL": "https://your-wazuh-manager:55000",
    "WAZUH_USERNAME": "wazuh-wui",
    "WAZUH_PASSWORD": "your-password",
    "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
    "WAZUH_INDEXER_USERNAME": "admin",
    "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
  }
}'

Or, with the global npm install:

openclaw mcp set wazuh '{
  "command": "wazuh-mcp",
  "env": {
    "WAZUH_URL": "https://your-wazuh-manager:55000",
    "WAZUH_USERNAME": "wazuh-wui",
    "WAZUH_PASSWORD": "your-password",
    "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
    "WAZUH_INDEXER_USERNAME": "admin",
    "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
  }
}'

Then restart the OpenClaw gateway so the new server is picked up:

systemctl --user restart openclaw-gateway
openclaw mcp list   # confirm "wazuh" is registered

Hermes Agent

Hermes Agent reads MCP config from ~/.hermes/config.yaml under the mcp_servers key. Add an entry:

mcp_servers:
  wazuh:
    command: "wazuh-mcp"
    env:
      WAZUH_URL: "https://your-wazuh-manager:55000"
      WAZUH_USERNAME: "wazuh-wui"
      WAZUH_PASSWORD: "your-password"
      WAZUH_INDEXER_URL: "https://your-wazuh-indexer:9200"
      WAZUH_INDEXER_USERNAME: "admin"
      WAZUH_INDEXER_PASSWORD: "your-indexer-password"

Or, when running from a source checkout instead of the global npm install:

mcp_servers:
  wazuh:
    command: "node"
    args: ["/absolute/path/to/wazuh-mcp/dist/index.js"]
    env:
      WAZUH_URL: "https://your-wazuh-manager:55000"
      WAZUH_USERNAME: "wazuh-wui"
      WAZUH_PASSWORD: "your-password"
      WAZUH_INDEXER_URL: "https://your-wazuh-indexer:9200"
      WAZUH_INDEXER_USERNAME: "admin"
      WAZUH_INDEXER_PASSWORD: "your-indexer-password"

Then reload MCP from inside a Hermes session:

/reload-mcp

Codex CLI

Codex CLI registers MCP servers via codex mcp add:

codex mcp add wazuh \
  --env WAZUH_URL=https://your-wazuh-manager:55000 \
  --env WAZUH_USERNAME=wazuh-wui \
  --env WAZUH_PASSWORD=your-password \
  --env WAZUH_INDEXER_URL=https://your-wazuh-indexer:9200 \
  --env WAZUH_INDEXER_USERNAME=admin \
  --env WAZUH_INDEXER_PASSWORD=your-indexer-password \
  -- wazuh-mcp

Or, when running from a source checkout:

codex mcp add wazuh \
  --env WAZUH_URL=https://your-wazuh-manager:55000 \
  --env WAZUH_USERNAME=wazuh-wui \
  --env WAZUH_PASSWORD=your-password \
  -- node /absolute/path/to/wazuh-mcp/dist/index.js

Codex writes the entry to ~/.codex/config.toml under [mcp_servers.wazuh]. Verify with:

codex mcp list

Standalone

export WAZUH_URL=https://your-wazuh-manager:55000
export WAZUH_USERNAME=wazuh-wui
export WAZUH_PASSWORD=your-password
npm start

Development

npm run dev    # Watch mode with tsx
npm run lint   # Type checking
npm test       # Run tests

MCP Tools

Agent Tools

Tool	Description
`list_agents`	List all agents with optional status filtering (active, disconnected, never_connected, pending)
`get_agent`	Get detailed info for a specific agent by ID
`get_agent_stats`	Get CPU, memory, and disk statistics for an agent

Alert Tools

Tool	Description
`get_alerts`	Retrieve recent alerts with filtering by level, agent, rule, and text search
`get_alert`	Retrieve a single alert by ID
`search_alerts`	Full-text search across all alerts

Rule Tools

Tool	Description
`list_rules`	List detection rules with level and group filtering
`get_rule`	Get full rule details including compliance mappings
`search_rules`	Search rules by description text

SCA Tools (Security Configuration Assessment)

Tool	Description
`get_sca_policies`	List SCA policies and scores for an agent (CIS benchmarks, etc.)
`get_sca_checks`	Get individual check results with remediation steps and compliance mappings

Syscollector Tools (System Inventory)

Tool	Description
`get_agent_os`	Get OS information (name, version, architecture, hostname)
`get_agent_packages`	List installed software packages with versions
`get_agent_processes`	List running processes with PIDs and command lines
`get_agent_ports`	List open network ports with associated processes
`get_agent_network`	List network interfaces and IP addresses
`get_agent_hotfixes`	List installed Windows hotfixes/patches

FIM & Rootcheck Tools

Tool	Description
`get_fim_files`	Get File Integrity Monitoring results (files, registry keys, hashes)
`get_rootcheck`	Get rootkit detection scan findings

Manager Tools

Tool	Description
`get_manager_logs`	Get Wazuh manager logs filtered by level and module
`get_manager_config`	Get active manager configuration by section

Group Tools

Tool	Description
`list_groups`	List all agent groups
`get_group_agents`	List agents in a specific group

Other Tools

Tool	Description
`list_decoders`	List log decoders with optional name filtering
`get_wazuh_version`	Get Wazuh manager version and API info

MCP Resources

Resource URI	Description
`wazuh://agents`	All registered agents and their status
`wazuh://alerts/recent`	25 most recent security alerts
`wazuh://rules/summary`	Detection rules sorted by severity

MCP Prompts

Prompt	Description
`investigate-alert`	Step-by-step alert investigation with MITRE mapping and remediation
`agent-health-check`	Comprehensive agent health assessment (status, resources, alerts)
`security-overview`	Full environment security summary with compliance coverage

Examples

List active agents

Use list_agents with status "active" to see all connected agents.

Investigate a brute force attempt

Search alerts for "brute force" and investigate the top result,
including the MITRE ATT&CK technique and remediation steps.

Check agent health

Run an agent health check on agent 001 - check its connection status,
resource usage, and any recent critical alerts.

Find high-severity rules

List all rules with level 12 or higher to see critical detection rules
and their compliance framework mappings.

Testing

npm test              # Run all tests
npm run test:watch    # Watch mode

Tests use mocked Wazuh API responses - no live Wazuh instance needed.

Project Structure

wazuh-mcp/
├── src/
│   ├── index.ts           # MCP server entry point
│   ├── config.ts          # Environment configuration
│   ├── client.ts          # Wazuh REST API client (JWT auth)
│   ├── indexer-client.ts  # Wazuh Indexer (OpenSearch) client
│   ├── types.ts           # TypeScript type definitions
│   ├── resources.ts       # MCP resource handlers
│   ├── prompts.ts         # MCP prompt templates
│   └── tools/
│       ├── agents.ts      # Agent management tools
│       ├── alerts.ts      # Alert query tools
│       ├── rules.ts       # Rule query tools
│       ├── decoders.ts    # Decoder listing tool
│       ├── version.ts     # Version info tool
│       ├── sca.ts         # Security Configuration Assessment
│       ├── syscollector.ts # System inventory (OS, packages, ports, etc.)
│       ├── syscheck.ts    # File Integrity Monitoring
│       ├── rootcheck.ts   # Rootkit detection
│       ├── manager.ts     # Manager logs and configuration
│       └── groups.ts      # Agent group management
├── tests/
│   ├── client.test.ts     # API client unit tests
│   └── tools.test.ts      # Tool handler unit tests
├── package.json
├── tsconfig.json
├── tsup.config.ts
└── vitest.config.ts

License

MIT

Install Server

license - permissive license

quality

maintenance

How are these scores calculated?

Maintenance

–Maintainers

–Response time

–Release cycle

1Releases (12mo)

Resources

Need Help?

Reddit Discussion

Related Servers

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Tools

View all tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/solomonneas/wazuh-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server