Wazuh MCP Server
AI-powered security operations with Wazuh SIEM + Claude Desktop. Natural language threat detection, automated incident response & compliance.
Production-ready MCP server connecting AI assistants to Wazuh SIEM.
Version 4.0.6 | Wazuh 4.8.0 - 4.14.3 | Full Changelog
Why This MCP Server?
Security teams using Wazuh SIEM generate thousands of alerts, vulnerabilities, and events daily. Analyzing this data requires constant context-switching between dashboards, writing API queries, and manually correlating information.
This MCP server solves that problem by providing a secure bridge between AI assistants (like Claude) and your Wazuh deployment. Query alerts, analyze threats, check agent health, and generate compliance reports—all through natural conversation.
```text
You: "Show me critical alerts from the last 24 hours"
Claude: [Uses get_wazuh_alerts tool] Found 12 critical alerts...

You: "Which agents have unpatched critical vulnerabilities?"
Claude: [Uses get_wazuh_critical_vulnerabilities tool] 3 agents affected...
```
Works With
Wazuh OpenClaw Autopilot
Transform your Wazuh deployment into an autonomous SOC powered by this MCP server:
- Automatic Alert Triage - AI agents analyze high/critical alerts and create structured incident cases
- Incident Correlation - Groups related alerts into timelines with blast radius assessment
- Response Planning - Generates response recommendations with risk scoring
- Human-in-the-Loop - Routes risky actions to Slack for approval before execution
OpenClaw uses this MCP server as its interface to Wazuh, enabling autonomous security operations while maintaining human oversight.
Features
| Category | Capabilities |
|---|---|
| MCP Protocol | 100% compliant with MCP 2025-11-25, Streamable HTTP + Legacy SSE |
| Security Tools | 29 specialized tools for alerts, agents, vulnerabilities, compliance |
| Authentication | OAuth 2.0 with DCR, Bearer tokens (JWT), or authless mode |
| Production Ready | Circuit breakers, rate limiting, graceful shutdown, Prometheus metrics |
| Deployment | Docker containerized, multi-platform (AMD64/ARM64), serverless-ready |
| Token Efficiency | Compact output mode reduces responses by ~66% |
29 Security Tools
| Category | Tools |
|---|---|
| Alerts (3) | get_wazuh_alerts, get_wazuh_alert_summary, analyze_alert_patterns |
| Agents (6) | get_wazuh_agents, get_wazuh_running_agents, check_agent_health, get_agent_processes, get_agent_ports, get_agent_configuration |
| Vulnerabilities (3) | get_wazuh_vulnerabilities, get_wazuh_critical_vulnerabilities, get_wazuh_vulnerability_summary |
| Security Analysis (7) | search_security_events, analyze_security_threat, check_ioc_reputation, perform_risk_assessment, get_top_security_threats, generate_security_report, run_compliance_check |
| System (10) | get_wazuh_statistics, get_wazuh_weekly_stats, get_wazuh_cluster_health, get_wazuh_cluster_nodes, get_wazuh_rules_summary, get_wazuh_remoted_stats, get_wazuh_log_collector_stats, search_wazuh_manager_logs, get_wazuh_manager_error_logs, validate_wazuh_connection |
Quick Start
Prerequisites
- Docker 20.10+ with Compose v2.20+
- Wazuh 4.8.0 - 4.14.3 with API access
1. Clone and Configure
```bash
git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
cd Wazuh-MCP-Server
cp .env.example .env
```
Edit .env with your Wazuh credentials:
```env
WAZUH_HOST=https://your-wazuh-server.com
WAZUH_USER=your-api-user
WAZUH_PASS=your-api-password
```
2. Deploy
```bash
python deploy.py
# Or: docker compose up -d
```
3. Verify
```bash
curl http://localhost:3000/health
```
4. Connect Claude Desktop
- Go to Settings → Connectors → Add custom connector
- Enter `https://your-server-domain.com/mcp`
- Add authentication in Advanced settings
Detailed setup: Claude Integration Guide
Configuration
Required Variables
| Variable | Description |
|---|---|
| WAZUH_HOST | Wazuh server URL |
| WAZUH_USER | API username |
| WAZUH_PASS | API password |
Optional Variables
| Variable | Default | Description |
|---|---|---|
| WAZUH_PORT | 55000 | API port |
| MCP_HOST | 0.0.0.0 | Server bind address |
| MCP_PORT | 3000 | Server port |
| AUTH_MODE | bearer | oauth, bearer, or none |
| AUTH_SECRET_KEY | auto | JWT signing key |
| ALLOWED_ORIGINS | https://claude.ai | CORS origins |
| REDIS_URL | - | Redis URL for serverless mode |
Wazuh Indexer (Required for vulnerabilities in 4.8.0+)
| Variable | Description |
|---|---|
| WAZUH_INDEXER_HOST | Indexer hostname |
| WAZUH_INDEXER_PORT | Indexer port (default: 9200) |
| WAZUH_INDEXER_USER | Indexer username |
| WAZUH_INDEXER_PASS | Indexer password |
API Endpoints
| Endpoint | Description |
|---|---|
| /mcp | Recommended - Streamable HTTP (MCP 2025-11-25) |
| /sse | Legacy SSE endpoint |
| /health | Health check |
| /metrics | Prometheus metrics |
| /docs | OpenAPI documentation |
| /auth/token | Token exchange (bearer mode) |
Documentation
| Guide | Description |
|---|---|
| Claude Integration | Claude Desktop setup, authentication modes |
| Advanced Features | HA, serverless, compact mode, MCP compliance |
| Troubleshooting | Common issues and solutions |
| Operations | Deployment, monitoring, maintenance |
| API Documentation | Tool-specific documentation |
| Security | Security configuration and best practices |
Project Structure
```text
src/wazuh_mcp_server/
├── server.py         # MCP server with 29 tools
├── config.py         # Configuration management
├── auth.py           # JWT authentication
├── oauth.py          # OAuth 2.0 with DCR
├── security.py       # Rate limiting, CORS
├── monitoring.py     # Prometheus metrics
├── resilience.py     # Circuit breakers, retries
├── session_store.py  # Pluggable sessions
└── api/
    ├── wazuh_client.py   # Wazuh Manager API
    └── wazuh_indexer.py  # Wazuh Indexer API
```
Security
- Authentication: JWT tokens, OAuth 2.0 with DCR
- Rate Limiting: Per-client request throttling
- Input Validation: SQL injection and XSS protection
- Container Security: Non-root user, read-only filesystem
```bash
# Generate secure API key
openssl rand -hex 32
# Set file permissions
chmod 600 .env
```
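As an added example (not part of the project), the script below audits a `.env` file against the variables documented in the Configuration section and the two hardening steps above: it flags missing required variables, a plain-`http` `WAZUH_HOST`, `AUTH_MODE=none` on a non-loopback `MCP_HOST`, a short explicit `AUTH_SECRET_KEY`, a wildcard in `ALLOWED_ORIGINS`, and a `.env` that is readable by other users. The defaults assumed for unset variables are those in the README's table; the sample `.env` contents are constructed for the demonstration and deliberately weak.

```python
"""Pre-deployment audit of the server's .env file (added example, not project code)."""
import stat
from pathlib import Path

VALID_AUTH_MODES = {"oauth", "bearer", "none"}  # values listed in the README
REQUIRED = ("WAZUH_HOST", "WAZUH_USER", "WAZUH_PASS")

# Constructed sample: every line below trips a check except WAZUH_USER.
SAMPLE_WEAK_ENV = """\
# demo .env
WAZUH_HOST=http://wazuh.example.internal
WAZUH_USER=wazuh-wui
WAZUH_PASS=
MCP_HOST=0.0.0.0
AUTH_MODE=none
ALLOWED_ORIGINS="https://claude.ai,*"
"""


def parse_env(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and comments are ignored, quotes stripped."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def audit_env(env: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means no issue was detected."""
    findings: list[str] = []
    for key in REQUIRED:
        if not env.get(key):
            findings.append(f"{key} is required but empty or missing")
    host = env.get("WAZUH_HOST", "")
    if host and not host.startswith("https://"):
        findings.append("WAZUH_HOST does not use https://; API credentials would travel in clear text")
    mode = env.get("AUTH_MODE", "bearer")        # README default
    bind = env.get("MCP_HOST", "0.0.0.0")        # README default
    if mode not in VALID_AUTH_MODES:
        findings.append(f"AUTH_MODE={mode!r} is not one of {sorted(VALID_AUTH_MODES)}")
    if mode == "none" and bind not in ("127.0.0.1", "localhost", "::1"):
        findings.append(f"AUTH_MODE=none with MCP_HOST={bind}: unauthenticated server reachable beyond loopback")
    secret = env.get("AUTH_SECRET_KEY", "auto")  # 'auto' lets the server generate one
    if mode in ("bearer", "oauth") and secret != "auto" and len(secret) < 32:
        findings.append("AUTH_SECRET_KEY is shorter than 32 characters; generate one with `openssl rand -hex 32`")
    origins = [o.strip() for o in env.get("ALLOWED_ORIGINS", "https://claude.ai").split(",")]
    if "*" in origins:
        findings.append("ALLOWED_ORIGINS contains '*': any web origin may call the server")
    return findings


def check_env_file(path: str) -> list[str]:
    """Audit the file's contents and its permission bits (the chmod 600 step)."""
    p = Path(path)
    findings = audit_env(parse_env(p.read_text()))
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & 0o077:
        findings.append(f"{p} has mode {oct(mode)}; run `chmod 600 {p}` so other users cannot read credentials")
    return findings


if __name__ == "__main__":
    target = Path(".env")
    results = check_env_file(str(target)) if target.exists() else audit_env(parse_env(SAMPLE_WEAK_ENV))
    print("\n".join(f"- {f}" for f in results) or "no findings")
```

Run it from the repository root after step 1 of the Quick Start; a non-empty list is the cue to fix `.env` before `python deploy.py`.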
Contributing
We welcome contributions! Please see:
- Issues - Bug reports and feature requests
- Discussions - Questions and ideas
License
MIT License - see LICENSE
Acknowledgments
- Wazuh - Open source security platform
- Model Context Protocol - AI integration standard
- FastAPI - Python web framework
Contributors
| Username | Contributions |
|---|---|
| @alokemajumder | Code, Issues, Discussions |
| @gensecai-dev | Code, Discussions |
| @aiunmukto | Code, PRs |
| @Karibusan | Code, Issues, PRs |
| @lwsinclair | Code, PRs |
| @taylorwalton | PRs |
| @MilkyWay88 | PRs |
| @kanylbullen | Code, PRs |
| @Uberkarhu | Issues |
| @cbassonbgroup | Issues |
| @cybersentinel-06 | Issues |
| @daod-arshad | Issues |
| @mamema | Issues |
| @marcolinux46 | Issues |
| @matveevandrey | Issues |
| @punkpeye | Issues |
| @tonyliu9189 | Issues |
| @Vasanth120v | Discussions |
| @gnix45 | Discussions |
| @melmasry1987 | Discussions |
Auto-updated by GitHub Actions