Wazuh MCP Server

Production-ready MCP server connecting AI assistants to Wazuh SIEM.

Version 4.0.6 | Wazuh 4.8.0 - 4.14.3 | Full Changelog

---

Why This MCP Server?

Security teams using Wazuh SIEM generate thousands of alerts, vulnerabilities, and events daily. Analyzing this data requires constant context-switching between dashboards, writing API queries, and manually correlating information.

This MCP server solves that problem by providing a secure bridge between AI assistants (like Claude) and your Wazuh deployment. Query alerts, analyze threats, check agent health, and generate compliance reports—all through natural conversation.

You: "Show me critical alerts from the last 24 hours"
Claude: [Uses get_wazuh_alerts tool] Found 12 critical alerts...

You: "Which agents have unpatched critical vulnerabilities?"
Claude: [Uses get_wazuh_critical_vulnerabilities tool] 3 agents affected...

---

Take It Further: Autonomous Agentic SOC

Ready to move beyond manual security operations?

Combine this MCP server with Wazuh OpenClaw Autopilot to build a fully autonomous Security Operations Center powered by AI agents.

While this MCP server gives you conversational access to Wazuh, OpenClaw takes it to the next level—deploying AI agents that work around the clock to triage alerts, correlate incidents, and recommend responses without human intervention.

Capability	What It Does
Autonomous Alert Triage	AI agents continuously analyze incoming alerts, prioritize threats, and create structured incident cases
Intelligent Correlation	Automatically groups related alerts into attack timelines with blast radius assessment
AI-Powered Response Planning	Generates actionable response recommendations with risk scoring
Human-in-the-Loop Safety	Critical actions require Slack approval—automation with guardrails

Traditional SOC: Alert → Analyst reviews → Hours later → Response
Agentic SOC:     Alert → AI triages → Seconds later → Response ready for approval

This is the future of security operations. Start with the MCP server, scale to autonomous agents.

Explore OpenClaw Autopilot →

---

Features

Category	Capabilities
MCP Protocol	100% compliant with MCP 2025-11-25, Streamable HTTP + Legacy SSE
Security Tools	29 specialized tools for alerts, agents, vulnerabilities, compliance
Authentication	OAuth 2.0 with DCR, Bearer tokens (JWT), or authless mode
Production Ready	Circuit breakers, rate limiting, graceful shutdown, Prometheus metrics
Deployment	Docker containerized, multi-platform (AMD64/ARM64), serverless-ready
Token Efficiency	Compact output mode reduces responses by ~66%

29 Security Tools

Category	Tools
Alerts (3)	get_wazuh_alerts, get_wazuh_alert_summary, analyze_alert_patterns
Agents (6)	get_wazuh_agents, get_wazuh_running_agents, check_agent_health, get_agent_processes, get_agent_ports, get_agent_configuration
Vulnerabilities (3)	get_wazuh_vulnerabilities, get_wazuh_critical_vulnerabilities, get_wazuh_vulnerability_summary
Security Analysis (7)	search_security_events, analyze_security_threat, check_ioc_reputation, perform_risk_assessment, get_top_security_threats, generate_security_report, run_compliance_check
System (10)	get_wazuh_statistics, get_wazuh_weekly_stats, get_wazuh_cluster_health, get_wazuh_cluster_nodes, get_wazuh_rules_summary, get_wazuh_remoted_stats, get_wazuh_log_collector_stats, search_wazuh_manager_logs, get_wazuh_manager_error_logs, validate_wazuh_connection

---

Quick Start

Prerequisites

• Docker 20.10+ with Compose v2.20+
• Wazuh 4.8.0 - 4.14.3 with API access

1. Clone and Configure

git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
cd Wazuh-MCP-Server
cp .env.example .env

Edit .env with your Wazuh credentials:

WAZUH_HOST=https://your-wazuh-server.com
WAZUH_USER=your-api-user
WAZUH_PASS=your-api-password

2. Deploy

python deploy.py
# Or: docker compose up -d

3. Verify

curl http://localhost:3000/health

4. Connect Claude Desktop

1. Go to Settings → Connectors → Add custom connector
2. Enter: https://your-server-domain.com/mcp
3. Add authentication in Advanced settings

Detailed setup: Claude Integration Guide

---

Configuration

Required Variables

Variable	Description
WAZUH_HOST	Wazuh server URL
WAZUH_USER	API username
WAZUH_PASS	API password

Optional Variables

Variable	Default	Description
WAZUH_PORT	55000	API port
MCP_HOST	0.0.0.0	Server bind address
MCP_PORT	3000	Server port
AUTH_MODE	bearer	oauth, bearer, or none
AUTH_SECRET_KEY	auto	JWT signing key
ALLOWED_ORIGINS	https://claude.ai	CORS origins
REDIS_URL	-	Redis URL for serverless mode

Wazuh Indexer (Required for vulnerabilities in 4.8.0+)

Variable	Description
WAZUH_INDEXER_HOST	Indexer hostname
WAZUH_INDEXER_PORT	Indexer port (default: 9200)
WAZUH_INDEXER_USER	Indexer username
WAZUH_INDEXER_PASS	Indexer password

---

API Endpoints

Endpoint	Description
/mcp	Recommended - Streamable HTTP (MCP 2025-11-25)
/sse	Legacy SSE endpoint
/health	Health check
/metrics	Prometheus metrics
/docs	OpenAPI documentation
/auth/token	Token exchange (bearer mode)

---

Documentation

Guide	Description
Claude Integration	Claude Desktop setup, authentication modes
Advanced Features	HA, serverless, compact mode, MCP compliance
Troubleshooting	Common issues and solutions
Operations	Deployment, monitoring, maintenance
API Documentation	Tool-specific documentation
Security	Security configuration and best practices

---

Project Structure

src/wazuh_mcp_server/
├── server.py           # MCP server with 29 tools
├── config.py           # Configuration management
├── auth.py             # JWT authentication
├── oauth.py            # OAuth 2.0 with DCR
├── security.py         # Rate limiting, CORS
├── monitoring.py       # Prometheus metrics
├── resilience.py       # Circuit breakers, retries
├── session_store.py    # Pluggable sessions
└── api/
    ├── wazuh_client.py    # Wazuh Manager API
    └── wazuh_indexer.py   # Wazuh Indexer API

---

Security

• Authentication: JWT tokens, OAuth 2.0 with DCR
• Rate Limiting: Per-client request throttling
• Input Validation: SQL injection and XSS protection
• Container Security: Non-root user, read-only filesystem

# Generate secure API key
openssl rand -hex 32

# Set file permissions
chmod 600 .env

---

Contributing

We welcome contributions! Please see:

• Issues - Bug reports and feature requests
• Discussions - Questions and ideas

---

License

MIT License - see LICENSE

---

Acknowledgments

• Wazuh - Open source security platform
• Model Context Protocol - AI integration standard
• FastAPI - Python web framework

---

Contributors

Contributors

Avatar	Username	Contributions
	@alokemajumder	Code, Issues, Discussions
	@gensecai-dev	Code, Discussions
	@aiunmukto	Code, PRs
	@Karibusan	Code, Issues, PRs
	@lwsinclair	Code, PRs
	@taylorwalton	PRs
	@MilkyWay88	PRs
	@kanylbullen	Code, PRs
	@Uberkarhu	Issues
	@cbassonbgroup	Issues
	@cybersentinel-06	Issues
	@daod-arshad	Issues
	@mamema	Issues
	@marcolinux46	Issues
	@matveevandrey	Issues
	@punkpeye	Issues
	@tonyliu9189	Issues
	@Vasanth120v	Discussions
	@gnix45	Discussions
	@melmasry1987	Discussions

Auto-updated by GitHub Actions