Wazuh-MCP-Server MCP Server

Wazuh MCP Server

Production-ready MCP server connecting AI assistants to Wazuh SIEM.

Version 4.0.9 | Wazuh 4.8.0 - 4.14.3 | Full Changelog

Why This MCP Server?

Security teams using Wazuh SIEM generate thousands of alerts, vulnerabilities, and events daily. Analyzing this data requires constant context-switching between dashboards, writing API queries, and manually correlating information.

This MCP server solves that problem by providing a secure bridge between AI assistants (like Claude) and your Wazuh deployment. Query alerts, analyze threats, check agent health, and generate compliance reports—all through natural conversation.

You: "Show me critical alerts from the last 24 hours"
Claude: [Uses get_wazuh_alerts tool] Found 12 critical alerts...

You: "Which agents have unpatched critical vulnerabilities?"
Claude: [Uses get_wazuh_critical_vulnerabilities tool] 3 agents affected...

Take It Further: Autonomous Agentic SOC

Ready to move beyond manual security operations?

Combine this MCP server with Wazuh OpenClaw Autopilot to build a fully autonomous Security Operations Center powered by AI agents.

While this MCP server gives you conversational access to Wazuh, OpenClaw takes it to the next level—deploying AI agents that work around the clock to triage alerts, correlate incidents, and recommend responses without human intervention.

Capability	What It Does
Autonomous Alert Triage	AI agents continuously analyze incoming alerts, prioritize threats, and create structured incident cases
Intelligent Correlation	Automatically groups related alerts into attack timelines with blast radius assessment
AI-Powered Response Planning	Generates actionable response recommendations with risk scoring
Human-in-the-Loop Safety	Critical actions require Slack approval—automation with guardrails

Traditional SOC: Alert → Analyst reviews → Hours later → Response
Agentic SOC:     Alert → AI triages → Seconds later → Response ready for approval

This is the future of security operations. Start with the MCP server, scale to autonomous agents.

Explore OpenClaw Autopilot →

Features

Category	Capabilities
MCP Protocol	100% compliant with MCP 2025-11-25, Streamable HTTP + Legacy SSE
Security Tools	48 specialized tools for alerts, agents, vulnerabilities, compliance, active response
Authentication	OAuth 2.0 with DCR, Bearer tokens (JWT), or authless mode
Production Ready	Circuit breakers, rate limiting, security & monitoring middleware, Prometheus metrics
Deployment	Docker containerized, multi-platform (AMD64/ARM64), serverless-ready
Token Efficiency	Compact output mode reduces responses by ~66%

48 Security Tools

Category	Tools
Alerts (3)	`get_wazuh_alerts`, `get_wazuh_alert_summary`, `analyze_alert_patterns`
Agents (6)	`get_wazuh_agents`, `get_wazuh_running_agents`, `check_agent_health`, `get_agent_processes`, `get_agent_ports`, `get_agent_configuration`
Vulnerabilities (3)	`get_wazuh_vulnerabilities`, `get_wazuh_critical_vulnerabilities`, `get_wazuh_vulnerability_summary`
Security Analysis (7)	`search_security_events`, `analyze_security_threat`, `check_ioc_reputation`, `perform_risk_assessment`, `get_top_security_threats`, `generate_security_report`, `run_compliance_check`
System (10)	`get_wazuh_statistics`, `get_wazuh_weekly_stats`, `get_wazuh_cluster_health`, `get_wazuh_cluster_nodes`, `get_wazuh_rules_summary`, `get_wazuh_remoted_stats`, `get_wazuh_log_collector_stats`, `search_wazuh_manager_logs`, `get_wazuh_manager_error_logs`, `validate_wazuh_connection`
Active Response (9)	`wazuh_block_ip`, `wazuh_isolate_host`, `wazuh_kill_process`, `wazuh_disable_user`, `wazuh_quarantine_file`, `wazuh_active_response`, `wazuh_firewall_drop`, `wazuh_host_deny`, `wazuh_restart`
Verification (5)	`wazuh_check_blocked_ip`, `wazuh_check_agent_isolation`, `wazuh_check_process`, `wazuh_check_user_status`, `wazuh_check_file_quarantine`
Rollback (5)	`wazuh_unisolate_host`, `wazuh_enable_user`, `wazuh_restore_file`, `wazuh_firewall_allow`, `wazuh_host_allow`

Quick Start

Prerequisites

Docker 20.10+ with Compose v2.20+
Wazuh 4.8.0 - 4.14.3 with API access

1. Clone and Configure

git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
cd Wazuh-MCP-Server
cp .env.example .env

Edit .env with your Wazuh credentials:

WAZUH_HOST=https://your-wazuh-server.com
WAZUH_USER=your-api-user
WAZUH_PASS=your-api-password

2. Deploy

python deploy.py
# Or: docker compose up -d

3. Verify

curl http://localhost:3000/health

4. Connect Claude Desktop

Go to Settings → Connectors → Add custom connector
Enter: https://your-server-domain.com/mcp
Add authentication in Advanced settings

Detailed setup: Claude Integration Guide

Configuration

Required Variables

Variable	Description
`WAZUH_HOST`	Wazuh server URL
`WAZUH_USER`	API username
`WAZUH_PASS`	API password

Optional Variables

Variable	Default	Description
`WAZUH_PORT`	`55000`	API port
`MCP_HOST`	`0.0.0.0`	Server bind address
`MCP_PORT`	`3000`	Server port
`AUTH_MODE`	`bearer`	`oauth`, `bearer`, or `none`
`AUTH_SECRET_KEY`	auto	JWT signing key
`ALLOWED_ORIGINS`	`https://claude.ai`	CORS origins
`REDIS_URL`	-	Redis URL for serverless mode

Wazuh Indexer (Required for vulnerabilities in 4.8.0+)

Variable	Description
`WAZUH_INDEXER_HOST`	Indexer hostname
`WAZUH_INDEXER_PORT`	Indexer port (default: 9200)
`WAZUH_INDEXER_USER`	Indexer username
`WAZUH_INDEXER_PASS`	Indexer password

API Endpoints

Endpoint	Description
`/mcp`	Recommended - Streamable HTTP (MCP 2025-11-25)
`/sse`	Legacy SSE endpoint
`/health`	Health check
`/metrics`	Prometheus metrics
`/docs`	OpenAPI documentation
`/auth/token`	Token exchange (bearer mode)

Documentation

Guide	Description
Claude Integration	Claude Desktop setup, authentication modes
Advanced Features	HA, serverless, compact mode, MCP compliance
Troubleshooting	Common issues and solutions
Operations	Deployment, monitoring, maintenance
API Documentation	Tool-specific documentation
Security	Security configuration and best practices

Project Structure

src/wazuh_mcp_server/
├── server.py           # MCP server with 48 tools (Streamable HTTP + SSE)
├── config.py           # Configuration management with validation
├── config_validator.py # Startup configuration validation
├── auth.py             # JWT & API key authentication
├── oauth.py            # OAuth 2.0 with DCR
├── security.py         # Rate limiting, CORS, input validation, security middleware
├── monitoring.py       # Prometheus metrics, request tracking middleware
├── resilience.py       # Circuit breakers, retries, graceful shutdown
├── session_store.py    # Pluggable sessions (in-memory + Redis)
└── api/
    ├── wazuh_client.py    # Wazuh Manager API client
    └── wazuh_indexer.py   # Wazuh Indexer API client (alerts + vulnerabilities)

Security

Authentication: JWT tokens, OAuth 2.0 with DCR, all endpoints protected
Security Middleware: Automatic security headers (X-Content-Type-Options, X-Frame-Options, CSP)
Rate Limiting: Per-client request throttling
Input Validation: Comprehensive parameter validation with SQL injection and XSS protection
Container Security: Non-root user, read-only filesystem

# Generate secure API key
openssl rand -hex 32

# Set file permissions
chmod 600 .env

Contributing

We welcome contributions! Please see:

Issues - Bug reports and feature requests
Discussions - Questions and ideas

License

MIT License - see LICENSE

Acknowledgments

Wazuh - Open source security platform
Model Context Protocol - AI integration standard
FastAPI - Python web framework

Contributors

Contributors

Avatar	Username	Contributions
	@alokemajumder	Code, Issues, Discussions
	@gensecai-dev	Code, Discussions
	@aiunmukto	Code, PRs
	@Karibusan	Code, Issues, PRs
	@lwsinclair	Code, PRs
	@taylorwalton	PRs
	@MilkyWay88	PRs
	@kanylbullen	Code, PRs
	@Uberkarhu	Issues
	@cbassonbgroup	Issues
	@cybersentinel-06	Issues
	@daod-arshad	Issues
	@mamema	Issues
	@marcolinux46	Issues
	@matveevandrey	Issues
	@punkpeye	Issues
	@tonyliu9189	Issues
	@Vasanth120v	Discussions
	@gnix45	Discussions
	@melmasry1987	Discussions

Auto-updated by GitHub Actions

Wazuh MCP Server

Production-ready MCP server connecting AI assistants to Wazuh SIEM.

Version 4.0.9 | Wazuh 4.8.0 - 4.14.3 | Full Changelog

Why This MCP Server?

You: "Show me critical alerts from the last 24 hours"
Claude: [Uses get_wazuh_alerts tool] Found 12 critical alerts...

You: "Which agents have unpatched critical vulnerabilities?"
Claude: [Uses get_wazuh_critical_vulnerabilities tool] 3 agents affected...

Take It Further: Autonomous Agentic SOC

Ready to move beyond manual security operations?

Combine this MCP server with Wazuh OpenClaw Autopilot to build a fully autonomous Security Operations Center powered by AI agents.

Capability	What It Does
Autonomous Alert Triage	AI agents continuously analyze incoming alerts, prioritize threats, and create structured incident cases
Intelligent Correlation	Automatically groups related alerts into attack timelines with blast radius assessment
AI-Powered Response Planning	Generates actionable response recommendations with risk scoring
Human-in-the-Loop Safety	Critical actions require Slack approval—automation with guardrails

Traditional SOC: Alert → Analyst reviews → Hours later → Response
Agentic SOC:     Alert → AI triages → Seconds later → Response ready for approval

This is the future of security operations. Start with the MCP server, scale to autonomous agents.

Explore OpenClaw Autopilot →

Features

Category	Capabilities
MCP Protocol	100% compliant with MCP 2025-11-25, Streamable HTTP + Legacy SSE
Security Tools	48 specialized tools for alerts, agents, vulnerabilities, compliance, active response
Authentication	OAuth 2.0 with DCR, Bearer tokens (JWT), or authless mode
Production Ready	Circuit breakers, rate limiting, security & monitoring middleware, Prometheus metrics
Deployment	Docker containerized, multi-platform (AMD64/ARM64), serverless-ready
Token Efficiency	Compact output mode reduces responses by ~66%

48 Security Tools

Category	Tools
Alerts (3)	`get_wazuh_alerts`, `get_wazuh_alert_summary`, `analyze_alert_patterns`
Agents (6)	`get_wazuh_agents`, `get_wazuh_running_agents`, `check_agent_health`, `get_agent_processes`, `get_agent_ports`, `get_agent_configuration`
Vulnerabilities (3)	`get_wazuh_vulnerabilities`, `get_wazuh_critical_vulnerabilities`, `get_wazuh_vulnerability_summary`
Security Analysis (7)	`search_security_events`, `analyze_security_threat`, `check_ioc_reputation`, `perform_risk_assessment`, `get_top_security_threats`, `generate_security_report`, `run_compliance_check`
System (10)	`get_wazuh_statistics`, `get_wazuh_weekly_stats`, `get_wazuh_cluster_health`, `get_wazuh_cluster_nodes`, `get_wazuh_rules_summary`, `get_wazuh_remoted_stats`, `get_wazuh_log_collector_stats`, `search_wazuh_manager_logs`, `get_wazuh_manager_error_logs`, `validate_wazuh_connection`
Active Response (9)	`wazuh_block_ip`, `wazuh_isolate_host`, `wazuh_kill_process`, `wazuh_disable_user`, `wazuh_quarantine_file`, `wazuh_active_response`, `wazuh_firewall_drop`, `wazuh_host_deny`, `wazuh_restart`
Verification (5)	`wazuh_check_blocked_ip`, `wazuh_check_agent_isolation`, `wazuh_check_process`, `wazuh_check_user_status`, `wazuh_check_file_quarantine`
Rollback (5)	`wazuh_unisolate_host`, `wazuh_enable_user`, `wazuh_restore_file`, `wazuh_firewall_allow`, `wazuh_host_allow`

Quick Start

Prerequisites

Docker 20.10+ with Compose v2.20+
Wazuh 4.8.0 - 4.14.3 with API access

1. Clone and Configure

git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
cd Wazuh-MCP-Server
cp .env.example .env

Edit .env with your Wazuh credentials:

WAZUH_HOST=https://your-wazuh-server.com
WAZUH_USER=your-api-user
WAZUH_PASS=your-api-password

2. Deploy

python deploy.py
# Or: docker compose up -d

3. Verify

curl http://localhost:3000/health

4. Connect Claude Desktop

Go to Settings → Connectors → Add custom connector
Enter: https://your-server-domain.com/mcp
Add authentication in Advanced settings

Detailed setup: Claude Integration Guide

Configuration

Required Variables

Variable	Description
`WAZUH_HOST`	Wazuh server URL
`WAZUH_USER`	API username
`WAZUH_PASS`	API password

Optional Variables

Variable	Default	Description
`WAZUH_PORT`	`55000`	API port
`MCP_HOST`	`0.0.0.0`	Server bind address
`MCP_PORT`	`3000`	Server port
`AUTH_MODE`	`bearer`	`oauth`, `bearer`, or `none`
`AUTH_SECRET_KEY`	auto	JWT signing key
`ALLOWED_ORIGINS`	`https://claude.ai`	CORS origins
`REDIS_URL`	-	Redis URL for serverless mode

Wazuh Indexer (Required for vulnerabilities in 4.8.0+)

Variable	Description
`WAZUH_INDEXER_HOST`	Indexer hostname
`WAZUH_INDEXER_PORT`	Indexer port (default: 9200)
`WAZUH_INDEXER_USER`	Indexer username
`WAZUH_INDEXER_PASS`	Indexer password

API Endpoints

Endpoint	Description
`/mcp`	Recommended - Streamable HTTP (MCP 2025-11-25)
`/sse`	Legacy SSE endpoint
`/health`	Health check
`/metrics`	Prometheus metrics
`/docs`	OpenAPI documentation
`/auth/token`	Token exchange (bearer mode)

Documentation

Guide	Description
Claude Integration	Claude Desktop setup, authentication modes
Advanced Features	HA, serverless, compact mode, MCP compliance
Troubleshooting	Common issues and solutions
Operations	Deployment, monitoring, maintenance
API Documentation	Tool-specific documentation
Security	Security configuration and best practices

Project Structure

src/wazuh_mcp_server/
├── server.py           # MCP server with 48 tools (Streamable HTTP + SSE)
├── config.py           # Configuration management with validation
├── config_validator.py # Startup configuration validation
├── auth.py             # JWT & API key authentication
├── oauth.py            # OAuth 2.0 with DCR
├── security.py         # Rate limiting, CORS, input validation, security middleware
├── monitoring.py       # Prometheus metrics, request tracking middleware
├── resilience.py       # Circuit breakers, retries, graceful shutdown
├── session_store.py    # Pluggable sessions (in-memory + Redis)
└── api/
    ├── wazuh_client.py    # Wazuh Manager API client
    └── wazuh_indexer.py   # Wazuh Indexer API client (alerts + vulnerabilities)

Security

Authentication: JWT tokens, OAuth 2.0 with DCR, all endpoints protected
Security Middleware: Automatic security headers (X-Content-Type-Options, X-Frame-Options, CSP)
Rate Limiting: Per-client request throttling
Input Validation: Comprehensive parameter validation with SQL injection and XSS protection
Container Security: Non-root user, read-only filesystem

# Generate secure API key
openssl rand -hex 32

# Set file permissions
chmod 600 .env

Contributing

We welcome contributions! Please see:

Issues - Bug reports and feature requests
Discussions - Questions and ideas

License

MIT License - see LICENSE

Acknowledgments

Wazuh - Open source security platform
Model Context Protocol - AI integration standard
FastAPI - Python web framework

Contributors

Contributors

Avatar	Username	Contributions
	@alokemajumder	Code, Issues, Discussions
	@gensecai-dev	Code, Discussions
	@aiunmukto	Code, PRs
	@Karibusan	Code, Issues, PRs
	@lwsinclair	Code, PRs
	@taylorwalton	PRs
	@MilkyWay88	PRs
	@kanylbullen	Code, PRs
	@Uberkarhu	Issues
	@cbassonbgroup	Issues
	@cybersentinel-06	Issues
	@daod-arshad	Issues
	@mamema	Issues
	@marcolinux46	Issues
	@matveevandrey	Issues
	@punkpeye	Issues
	@tonyliu9189	Issues
	@Vasanth120v	Discussions
	@gnix45	Discussions
	@melmasry1987	Discussions

Auto-updated by GitHub Actions

Wazuh MCP Server

README Documentation

Wazuh MCP Server

Why This MCP Server?

Take It Further: Autonomous Agentic SOC

Features

48 Security Tools

Quick Start

Prerequisites

1. Clone and Configure

2. Deploy

3. Verify

4. Connect Claude Desktop

Configuration

Required Variables

Optional Variables

Wazuh Indexer (Required for vulnerabilities in 4.8.0+)

API Endpoints

Documentation

Project Structure

Security

Contributing

License

Acknowledgments

Contributors

Quick Install

Quick Actions

Key Features

Wazuh MCP Server

README Documentation

Wazuh MCP Server

Why This MCP Server?

Take It Further: Autonomous Agentic SOC

Features

48 Security Tools

Quick Start

Prerequisites

1. Clone and Configure

2. Deploy

3. Verify

4. Connect Claude Desktop

Configuration

Required Variables

Optional Variables

Wazuh Indexer (Required for vulnerabilities in 4.8.0+)

API Endpoints

Documentation

Project Structure

Security

Contributing

License

Acknowledgments

Contributors

Quick Install

Quick Actions

Key Features