claudeers.

🔓 unclaimed — this page was auto-generated from GitHub. Are you the creator?

Claim this page →
// Security & Compliance

Wazuh-MCP-Server

AI-powered security operations for Wazuh SIEM—use any MCP-compatible client to ask security questions in plain English. Faster threat detection, incident tri…

// Security & Compliance[ cli ][ api ][ desktop ][ web ][ claude ]#claude#ai#claude-ai#claude-code#claudedxt#dxt#genai#hacktoberfest#securityMIT$open-sourceupdated 15 days ago
Actively maintained
100/100
last commit 13 days ago
last release 3 months ago
releases 19
open issues 3
// install
git clone https://github.com/gensecaihq/Wazuh-MCP-Server

Wazuh MCP Server

Talk to your SIEM. Query alerts, hunt threats, check vulnerabilities, and trigger active responses across your entire Wazuh deployment — through natural conversation with any AI assistant.

v4.2.1 | 48 security tools | Wazuh 4.8.0–4.14.4 | Changelog


What This Does

Your Wazuh SIEM generates thousands of alerts, vulnerability findings, and agent events daily. Investigating them means juggling dashboards, writing API queries, and manually correlating data across tools.

This MCP server turns that workflow into a conversation:

You:    "Show me critical alerts from the last hour"
AI:     [calls get_wazuh_alerts] Found 3 critical alerts:
        1. SSH brute force from 10.0.1.45 → agent-003 (Rule 5712, Level 10)
        2. Rootkit detection on agent-007 (Rule 510, Level 12)
        3. FIM change /etc/shadow on agent-001 (Rule 550, Level 10)

You:    "Block that source IP on agent-003"
AI:     [calls wazuh_block_ip] Blocked 10.0.1.45 via firewall-drop on agent-003.

You:    "Which agents have unpatched critical CVEs?"
AI:     [calls get_critical_vulnerabilities] 3 agents with critical vulnerabilities...

It works with Claude Desktop, Open WebUI + Ollama (fully local, air-gapped), mcphost, or any MCP-compliant client.


Works With Cloud AND Local LLMs

This is a standard MCP tool server. It doesn't care what LLM you use — it just executes tools and returns results.

ModeLLMClientData leaves your network?
CloudClaude, GPT, etc.Claude Desktop, any MCP clientYes (to LLM provider)
LocalLlama, Qwen, Mistral via OllamaOpen WebUI, mcphost, IBM/mcp-cliNo. Fully air-gappable.

For security teams that can't send SIEM data to cloud APIs (compliance, air-gapped networks, data sovereignty), the local mode with Ollama keeps everything on-premises. Both modes coexist — same server, same tools, same API.

Quick Start: Local LLM with mcphost

# 1. Start the MCP server
docker compose up -d

# 2. Install mcphost (Go binary, no dependencies)
go install github.com/mark3labs/mcphost@latest

# 3. Configure
cat > ~/.mcphost.yml << 'EOF'
mcpServers:
  wazuh:
    type: remote
    url: http://localhost:3000/mcp
    headers: ["Authorization: Bearer ${env://MCP_API_KEY}"]
EOF

# 4. Chat with your SIEM using a local model
export MCP_API_KEY="your-key-from-server-logs"
mcphost --model ollama/qwen2.5:7b

Quick Start: Multi-User SOC with Open WebUI

Open WebUI v0.6.31+ connects to our /mcp endpoint natively. Add it as an MCP tool server in Admin Settings, and your entire team gets AI-powered SIEM analysis with conversation history, RBAC, and a web UI.


48 Security Tools

Every tool is validated, rate-limited, scope-checked, and audit-logged.

CategoryToolsWhat They Do
Alerts (4)get_wazuh_alerts get_wazuh_alert_summary analyze_alert_patterns search_security_eventsQuery, filter, search, and analyze alert data via Elasticsearch
Agents (6)get_wazuh_agents get_wazuh_running_agents check_agent_health get_agent_processes get_agent_ports get_agent_configurationMonitor agent status, running processes, open ports, and configs
Vulnerabilities (3)get_wazuh_vulnerabilities get_critical_vulnerabilities vulnerability_summaryQuery CVEs by severity, agent, and package
Security Analysis (6)analyze_security_threat check_ioc_reputation perform_risk_assessment get_top_security_threats generate_security_report run_compliance_checkThreat analysis, IOC lookup, risk scoring, compliance checks
System (10)get_wazuh_statistics get_wazuh_cluster_health get_wazuh_rules_summary search_wazuh_manager_logs ...Cluster health, rules, manager logs, stats
Active Response (9)wazuh_block_ip wazuh_isolate_host wazuh_kill_process wazuh_disable_user wazuh_quarantine_file ...Block IPs, isolate hosts, kill processes, quarantine files
Verification (5)wazuh_check_blocked_ip wazuh_check_agent_isolation wazuh_check_process wazuh_check_user_status ...Verify active response actions took effect
Rollback (5)wazuh_unisolate_host wazuh_enable_user wazuh_restore_file wazuh_firewall_allow wazuh_host_allowUndo active response actions

Quick Start

Prerequisites

  • Docker 20.10+ with Compose v2
  • Wazuh 4.8.0–4.14.4 with API access enabled

Deploy

git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
cd Wazuh-MCP-Server
cp .env.example .env

Edit .env:

WAZUH_HOST=your-wazuh-server
WAZUH_USER=your-api-user
WAZUH_PASS=your-api-password
docker compose up -d
curl http://localhost:3000/health

Connect Claude Desktop

  1. SettingsConnectorsAdd custom connector
  2. URL: https://your-server/mcp
  3. Add Bearer token in Advanced settings

Detailed setup: Claude Integration Guide


Security

This server sits between an LLM and your SIEM. Security is not optional.

LayerWhat It Does
RBACPer-tool scope enforcement. 14 active response tools require wazuh:write. Read-only tokens can query but never trigger actions. Authless mode is read-only by default.
Audit LoggingEvery destructive tool call (block IP, isolate host, kill process) is logged with client ID, session, timestamp, and full arguments.
Output SanitizationCredentials, tokens, and API keys in alert full_log fields are redacted before reaching the LLM. Prevents credential leakage through AI responses.
Input ValidationEvery parameter validated: regex agent IDs, ipaddress module for IPs, shell metacharacter blocking for active response, Elasticsearch Query DSL (no string interpolation).
Rate LimitingPer-client sliding window with escalating block duration (10s → 5min).
Circuit BreakersWazuh API failures trigger fail-fast for 60s, auto-recover. Single trial in HALF_OPEN state.
Log SanitizationGlobal filter redacts passwords, tokens, secrets from all server logs.
Container HardeningNon-root user, read-only filesystem, CAP_DROP ALL, no-new-privileges.
# Generate a secure API key
python -c "import secrets; print('wazuh_' + secrets.token_urlsafe(32))"

Configuration

Required

VariableDescription
WAZUH_HOSTWazuh Manager hostname or IP
WAZUH_USERAPI username
WAZUH_PASSAPI password

Optional

VariableDefaultDescription
WAZUH_PORT55000Manager API port
MCP_HOST0.0.0.0Server bind address
MCP_PORT3000Server port
AUTH_MODEbeareroauth, bearer, or none
AUTH_SECRET_KEYauto-generatedJWT signing key
AUTHLESS_ALLOW_WRITEfalseAllow active response in authless mode
ALLOWED_ORIGINShttps://claude.aiCORS origins (comma-separated)
REDIS_URLRedis URL for multi-instance session storage

Wazuh Indexer (for alert search + vulnerabilities)

VariableDefaultDescription
WAZUH_INDEXER_HOSTIndexer hostname
WAZUH_INDEXER_PORT9200Indexer port
WAZUH_INDEXER_USERIndexer username
WAZUH_INDEXER_PASSIndexer password

Full reference: Configuration Guide


API Endpoints

EndpointMethodDescription
/mcpPOST/GET/DELETEMCP Streamable HTTP (recommended)
/sseGETLegacy Server-Sent Events
/healthGETHealth check (no auth required)
/metricsGETPrometheus metrics
/auth/tokenPOSTExchange API key for JWT
/docsGETOpenAPI documentation

Architecture

src/wazuh_mcp_server/
├── server.py           # MCP protocol + 48 tool handlers
├── config.py           # Environment-based configuration
├── auth.py             # JWT + API key authentication
├── oauth.py            # OAuth 2.0 with Dynamic Client Registration
├── security.py         # Rate limiting, CORS, input validation
├── monitoring.py       # Prometheus metrics, structured logging
├── resilience.py       # Circuit breakers, retries, graceful shutdown
├── session_store.py    # Pluggable sessions (in-memory + Redis)
└── api/
    ├── wazuh_client.py    # Wazuh Manager REST API client
    └── wazuh_indexer.py   # Wazuh Indexer (Elasticsearch) client

Take It Further: Autonomous Agentic SOC

Combine this MCP server with Wazuh OpenClaw Autopilot to build a fully autonomous Security Operations Center.

While this server gives you conversational access to Wazuh, OpenClaw deploys AI agents that work around the clock — triaging alerts, correlating incidents, and recommending responses without human intervention.

Manual SOC:    Alert → Analyst reviews → Hours → Response
Agentic SOC:   Alert → AI triages → Seconds → Response ready for approval

Explore OpenClaw Autopilot


Documentation

GuideDescription
Claude IntegrationClaude Desktop setup and authentication
ConfigurationFull configuration reference
Advanced FeaturesHA, serverless, compact mode
API DocumentationPer-tool documentation
SecuritySecurity hardening guide
TroubleshootingCommon issues and solutions
OperationsDeployment, monitoring, maintenance

Contributing

We welcome contributions. See Issues for bugs and feature requests, Discussions for questions.


License

MIT


Acknowledgments


Contributors

Contributors

AvatarUsernameContributions
Wazuh-MCP-Server@alokemajumderCode, Issues, Discussions
Wazuh-MCP-Server@gensecai-devCode, Discussions
Wazuh-MCP-Server@aiunmuktoCode, PRs
Wazuh-MCP-Server@KaribusanCode, Issues, PRs
Wazuh-MCP-Server@lwsinclairCode, PRs
Wazuh-MCP-Server@taylorwaltonPRs
Wazuh-MCP-Server@MilkyWay88PRs
Wazuh-MCP-Server@kanylbullenCode, PRs
Wazuh-MCP-Server@UberkarhuIssues
Wazuh-MCP-Server@cbassonbgroupIssues
Wazuh-MCP-Server@cybersentinel-06Issues
Wazuh-MCP-Server@daod-arshadIssues
Wazuh-MCP-Server@mamemaIssues
Wazuh-MCP-Server@marcolinux46Issues
Wazuh-MCP-Server@matveevandreyIssues
Wazuh-MCP-Server@punkpeyeIssues
Wazuh-MCP-Server@tonyliu9189Issues
Wazuh-MCP-Server@Vasanth120vDiscussions
Wazuh-MCP-Server@gnix45Discussions
Wazuh-MCP-Server@melmasry1987Discussions

Auto-updated by GitHub Actions

// compatibility

Platformscli, api, desktop, web
Operating systems
AI compatibilityclaude
LicenseMIT
Pricingopen-source
LanguagePython

// faq

What is Wazuh-MCP-Server?

AI-powered security operations for Wazuh SIEM—use any MCP-compatible client to ask security questions in plain English. Faster threat detection, incident triage, and compliance checks with real-time monitoring and anomaly spotting. Production-ready MCP server for conversational SOC workflows.. It is open-source on GitHub.

Is Wazuh-MCP-Server free to use?

Wazuh-MCP-Server is open-source under the MIT license, so it is free to use.

What category does Wazuh-MCP-Server belong to?

Wazuh-MCP-Server is listed under mcp-servers in the Claudeers registry of Claude-compatible tools.

0 views
198 stars
unclaimed
updated 15 days ago

// embed badge

Wazuh-MCP-Server on Claudeers
[![Claudeers](https://claudeers.com/api/badge/wazuh-mcp-server.svg)](https://claudeers.com/wazuh-mcp-server)

// retro hit counter

Wazuh-MCP-Server hit counter
[![Hits](https://claudeers.com/api/counter/wazuh-mcp-server.svg)](https://claudeers.com/wazuh-mcp-server)

// reviews

// guestbook

0/500

// related in Security & Compliance

🔓

A complete AI agency at your fingertips - From frontend wizards to Reddit community ninjas, from whimsy injectors to reality checkers. Each agent is a specia…

// securitymsitarzewski/Shell126,507MIT[ claude ]
🔓

π RuView turns commodity WiFi signals into real-time spatial intelligence, vital sign monitoring, and presence detection — all without a single pixel of video.

// securityruvnet/Rust76,321MIT[ claude ]
🔓

Prowler is the world’s most widely used open-source cloud security platform that automates security and compliance across any cloud environment.

// securityprowler-cloud/Python14,101Apache-2.0[ claude ]
🔓

🐶 A curated list of Web Security materials and resources.

// securityqazbnm456/Python13,559[ claude ]
→ see how Wazuh-MCP-Server connects across the ecosystem