winlog-mcp-server

andersnygaard/winlog-mcp-server

A Node.js application designed to parse Windows Event Logs with an MCP server interface for AI assistant integration.

Windows Event Log Parser with MCP Server

A Node.js application for parsing Windows Event Logs with an MCP (Model Context Protocol) server interface.

Features

  • Parse Windows Event Logs (Application, System, Security, etc.)
  • Filter events by ID, level, or log name
  • MCP server interface for AI assistant integration
  • List available Windows Event Logs

Installation

npm install

Usage

Standalone Script

Run the script directly to view logs in the console:

npm start
# or
node index.js

MCP Server

Run the MCP server:

npm run mcp
# or
node mcp-server.js

The MCP server exposes the following tools:

  1. list_windows_logs - List all available Windows Event Log names
  2. get_windows_log_events - Retrieve events from a specific log with optional filters

Example MCP Tool Usage

{
  "name": "get_windows_log_events",
  "arguments": {
    "logName": "Application",
    "maxEvents": 10,
    "level": "Error"
  }
}

MCP Configuration

Add to your MCP client configuration:

{
  "mcpServers": {
    "windows-logs": {
      "command": "node",
      "args": ["mcp-server.js"],
      "cwd": "/path/to/winlogtest"
    }
  }
}

Available Log Names

Common Windows Event Log names:

  • Application
  • System
  • Security
  • Setup
  • ForwardedEvents

Use the list_windows_logs tool to get the complete list on your system.

Security Notice

⚠️ Important: This tool reads Windows Event Logs, including Security logs which may contain sensitive information such as:

  • Authentication events
  • Account management activities
  • System access records
  • Security-related events

Best Practices:

  • Only use this tool on systems you own or have explicit permission to access
  • Be cautious when sharing log data, as it may contain sensitive information
  • Review the data before sharing or exporting
  • The tool runs locally and does not transmit data externally
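
One way to apply these practices when the server is connected to an assistant, as an added example that is not part of winlog-mcp-server: a client-side guard that checks a tool call before it is forwarded and redacts event message text before it is shared. The allowlist, the event cap, the redaction patterns and the sample message are assumptions constructed for illustration; this page does not document the shape of the events the server returns.

```javascript
// Added example, not part of winlog-mcp-server. Policy values are assumptions.
const POLICY = {
  allowedLogs: new Set(["Application", "System", "Setup"]), // Security is opt-in
  maxEvents: 100, // upper bound on events returned to the assistant
};

// Check a tool call (shape as in "Example MCP Tool Usage") before forwarding it.
function checkToolCall(call, policy = POLICY) {
  if (call.name === "list_windows_logs") return { ok: true, call };
  if (call.name !== "get_windows_log_events") {
    return { ok: false, reason: `unknown tool: ${String(call.name)}` };
  }
  const args = call.arguments || {};
  if (typeof args.logName !== "string" || !policy.allowedLogs.has(args.logName)) {
    return { ok: false, reason: `log not allowed: ${String(args.logName)}` };
  }
  // Missing or invalid maxEvents falls back to the cap; larger values are clamped.
  const wanted = Number.isInteger(args.maxEvents) && args.maxEvents > 0
    ? args.maxEvents : policy.maxEvents;
  const maxEvents = Math.min(wanted, policy.maxEvents);
  return { ok: true, call: { ...call, arguments: { ...args, maxEvents } } };
}

// Redaction rules for event message text, applied in order.
const RULES = [
  [/\bS-1-\d+(?:-\d+)+\b/g, "<SID>"],
  [/\b(?:\d{1,3}\.){3}\d{1,3}\b/g, "<IPV4>"],
  [/^([ \t]*(?:Account Name|Account Domain|Workstation Name):[ \t]*)\S.*$/gim,
    "$1<REDACTED>"],
];

function redactMessage(text) {
  return RULES.reduce((out, [pattern, repl]) => out.replace(pattern, repl), text);
}

// Constructed sample in the style of a logon event message (not real data).
const SAMPLE_MESSAGE = [
  "An account was successfully logged on.",
  "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1001",
  "\tAccount Name:\t\tjdoe",
  "\tAccount Domain:\t\tCORP",
  "\tWorkstation Name:\tWKSTN-07",
  "\tSource Network Address:\t192.0.2.10",
].join("\n");

console.log(checkToolCall({ name: "get_windows_log_events",
  arguments: { logName: "Security", maxEvents: 10 } }));
console.log(redactMessage(SAMPLE_MESSAGE));
```

Pattern-based redaction only covers the fields it names, so the output still needs a manual review before it leaves the machine.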