gensecaihq/Wazuh-MCP-Server
If you are the rightful owner of Wazuh-MCP-Server and would like to certify it and/or have it hosted online, please leave a comment on the right or send an email to dayong@mcphub.com.
Wazuh MCP Server is an AI-powered security operations platform that integrates conversational AI with traditional SIEM operations.
Wazuh MCP Server
Production-ready MCP server connecting AI assistants to Wazuh SIEM.
Version 4.0.6 | Wazuh 4.8.0 - 4.14.3 |
Why This MCP Server?
Security teams using Wazuh SIEM generate thousands of alerts, vulnerabilities, and events daily. Analyzing this data requires constant context-switching between dashboards, writing API queries, and manually correlating information.
This MCP server solves that problem by providing a secure bridge between AI assistants (like Claude) and your Wazuh deployment. Query alerts, analyze threats, check agent health, and generate compliance reports—all through natural conversation.
You: "Show me critical alerts from the last 24 hours"
Claude: [Uses get_wazuh_alerts tool] Found 12 critical alerts...
You: "Which agents have unpatched critical vulnerabilities?"
Claude: [Uses get_wazuh_critical_vulnerabilities tool] 3 agents affected...
Take It Further: Autonomous Agentic SOC
Ready to move beyond manual security operations?
Combine this MCP server with Wazuh OpenClaw Autopilot to build a fully autonomous Security Operations Center powered by AI agents.
While this MCP server gives you conversational access to Wazuh, OpenClaw takes it to the next level—deploying AI agents that work around the clock to triage alerts, correlate incidents, and recommend responses without human intervention.
| Capability | What It Does |
|---|---|
| Autonomous Alert Triage | AI agents continuously analyze incoming alerts, prioritize threats, and create structured incident cases |
| Intelligent Correlation | Automatically groups related alerts into attack timelines with blast radius assessment |
| AI-Powered Response Planning | Generates actionable response recommendations with risk scoring |
| Human-in-the-Loop Safety | Critical actions require Slack approval—automation with guardrails |
Traditional SOC: Alert → Analyst reviews → Hours later → Response
Agentic SOC: Alert → AI triages → Seconds later → Response ready for approval
This is the future of security operations. Start with the MCP server, scale to autonomous agents.
Features
| Category | Capabilities |
|---|---|
| MCP Protocol | 100% compliant with MCP 2025-11-25, Streamable HTTP + Legacy SSE |
| Security Tools | 29 specialized tools for alerts, agents, vulnerabilities, compliance |
| Authentication | OAuth 2.0 with DCR, Bearer tokens (JWT), or authless mode |
| Production Ready | Circuit breakers, rate limiting, graceful shutdown, Prometheus metrics |
| Deployment | Docker containerized, multi-platform (AMD64/ARM64), serverless-ready |
| Token Efficiency | Compact output mode reduces responses by ~66% |
29 Security Tools
| Category | Tools |
|---|---|
| Alerts (3) | get_wazuh_alerts, get_wazuh_alert_summary, analyze_alert_patterns |
| Agents (6) | get_wazuh_agents, get_wazuh_running_agents, check_agent_health, get_agent_processes, get_agent_ports, get_agent_configuration |
| Vulnerabilities (3) | get_wazuh_vulnerabilities, get_wazuh_critical_vulnerabilities, get_wazuh_vulnerability_summary |
| Security Analysis (7) | search_security_events, analyze_security_threat, check_ioc_reputation, perform_risk_assessment, get_top_security_threats, generate_security_report, run_compliance_check |
| System (10) | get_wazuh_statistics, get_wazuh_weekly_stats, get_wazuh_cluster_health, get_wazuh_cluster_nodes, get_wazuh_rules_summary, get_wazuh_remoted_stats, get_wazuh_log_collector_stats, search_wazuh_manager_logs, get_wazuh_manager_error_logs, validate_wazuh_connection |
Quick Start
Prerequisites
- Docker 20.10+ with Compose v2.20+
- Wazuh 4.8.0 - 4.14.3 with API access
1. Clone and Configure
git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
cd Wazuh-MCP-Server
cp .env.example .env
Edit .env with your Wazuh credentials:
WAZUH_HOST=https://your-wazuh-server.com
WAZUH_USER=your-api-user
WAZUH_PASS=your-api-password
2. Deploy
python deploy.py
# Or: docker compose up -d
3. Verify
curl http://localhost:3000/health
4. Connect Claude Desktop
- Go to Settings → Connectors → Add custom connector
- Enter:
https://your-server-domain.com/mcp - Add authentication in Advanced settings
Detailed setup:
Configuration
Required Variables
| Variable | Description |
|---|---|
WAZUH_HOST | Wazuh server URL |
WAZUH_USER | API username |
WAZUH_PASS | API password |
Optional Variables
| Variable | Default | Description |
|---|---|---|
WAZUH_PORT | 55000 | API port |
MCP_HOST | 0.0.0.0 | Server bind address |
MCP_PORT | 3000 | Server port |
AUTH_MODE | bearer | oauth, bearer, or none |
AUTH_SECRET_KEY | auto | JWT signing key |
ALLOWED_ORIGINS | https://claude.ai | CORS origins |
REDIS_URL | - | Redis URL for serverless mode |
Wazuh Indexer (Required for vulnerabilities in 4.8.0+)
| Variable | Description |
|---|---|
WAZUH_INDEXER_HOST | Indexer hostname |
WAZUH_INDEXER_PORT | Indexer port (default: 9200) |
WAZUH_INDEXER_USER | Indexer username |
WAZUH_INDEXER_PASS | Indexer password |
API Endpoints
| Endpoint | Description |
|---|---|
/mcp | Recommended - Streamable HTTP (MCP 2025-11-25) |
/sse | Legacy SSE endpoint |
/health | Health check |
/metrics | Prometheus metrics |
/docs | OpenAPI documentation |
/auth/token | Token exchange (bearer mode) |
Documentation
| Guide | Description |
|---|---|
| Claude Desktop setup, authentication modes | |
| HA, serverless, compact mode, MCP compliance | |
| Common issues and solutions | |
| Deployment, monitoring, maintenance | |
| Tool-specific documentation | |
| Security configuration and best practices |
Project Structure
src/wazuh_mcp_server/
├── server.py # MCP server with 29 tools
├── config.py # Configuration management
├── auth.py # JWT authentication
├── oauth.py # OAuth 2.0 with DCR
├── security.py # Rate limiting, CORS
├── monitoring.py # Prometheus metrics
├── resilience.py # Circuit breakers, retries
├── session_store.py # Pluggable sessions
└── api/
├── wazuh_client.py # Wazuh Manager API
└── wazuh_indexer.py # Wazuh Indexer API
Security
- Authentication: JWT tokens, OAuth 2.0 with DCR
- Rate Limiting: Per-client request throttling
- Input Validation: SQL injection and XSS protection
- Container Security: Non-root user, read-only filesystem
# Generate secure API key
openssl rand -hex 32
# Set file permissions
chmod 600 .env
Contributing
We welcome contributions! Please see:
- Issues - Bug reports and feature requests
- Discussions - Questions and ideas
License
MIT License - see
Acknowledgments
- Wazuh - Open source security platform
- Model Context Protocol - AI integration standard
- FastAPI - Python web framework
Contributors
Contributors
| Avatar | Username | Contributions |
|---|---|---|
 | @alokemajumder | Code, Issues, Discussions |
 | @gensecai-dev | Code, Discussions |
 | @aiunmukto | Code, PRs |
 | @Karibusan | Code, Issues, PRs |
 | @lwsinclair | Code, PRs |
 | @taylorwalton | PRs |
 | @MilkyWay88 | PRs |
 | @kanylbullen | Code, PRs |
 | @Uberkarhu | Issues |
 | @cbassonbgroup | Issues |
 | @cybersentinel-06 | Issues |
 | @daod-arshad | Issues |
 | @mamema | Issues |
 | @marcolinux46 | Issues |
 | @matveevandrey | Issues |
 | @punkpeye | Issues |
 | @tonyliu9189 | Issues |
 | @Vasanth120v | Discussions |
 | @gnix45 | Discussions |
 | @melmasry1987 | Discussions |
Auto-updated by
