Wazuh-MCP-Server

gensecaihq/Wazuh-MCP-Server

Wazuh MCP Server is an AI-powered security operations platform that integrates conversational AI with traditional SIEM operations.

Wazuh MCP Server v2.1.0

License: MIT Python 3.11+ Wazuh Compatible FastMCP

A production-ready FastMCP server that connects Wazuh SIEM with Claude Desktop for AI-powered security operations using STDIO transport only.

🌐 Remote Server Edition: Looking for enterprise remote access? Check out v3.0.0 Remote Server Edition with HTTP/SSE transport, Docker deployment, and JWT authentication.

✨ Key Features

  • 🔍 29 Security Tools: Complete FastMCP tool suite for Wazuh integration
  • 🧠 AI-Powered Analysis: Threat analysis, risk assessment, and compliance reporting
  • 💬 Natural Language Queries: Ask Claude "Show me critical vulnerabilities"
  • 📑 STDIO Only: Secure local connection to Claude Desktop - no network setup
  • ⚑ Dual API Support: Intelligent routing between Wazuh Server API and Indexer API
  • 🛡️ Production Ready: Comprehensive health checks, error handling, and security

🚀 Quick Start

Installation

# Clone the repository
git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
cd Wazuh-MCP-Server

# Install in development mode
pip install -e .

# Configure environment
cp .env.example .env
# Edit .env with your settings

# Validate setup
wazuh-mcp-server --check

⚙️ Configuration

Required Wazuh Settings

Edit .env with your Wazuh server details:

# Wazuh Server API Configuration
WAZUH_HOST=your-wazuh-server.com
WAZUH_PORT=55000
WAZUH_USER=your-api-username
WAZUH_PASS=your-secure-password

# Wazuh Indexer Configuration (for 4.8.0+)
WAZUH_INDEXER_HOST=your-wazuh-server.com
WAZUH_INDEXER_PORT=9200
WAZUH_INDEXER_USER=your-indexer-username
WAZUH_INDEXER_PASS=your-indexer-password

# SSL Configuration (Production Ready Defaults)
VERIFY_SSL=true                    # Enable SSL verification
WAZUH_ALLOW_SELF_SIGNED=true      # Allow self-signed certificates

SSL Configuration Options

Scenario      Configuration                                    Use Case
Production    VERIFY_SSL=true + WAZUH_ALLOW_SELF_SIGNED=false  Valid CA certificates
Self-Signed   VERIFY_SSL=true + WAZUH_ALLOW_SELF_SIGNED=true   Self-signed certificates
Development   VERIFY_SSL=false                                 HTTP-only or invalid certificates
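The three SSL scenarios above, as an added example that is not the project's own code: it parses the .env block shown earlier, maps VERIFY_SSL and WAZUH_ALLOW_SELF_SIGNED onto the scenario names, builds the client TLS context each implies, and returns the findings a --check style validator would report. The pinned_cert parameter and the placeholder-password check are this example's assumptions, not documented project behaviour.

```python
import ssl
# Constructed sample mirroring the README's .env layout; not a real host or secret.
SAMPLE_ENV = """
WAZUH_HOST=your-wazuh-server.com
WAZUH_PORT=55000
WAZUH_PASS=your-secure-password
VERIFY_SSL=true                    # Enable SSL verification
WAZUH_ALLOW_SELF_SIGNED=true      # Allow self-signed certificates
"""
def parse_env(text):
    """KEY=VALUE lines; blank lines, comments and inline '# ...' are dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # a '#' inside a value would be cut
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def flag(settings, key, default):
    return settings.get(key, default).strip().lower() in ("1", "true", "yes")

def tls_mode(settings):
    """Map VERIFY_SSL / WAZUH_ALLOW_SELF_SIGNED onto the README's three scenarios."""
    if not flag(settings, "VERIFY_SSL", "true"):
        return "development"
    return "self-signed" if flag(settings, "WAZUH_ALLOW_SELF_SIGNED", "false") else "production"

def build_ssl_context(settings, pinned_cert=None):
    """'self-signed' keeps verification on and anchors trust to a pinned cert file
    (pinned_cert, a hypothetical parameter); only 'development' disables checking."""
    ctx, mode = ssl.create_default_context(), tls_mode(settings)
    if mode == "development":
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif mode == "self-signed" and pinned_cert:
        ctx.load_verify_locations(cafile=pinned_cert)
    return ctx

def config_warnings(settings):
    """Findings a --check style validator should report before connecting."""
    findings, mode = [], tls_mode(settings)
    if mode == "development":
        findings.append("VERIFY_SSL=false: API credentials can be intercepted in transit")
    elif mode == "self-signed":
        findings.append("self-signed certificates allowed: pin the cert or use a CA")
    for key in ("WAZUH_PASS", "WAZUH_INDEXER_PASS"):
        if settings.get(key, "").startswith("your-"):
            findings.append(f"{key} still holds the .env.example placeholder")
    return findings
```

Note that the sample .env, like the README's, places comments on the same line as values, so a password containing '#' would be truncated by this parser.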

🖥️ Claude Desktop Integration

Configuration

Add to Claude Desktop config:

  • Windows: %APPDATA%\Claude\claude_desktop_config.json
  • macOS/Linux: ~/.config/claude/claude_desktop_config.json

{
  "mcpServers": {
    "wazuh": {
      "command": "wazuh-mcp-server",
      "args": []
    }
  }
}

Usage Examples

Once configured, you can interact with Wazuh through Claude Desktop:

🔍 "Show me all critical security alerts from the last 24 hours"
🚨 "What are the top 5 security threats in my environment?"
🛡️ "Run a PCI-DSS compliance check"
📊 "Generate a weekly security report"
🔧 "Check the health of agent web-server-01"
🌐 "Show me vulnerability summary for the last week"

📚 Complete Tool Reference

Alert Management (4 tools)

  • get_wazuh_alerts - Retrieve security alerts with filtering
  • get_wazuh_alert_summary - Alert summaries and statistics
  • analyze_alert_patterns - AI-powered pattern analysis
  • search_security_events - Advanced security event search

Agent Management (6 tools)

  • get_wazuh_agents - Agent information and status
  • get_wazuh_running_agents - Active agents overview
  • check_agent_health - Comprehensive agent health validation
  • get_agent_processes - Running processes per agent
  • get_agent_ports - Open ports and services per agent
  • get_agent_configuration - Detailed agent configuration

Vulnerability Management (3 tools)

  • get_wazuh_vulnerabilities - Comprehensive vulnerability scanning
  • get_wazuh_critical_vulnerabilities - Critical vulnerabilities only
  • get_wazuh_vulnerability_summary - Vulnerability statistics and trends

Security Analysis (6 tools)

  • analyze_security_threat - AI-powered threat indicator analysis
  • check_ioc_reputation - IOC reputation checking against threat feeds
  • perform_risk_assessment - Comprehensive security risk analysis
  • get_top_security_threats - Top threats by severity and frequency
  • generate_security_report - Automated security reporting
  • run_compliance_check - Multi-framework compliance validation

System Monitoring (10 tools)

  • get_wazuh_statistics - Comprehensive system statistics
  • get_wazuh_weekly_stats - Weekly performance and security trends
  • get_wazuh_cluster_health - Cluster health and status monitoring
  • get_wazuh_cluster_nodes - Individual cluster node information
  • get_wazuh_rules_summary - Rule effectiveness and performance
  • get_wazuh_remoted_stats - Agent communication statistics
  • get_wazuh_log_collector_stats - Log collection performance metrics
  • search_wazuh_manager_logs - Manager log search and analysis
  • get_wazuh_manager_error_logs - Error log retrieval and analysis
  • validate_wazuh_connection - Connection validation and diagnostics

📖 Documentation

Complete API Documentation

  • - Comprehensive alert management tools
  • - Agent monitoring and health tools
  • - Vulnerability assessment tools
  • - AI-powered security analysis tools
  • - Infrastructure monitoring tools
  • - Compliance and reporting tools
  • - Advanced log search and analysis

Deployment Guides

  • - Comprehensive installation instructions
  • - Detailed configuration options
  • - Common issues and solutions
  • - Security best practices and hardening

🔧 Command Line Interface

# Start the MCP server (default)
wazuh-mcp-server

# Validate configuration and connectivity
wazuh-mcp-server --check

# Show version information
wazuh-mcp-server --version

# Show help information
wazuh-mcp-server --help

🏗️ Architecture

┌─────────────────┐    STDIO    ┌─────────────────┐    HTTPS   ┌─────────────────┐
│                 │◄──────────► │                 │◄─────────► │                 │
│  Claude Desktop │             │ Wazuh MCP Server│            │   Wazuh SIEM    │
│                 │             │                 │            │                 │
└─────────────────┘             └─────────────────┘            └─────────────────┘
                                         │                              │
                                         │                              │
                                         ▼                              ▼
                                ┌─────────────────┐            ┌─────────────────┐
                                │                 │            │                 │
                                │ FastMCP Runtime │            │ Wazuh Indexer   │
                                │ (29 Tools)      │            │ (OpenSearch)    │
                                │                 │            │                 │
                                └─────────────────┘            └─────────────────┘

🛡️ Security Features

  • 🔐 Secure by Default: SSL/TLS verification enabled by default
  • 🚫 No Network Exposure: STDIO transport only - no HTTP server
  • 🔑 Credential Validation: Strong password requirements and validation
  • 📝 Audit Logging: Comprehensive security event logging
  • ⚑ Rate Limiting: Built-in API rate limiting and connection pooling
  • 🛠️ Error Handling: Graceful error handling and recovery mechanisms

🧪 Testing & Validation

# Install development dependencies
pip install -e ".[dev]"

# Run tests
pytest tests/

# Run security validation
wazuh-mcp-server --check

# Test Claude Desktop integration
# (Configure Claude Desktop and test with natural language queries)

πŸ“Š System Requirements

Minimum Requirements

  • OS: Windows 10+, macOS 10.15+, Linux (any modern distribution)
  • Python: 3.11 or higher
  • RAM: 512MB available memory
  • Network: HTTPS access to Wazuh server

Recommended Requirements

  • Python: 3.12 or higher
  • RAM: 2GB available memory
  • SSL: Valid SSL certificates for production use
  • Monitoring: Centralized logging and monitoring setup

🤝 Contributing

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

📄 License

This project is licensed under the MIT License - see the file for details.

🆘 Support

🏆 Production Ready

This software has been designed for enterprise production use with:

  • ✅ Comprehensive error handling and recovery
  • ✅ Production-grade logging and monitoring
  • ✅ Security hardening and validation
  • ✅ Cross-platform compatibility
  • ✅ Extensive documentation and support
  • ✅ Full test coverage and validation

🚀 Other Editions

Wazuh MCP Remote Server v3.0.0

For enterprise deployments requiring remote access, check out our Remote Server Edition:

  • 🌐 Remote Access: HTTP/SSE transport for cloud and distributed environments
  • 🔐 JWT Authentication: Enterprise-grade Bearer token authentication
  • 🐳 Docker Native: Multi-platform container deployment
  • 📊 Full Monitoring: Prometheus metrics, health checks, and observability
  • ⚑ High Availability: Circuit breakers, retry logic, and load balancing ready
  • 🏢 Enterprise Ready: Perfect for corporate and cloud deployments

→ View Remote Server Edition

Comparison

Feature          v2.1.0 (STDIO)           v3.0.0 (Remote)
Transport        STDIO (local)            HTTP/SSE (remote)
Deployment       Source install           Docker containers
Authentication   Local integration        JWT Bearer tokens
Best For         Direct Claude Desktop    Enterprise/Cloud

Made with ❤️ for the cybersecurity community