lidless-labs

wazuh-mcp

Community lidless-labs
Updated

MCP server for Wazuh SIEM/XDR: query alerts, agents, vulnerabilities, and rules from Claude or any AI client. Read-only.

wazuh-mcp

An MCP server that lets an AI client query your Wazuh SIEM/XDR: alerts, agents, vulnerabilities, rules, and more, read-only.

Website: lidless.dev/wazuh-mcp

wazuh-mcp is a Model Context Protocol (MCP) server for the Wazuh SIEM/XDR platform. It exposes your Wazuh manager and Wazuh Indexer as MCP tools so Claude, Claude Code, or any MCP-compatible client can investigate alerts, triage agents, and pull vulnerability inventory in plain language. It is read-only by design and security-first: TLS verification is on by default, sensitive fields (agent IPs, full logs, file hashes, command lines) are hidden unless you opt in per call, and attacker-controlled SIEM text is wrapped in untrusted-data markers to blunt prompt injection against the calling model.

What it does

wazuh-mcp turns a Wazuh SIEM/XDR deployment into a set of MCP tools an AI agent can call. Point your MCP client at the server, give it your Wazuh manager and (optionally) Wazuh Indexer credentials, and the model can list active and disconnected agents, retrieve and full-text search security alerts, pull vulnerability inventory by CVE or severity, inspect detection rules and decoders, review SCA (Security Configuration Assessment) results, walk system inventory (OS, packages, processes, ports, network, hotfixes), read File Integrity Monitoring and rootcheck findings, fetch manager logs and configuration, and run a connection diagnostic. It ships 28 tools, 3 resources, and 3 guided prompts over stdio. The server only ever reads from Wazuh: the sole writes it performs are JWT authentication against the manager and _search queries against the indexer.

Installation

The quickstart below runs the published npm package with npx, which is the recommended path. To work from source instead:

git clone https://github.com/lidless-labs/wazuh-mcp.git
cd wazuh-mcp
npm install
npm run build

Quickstart

Run it straight from npm with npx, no clone or build required:

{
  "mcpServers": {
    "wazuh": {
      "command": "npx",
      "args": ["-y", "wazuh-mcp"],
      "env": {
        "WAZUH_URL": "https://your-wazuh-manager:55000",
        "WAZUH_USERNAME": "wazuh-wui",
        "WAZUH_PASSWORD": "your-password",
        "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
        "WAZUH_INDEXER_USERNAME": "admin",
        "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
      }
    }
  }
}

Drop that into your MCP client's server config (see Usage for the exact file per client), restart the client, and ask it something like "list the active Wazuh agents" or "search alerts for brute force in the last 24 hours." The indexer settings are optional: without them the agent, rule, decoder, and version tools still work, and the alert and vulnerability tools return a configuration message instead of failing.

Prefer a global install?

npm install -g wazuh-mcp
# then use "command": "wazuh-mcp" instead of the npx invocation above

Usage

The quickstart mcpServers block at the top works for most clients. The per-client recipes below give you the exact file location or CLI command for each.

Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "wazuh": {
      "command": "npx",
      "args": ["-y", "wazuh-mcp"],
      "env": {
        "WAZUH_URL": "https://your-wazuh-manager:55000",
        "WAZUH_USERNAME": "wazuh-wui",
        "WAZUH_PASSWORD": "your-password",
        "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
        "WAZUH_INDEXER_USERNAME": "admin",
        "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
      }
    }
  }
}

Claude Code

claude mcp add wazuh \
  --env WAZUH_URL=https://your-wazuh-manager:55000 \
  --env WAZUH_USERNAME=wazuh-wui \
  --env WAZUH_PASSWORD=your-password \
  --env WAZUH_INDEXER_URL=https://your-wazuh-indexer:9200 \
  --env WAZUH_INDEXER_USERNAME=admin \
  --env WAZUH_INDEXER_PASSWORD=your-indexer-password \
  -- npx -y wazuh-mcp

Add --scope user to make it available from any directory instead of only the current project.

Codex CLI

Codex CLI registers MCP servers via codex mcp add:

codex mcp add wazuh \
  --env WAZUH_URL=https://your-wazuh-manager:55000 \
  --env WAZUH_USERNAME=wazuh-wui \
  --env WAZUH_PASSWORD=your-password \
  --env WAZUH_INDEXER_URL=https://your-wazuh-indexer:9200 \
  --env WAZUH_INDEXER_USERNAME=admin \
  --env WAZUH_INDEXER_PASSWORD=your-indexer-password \
  -- npx -y wazuh-mcp

Codex writes the entry to ~/.codex/config.toml under [mcp_servers.wazuh]. Verify with codex mcp list.

OpenClaw

With the npm package:

openclaw mcp set wazuh '{
  "command": "npx",
  "args": ["-y", "wazuh-mcp"],
  "env": {
    "WAZUH_URL": "https://your-wazuh-manager:55000",
    "WAZUH_USERNAME": "wazuh-wui",
    "WAZUH_PASSWORD": "your-password",
    "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
    "WAZUH_INDEXER_USERNAME": "admin",
    "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
  }
}'

Or, when running from a source checkout, point command/args at the built dist/index.js:

openclaw mcp set wazuh '{
  "command": "node",
  "args": ["/absolute/path/to/wazuh-mcp/dist/index.js"],
  "env": {
    "WAZUH_URL": "https://your-wazuh-manager:55000",
    "WAZUH_USERNAME": "wazuh-wui",
    "WAZUH_PASSWORD": "your-password",
    "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
    "WAZUH_INDEXER_USERNAME": "admin",
    "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
  }
}'

Then restart the gateway so the new server is picked up:

systemctl --user restart openclaw-gateway
openclaw mcp list   # confirm "wazuh" is registered

Hermes Agent

Hermes Agent reads MCP config from ~/.hermes/config.yaml under the mcp_servers key. Add an entry:

mcp_servers:
  wazuh:
    command: "npx"
    args: ["-y", "wazuh-mcp"]
    env:
      WAZUH_URL: "https://your-wazuh-manager:55000"
      WAZUH_USERNAME: "wazuh-wui"
      WAZUH_PASSWORD: "your-password"
      WAZUH_INDEXER_URL: "https://your-wazuh-indexer:9200"
      WAZUH_INDEXER_USERNAME: "admin"
      WAZUH_INDEXER_PASSWORD: "your-indexer-password"

Then reload MCP from inside a Hermes session with /reload-mcp.

Standalone

export WAZUH_URL=https://your-wazuh-manager:55000
export WAZUH_USERNAME=wazuh-wui
export WAZUH_PASSWORD=your-password
npx -y wazuh-mcp

Development

npm run dev    # Watch mode with tsx
npm run lint   # Type checking
npm test       # Run tests

MCP Tools

All 28 tools are read-only.

Agent Tools

Tool Description
list_agents List all agents with optional status filtering (active, disconnected, never_connected, pending)
get_agent Get detailed info for a specific agent by ID
get_agent_stats Get CPU, memory, and disk statistics for an agent

Alert Tools

Tool Description
get_alerts Retrieve recent alerts with filtering by time range, level, agent, rule, and text search
get_alert Retrieve a single alert by ID
search_alerts Full-text search across alerts with optional time range filtering

Vulnerability Tools

Tool Description
list_vulnerabilities List vulnerability inventory with optional CVE, agent, severity, and package filters
search_vulnerabilities Search vulnerability inventory by CVE, package, agent, or description

Rule Tools

Tool Description
list_rules List detection rules with level and group filtering
get_rule Get full rule details including compliance mappings
search_rules Search rules by description text

SCA Tools (Security Configuration Assessment)

Tool Description
get_sca_policies List SCA policies and scores for an agent (CIS benchmarks, etc.)
get_sca_checks Get individual check results with remediation steps and compliance mappings

Syscollector Tools (System Inventory)

Tool Description
get_agent_os Get OS information (name, version, architecture, hostname)
get_agent_packages List installed software packages with versions
get_agent_processes List running processes with PIDs and command lines
get_agent_ports List open network ports with associated processes
get_agent_network List network interfaces and IP addresses
get_agent_hotfixes List installed Windows hotfixes/patches

FIM & Rootcheck Tools

Tool Description
get_fim_files Get File Integrity Monitoring results (files, registry keys, hashes)
get_rootcheck Get rootkit detection scan findings

Manager Tools

Tool Description
get_manager_logs Get Wazuh manager logs filtered by level and module
get_manager_config Get active manager configuration by section with secret-like values redacted by default

Group Tools

Tool Description
list_groups List all agent groups
get_group_agents List agents in a specific group

Other Tools

Tool Description
list_decoders List log decoders with optional name filtering
get_wazuh_version Get Wazuh manager version and API info
diagnose_wazuh_connection Check sanitized configuration, URL/TLS settings, manager auth/version, and indexer readiness

Configuration

Set the following environment variables:

Variable Required Default Description
WAZUH_URL Yes - Wazuh API URL (e.g., https://192.0.2.2:55000)
WAZUH_USERNAME Yes - API username
WAZUH_PASSWORD Yes - API password
WAZUH_VERIFY_SSL No true Verifies SSL certificates by default. Set to false (also accepts 0/no/off) to disable verification for trusted self-signed lab environments only.
WAZUH_TIMEOUT No 30 Request timeout in seconds. Must be a positive integer.
WAZUH_ALLOW_SENSITIVE_CONFIG No false Server-side gate for get_manager_config. When unset/false, sensitive configuration values are always redacted even if the tool's include_sensitive_config argument is true. Set to true (also accepts 1/yes/on) to allow unredacted output when explicitly requested.
WAZUH_MCP_MAX_RESPONSE_BYTES No 250000 Maximum MCP tool response size before returning a truncated preview with metadata.

Alternative variable names WAZUH_BASE_URL and WAZUH_USER are also supported.

Wazuh Indexer (OpenSearch) - Required for Alerts and Vulnerabilities

Wazuh 4.x stores alerts and vulnerability inventory in the Wazuh Indexer (OpenSearch), not the REST API. To enable alert tools (get_alerts, get_alert, search_alerts), vulnerability tools (list_vulnerabilities, search_vulnerabilities), and the wazuh://alerts/recent resource, configure the indexer connection:

Variable Required Default Description
WAZUH_INDEXER_URL No - Wazuh Indexer URL (e.g., https://192.0.2.2:9200)
WAZUH_INDEXER_USERNAME No admin Indexer username
WAZUH_INDEXER_PASSWORD Yes, when WAZUH_INDEXER_URL is set - Indexer password. The server fails fast at startup if WAZUH_INDEXER_URL is set without it.
WAZUH_INDEXER_VERIFY_SSL No true Verifies SSL certificates by default. Set to false (also accepts 0/no/off) to disable verification for trusted self-signed lab environments only.
WAZUH_INDEXER_TIMEOUT No 30 Indexer request timeout in seconds. Must be a positive integer.

If WAZUH_INDEXER_URL is not set, alert and vulnerability tools will return a helpful configuration message. All other tools (agents, rules, decoders, version) work without the indexer.

SSL certificate verification is enabled by default (secure by default). When either SSL verification setting is explicitly set to false, the server prints a startup warning to stderr. TLS verification is disabled only for that configured Wazuh client.

Sensitive Output Defaults

Several tools return minimized output by default to avoid exposing raw logs, IPs, command lines, hashes, or raw event payloads unless requested:

Tool Hidden by default Opt-in field
list_agents, get_agent, get_group_agents Agent IP details include_ip: true
get_alerts, search_alerts full_log include_full_log: true
get_alert full_log, raw data include_full_log: true, include_raw_data: true
list_vulnerabilities, search_vulnerabilities Vulnerability descriptions include_description: true
get_agent_processes Process command lines and arguments include_command: true
get_fim_files MD5 and SHA-256 hashes include_hashes: true
get_manager_logs Full log descriptions include_description: true
get_manager_config Secret-like config values include_sensitive_config: true (only honored when the server-side WAZUH_ALLOW_SENSITIVE_CONFIG flag is enabled; otherwise always redacted)

Untrusted SIEM Content

Alert and log fields originate on monitored endpoints: anyone who can write a log line to a monitored host (a failed SSH login with a crafted username, a web request path, a syslog message) controls the text that lands in full_log, alert rule_description, raw event data, and manager log descriptions. To blunt prompt injection against the calling agent, the server wraps those values in <untrusted_siem_data>...</untrusted_siem_data> markers, includes an output.untrusted_data_note warning in affected responses, and states in the tool descriptions that the content is attacker-influenced data, never instructions to follow.

Input Validation

Tool inputs are validated before requests are sent to Wazuh. Pagination is bounded, search text is length-limited, sort fields are enumerated per tool, and path-oriented identifiers such as agent IDs, alert IDs, group IDs, and SCA policy IDs reject unsupported characters.

Paginated tool responses include a pagination object with total, limit, offset, and has_more fields while preserving the existing top-level total, limit, and offset fields.

Tool responses are capped by WAZUH_MCP_MAX_RESPONSE_BYTES. Oversized responses return valid JSON with output.response_truncated, byte counts, and a preview instead of flooding the MCP client.

Transient manager GET requests and indexer search/readiness requests retry briefly on 429, 502, 503, 504, and common transient network reset or timeout errors.

Features

  • 28 MCP Tools - Agents, alerts, vulnerabilities, rules, decoders, SCA, syscollector, FIM, rootcheck, groups, manager, and diagnostics
  • 3 MCP Resources - Pre-built views for agents, recent alerts, and rule summaries
  • 3 MCP Prompts - Alert investigation, agent health checks, and security overviews
  • Read-only by design - The only writes are JWT auth and indexer _search; no tool changes Wazuh state
  • Secure by default - TLS verification on, sensitive fields redacted unless opted in, untrusted SIEM content delimited, every error sanitized before it reaches the client
  • JWT Authentication - Automatic token management with refresh on expiry
  • Full Compliance Mapping - PCI-DSS, GDPR, HIPAA, NIST 800-53, MITRE ATT&CK
  • Pagination - All list endpoints support limit/offset pagination
  • Type-Safe - Full TypeScript with strict mode and Zod schema validation

Prerequisites

  • Node.js 20+
  • A running Wazuh manager with API access (default port 55000)
  • Wazuh API credentials (username/password)
  • (Optional) Wazuh Indexer (OpenSearch) access for alert queries

MCP Resources

Resource URI Description
wazuh://agents All registered agents and their status
wazuh://alerts/recent 25 most recent security alerts
wazuh://rules/summary Detection rules sorted by severity

MCP Prompts

Prompt Description
investigate-alert Step-by-step alert investigation with MITRE mapping and remediation
agent-health-check Comprehensive agent health assessment (status, resources, alerts)
security-overview Full environment security summary with compliance coverage

Examples

List active agents

Use list_agents with status "active" to see all connected agents.

Investigate a brute force attempt

Search alerts for "brute force" and investigate the top result,
including the MITRE ATT&CK technique and remediation steps.

Check agent health

Run an agent health check on agent 001 - check its connection status,
resource usage, and any recent critical alerts.

Find high-severity rules

List all rules with level 12 or higher to see critical detection rules
and their compliance framework mappings.

Why not the Wazuh dashboard or the raw API?

  • The Wazuh dashboard is built for humans clicking through Kibana-style views. It is great for a SOC analyst at a screen, but an AI agent cannot drive it, and it does not turn natural-language questions into the right manager and indexer queries. wazuh-mcp gives the model typed tools instead.
  • The raw Wazuh REST API + indexer _search can be called directly, but then every agent has to learn JWT auth, the manager-versus-indexer split (alerts and vulnerabilities live in the indexer in Wazuh 4.x), pagination shapes, and which fields are sensitive. wazuh-mcp wraps all of that, validates inputs, caps response size, and sanitizes errors so credentials never leak back to the model.
  • A general "run any HTTP request" tool would technically reach Wazuh, but it hands the model your credentials, no input validation, no read-only guarantee, and no redaction of IPs, hashes, or full logs. This server is deliberately read-only and minimizes sensitive output by default.
  • Writing your own Wazuh MCP shim is reasonable, and the source here is MIT-licensed if you want to fork it. This one already handles auth refresh, the indexer fallback message, untrusted-content delimiting, transient-error retries, and 28 vetted tools.

What wazuh-mcp is not

  • Not a write path. No tool modifies Wazuh state. It cannot restart agents, edit rules, acknowledge alerts, or change configuration. The only writes are JWT authentication and indexer _search queries.
  • Not a replacement for the Wazuh dashboard or SIEM. It is a query surface for AI clients, not an analyst UI, a data store, or an alerting engine.
  • Not a hosted service. It runs locally as a stdio MCP server next to your client. Your Wazuh credentials stay on your machine and in your client's config.
  • Not a guarantee against prompt injection. It delimits attacker-influenced SIEM content and warns the model, which reduces risk but does not eliminate it. Treat tool output as data, not instructions.
  • Not a way to bypass Wazuh access control. It uses the credentials you give it and can see only what that account can see.

Documentation and links

Testing

npm test               # Run all tests
npm run typecheck      # Type-check TypeScript
npm audit --omit=dev   # Audit production dependencies
npm run pack:check     # Verify package contents
npm run test:watch     # Watch mode

Tests use mocked Wazuh API responses - no live Wazuh instance needed.

Project Structure

wazuh-mcp/
├── src/
│   ├── index.ts           # MCP server entry point
│   ├── config.ts          # Environment configuration
│   ├── client.ts          # Wazuh REST API client (JWT auth)
│   ├── indexer-client.ts  # Wazuh Indexer (OpenSearch) client
│   ├── types.ts           # TypeScript type definitions
│   ├── resources.ts       # MCP resource handlers
│   ├── prompts.ts         # MCP prompt templates
│   └── tools/
│       ├── agents.ts      # Agent management tools
│       ├── alerts.ts      # Alert query tools
│       ├── rules.ts       # Rule query tools
│       ├── decoders.ts    # Decoder listing tool
│       ├── version.ts     # Version info tool
│       ├── sca.ts         # Security Configuration Assessment
│       ├── syscollector.ts # System inventory (OS, packages, ports, etc.)
│       ├── syscheck.ts    # File Integrity Monitoring
│       ├── rootcheck.ts   # Rootkit detection
│       ├── manager.ts     # Manager logs and configuration
│       └── groups.ts      # Agent group management
├── tests/
│   ├── client.test.ts     # API client unit tests
│   └── tools.test.ts      # Tool handler unit tests
├── package.json
├── tsconfig.json
├── tsup.config.ts
└── vitest.config.ts

License

MIT. See LICENSE.

MCP Server · Populars

MCP Server · New

    tsouth89

    Toolport

    Local-first MCP gateway. One port for every tool and every AI client: lazy discovery (~90% token savings), tool integrity + quarantine, secrets in the OS keychain.

    Community tsouth89
    Sendmux

    Email Inbox API + Sending by Sendmux

    Official monorepo of SDKs, CLI, and MCP servers for Sendmux email APIs across TypeScript, Python, Go, PHP, Rust, and Ruby.

    Community Sendmux
    ATH-MaaS

    🎨 Pixelle MCP - Omnimodal Agent Framework

    An Open-Source Multimodal AIGC Solution based on ComfyUI + MCP + LLM https://pixelle.ai

    Community ATH-MaaS
    cauldr0nx

    EspoCRM MCP Server

    Opensource MCP Server for EspoCRM

    Community cauldr0nx
    cisco-open

    Network Sketcher

    Network Sketcher is an AI-ready network design tool with Local MCP, Online, and Offline editions for creating network designs and exporting PowerPoint diagrams and Excel-based configuration data.

    Community cisco-open