Skip to content

solomonneas/wazuh-mcp

BranchesTags

Repository files navigation

wazuh-mcp

TypeScript Node.js MCP License: MIT

A Model Context Protocol (MCP) server for the Wazuh SIEM/XDR platform. Query agents, security alerts, detection rules, and decoders directly from Claude or any MCP-compatible client.

Features

  • 25 MCP Tools - Agents, alerts, rules, decoders, SCA, syscollector, FIM, rootcheck, groups, and manager
  • 3 MCP Resources - Pre-built views for agents, recent alerts, and rule summaries
  • 3 MCP Prompts - Alert investigation, agent health checks, and security overviews
  • JWT Authentication - Automatic token management with refresh on expiry
  • Full Compliance Mapping - PCI-DSS, GDPR, HIPAA, NIST 800-53, MITRE ATT&CK
  • Pagination - All list endpoints support limit/offset pagination
  • Type-Safe - Full TypeScript with strict mode and Zod schema validation

Prerequisites

  • Node.js 20+
  • A running Wazuh manager with API access (default port 55000)
  • Wazuh API credentials (username/password)
  • (Optional) Wazuh Indexer (OpenSearch) access for alert queries

Installation

git clone https://github.com/solomonneas/wazuh-mcp.git
cd wazuh-mcp
npm install
npm run build

Configuration

Set the following environment variables:

Variable Required Default Description
WAZUH_URL Yes - Wazuh API URL (e.g., https://10.0.0.2:55000)
WAZUH_USERNAME Yes - API username
WAZUH_PASSWORD Yes - API password
WAZUH_VERIFY_SSL No false Set to true to verify SSL certificates

Alternative variable names WAZUH_BASE_URL and WAZUH_USER are also supported.

Wazuh Indexer (OpenSearch) - Required for Alerts

Wazuh 4.x stores alerts in the Wazuh Indexer (OpenSearch), not the REST API. To enable alert tools (get_alerts, get_alert, search_alerts) and the wazuh://alerts/recent resource, configure the indexer connection:

Variable Required Default Description
WAZUH_INDEXER_URL No - Wazuh Indexer URL (e.g., https://10.0.0.2:9200)
WAZUH_INDEXER_USERNAME No admin Indexer username
WAZUH_INDEXER_PASSWORD No - Indexer password
WAZUH_INDEXER_VERIFY_SSL No false Set to true to verify SSL certificates

If WAZUH_INDEXER_URL is not set, alert tools will return a helpful configuration message. All other tools (agents, rules, decoders, version) work without the indexer.

Usage

Claude Desktop

Add to your Claude Desktop configuration (claude_desktop_config.json):

{
  "mcpServers": {
    "wazuh": {
      "command": "node",
      "args": ["/path/to/wazuh-mcp/dist/index.js"],
      "env": {
        "WAZUH_URL": "https://your-wazuh-manager:55000",
        "WAZUH_USERNAME": "wazuh-wui",
        "WAZUH_PASSWORD": "your-password",
        "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
        "WAZUH_INDEXER_USERNAME": "admin",
        "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
      }
    }
  }
}

OpenClaw

Add to your openclaw.json:

{
  "mcp": {
    "servers": {
      "wazuh": {
        "type": "stdio",
        "command": "node",
        "args": ["/path/to/wazuh-mcp/dist/index.js"],
        "env": {
          "WAZUH_URL": "https://your-wazuh-manager:55000",
          "WAZUH_USERNAME": "wazuh-wui",
          "WAZUH_PASSWORD": "your-password",
          "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
          "WAZUH_INDEXER_USERNAME": "admin",
          "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
        }
      }
    }
  }
}

Standalone

export WAZUH_URL=https://your-wazuh-manager:55000
export WAZUH_USERNAME=wazuh-wui
export WAZUH_PASSWORD=your-password
npm start

Development

npm run dev    # Watch mode with tsx
npm run lint   # Type checking
npm test       # Run tests

MCP Tools

Agent Tools

Tool Description
list_agents List all agents with optional status filtering (active, disconnected, never_connected, pending)
get_agent Get detailed info for a specific agent by ID
get_agent_stats Get CPU, memory, and disk statistics for an agent

Alert Tools

Tool Description
get_alerts Retrieve recent alerts with filtering by level, agent, rule, and text search
get_alert Retrieve a single alert by ID
search_alerts Full-text search across all alerts

Rule Tools

Tool Description
list_rules List detection rules with level and group filtering
get_rule Get full rule details including compliance mappings
search_rules Search rules by description text

SCA Tools (Security Configuration Assessment)

Tool Description
get_sca_policies List SCA policies and scores for an agent (CIS benchmarks, etc.)
get_sca_checks Get individual check results with remediation steps and compliance mappings

Syscollector Tools (System Inventory)

Tool Description
get_agent_os Get OS information (name, version, architecture, hostname)
get_agent_packages List installed software packages with versions
get_agent_processes List running processes with PIDs and command lines
get_agent_ports List open network ports with associated processes
get_agent_network List network interfaces and IP addresses
get_agent_hotfixes List installed Windows hotfixes/patches

FIM & Rootcheck Tools

Tool Description
get_fim_files Get File Integrity Monitoring results (files, registry keys, hashes)
get_rootcheck Get rootkit detection scan findings

Manager Tools

Tool Description
get_manager_logs Get Wazuh manager logs filtered by level and module
get_manager_config Get active manager configuration by section

Group Tools

Tool Description
list_groups List all agent groups
get_group_agents List agents in a specific group

Other Tools

Tool Description
list_decoders List log decoders with optional name filtering
get_wazuh_version Get Wazuh manager version and API info

MCP Resources

Resource URI Description
wazuh://agents All registered agents and their status
wazuh://alerts/recent 25 most recent security alerts
wazuh://rules/summary Detection rules sorted by severity

MCP Prompts

Prompt Description
investigate-alert Step-by-step alert investigation with MITRE mapping and remediation
agent-health-check Comprehensive agent health assessment (status, resources, alerts)
security-overview Full environment security summary with compliance coverage

Examples

List active agents

Use list_agents with status "active" to see all connected agents.

Investigate a brute force attempt

Search alerts for "brute force" and investigate the top result,
including the MITRE ATT&CK technique and remediation steps.

Check agent health

Run an agent health check on agent 001 - check its connection status,
resource usage, and any recent critical alerts.

Find high-severity rules

List all rules with level 12 or higher to see critical detection rules
and their compliance framework mappings.

Testing

npm test              # Run all tests
npm run test:watch    # Watch mode

Tests use mocked Wazuh API responses - no live Wazuh instance needed.

Project Structure

wazuh-mcp/
├── src/
│   ├── index.ts           # MCP server entry point
│   ├── config.ts          # Environment configuration
│   ├── client.ts          # Wazuh REST API client (JWT auth)
│   ├── indexer-client.ts  # Wazuh Indexer (OpenSearch) client
│   ├── types.ts           # TypeScript type definitions
│   ├── resources.ts       # MCP resource handlers
│   ├── prompts.ts         # MCP prompt templates
│   └── tools/
│       ├── agents.ts      # Agent management tools
│       ├── alerts.ts      # Alert query tools
│       ├── rules.ts       # Rule query tools
│       ├── decoders.ts    # Decoder listing tool
│       ├── version.ts     # Version info tool
│       ├── sca.ts         # Security Configuration Assessment
│       ├── syscollector.ts # System inventory (OS, packages, ports, etc.)
│       ├── syscheck.ts    # File Integrity Monitoring
│       ├── rootcheck.ts   # Rootkit detection
│       ├── manager.ts     # Manager logs and configuration
│       └── groups.ts      # Agent group management
├── tests/
│   ├── client.test.ts     # API client unit tests
│   └── tools.test.ts      # Tool handler unit tests
├── package.json
├── tsconfig.json
├── tsup.config.ts
└── vitest.config.ts

License

MIT

About

MCP server for Wazuh SIEM platform integration (TypeScript)

Topics

security log-analysis monitoring mcp siem wazuh ai-agents model-context-protocol

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages