A production-ready FastMCP server that connects Wazuh SIEM with Claude Desktop for AI-powered security operations using STDIO transport only.

Remote Server Edition: Looking for enterprise remote access? Check out v3.0.0 Remote Server Edition with HTTP/SSE transport, Docker deployment, and JWT authentication.

- 29 Security Tools: Complete FastMCP tool suite for Wazuh integration
- AI-Powered Analysis: Threat analysis, risk assessment, and compliance reporting
- Natural Language Queries: Ask Claude "Show me critical vulnerabilities"
- STDIO Only: Secure local connection to Claude Desktop - no network setup
- Dual API Support: Intelligent routing between Wazuh Server API and Indexer API
- Production Ready: Comprehensive health checks, error handling, and security
```bash
# Clone the repository
git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
cd Wazuh-MCP-Server

# Install in development mode
pip install -e .

# Configure environment
cp .env.example .env
# Edit .env with your settings

# Validate setup
wazuh-mcp-server --check
```
Edit `.env` with your Wazuh server details:

```bash
# Wazuh Server API Configuration
WAZUH_HOST=your-wazuh-server.com
WAZUH_PORT=55000
WAZUH_USER=your-api-username
WAZUH_PASS=your-secure-password

# Wazuh Indexer Configuration (for 4.8.0+)
WAZUH_INDEXER_HOST=your-wazuh-server.com
WAZUH_INDEXER_PORT=9200
WAZUH_INDEXER_USER=your-indexer-username
WAZUH_INDEXER_PASS=your-indexer-password

# SSL Configuration (Production Ready Defaults)
VERIFY_SSL=true # Enable SSL verification
WAZUH_ALLOW_SELF_SIGNED=true # Allow self-signed certificates
```
| Scenario | Configuration | Use Case |
|---|---|---|
| Production | `VERIFY_SSL=true` + `WAZUH_ALLOW_SELF_SIGNED=false` | Valid CA certificates |
| Self-Signed | `VERIFY_SSL=true` + `WAZUH_ALLOW_SELF_SIGNED=true` | Self-signed certificates |
| Development | `VERIFY_SSL=false` | HTTP-only or invalid certificates |
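As an added example (not the project's own code), the three scenarios in the table mapped onto an `ssl.SSLContext` by a small `.env` reader that also copes with the trailing `#` comments used in the `.env` sample above. It assumes the Self-Signed scenario is handled by pinning the exported server certificate rather than switching verification off, and that absent keys default to verification on and self-signed off; the `SAMPLE_ENV` values are constructed.

```python
import ssl
from typing import Dict, Optional, Tuple

# Constructed sample .env using the keys documented above (values are assumed).
SAMPLE_ENV = """\
WAZUH_HOST=wazuh.example.internal
WAZUH_PORT=55000
VERIFY_SSL=true # Enable SSL verification
WAZUH_ALLOW_SELF_SIGNED=true # Allow self-signed certificates
"""
TRUE_VALUES = {"1", "true", "yes", "on"}


def parse_env(text: str) -> Dict[str, str]:
    """Read KEY=VALUE lines, dropping blank lines and '#' comments, including the
    trailing comments used in the .env example (a naive reader keeps them)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def env_flag(settings: Dict[str, str], key: str, default: bool) -> bool:
    value = settings.get(key)
    return default if value is None else value.lower() in TRUE_VALUES


def build_tls_policy(settings: Dict[str, str],
                     pinned_cert: Optional[str] = None) -> Tuple[str, ssl.SSLContext]:
    """Map VERIFY_SSL / WAZUH_ALLOW_SELF_SIGNED onto (scenario, ssl.SSLContext).
    Assumed handling of the Self-Signed scenario: verification stays on and only the
    exported server certificate (pinned_cert, PEM path) is trusted, never CERT_NONE.
    Defaults when a key is absent are also assumed: verify on, self-signed off."""
    verify = env_flag(settings, "VERIFY_SSL", default=True)
    self_signed = env_flag(settings, "WAZUH_ALLOW_SELF_SIGNED", default=False)
    if not verify:                        # Development: the server is not authenticated
        ctx = ssl.create_default_context()
        ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
        ctx.verify_mode = ssl.CERT_NONE
        return "Development", ctx
    if self_signed:
        if pinned_cert is None:
            raise ValueError("Self-Signed scenario needs the server certificate to pin")
        return "Self-Signed", ssl.create_default_context(cafile=pinned_cert)
    return "Production", ssl.create_default_context()   # system CA bundle, hostname check
```

Pass the returned context to your HTTPS client (for example `ssl=` on an `aiohttp`/`httpx` session) so the scenario chosen in `.env` is the one actually enforced on the wire.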
Add to Claude Desktop config:

- Windows: `%APPDATA%\Claude\claude_desktop_config.json`
- macOS/Linux: `~/.config/claude/claude_desktop_config.json`

```json
{
  "mcpServers": {
    "wazuh": {
      "command": "wazuh-mcp-server",
      "args": []
    }
  }
}
```
Once configured, you can interact with Wazuh through Claude Desktop:

- "Show me all critical security alerts from the last 24 hours"
- "What are the top 5 security threats in my environment?"
- "Run a PCI-DSS compliance check"
- "Generate a weekly security report"
- "Check the health of agent web-server-01"
- "Show me vulnerability summary for the last week"
Alert Management:

- `get_wazuh_alerts` - Retrieve security alerts with filtering
- `get_wazuh_alert_summary` - Alert summaries and statistics
- `analyze_alert_patterns` - AI-powered pattern analysis
- `search_security_events` - Advanced security event search

Agent Management:

- `get_wazuh_agents` - Agent information and status
- `get_wazuh_running_agents` - Active agents overview
- `check_agent_health` - Comprehensive agent health validation
- `get_agent_processes` - Running processes per agent
- `get_agent_ports` - Open ports and services per agent
- `get_agent_configuration` - Detailed agent configuration

Vulnerability Management:

- `get_wazuh_vulnerabilities` - Comprehensive vulnerability scanning
- `get_wazuh_critical_vulnerabilities` - Critical vulnerabilities only
- `get_wazuh_vulnerability_summary` - Vulnerability statistics and trends

Security Analysis:

- `analyze_security_threat` - AI-powered threat indicator analysis
- `check_ioc_reputation` - IOC reputation checking against threat feeds
- `perform_risk_assessment` - Comprehensive security risk analysis
- `get_top_security_threats` - Top threats by severity and frequency
- `generate_security_report` - Automated security reporting
- `run_compliance_check` - Multi-framework compliance validation

System Monitoring:

- `get_wazuh_statistics` - Comprehensive system statistics
- `get_wazuh_weekly_stats` - Weekly performance and security trends
- `get_wazuh_cluster_health` - Cluster health and status monitoring
- `get_wazuh_cluster_nodes` - Individual cluster node information
- `get_wazuh_rules_summary` - Rule effectiveness and performance
- `get_wazuh_remoted_stats` - Agent communication statistics
- `get_wazuh_log_collector_stats` - Log collection performance metrics
- `search_wazuh_manager_logs` - Manager log search and analysis
- `get_wazuh_manager_error_logs` - Error log retrieval and analysis
- `validate_wazuh_connection` - Connection validation and diagnostics
- Alert Management API - Comprehensive alert management tools
- Agent Management API - Agent monitoring and health tools
- Vulnerability Management API - Vulnerability assessment tools
- Security Analysis API - AI-powered security analysis tools
- System Monitoring API - Infrastructure monitoring tools
- Compliance & Reporting API - Compliance and reporting tools
- Log Management API - Advanced log search and analysis
- Installation Guide - Comprehensive installation instructions
- Configuration Guide - Detailed configuration options
- Troubleshooting Guide - Common issues and solutions
- Security Guide - Security best practices and hardening
```bash
# Start the MCP server (default)
wazuh-mcp-server

# Validate configuration and connectivity
wazuh-mcp-server --check

# Show version information
wazuh-mcp-server --version

# Show help information
wazuh-mcp-server --help
```
```text
┌─────────────────┐  STDIO  ┌─────────────────┐  HTTPS  ┌─────────────────┐
│  Claude Desktop │ ──────► │ Wazuh MCP Server│ ──────► │   Wazuh SIEM    │
└─────────────────┘         └─────────────────┘         └─────────────────┘
                                     │                            │
                                     ▼                            ▼
                            ┌─────────────────┐         ┌─────────────────┐
                            │ FastMCP Runtime │         │  Wazuh Indexer  │
                            │   (29 Tools)    │         │  (OpenSearch)   │
                            └─────────────────┘         └─────────────────┘
```
- Secure by Default: SSL/TLS verification enabled by default
- No Network Exposure: STDIO transport only - no HTTP server
- Credential Validation: Strong password requirements and validation
- Audit Logging: Comprehensive security event logging
- Rate Limiting: Built-in API rate limiting and connection pooling
- Error Handling: Graceful error handling and recovery mechanisms
```bash
# Install development dependencies
pip install -e ".[dev]"

# Run tests
pytest tests/

# Run security validation
wazuh-mcp-server --check

# Test Claude Desktop integration
# (Configure Claude Desktop and test with natural language queries)
```
Minimum:

- OS: Windows 10+, macOS 10.15+, Linux (any modern distribution)
- Python: 3.11 or higher
- RAM: 512MB available memory
- Network: HTTPS access to Wazuh server

Recommended for production:

- Python: 3.12 or higher
- RAM: 2GB available memory
- SSL: Valid SSL certificates for production use
- Monitoring: Centralized logging and monitoring setup
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
- Documentation: Complete documentation
- Issues: GitHub Issues
- Discussions: GitHub Discussions
This software has been designed for enterprise production use with:

- Comprehensive error handling and recovery
- Production-grade logging and monitoring
- Security hardening and validation
- Cross-platform compatibility
- Extensive documentation and support
- Full test coverage and validation
For enterprise deployments requiring remote access, check out our Remote Server Edition:

- Remote Access: HTTP/SSE transport for cloud and distributed environments
- JWT Authentication: Enterprise-grade Bearer token authentication
- Docker Native: Multi-platform container deployment
- Full Monitoring: Prometheus metrics, health checks, and observability
- High Availability: Circuit breakers, retry logic, and load balancing ready
- Enterprise Ready: Perfect for corporate and cloud deployments

View Remote Server Edition
| Feature | v2.1.0 (STDIO) | v3.0.0 (Remote) |
|---|---|---|
| Transport | STDIO (local) | HTTP/SSE (remote) |
| Deployment | Source install | Docker containers |
| Authentication | Local integration | JWT Bearer tokens |
| Best For | Direct Claude Desktop | Enterprise/Cloud |
Made with ❤️ for the cybersecurity community