- Home
- MCP servers
- Wazuh MCP Remote Server
Wazuh MCP Remote Server
- python
112
GitHub Stars
python
Language
6 months ago
First Indexed
2 months ago
Catalog Refreshed
Documentation & install
Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.
You deploy and run a production-ready MCP-compliant remote server that securely connects Wazuh SIEM with external clients using a modern Streamable HTTP transport. It supports multiple MCP protocol versions, JWT authentication, high availability, and containerized deployment across platforms, making it suitable for enterprise-scale security operations.
How to use
You will connect to the MCP remote server from an MCP client using the Streamable HTTP endpoint at /mcp for modern interactions, while keeping backward compatibility with the legacy /sse endpoint for older clients. Start by starting the server in a Docker environment, obtain an API key on startup, exchange it for a JWT token, and then perform authenticated requests to interact with Wazuh as part of your security operations. Use the /health and /metrics endpoints to monitor status and observability.
How to install
Prerequisites you need before installation: Docker 20.10+ with Compose v2.20+, Python 3.9+ (optional for the OS-agnostic deployment script), and a Wazuh deployment version 4.8.0 to 4.14.1 with API access.
Step-by-step installation flow you can follow exactly:
# 1. Clone the project
git clone <your-repository-url>
cd Wazuh-MCP-Server
# 2. Configure environment
cp .env.example .env
# Edit .env to set essential values
# 3. Deploy with Docker (OS-agnostic)
# Option 1: Python deployment script (recommended)
python deploy.py
# Option 2: Platform-specific scripts
./deploy-production.sh
# or use Docker Compose directly
docker compose up -d --wait
# 4. Get authentication token (generated on startup)
docker compose logs wazuh-mcp-remote-server | grep "API key"
# 5. Exchange API key for JWT token
curl -X POST http://localhost:3000/auth/token \
-H "Content-Type: application/json" \
-d '{"api_key": "wazuh_your-generated-api-key"}'
# 6. Verify MCP endpoint
curl -H "Authorization: Bearer your-jwt-token" \
-H "Origin: http://localhost" \
-H "Accept: text/event-stream" \
http://localhost:3000/sse
docker compose ps
curl http://localhost:3000/health
Additional configuration and notes
Configuration and environment details are essential for proper operation and security. The system uses environment variables to connect to Wazuh, configure the MCP server, and manage authentication and CORS. You can customize these values in the .env file prior to deployment.
Configuration and security
Key configuration areas you should know about include the Wazuh connection, MCP server binding, authentication mode, and CORS settings. The setup supports Bearer JWT authentication, OAuth-based flows, or a development-friendly authless mode for local testing. TLS/HTTPS is supported for secure communication, and rate limiting plus input validation protect the service from abuse.
Common environment variables you will encounter include WAZUH_HOST, WAZUH_USER, WAZUH_PASS, MCP_HOST, MCP_PORT, AUTH_SECRET_KEY, and ALLOWED_ORIGINS. You configure these in the .env file to tailor the deployment to your environment.
For serverless scenarios, you can enable Redis-based session storage with a Redis URL and a session TTL to support horizontal scaling and multi-instance deployments.
Troubleshooting
If you encounter connection issues, verify that the service is running, ports are accessible, and the server logs indicate a valid API key is generated on startup. Check the health endpoint and ensure TLS/HTTPS is correctly configured for production use. If the SSE endpoint returns unauthorized, re-authenticate to obtain a fresh JWT token and include it in requests.
Typical commands to diagnose problems include examining docker compose status, checking container logs, and inspecting network availability. You can also verify CORS configuration and ensure the server is reachable via the expected URL.
Notes
This server is designed to be deployed in Docker with multi-platform support, providing Prometheus metrics and health checks for operability and observability. It includes 29 specialized tools and integrates with Claude Desktop through a Connector interface for a smooth, enterprise-grade experience.
Available tools
get_wazuh_alerts
Retrieve security alerts with filtering
get_wazuh_alert_summary
Alert summaries grouped by field
analyze_alert_patterns
Pattern analysis and anomaly detection
search_security_events
Advanced security event search
get_wazuh_agents
Agent information and status
get_wazuh_running_agents
Active agent monitoring
check_agent_health
Agent health status checks
get_agent_processes
Running process inventory
get_agent_ports
Open port monitoring
get_agent_configuration
Agent configuration details
get_wazuh_vulnerabilities
Vulnerability assessments
get_wazuh_critical_vulnerabilities
Critical vulnerability focus
get_wazuh_vulnerability_summary
Vulnerability statistics
analyze_security_threat
AI-powered threat analysis
check_ioc_reputation
IoC reputation checking
perform_risk_assessment
Comprehensive risk analysis
get_top_security_threats
Top threat identification
generate_security_report
Automated security reporting
run_compliance_check
Framework compliance validation
get_wazuh_statistics
Comprehensive system metrics
get_wazuh_weekly_stats
Weekly trend analysis
get_wazuh_cluster_health
Cluster health monitoring
get_wazuh_cluster_nodes
Node status and information
get_wazuh_rules_summary
Rule effectiveness analysis
get_wazuh_remoted_stats
Agent communication statistics
get_wazuh_log_collector_stats
Log collection metrics
search_wazuh_manager_logs
Manager log search
get_wazuh_manager_error_logs
Error log analysis
validate_wazuh_connection
Connection validation