Wazuh MCP Server
Enables AI assistants to query Wazuh security alerts, investigate hosts, detect brute-force attempts, and generate security summaries by connecting to a Wazuh manager.
README
Wazuh MCP Server
A Python-based Model Context Protocol (MCP) server that exposes Wazuh security alerts and agent data to Claude Desktop and other AI assistants.
What This Does
This server connects to your Wazuh manager and provides Claude with 4 security tools:
| Tool | Purpose | Example |
|---|---|---|
| critical_alerts | Get critical security events | "Show all critical alerts from today" |
| investigate_host | Deep dive into a specific system | "Investigate host web-server-01" |
| brute_force_detection | Find login attack attempts | "Which user failed authentication 20 times?" |
| security_summary | High-level overview | "Give me a security summary" |
Quick Start (5 minutes)
1. Prerequisites
- Python 3.8+
- Wazuh manager running and accessible
- Claude Desktop installed
- Wazuh manager credentials (default:
wazuh/wazuh)
2. Setup
# Clone or download this project
cd wazuh-mcp-server
# Run setup script
chmod +x setup.sh
./setup.sh
# Edit configuration
nano .env
# Update WAZUH_HOST to your Wazuh manager IP
3. Test Connection
# Activate environment
source venv/bin/activate
# Run connection test
python3 test_connection.py
You should see:
✓ Connected successfully!
✓ Found 5 agent(s)
✓ Found 23 alert(s)
✅ All tests passed!
4. Connect to Claude Desktop
Edit ~/.claude/claude_desktop_config.json:
macOS/Linux:
nano ~/.claude/claude_desktop_config.json
Windows:
notepad %APPDATA%\Claude\claude_desktop_config.json
Add this configuration:
{
"mcpServers": {
"wazuh": {
"command": "/absolute/path/to/venv/bin/python",
"args": ["/absolute/path/to/wazuh_mcp_server/server.py"],
"env": {
"WAZUH_HOST": "YOUR_WAZUH_IP",
"WAZUH_USER": "wazuh",
"WAZUH_PASS": "wazuh"
}
}
}
}
Get absolute paths:
# Python path
which python3
# /Users/yourname/wazuh-mcp-server/venv/bin/python3
# Server path
pwd
# /Users/yourname/wazuh-mcp-server
5. Restart Claude Desktop
Close and reopen Claude Desktop. You should see "Wazuh Security Tools" in the Tools panel.
6. Try It Out
In Claude Desktop, try:
Show all critical alerts from the last 24 hours
Which hosts are experiencing high alert rates?
Investigate the database server
Detect any brute force attempts
Project Structure
wazuh-mcp-server/
├── server.py # Main MCP server (FastMCP)
├── wazuh_client.py # Wazuh API client
├── requirements.txt # Python dependencies
├── .env.example # Configuration template
├── setup.sh # Automated setup script
├── test_connection.py # Connection verification
└── README.md # This file
Configuration
Edit .env to customize:
WAZUH_HOST=192.168.1.100 # Your Wazuh manager IP
WAZUH_USER=wazuh # API username
WAZUH_PASS=wazuh # API password
Troubleshooting
"Connection refused" or "Network error"
# Check Wazuh manager is running
ssh user@wazuh-ip
sudo systemctl status wazuh-manager
# Verify API port is open
curl -k https://YOUR_WAZUH_IP:55000/security/user/authenticate \
-u wazuh:wazuh
Claude Desktop doesn't show the tools
-
Check config syntax:
python3 -c "import json; json.load(open(expanduser('~/.claude/claude_desktop_config.json')))" # Should return no errors -
Check absolute paths:
- Don't use
~/or.in the config - Use full paths like
/Users/name/...
- Don't use
-
Check logs:
tail -f ~/Library/Logs/Claude/mcp-server.log # macOS # or check Windows Event Viewer for Claude Desktop -
Restart Claude Desktop:
- Close completely
- Reopen
- Wait 5 seconds for MCP to connect
"Authentication failed"
# Verify credentials by testing directly
curl -k https://WAZUH_IP:55000/security/user/authenticate \
-u wazuh:wazuh -X GET
# If 401: wrong credentials
# If 404: endpoint doesn't exist (Wazuh version issue)
# If timeout: firewall blocking
Advanced
Custom Wazuh Queries
The wazuh_client.py supports arbitrary queries:
from wazuh_client import WazuhClient
wazuh = WazuhClient("192.168.1.100")
# Search by rule group
alerts = wazuh.search_logs("rule.group=auth_failure")
# Search by agent
alerts = wazuh.search_logs("agent.name=web-server")
# Search by source IP
alerts = wazuh.search_logs("data.srcip=192.168.1.50")
# Search by user
alerts = wazuh.search_logs("data.user=root")
Adding More Tools
Edit server.py and add a new @app.tool():
@app.tool()
async def my_new_tool(param1: str) -> str:
"""
Tool description shown to Claude.
Args:
param1: Parameter description
Returns:
JSON string with results
"""
# Your code here
return json.dumps({"result": "..."})
Production Considerations
- ✅ Use SSL certificates (not self-signed)
- ✅ Store credentials in HashiCorp Vault or AWS Secrets
- ✅ Rate limit MCP server to prevent abuse
- ✅ Enable audit logging on Wazuh API
- ✅ Create dedicated read-only API user
- ✅ Use network segmentation to isolate Wazuh
Security Notes
⚠️ For Development/Learning:
- Default credentials are
wazuh/wazuh - SSL verification disabled (dev mode)
- Credentials in plaintext in
.env
For Production:
- Change Wazuh credentials immediately
- Use proper SSL certificates
- Store credentials in secure vault
- Create read-only API user with minimal permissions
- Audit all API access
- Network firewall rules to restrict access
API Reference
WazuhClient Methods
# Get alerts
wazuh.get_alerts(level=7, hours=24, limit=100, agent_id=None)
# Get all agents
wazuh.get_agents()
# Get agent details
wazuh.get_agent_details(agent_id="001")
# Search alerts
wazuh.search_logs(query="rule.id=100001", hours=24, limit=50)
# Get alert groups
wazuh.get_alert_groups(hours=24)
Learning Resources
Support
For issues:
- Run
test_connection.pyto diagnose - Check Wazuh logs:
tail -f /var/ossec/logs/ossec.log - Review Claude Desktop logs
- Verify network connectivity between your machine and Wazuh manager
License
MIT
Changelog
v1.0.0 (2026-01-02)
- Initial release
- 4 core tools: critical_alerts, investigate_host, brute_force_detection, security_summary
- Full Wazuh API client
- Claude Desktop integration
- Comprehensive setup guide
Built for learning and security automation 🔍
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.