
mcp-wazuh

MCP Server for Wazuh SIEM

Installation

Run this command in your terminal to add the MCP server to Claude Code:

  claude mcp add --transport stdio gbrigandi-mcp-server-wazuh docker run -i gbrigandi/mcp-wazuh:latest

How to use

The Wazuh MCP Server acts as a bridge between your Wazuh SIEM environment and applications that consume Model Context Protocol (MCP) data. It exposes a range of natural-language friendly endpoints that translate security-centric queries into structured MCP responses, enabling Claude and other MCP-based assistants to request real-time security context from Wazuh. Typical capabilities include querying security alerts and events, inspecting agent health and processes, evaluating vulnerabilities, reviewing rules and configurations, and assessing cluster health and logging compliance. Users can ask for targeted insights such as the latest critical vulnerabilities affecting specific agents, which processes are running on a host, or whether logging coverage meets PCI-DSS requirements, and receive concise, actionable MCP responses.

To interact, you can leverage the predefined MCP commands exposed by the server, such as get_wazuh_alert_summary, get_wazuh_agent_processes, get_wazuh_vulnerability_summary, get_wazuh_cluster_health, and get_wazuh_rules_summary. The system supports cross-component queries (e.g., correlating alerts with agent status and rule effectiveness) and provides structured data suitable for downstream automation, reporting, and audit workflows.

How to install

Prerequisites:

  • Docker installed and running on the host
  • Access to a Wazuh deployment (Indexer/Manager) or a reachable Wazuh API

Option A: Run via Docker (recommended for quick setup)

  1. Pull and run the Wazuh MCP Server image:
     docker run -d --name wazuh-mcp-server -i gbrigandi/mcp-wazuh:latest

  2. Expose the necessary ports if your MCP clients require it (adjust as needed):
     docker run -d -p 8080:8080 --name wazuh-mcp-server -i gbrigandi/mcp-wazuh:latest

  3. Configure environment variables if needed (see Additional notes below) and verify that the server is healthy via its logs:
     docker logs -f wazuh-mcp-server

Option B: Build from source (if you prefer compiling locally)

  1. Ensure the Rust toolchain is installed (MSRV: stable):
     rustup update stable

  2. Clone the repository and build:
     git clone https://github.com/gbrigandi/mcp-server-wazuh.git
     cd mcp-server-wazuh
     cargo build --release

  3. Run the binary with any required arguments or environment settings:
     ./target/release/mcp-server-wazuh

Note: The repository’s exact build and run instructions may vary; adapt commands to match your local setup.

Additional notes

Environment variables and configuration tips:

  • If using Docker, you can pass Wazuh connection details via environment variables (e.g., WAZUH_API_URL, WAZUH_API_TOKEN) depending on how the image is built. Check the image documentation for the exact variable names.
  • Ensure network access between the MCP server container and your Wazuh deployment (Indexer/Manager/API endpoints).
  • For large datasets or high query load, consider enabling paging or query timeouts in the MCP client to avoid long-running requests.
  • If you encounter authentication or permissions errors with Wazuh, verify API credentials and role-based access requirements.
  • When upgrading the MCP server image, re-check compatibility with your existing MCP clients, as response schemas may evolve.
