Wazuh
AI-powered security operations for Wazuh SIEM—use any MCP-compatible client to ask security questions in plain English. Faster threat detection, incident triage, and compliance checks with real-time monitoring and anomaly spotting. Production-ready MCP server for conversational SOC workflows.
claude mcp add --transport stdio gensecaihq-wazuh-mcp-server python -m wazuh_mcp_server.server \
  --env MCP_HOST="Server bind address (default 0.0.0.0)" \
  --env MCP_PORT="Server port (default 3000)" \
  --env AUTH_MODE="Authentication mode: oauth | bearer | none" \
  --env REDIS_URL="Redis URL for serverless mode (optional)" \
  --env WAZUH_HOST="Wazuh API URL" \
  --env WAZUH_PASS="Wazuh API password" \
  --env WAZUH_USER="Wazuh API username" \
  --env ALLOWED_ORIGINS="CORS origins (comma-separated if multiple)" \
  --env AUTH_SECRET_KEY="JWT signing key or secret for bearer/oauth" \
  --env WAZUH_INDEXER_HOST="Indexer hostname (if using Wazuh indexer)" \
  --env WAZUH_INDEXER_PORT="Indexer port (default 9200)"
How to use
This MCP server exposes a conversational interface that bridges AI assistants with your Wazuh SIEM. It provides 48 tools grouped into Alerts, Agents, Vulnerabilities, Security Analysis, System, Active Response, Verification, and Rollback to query alerts, check agent health, inspect vulnerabilities, run security analyses, and perform automated responses via the MCP protocol. You can interact with the server using natural language prompts; for example, ask for critical alerts in the last 24 hours or inquire which agents have unpatched critical vulnerabilities. The server supports both streamable HTTP and legacy SSE, enabling real-time tool outputs to your assistant. To connect Claude Desktop or other clients, point the connector to your MCP endpoint (for example, https://your-server-domain.com/mcp) and configure the appropriate authentication method as described in the Claude Integration guide.
How to install
Prerequisites:
- Python 3.13+ installed on the host
- Optional: Docker and Docker Compose if you prefer containerized deployment
- Access to the Wazuh API (host, user, password) and, if used, Wazuh Indexer
Step 1: Clone the repository
git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
cd Wazuh-MCP-Server
Step 2: Create and populate environment variables
cp .env.example .env
Edit .env to include:
- WAZUH_HOST=<Wazuh API URL>
- WAZUH_USER=<API user>
- WAZUH_PASS=<API password>
- Optional: WAZUH_INDEXER_HOST, WAZUH_INDEXER_PORT, MCP_HOST, MCP_PORT, AUTH_MODE, AUTH_SECRET_KEY, ALLOWED_ORIGINS, REDIS_URL
Step 3: Install dependencies (Python)
pip install -r requirements.txt
Step 4: Run the MCP server
python -m wazuh_mcp_server.server
Step 5: Verify the server is up
curl http://localhost:3000/health
Alternative containerized deployment (Docker):
docker compose up -d
Additional notes
Tips and notes:
- The server adheres to MCP 2025-11-25 spec and supports both streamable HTTP and SSE endpoints. Use /mcp for conversational interactions and /docs for OpenAPI docs.
- If you enable REDIS_URL for serverless mode, ensure Redis is reachable from the MCP server.
- For authentication, choose oauth, bearer, or none via AUTH_MODE. If using oauth, ensure the DCR (Dynamic Client Registration) and related OAuth endpoints are configured.
- The Wazuh Indexer variables are only required when using vulnerability features that rely on the indexer.
- Common issues often involve API connectivity to Wazuh; ensure WAZUH_HOST, WAZUH_USER, and WAZUH_PASS are correct and that the server can reach the Wazuh API from its network location.
- When running in production, enable Prometheus metrics and rate limiting as described in the security features documentation.
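A pre-flight check for the .env file from Step 2, written for this page as an added example (it is not part of the Wazuh MCP Server project). It parses the variables documented above and reports the settings a defender would want to fix before exposing the /mcp endpoint; the variable names and the stated defaults (MCP_HOST 0.0.0.0, MCP_PORT 3000) come from this page, while the rules, the 32-character minimum for AUTH_SECRET_KEY and the sample .env are our own assumptions.

```python
# Added example, not project code: lint a Wazuh MCP Server .env before deployment.
REQUIRED = ("WAZUH_HOST", "WAZUH_USER", "WAZUH_PASS")
DEFAULTS = {"MCP_HOST": "0.0.0.0", "MCP_PORT": "3000"}  # defaults stated on the page
MIN_SECRET_LEN = 32  # our assumption, not a project requirement


def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and # comments are ignored, quotes stripped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            env[key.strip()] = value.strip().strip("'\"")
    return env


def check_env(env):
    """Return a list of findings; an empty list means nothing looked unsafe."""
    cfg = {**DEFAULTS, **env}
    findings = [f"{k} is missing" for k in REQUIRED if not cfg.get(k)]
    mode = cfg.get("AUTH_MODE", "").lower()
    if not mode:
        findings.append("AUTH_MODE is not set; choose oauth, bearer or none explicitly")
    elif mode not in ("oauth", "bearer", "none"):
        findings.append(f"AUTH_MODE={mode!r} is not one of oauth|bearer|none")
    elif mode == "none" and cfg["MCP_HOST"] not in ("127.0.0.1", "localhost"):
        findings.append("AUTH_MODE=none while MCP_HOST binds a non-loopback address")
    elif mode in ("oauth", "bearer") and len(cfg.get("AUTH_SECRET_KEY", "")) < MIN_SECRET_LEN:
        findings.append(f"AUTH_SECRET_KEY is missing or shorter than {MIN_SECRET_LEN} characters")
    if cfg.get("WAZUH_HOST", "").startswith("http://"):
        findings.append("WAZUH_HOST uses plain HTTP; Wazuh API credentials would travel in clear")
    if cfg.get("ALLOWED_ORIGINS", "").strip() == "*":
        findings.append("ALLOWED_ORIGINS=* lets any browser origin call the server")
    return findings


# Constructed sample .env with deliberately weak settings (not a real deployment).
SAMPLE_ENV = """# constructed sample
WAZUH_HOST=http://wazuh.example.internal:55000
WAZUH_USER=wazuh-api
WAZUH_PASS='changeme'
AUTH_MODE=none
ALLOWED_ORIGINS=*
"""

if __name__ == "__main__":
    for finding in check_env(parse_env(SAMPLE_ENV)):
        print("FINDING:", finding)
```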