
wazuh

Repo to hold the Wazuh manager MCP server

Installation
Run this command in your terminal to add the MCP server to Claude Code. Every `--env` value below is a placeholder to replace with your own; note that `claude mcp add` expects the `--env` flags before the server name and the launch command after `--`:

```bash
claude mcp add --transport stdio \
  --env LOG_LEVEL="INFO" \
  --env WAZUH_PROD_URL="https://wazuh-manager.example.internal:55000" \
  --env WAZUH_PROD_USERNAME="<wazuh-api-user>" \
  --env WAZUH_PROD_PASSWORD="<wazuh-api-password>" \
  --env WAZUH_PROD_SSL_VERIFY="true" \
  --env WAZUH_PROD_TIMEOUT="30" \
  --env WAZUH_READ_ONLY="true" \
  --env MCP_SERVER_HOST="127.0.0.1" \
  --env MCP_SERVER_PORT="8000" \
  socfortress-wazuh-mcp-server -- python -m wazuh_mcp_server
```

Environment variables understood by the server:
- LOG_LEVEL: logging level (e.g., INFO, DEBUG)
- WAZUH_PROD_URL: Wazuh Manager API URL
- WAZUH_PROD_USERNAME / WAZUH_PROD_PASSWORD: Wazuh API credentials
- WAZUH_PROD_SSL_VERIFY: SSL certificate verification (true/false)
- WAZUH_PROD_TIMEOUT: request timeout in seconds (e.g., 30)
- WAZUH_READ_ONLY: enable read-only mode (true/false)
- MCP_SERVER_HOST: server host (default 127.0.0.1)
- MCP_SERVER_PORT: server port (default 8000)
- WAZUH_DISABLED_TOOLS: comma-separated list of disabled tools (optional)
- WAZUH_DISABLED_CATEGORIES: comma-separated list of disabled categories (optional)

The credentials passed this way are stored in Claude Code's MCP configuration on disk and may end up in your shell history, so use a dedicated Wazuh API user with the minimum privileges the enabled tools need rather than an administrator account.

How to use

This MCP server integrates a Wazuh SIEM instance with large language models via the MCP (Model Context Protocol). It exposes tools to authenticate with Wazuh, list and filter agents, and fetch port information from specific agents, so an LLM can assist with security analysis and orchestration. You can connect to the server from an MCP client (for example, the LangChain MCP adapters) over HTTP/2 and use the included tools to query agents, their statuses, and network ports. Configuration comes from environment variables, with CLI overrides, and tool filtering lets you restrict which capabilities are exposed in a given environment.

The fastest path is to run the server locally or in your CI/CD environment and wire it into a LangChain workflow to build agents that reason about your Wazuh data. The documented tools are AuthenticateTool (token refresh against the Wazuh API), GetAgentsTool (agent discovery with filtering), and GetAgentPortsTool (per-agent port information); combined with your prompts they support security queries, incident triage, and inventory tasks. Because the LLM decides which tools to call, keep the exposed set as small as the task allows: enable WAZUH_READ_ONLY where no changes are needed, disable tools and categories you do not use, and give the server its own least-privilege Wazuh API user.

How to install

Prerequisites:
- Python 3.11+
- Access to a Wazuh Manager instance (network reachable)
- Git (optional, for cloning)

Installation steps:

1) Clone the repository (or install from PyPI if available):

```bash
git clone https://github.com/socfortress/wazuh-mcp-server.git
cd wazuh-mcp-server
```

2) (Recommended) Create and activate a virtual environment:

```bash
python -m venv .venv
source .venv/bin/activate   # On Windows: .venv\Scripts\activate
```

3) Install in development mode (editable) with dependencies:

```bash
pip install -e ".[dev]"
```

4) Run the server locally (defaults):

```bash
wazuh-mcp-server
# or (alternate):
# python -m wazuh_mcp_server
```

5) Optional: configure environment variables in a .env file or your deployment environment as described in the configuration section.

Additional notes

Environment and configuration tips:
- Ensure WAZUH_PROD_URL, WAZUH_PROD_USERNAME, and WAZUH_PROD_PASSWORD are set with valid Wazuh Manager API credentials.
- Use WAZUH_PROD_SSL_VERIFY=false only in trusted, internal environments and after a proper risk assessment; with verification off, anyone who can intercept the path to the manager can read the API credentials and the JWT.
- You can override defaults at runtime via CLI options such as --host, --port, and --log-level to adapt to your deployment.
- The configuration supports per-environment filtering through WAZUH_DISABLED_TOOLS and WAZUH_DISABLED_CATEGORIES; use them to reduce the tool surface the LLM can reach, and set WAZUH_READ_ONLY=true unless the workflow has to change state.
- For production deployments, enable TLS for the API, keep JWT lifetimes short and refresh tokens through AuthenticateTool rather than reusing long-lived ones, and put a reverse proxy in front of the server for TLS termination.
- When integrating with LangChain, use the provided example to build an agent that invokes GetAgentsTool and GetAgentPortsTool to fetch data for reasoning tasks.
- If you encounter connectivity issues, verify network access from the MCP server host to the Wazuh Manager API (port 55000 by default) and confirm the host/port settings are correct.
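The following is an added example, not code from the wazuh-mcp-server project, showing how the environment settings listed on this page (both the tool-filtering variables described under "How to use" and the configuration tips above) can be turned into a validated configuration plus an explicit allow-list of tools before the server is handed to an LLM. The three documented tools are used as-is; the category labels, the `ModifyAgentTool` entry, and the read-only default are constructed assumptions included only to show what each filter removes, and the validation rules reflect the tips above rather than the project's own checks.

```python
"""Validate Wazuh MCP settings and compute the tool allow-list (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlparse

TRUE_VALUES = {"1", "true", "yes", "on"}

# Constructed catalog: name -> (category, is_read_only).
# The first three are the tools documented on this page; ModifyAgentTool is a
# hypothetical write tool (assumption) that shows what read-only mode drops.
TOOL_CATALOG = {
    "AuthenticateTool": ("auth", True),
    "GetAgentsTool": ("agents", True),
    "GetAgentPortsTool": ("agents", True),
    "ModifyAgentTool": ("agents", False),  # assumption, not a documented tool
}


@dataclass
class Settings:
    url: str
    username: str
    password: str
    ssl_verify: bool = True
    timeout: int = 30
    read_only: bool = True  # secure default chosen for this example
    host: str = "127.0.0.1"
    port: int = 8000
    disabled_tools: set[str] = field(default_factory=set)
    disabled_categories: set[str] = field(default_factory=set)


def _as_bool(value: str | None, default: bool) -> bool:
    if value is None or value.strip() == "":
        return default
    return value.strip().lower() in TRUE_VALUES


def _as_set(value: str | None) -> set[str]:
    return {item.strip() for item in (value or "").split(",") if item.strip()}


def load_settings(env: dict[str, str]) -> Settings:
    """Build Settings from a mapping such as dict(os.environ)."""
    return Settings(
        url=env.get("WAZUH_PROD_URL", ""),
        username=env.get("WAZUH_PROD_USERNAME", ""),
        password=env.get("WAZUH_PROD_PASSWORD", ""),
        ssl_verify=_as_bool(env.get("WAZUH_PROD_SSL_VERIFY"), True),
        timeout=int(env.get("WAZUH_PROD_TIMEOUT", "30")),
        read_only=_as_bool(env.get("WAZUH_READ_ONLY"), True),
        host=env.get("MCP_SERVER_HOST", "127.0.0.1"),
        port=int(env.get("MCP_SERVER_PORT", "8000")),
        disabled_tools=_as_set(env.get("WAZUH_DISABLED_TOOLS")),
        disabled_categories=_as_set(env.get("WAZUH_DISABLED_CATEGORIES")),
    )


def validate(settings: Settings) -> list[str]:
    """Return the list of problems found; an empty list means acceptable."""
    problems = []
    parsed = urlparse(settings.url)
    if parsed.scheme != "https" or not parsed.hostname:
        problems.append("WAZUH_PROD_URL must be an https:// URL with a host")
    if not settings.username or not settings.password:
        problems.append("WAZUH_PROD_USERNAME and WAZUH_PROD_PASSWORD are required")
    if not settings.ssl_verify:
        problems.append("WAZUH_PROD_SSL_VERIFY=false disables certificate checks; "
                        "accept only on a trusted internal network")
    if settings.timeout <= 0:
        problems.append("WAZUH_PROD_TIMEOUT must be a positive number of seconds")
    if settings.host not in ("127.0.0.1", "localhost", "::1"):
        problems.append(f"MCP_SERVER_HOST={settings.host} exposes the server beyond loopback")
    return problems


def allowed_tools(settings: Settings, catalog: dict = TOOL_CATALOG) -> list[str]:
    """Apply read-only mode first, then the category and per-tool deny lists."""
    allowed = []
    for name, (category, is_read_only) in catalog.items():
        if settings.read_only and not is_read_only:
            continue
        if category in settings.disabled_categories or name in settings.disabled_tools:
            continue
        allowed.append(name)
    return allowed


if __name__ == "__main__":
    # Constructed sample environment; values are placeholders.
    sample_env = {
        "WAZUH_PROD_URL": "https://wazuh.example.internal:55000",
        "WAZUH_PROD_USERNAME": "wazuh-readonly",
        "WAZUH_PROD_PASSWORD": "change-me",
        "WAZUH_PROD_SSL_VERIFY": "false",
        "WAZUH_READ_ONLY": "true",
        "WAZUH_DISABLED_TOOLS": "GetAgentPortsTool",
    }
    cfg = load_settings(sample_env)
    for problem in validate(cfg):
        print("WARN:", problem)
    print("tools exposed to the LLM:", allowed_tools(cfg))
```

In a deployment you would call `load_settings(dict(os.environ))` at startup and refuse to serve if `validate()` returns anything you have not explicitly accepted; read-only mode is applied before the deny lists so that a forgotten `WAZUH_DISABLED_TOOLS` entry cannot re-expose a write tool.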
