Wazuh MCP Server
@unmuktoai
About Wazuh MCP Server
AI-powered security operations for Wazuh SIEM—use any MCP-compatible client to ask security questions in plain English. Faster threat detection, incident triage, and compliance checks with real-time monitoring and anomaly spotting. Production-ready MCP server for conversational S
Basic information
Config
Add this server to your MCP-compatible client using the configuration below.
{
"mcpServers": {
"Wazuh-MCP-Server": {
"command": "docker",
"args": [
"compose",
"up",
"-d"
]
}
}
}Tools
No tools detected
We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.
Overview
What is Wazuh MCP Server?
A Model Context Protocol server that turns Wazuh SIEM workflows into natural conversation with any AI assistant. It provides 54 security tools for querying alerts, hunting threats, checking vulnerabilities, triggering active responses, and running compliance checks — through cloud LLMs like Claude or fully local LLMs via Ollama.
How to use Wazuh MCP Server?
Deploy with Docker Compose, configure WAZUH_HOST, WAZUH_USER, and WAZUH_PASS in .env, then connect any MCP-compliant client (Claude Desktop, Open WebUI, mcphost) to the /mcp endpoint. Quick start: git clone, cp .env.example .env, edit, docker compose up -d. For local LLMs, use mcphost with --model ollama/qwen2.5:7b. For multi-user SOC, add as an MCP tool server in Open WebUI Admin Settings.
Key features of Wazuh MCP Server
- 54 security tools across alerts, agents, vulnerabilities, compliance, and active response
- Works with cloud LLMs (Claude, GPT) and local LLMs (Llama, Qwen)
- Fully air-gappable — data never leaves your network with local mode
- RBAC with opt-in
wazuh:writescope for state‑changing tools - Audit logging for every destructive action
- Rate limiting, circuit breakers, and input validation
Use cases of Wazuh MCP Server
- SOC analyst queries critical alerts from the last hour and blocks a malicious IP
- Threat hunter searches for rootkit detections and isolates infected agents
- Compliance officer runs ISO 27001 gap analysis and retrieves control details
- Security engineer checks agent health, open ports, and running processes via chat
- Team investigates vulnerabilities by agent and packages, then generates a security report
FAQ from Wazuh MCP Server
What are the prerequisites?
Docker 20.10+ with Compose v2, and a Wazuh deployment version 4.8.0–4.14.4 with API access enabled.
Can it run fully offline without sending data to the cloud?
Yes. Use a local LLM via Ollama with Open WebUI or mcphost. In this mode no SIEM data leaves your network — fully air-gappable.
How does security work?
RBAC enforces per‑tool scopes (fail‑closed), all destructive actions are audit‑logged, output is sanitized to prevent credential leakage, inputs are validated (regex, shell metacharacter blocking, Elasticsearch DSL), rate limiting uses a sliding window, circuit breakers auto‑recover, and the container runs with non‑root user, read‑only filesystem, and dropped capabilities.
What authentication modes are supported?
Bearer token (default), OAuth 2.0 with Dynamic Client Registration, or authless mode (read‑only unless AUTHLESS_ALLOW_WRITE=true). API keys can be scoped to wazuh:read or wazuh:write.
What Wazuh versions are supported?
Wazuh 4.8.0 through 4.14.4.
More Developer Tools MCP servers
nuxt-mcp / vite-plugin-mcp
antfuMCP server helping models to understand your Vite/Nuxt app better.
Burp Suite MCP Server Extension
PortSwiggerMCP Server for Burp
Unity MCP (Server + Plugin)
IvanMurzakAI Skills, MCP Tools, and CLI for Unity Engine. Full AI develop and test loop. Use cli for quick setup. Efficient token usage, advanced tools. Any C# method may be turned into a tool by a single line. Works with Claude Code, Gemini, Copilot, Cursor and any other absolutely for fr
Huoshan Test
volcengineGolf
golf-mcpProduction-Ready MCP Server Framework • Build, deploy & scale secure AI agent infrastructure • Includes Auth, Observability, Debugger, Telemetry & Runtime • Run real-world MCPs powering AI Agents
Comments