home / mcp / wazuh mcp remote server
Provides a production MCP remote server integrating Wazuh with Streamable HTTP transport for secure, scalable access.
Configuration
View docs{
"mcpServers": {
"gensecaihq-wazuh-mcp-server": {
"url": "http://localhost:3000/mcp",
"headers": {
"MCP_HOST": "0.0.0.0",
"MCP_PORT": "3000",
"AUTH_MODE": "bearer",
"LOG_LEVEL": "INFO",
"WAZUH_HOST": "https://your-wazuh-server.com",
"WAZUH_PASS": "your-api-password",
"WAZUH_PORT": "55000",
"WAZUH_USER": "your-api-user",
"ALLOWED_ORIGINS": "https://claude.ai",
"AUTH_SECRET_KEY": "your-secret-key-here",
"OAUTH_ENABLE_DCR": "true",
"WAZUH_VERIFY_SSL": "false",
"WAZUH_INDEXER_HOST": "localhost",
"WAZUH_INDEXER_PASS": "indexer-pass",
"WAZUH_INDEXER_PORT": "9200",
"WAZUH_INDEXER_USER": "indexer-user"
}
}
}
}You deploy and run a production-ready MCP-compliant remote server that securely connects Wazuh SIEM with external clients using a modern Streamable HTTP transport. It supports multiple MCP protocol versions, JWT authentication, high availability, and containerized deployment across platforms, making it suitable for enterprise-scale security operations.
You will connect to the MCP remote server from an MCP client using the Streamable HTTP endpoint at /mcp for modern interactions, while keeping backward compatibility with the legacy /sse endpoint for older clients. Start by starting the server in a Docker environment, obtain an API key on startup, exchange it for a JWT token, and then perform authenticated requests to interact with Wazuh as part of your security operations. Use the /health and /metrics endpoints to monitor status and observability.
Prerequisites you need before installation: Docker 20.10+ with Compose v2.20+, Python 3.9+ (optional for the OS-agnostic deployment script), and a Wazuh deployment version 4.8.0 to 4.14.1 with API access.
Step-by-step installation flow you can follow exactly:
# 1. Clone the project
git clone <your-repository-url>
cd Wazuh-MCP-Server
# 2. Configure environment
cp .env.example .env
# Edit .env to set essential values
```
```bash
# 3. Deploy with Docker (OS-agnostic)
# Option 1: Python deployment script (recommended)
python deploy.py
# Option 2: Platform-specific scripts
./deploy-production.sh
# or use Docker Compose directly
docker compose up -d --wait
```
```bash
# 4. Get authentication token (generated on startup)
docker compose logs wazuh-mcp-remote-server | grep "API key"
```
```bash
# 5. Exchange API key for JWT token
curl -X POST http://localhost:3000/auth/token \
-H "Content-Type: application/json" \
-d '{"api_key": "wazuh_your-generated-api-key"}'
```
```bash
# 6. Verify MCP endpoint
curl -H "Authorization: Bearer your-jwt-token" \
-H "Origin: http://localhost" \
-H "Accept: text/event-stream" \
http://localhost:3000/sse
docker compose ps
curl http://localhost:3000/healthConfiguration and environment details are essential for proper operation and security. The system uses environment variables to connect to Wazuh, configure the MCP server, and manage authentication and CORS. You can customize these values in the .env file prior to deployment.
Key configuration areas you should know about include the Wazuh connection, MCP server binding, authentication mode, and CORS settings. The setup supports Bearer JWT authentication, OAuth-based flows, or a development-friendly authless mode for local testing. TLS/HTTPS is supported for secure communication, and rate limiting plus input validation protect the service from abuse.
Common environment variables you will encounter include WAZUH_HOST, WAZUH_USER, WAZUH_PASS, MCP_HOST, MCP_PORT, AUTH_SECRET_KEY, and ALLOWED_ORIGINS. You configure these in the .env file to tailor the deployment to your environment.
For serverless scenarios, you can enable Redis-based session storage with a Redis URL and a session TTL to support horizontal scaling and multi-instance deployments.
If you encounter connection issues, verify that the service is running, ports are accessible, and the server logs indicate a valid API key is generated on startup. Check the health endpoint and ensure TLS/HTTPS is correctly configured for production use. If the SSE endpoint returns unauthorized, re-authenticate to obtain a fresh JWT token and include it in requests.
Typical commands to diagnose problems include examining docker compose status, checking container logs, and inspecting network availability. You can also verify CORS configuration and ensure the server is reachable via the expected URL.
This server is designed to be deployed in Docker with multi-platform support, providing Prometheus metrics and health checks for operability and observability. It includes 29 specialized tools and integrates with Claude Desktop through a Connector interface for a smooth, enterprise-grade experience.
Retrieve security alerts with filtering
Alert summaries grouped by field
Pattern analysis and anomaly detection
Advanced security event search
Agent information and status
Active agent monitoring
Agent health status checks
Running process inventory
Open port monitoring
Agent configuration details
Vulnerability assessments
Critical vulnerability focus
Vulnerability statistics
AI-powered threat analysis
IoC reputation checking
Comprehensive risk analysis
Top threat identification
Automated security reporting
Framework compliance validation
Comprehensive system metrics
Weekly trend analysis
Cluster health monitoring
Node status and information
Rule effectiveness analysis
Agent communication statistics
Log collection metrics
Manager log search
Error log analysis
Connection validation