This MCP server provides a straightforward way to query and analyze Wazuh security logs stored in OpenSearch, offering tools for searching alerts, retrieving details, generating statistics, and visualizing trends.
You can run this tool directly using npx without cloning the repository:

```bash
# Run the latest version from GitHub
npx github:jetbalsa/mcp-opensearch-js

# Run with debug mode enabled
npx github:jetbalsa/mcp-opensearch-js --debug

# You can also specify a specific branch or commit
npx github:jetbalsa/mcp-opensearch-js#main
```
To install from source instead:

```bash
git clone https://github.com/jetbalsa/mcp-opensearch-js.git
cd mcp-opensearch-js
npm install
cp .env.example .env
```

Edit the `.env` file with your OpenSearch connection details:

```env
OPENSEARCH_URL=https://your-opensearch-endpoint:9200
OPENSEARCH_USERNAME=your-username
OPENSEARCH_PASSWORD=your-password
DEBUG=false
```
To start the server in stdio mode:

```bash
npm start
```

For detailed debugging information:

```bash
npm run stdio:debug
```

For interactive testing with the FastMCP CLI tool:

```bash
npm run dev
```

For visual debugging with the MCP Inspector:

```bash
npm run inspect
```
The server provides several tools for working with Wazuh security logs:

**searchAlerts**: Search for security alerts in Wazuh data.

Parameters:
- `query`: The search query text
- `timeRange`: Time range (e.g., 1h, 24h, 7d)
- `maxResults`: Maximum number of results to return
- `index`: Index pattern to search

**getAlertDetails**: Get detailed information about a specific alert by ID.

Parameters:
- `id`: The alert ID
- `index`: Index pattern

**alertStatistics**: Get statistics about security alerts.

Parameters:
- `timeRange`: Time range (e.g., 1h, 24h, 7d)
- `field`: Field to aggregate by (e.g., rule.level, agent.name)
- `index`: Index pattern

**visualizeAlertTrend**: Visualize alert trends over time.

Parameters:
- `timeRange`: Time range (e.g., 1h, 24h, 7d)
- `interval`: Time interval for grouping (e.g., 1h, 1d)
- `query`: Query to filter alerts
- `index`: Index pattern

Example session in the FastMCP CLI (`npm run dev`):

```text
> tools
Available tools:
- searchAlerts: Search for security alerts in Wazuh data
- getAlertDetails: Get detailed information about a specific alert by ID
- alertStatistics: Get statistics about security alerts
- visualizeAlertTrend: Visualize alert trends over time

> tools.searchAlerts(query: "rule.level:>10", timeRange: "12h", maxResults: 5)
```
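The following is an added example, not code from the mcp-opensearch-js project, showing how a tool such as `searchAlerts` or `alertStatistics` can translate the parameters listed above into an OpenSearch `_search` request body. The function names, the `wazuh-alerts-*` default index pattern, the `@timestamp` field and the result cap are assumptions made for this illustration; the project's own implementation may differ.

```javascript
// Added example (not the mcp-opensearch-js project's code): building OpenSearch
// request bodies from the tool parameters documented above. Function names,
// the default index pattern, the timestamp field and the caps are assumptions.

const DEFAULT_INDEX = "wazuh-alerts-*"; // assumed default index pattern
const TIMESTAMP_FIELD = "@timestamp";   // assumed timestamp field of the alert documents

// Accept only the short relative forms the tool documents (15m, 24h, 7d, ...),
// so a model-supplied timeRange cannot place arbitrary text in the range clause.
const TIME_RANGE_RE = /^(\d{1,4})([mhd])$/;

function parseTimeRange(timeRange) {
  const m = TIME_RANGE_RE.exec(String(timeRange ?? "").trim());
  if (!m) {
    throw new Error(`invalid timeRange "${timeRange}" (expected e.g. 15m, 24h, 7d)`);
  }
  // OpenSearch date math: "now-24h" selects the last 24 hours relative to now.
  return `now-${m[1]}${m[2]}`;
}

// Clamp the requested size so a single tool call cannot pull a whole index
// through the model context (fallback and upper limit are assumed values).
function clampSize(maxResults, fallback = 10, limit = 100) {
  const n = Number.parseInt(maxResults, 10);
  if (!Number.isFinite(n) || n < 1) return fallback;
  return Math.min(n, limit);
}

// Body for the searchAlerts tool: query_string over the alert documents,
// restricted to the requested time window, newest first.
function buildSearchBody({ query = "*", timeRange = "24h", maxResults = 10 } = {}) {
  return {
    size: clampSize(maxResults),
    sort: [{ [TIMESTAMP_FIELD]: { order: "desc" } }],
    query: {
      bool: {
        must: [{ query_string: { query: String(query) } }],
        filter: [{ range: { [TIMESTAMP_FIELD]: { gte: parseTimeRange(timeRange), lte: "now" } } }],
      },
    },
  };
}

// Body for the alertStatistics tool: no hits, only a terms aggregation on the
// requested field (for example rule.level or agent.name). The field name is
// restricted to plain dotted identifiers before it is placed in the request.
function buildStatsBody({ timeRange = "24h", field = "rule.level", buckets = 10 } = {}) {
  if (!/^[A-Za-z0-9_.@-]+$/.test(field)) {
    throw new Error(`invalid aggregation field "${field}"`);
  }
  return {
    size: 0,
    query: {
      range: { [TIMESTAMP_FIELD]: { gte: parseTimeRange(timeRange), lte: "now" } },
    },
    aggs: {
      by_field: { terms: { field, size: clampSize(buckets) } },
    },
  };
}

// Path and body together, as they would be sent to POST /<index>/_search
// on the endpoint configured in OPENSEARCH_URL.
function buildSearchRequest(params = {}) {
  const index = params.index ?? DEFAULT_INDEX;
  return { path: `/${encodeURIComponent(index)}/_search`, body: buildSearchBody(params) };
}

// Usage: the same call as the CLI session above, rendered as a request body.
console.log(JSON.stringify(buildSearchRequest({ query: "rule.level:>10", timeRange: "12h", maxResults: 5 }), null, 2));
```

The two validation steps are the part worth keeping whatever the real implementation looks like: the tool parameters arrive from a language model, so the time range is matched against a strict pattern rather than concatenated into date math, and the page size is capped so one call cannot dump the index into the conversation.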
Example of calling the server from a Node.js MCP client (the SSE URL assumes the server was started with an SSE transport on port 3000):

```javascript
import { Client } from "@modelcontextprotocol/sdk/client/index.js";
import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";

// Identify this client to the server; no optional capabilities are requested.
const client = new Client(
  {
    name: "example-client",
    version: "1.0.0",
  },
  {
    capabilities: {},
  },
);

// Connect over SSE to a server listening on localhost:3000
const transport = new SSEClientTransport(new URL("http://localhost:3000/sse"));
await client.connect(transport);

// Call a tool: the SDK method is callTool, which takes the tool name and its arguments
const result = await client.callTool({
  name: "searchAlerts",
  arguments: {
    query: "rule.level:>10",
    timeRange: "24h",
    maxResults: 10,
  },
});
console.log(result);
```
There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the `~/.cursor/mcp.json` file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the `.cursor/mcp.json` file.

To add a global MCP server go to Cursor Settings > MCP and click "Add new global MCP server".

When you click that button the `~/.cursor/mcp.json` file will be opened and you can add your server like this:

```json
{
  "mcpServers": {
    "cursor-rules-mcp": {
      "command": "npx",
      "args": [
        "-y",
        "cursor-rules-mcp"
      ]
    }
  }
}
```

To add an MCP server to a project you can create a new `.cursor/mcp.json` file or add it to the existing one. This will look exactly the same as the global MCP server example above.
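As an added example (not a configuration shipped by the project), the same file shape pointed at this server, launched the way the npx command above does. The server entry name `wazuh-opensearch` is arbitrary, and the `env` block assumes the server reads the same variables it documents for `.env` from its process environment:

```json
{
  "mcpServers": {
    "wazuh-opensearch": {
      "command": "npx",
      "args": ["-y", "github:jetbalsa/mcp-opensearch-js"],
      "env": {
        "OPENSEARCH_URL": "https://your-opensearch-endpoint:9200",
        "OPENSEARCH_USERNAME": "your-username",
        "OPENSEARCH_PASSWORD": "your-password",
        "DEBUG": "false"
      }
    }
  }
}
```

Because this file then holds the OpenSearch password, a project-level `.cursor/mcp.json` written this way belongs in `.gitignore`, and the account used should be a read-only one scoped to the alert indices rather than an admin user.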
Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the tools the added MCP server makes available and will call them when it needs to. You can also explicitly ask the agent to use a tool by mentioning the tool name and describing what the function does.