Wazuh MCP server

Integrates with the Wazuh security platform to provide real-time security alerts and event data from Elasticsearch indices for security operations and threat analysis workflows.
Provider: unmukto.ai
Release date: Mar 13, 2025
Language: Python
Stats: 54 stars

The Wazuh MCP Server integrates Wazuh SIEM with Claude Desktop to provide AI-powered security operations. This server acts as a bridge between your Wazuh security platform and Claude's AI capabilities using the STDIO transport method for secure local connections.

Installation Options

Package Installation (Recommended)

# Install the package
pip install wazuh-mcp-server

# Create configuration file
cp .env.example .env
# Edit .env with your Wazuh server details

# Validate configuration
wazuh-mcp-server --check

Development Installation

# Clone the repository
git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
cd Wazuh-MCP-Server

# Install in development mode
pip install -e .

# Configure environment
cp .env.example .env
# Edit .env with your settings

# Validate setup
wazuh-mcp-server --check

Configuration

Wazuh Connection Settings

Edit your .env file with the following details:

# Wazuh Server API Configuration
WAZUH_HOST=your-wazuh-server.com
WAZUH_PORT=55000
WAZUH_USER=your-api-username
WAZUH_PASS=your-secure-password

# Wazuh Indexer Configuration (for 4.8.0+)
WAZUH_INDEXER_HOST=your-wazuh-server.com
WAZUH_INDEXER_PORT=9200
WAZUH_INDEXER_USER=your-indexer-username
WAZUH_INDEXER_PASS=your-indexer-password

# SSL Configuration (Production Ready Defaults)
VERIFY_SSL=true                    # Enable SSL verification
WAZUH_ALLOW_SELF_SIGNED=true       # Allow self-signed certificates (set to false with valid CA certificates, see table below)

SSL Configuration Options

Scenario     Configuration                                     Use Case
-----------  ------------------------------------------------  ---------------------------------
Production   VERIFY_SSL=true + WAZUH_ALLOW_SELF_SIGNED=false   Valid CA certificates
Self-Signed  VERIFY_SSL=true + WAZUH_ALLOW_SELF_SIGNED=true    Self-signed certificates
Development  VERIFY_SSL=false                                  HTTP-only or invalid certificates
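
A pre-flight check for the .env file, classifying it against the scenario table above and flagging leftover placeholder values and loose file permissions. This is an added example, not code from the Wazuh MCP Server project; the function names are hypothetical, and it assumes the settings are written as literal true/false as in the sample .env above.

```python
import re

# Placeholder values exactly as shown in the page's sample .env.
PLACEHOLDERS = {"your-wazuh-server.com", "your-api-username", "your-secure-password",
                "your-indexer-username", "your-indexer-password"}
# Constructed sample input, not a real deployment.
SAMPLE = """\
WAZUH_PASS=your-secure-password
VERIFY_SSL=false   # lab only
WAZUH_ALLOW_SELF_SIGNED=true
"""

def parse_env(text):
    """Parse KEY=VALUE lines; skip comment lines and strip trailing ' # ...'."""
    env = {}
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def tls_scenario(env):
    """Map the two SSL settings onto the scenarios in the page's table."""
    verify = env.get("VERIFY_SSL", "").lower()
    self_signed = env.get("WAZUH_ALLOW_SELF_SIGNED", "").lower()
    if verify == "false":
        return "Development"
    if verify == "true" and self_signed in ("true", "false"):
        return "Self-Signed" if self_signed == "true" else "Production"
    return "Unknown"

def audit(env, mode=None):
    """Return (scenario, findings); mode is os.stat(path).st_mode when known."""
    scenario, findings = tls_scenario(env), []
    if scenario == "Development":
        findings.append("VERIFY_SSL=false: certificate checks are off")
    elif scenario == "Self-Signed":
        findings.append("WAZUH_ALLOW_SELF_SIGNED=true: self-signed certificates accepted")
    elif scenario == "Unknown":
        findings.append("VERIFY_SSL / WAZUH_ALLOW_SELF_SIGNED missing or not true/false")
    findings += [f"{k} still holds a placeholder value"
                 for k, v in sorted(env.items()) if v in PLACEHOLDERS]
    if mode is not None and mode & 0o077:  # any group/other permission bit set
        findings.append(".env is accessible to group/others; restrict to the owner (chmod 600)")
    return scenario, findings

if __name__ == "__main__":
    print(audit(parse_env(SAMPLE)))
```

The permission check applies to POSIX systems; an empty findings list with the Production scenario is the target state for a deployment with CA-issued certificates.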

Claude Desktop Integration

Setting Up Claude Desktop

Add the following to the Claude Desktop configuration file:

  • Windows: %APPDATA%\Claude\claude_desktop_config.json
  • macOS/Linux: ~/.config/claude/claude_desktop_config.json

{
  "mcpServers": {
    "wazuh": {
      "command": "wazuh-mcp-server",
      "args": []
    }
  }
}

Example Queries

Once configured, you can interact with Wazuh through Claude Desktop using natural language:

"Show me all critical security alerts from the last 24 hours"
"What are the top 5 security threats in my environment?"
"Run a PCI-DSS compliance check"
"Generate a weekly security report"
"Check the health of agent web-server-01"
"Show me vulnerability summary for the last week"

Available Tools

Alert Management

  • Get security alerts with filtering
  • Generate alert summaries and statistics
  • Analyze alert patterns with AI
  • Search security events

Agent Management

  • View agent information and status
  • Monitor active agents
  • Check agent health
  • View running processes per agent
  • List open ports and services
  • Access agent configuration

Vulnerability Management

  • Comprehensive vulnerability scanning
  • Critical vulnerability filtering
  • Vulnerability statistics and trends

Security Analysis

  • AI-powered threat analysis
  • IOC reputation checking
  • Risk assessment
  • Top threat identification
  • Security reporting
  • Compliance validation

System Monitoring

  • System statistics
  • Performance trends
  • Cluster health monitoring
  • Rule effectiveness analysis
  • Log collection metrics
  • Connection validation

Command Line Options

# Start the MCP server (default)
wazuh-mcp-server

# Validate configuration and connectivity
wazuh-mcp-server --check

# Show version information
wazuh-mcp-server --version

# Show help information
wazuh-mcp-server --help

System Requirements

Minimum Requirements

  • OS: Windows 10+, macOS 10.15+, Linux (any modern distribution)
  • Python: 3.11 or higher
  • RAM: 512MB available memory
  • Network: HTTPS access to Wazuh server

Recommended Requirements

  • Python: 3.12 or higher
  • RAM: 2GB available memory
  • SSL: Valid SSL certificates for production use
  • Monitoring: Centralized logging and monitoring setup

How to install this MCP server

For Claude Code

To add this MCP server to Claude Code, run this command in your terminal:

claude mcp add-json "wazuh" '{"command":"python","args":["-m","wazuh_mcp_server.app"]}'

See the official Claude Code MCP documentation for more details.

For Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > Tools & Integrations and click "New MCP Server".

When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:

{
    "mcpServers": {
        "wazuh": {
            "command": "python",
            "args": [
                "-m",
                "wazuh_mcp_server.app"
            ]
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the tools the added MCP server provides and will call them when it needs to.

You can also explicitly ask the agent to use the tool by mentioning the tool name and describing what the function does.

For Claude Desktop

To add this MCP server to Claude Desktop:

1. Find your configuration file:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json
  • Linux: ~/.config/Claude/claude_desktop_config.json

2. Add this to your configuration file:

{
    "mcpServers": {
        "wazuh": {
            "command": "python",
            "args": [
                "-m",
                "wazuh_mcp_server.app"
            ]
        }
    }
}

3. Restart Claude Desktop for the changes to take effect
