Wazuh MCP Server

by gbrigandi

A Rust-based server that bridges Wazuh SIEM and applications needing contextual security data, specifically for Claude Desktop integration using the Model Context Protocol (MCP). It transforms Wazuh alerts into a standardized MCP JSON format.

What is Wazuh MCP Server?

The Wazuh MCP Server is a middleware application that connects to the Wazuh API, authenticates, fetches security alerts, transforms them into the standardized MCP JSON format, and exposes them via an HTTP endpoint for clients like Claude Desktop.

How to use Wazuh MCP Server?

To use the server, configure the necessary environment variables (Wazuh API credentials, server port, etc.), build the application using Rust's cargo build command, and run it. Alternatively, use Docker Compose for containerized deployment. Configure your MCP client (e.g., Claude Desktop) to poll the server's /mcp endpoint to receive transformed Wazuh alerts.

Key features of Wazuh MCP Server

  • Wazuh API Integration

  • JWT Authentication with Automatic Token Refresh

  • Alert Retrieval and Transformation to MCP v1.0

  • HTTP Server with /mcp and /health endpoints

  • Configurable via environment variables

  • Containerization with Docker

  • Logging with the tracing library

Use cases of Wazuh MCP Server

  • Providing real-time security context to AI assistants like Claude

  • Integrating Wazuh alerts into applications that require MCP format

  • Centralizing and standardizing security alert data for various consumers

  • Enabling security operations teams to leverage AI for incident response

FAQ about Wazuh MCP Server

What is MCP?

MCP stands for Model Context Protocol, a standardized format for exchanging contextual data between applications.

What Wazuh version is recommended?

Wazuh v4.x is recommended.

How do I configure the server?

Configuration is managed through environment variables, which can be set directly or via a .env file.

How do I run the server in Docker?

Use the provided Dockerfile and docker-compose.yml to build and run the server in a containerized environment.

What happens if the Wazuh API token expires?

The server automatically monitors the JWT validity and re-authenticates when the token expires or is close to expiring.