Wazuh MCP Server: Security-to-LLM Bridge & Real-Time JSON API

Wazuh MCP Server bridges security data from Wazuh to LLMs like Claude Desktop, transforming Elasticsearch alerts into MCP-ready JSON via RESTful API for real-time context delivery.


About Wazuh MCP Server

What is Wazuh MCP Server: Security-to-LLM Bridge & Real-Time JSON API?

The Wazuh MCP Server sits between your Wazuh deployment and AI tools such as Claude Desktop. It authenticates to the Wazuh API, fetches alerts from Wazuh's Elasticsearch indices, converts them into MCP-style JSON that an LLM client can consume, and serves the result from an HTTP endpoint, so an existing security workflow can hand context to an LLM without custom glue code.

How to use Wazuh MCP Server: Security-to-LLM Bridge & Real-Time JSON API?

Let’s break it down step by step:

  1. Set up the foundation: Clone the GitHub repo, create a Python 3.8+ virtual environment, and install the dependencies from requirements.txt.
  2. Configure: Set the environment variables the server reads (WAZUH_HOST, WAZUH_PORT, WAZUH_USER, WAZUH_PASS, VERIFY_SSL, MCP_SERVER_PORT); use a dedicated, read-only Wazuh API account rather than an administrator.
  3. Launch: Run the server and point your AI tool at its /mcp endpoint; alert data is then fetched from Wazuh on each request.

Pro tip: Test the /mcp endpoint with a simple curl request first to confirm the server can reach Wazuh before wiring up Claude Desktop.

Wazuh MCP Server Features

Key Features of Wazuh MCP Server: Security-to-LLM Bridge & Real-Time JSON API

Here’s why this tool stands out:

  • JWT-based authentication: the server logs in to the Wazuh API once with the configured username and password and uses the short-lived JWT it receives for subsequent requests, so the password is not sent on every call.
  • Context-preserving conversion: raw Wazuh alerts are turned into standardized MCP JSON without dropping the alert's context.
  • Error handling: token expiration, network timeouts and malformed data are handled instead of crashing the server.
  • Ready for AI clients: output is pre-formatted for tools like Claude, so no custom scripting is needed on the client side.
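What the conversion step looks like in practice, as an added example written for this page rather than taken from the project: it maps hits from a wazuh-alerts-* Elasticsearch index to flat JSON records, skips malformed hits instead of aborting the batch, and caps raw log text before it can reach a prompt. The output schema, the severity buckets, the function names and the sample response are assumptions of this example; only the source field names are Wazuh's.

```python
# Added example, not code from the Wazuh-MCP-Server project: mapping hits
# from a wazuh-alerts-* Elasticsearch index to the flat JSON records an LLM
# tool consumes. The source field names (timestamp, rule.level, agent.name,
# data.srcip, full_log) are Wazuh's; the output shape, the level-to-severity
# buckets and the sample response below are constructed for this example.
from typing import Any, Dict, List, Tuple


def _get(doc: Any, path: str, default: Any = None) -> Any:
    """Walk a dotted path such as 'rule.mitre.id' without raising on gaps."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def alert_to_message(hit: Dict[str, Any]) -> Dict[str, Any]:
    """Normalize one hit; raises ValueError when required fields are missing."""
    src = hit.get("_source")
    if not isinstance(src, dict):
        raise ValueError("hit has no _source")
    level = _get(src, "rule.level")
    if not isinstance(level, int):
        raise ValueError("rule.level missing or not an integer")
    mitre = _get(src, "rule.mitre.id", [])
    # Bucket thresholds are this example's choice, not a Wazuh standard.
    severity = "critical" if level >= 12 else "high" if level >= 7 else "low"
    return {
        "type": "wazuh_alert",
        "id": hit.get("_id"),
        "timestamp": _get(src, "timestamp"),
        "agent": {"id": _get(src, "agent.id"), "name": _get(src, "agent.name")},
        "rule": {
            "id": _get(src, "rule.id"),
            "level": level,
            "description": _get(src, "rule.description", ""),
            "mitre": mitre if isinstance(mitre, list) else [mitre],
        },
        "severity": severity,
        "source_ip": _get(src, "data.srcip"),
        # Raw log text is untrusted input that will end up inside a prompt:
        # cap its length so one noisy source cannot flood the context window.
        "raw_log": str(_get(src, "full_log") or "")[:500],
    }


def transform_search_response(resp: Dict[str, Any]) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Convert a whole _search response. A malformed hit is reported and
    skipped; it must neither abort the batch nor silently become a bogus record."""
    messages: List[Dict[str, Any]] = []
    errors: List[str] = []
    for hit in _get(resp, "hits.hits", []):
        try:
            messages.append(alert_to_message(hit))
        except ValueError as exc:
            errors.append(f"{hit.get('_id', '?')}: {exc}")
    messages.sort(key=lambda m: m["rule"]["level"], reverse=True)  # worst first
    return messages, errors


# Constructed _search response: two well-formed alerts and one broken hit.
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 3}, "hits": [
        {"_index": "wazuh-alerts-4.x-2024.05.01", "_id": "a1", "_source": {
            "timestamp": "2024-05-01T03:02:11.000+0000",
            "agent": {"id": "001", "name": "web-01"},
            "rule": {"id": "5501", "level": 3, "description": "PAM: Login session opened."},
            "full_log": "May  1 03:02:11 web-01 sshd[4242]: pam_unix(sshd:session): session opened for user deploy"}},
        {"_index": "wazuh-alerts-4.x-2024.05.01", "_id": "a2", "_source": {
            "timestamp": "2024-05-01T03:04:57.000+0000",
            "agent": {"id": "001", "name": "web-01"},
            "rule": {"id": "5712", "level": 10, "description": "sshd: brute force trying to get access to the system.",
                     "mitre": {"id": ["T1110"]}},
            "data": {"srcip": "203.0.113.7"},
            "full_log": "May  1 03:04:57 web-01 sshd[4311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2"}},
        {"_index": "wazuh-alerts-4.x-2024.05.01", "_id": "a3", "_source": {
            "timestamp": "2024-05-01T03:05:00.000+0000", "rule": {"id": "9999"}}},
    ]},
}


def demo() -> Tuple[List[Dict[str, Any]], List[str]]:
    """Runs the transform over the constructed response."""
    return transform_search_response(SAMPLE_RESPONSE)
```

The two design points worth keeping whatever schema you settle on: a hit that fails validation is reported alongside the good ones rather than dropped silently or passed through half-formed, and field access never trusts the document's shape, because the indexer will happily store documents that a decoder or a custom rule produced differently.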

Use Cases for Wazuh MCP Server: Security-to-LLM Bridge & Real-Time JSON API

A typical scenario: your security team sees a spike in alerts at 3 AM. Instead of parsing logs by hand, the MCP Server feeds the current alerts to an LLM, which summarizes them, highlights the critical ones and proposes mitigation steps for an analyst to verify. Teams use this for:

  • Automated incident response workflows
  • Threat hunting with AI assistance
  • Compliance reporting acceleration

Wazuh MCP Server FAQ

FAQ: Wazuh MCP Server – Common Questions Answered

Still have questions? Here’s what you need to know:

  • Q: Does this require a Wazuh license?
    A: No. Wazuh is open source; what you need is a running Wazuh instance whose API and alert indices the server can reach.
  • Q: Can I customize the JSON output?
    A: Yes, but the README does not document a schema file; the field mapping lives in the server's transformation step, so customizing the output means editing that code.
  • Q: What if my network blocks outgoing requests?
    A: The server has to reach the Wazuh API (port 55000 by default) and the alert indices. The documented configuration has no proxy setting, so have that egress allowed explicitly rather than routing around the control.


Wazuh MCP Server

A production-grade, open-source MCP server for integrating Wazuh security data with LLMs (such as the Claude Desktop App). This service authenticates with the Wazuh RESTful API, retrieves alerts from Elasticsearch indices, transforms events into an MCP-compliant JSON format, and exposes an HTTP endpoint for Claude Desktop to fetch real-time security context.

Features

  • JWT-Based Authentication: Securely authenticate with Wazuh using JWT tokens.
  • Alert Retrieval: Query Elasticsearch indices for Wazuh alert data.
  • MCP Message Transformation: Convert security events into standardized MCP messages.
  • Flask HTTP Server: Exposes an /mcp endpoint for Claude Desktop integration.
  • Robust Error Handling: Handles token expiration, network timeouts, and malformed data.
  • Configurable: Easily configure via environment variables and integrate with Claude Desktop via its config file.
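To make the first and fifth feature items concrete, here is an added example (not the project's code) of how a client obtains a Wazuh API JWT with the configured username and password, uses it as a Bearer token, and recovers from token expiration. It also shows what VERIFY_SSL=false does to the TLS connection. The Wazuh API paths and response shapes are the real ones; the Transport interface, the FakeManager and demo() are constructed so the example runs offline.

```python
# Added example, not code from the Wazuh-MCP-Server project: obtaining a Wazuh
# API JWT, sending it as a Bearer token, and re-authenticating once when a
# request returns 401 because the token expired. The paths and response shapes
# are the Wazuh manager API's; the transport interface and the FakeManager that
# lets this run offline are constructed for the example.
import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# (method, url, headers, body) -> (status, body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(verify_ssl: bool) -> Transport:
    """Real HTTPS transport. verify_ssl=False is what VERIFY_SSL=false means:
    certificate checking is off, so anyone on the path can read the login."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return send


class WazuhClient:
    """Minimal client for the Wazuh manager API (port 55000 by default)."""

    def __init__(self, host: str, port: int, user: str, password: str, transport: Transport):
        self.base = f"https://{host}:{port}"
        self._basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._send = transport
        self._token: Optional[str] = None
        self.auth_calls = 0

    def authenticate(self) -> str:
        # The only request that carries the password: HTTP Basic to
        # /security/user/authenticate, which answers with a JWT in data.token.
        status, body = self._send("POST", f"{self.base}/security/user/authenticate",
                                  {"Authorization": f"Basic {self._basic}"}, None)
        if status != 200:
            raise RuntimeError(f"authentication failed: HTTP {status}")
        self._token = json.loads(body)["data"]["token"]
        self.auth_calls += 1
        return self._token

    def get(self, path: str) -> dict:
        """GET with the Bearer token. On 401 (expired token) re-authenticate
        once and retry; a second 401 is an error, not a reason to loop."""
        if self._token is None:
            self.authenticate()
        for attempt in range(2):
            status, body = self._send("GET", f"{self.base}{path}",
                                      {"Authorization": f"Bearer {self._token}"}, None)
            if status == 401 and attempt == 0:
                self.authenticate()
                continue
            if status != 200:
                raise RuntimeError(f"GET {path} failed: HTTP {status}")
            try:
                return json.loads(body)
            except json.JSONDecodeError as exc:
                raise ValueError(f"malformed JSON from {path}") from exc


class FakeManager:
    # Constructed stand-in for a manager: issues numbered tokens and answers
    # the first Bearer request with 401, as it would for an expired token.
    def __init__(self):
        self.issued = 0
        self.expired_once = False

    def __call__(self, method, url, headers, body):
        auth = headers.get("Authorization", "")
        if url.endswith("/security/user/authenticate") and auth.startswith("Basic "):
            self.issued += 1
            return 200, json.dumps({"data": {"token": f"jwt-{self.issued}"}, "error": 0}).encode()
        if auth == "Bearer jwt-1" and not self.expired_once:
            self.expired_once = True
            return 401, b'{"title": "Unauthorized", "detail": "Token expired"}'
        if auth == f"Bearer jwt-{self.issued}":
            data = {"affected_items": [{"id": "001", "name": "web-01"}], "total_affected_items": 1}
            return 200, json.dumps({"data": data, "error": 0}).encode()
        return 401, b'{"title": "Unauthorized"}'


def demo() -> Tuple[int, int]:
    """Returns (authentications performed, active agents reported)."""
    client = WazuhClient("wazuh.example.internal", 55000, "reader", "s3cret", FakeManager())
    agents = client.get("/agents?status=active")
    return client.auth_calls, agents["data"]["total_affected_items"]
```

Against a real manager you would construct the client with urllib_transport(verify_ssl=True) and a CA bundle the manager's certificate chains to; the password leaves the process exactly once per token lifetime, which is the property the JWT feature item is describing.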

Prerequisites

  • Python 3.8+
  • Access to a Wazuh API instance.
  • (Optional) Claude Desktop configured to call the MCP server.

Installation

  1. Clone the repository:

    git clone https://github.com/unmuktoai/Wazuh-MCP-Server.git
    cd Wazuh-MCP-Server

  2. Create and activate a virtual environment:

    python3 -m venv venv
    source venv/bin/activate  # On Windows: venv\Scripts\activate

  3. Install dependencies:

    pip install -r requirements.txt

Configuration

Set the following environment variables to configure the MCP server:

  • WAZUH_HOST: Wazuh server hostname or IP.
  • WAZUH_PORT: Port for the Wazuh API (default: 55000).
  • WAZUH_USER: Wazuh API username. Use a dedicated account with read-only permissions; the server only needs to read alerts.
  • WAZUH_PASS: Wazuh API password.
  • VERIFY_SSL: Set to "true" or "false" (default: false). "false" disables TLS certificate verification for the Wazuh API connection, which lets anyone in the network path intercept the credentials and the alert data; keep it only for a lab, and use "true" with a trusted CA certificate anywhere else.
  • MCP_SERVER_PORT: Port on which the MCP server will run (default: 8000).

Example (MacOS):

export WAZUH_HOST="your_wazuh_server"
export WAZUH_PORT="55000"
export WAZUH_USER="your_username"
export WAZUH_PASS="your_password"
export VERIFY_SSL="false"
export MCP_SERVER_PORT="8000"

Running the Server

Start the MCP server with:

    python wazuh_mcp_server.py

The server listens on all interfaces at the port specified by MCP_SERVER_PORT. The README describes no authentication on the /mcp endpoint, so any host that can reach that port can read the alert feed; restrict it with a host firewall, or bind it to loopback if Claude Desktop runs on the same machine.
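As an added illustration of that last point, not the project's Flask code, the following standard-library stand-in for the /mcp endpoint binds to loopback by default and requires a shared bearer secret before returning the alert feed. MCP_BIND and MCP_SHARED_SECRET are names assumed for this example, and the payload it serves is constructed.

```python
# Added example, not code from the Wazuh-MCP-Server project: a stdlib stand-in
# for the /mcp endpoint that binds to loopback instead of all interfaces and
# checks a shared bearer secret, so an alert feed carrying hostnames, IPs and
# raw log lines is not readable by anything that can route to the port.
# MCP_BIND and MCP_SHARED_SECRET are this example's names, not the project's.
import hmac
import json
import os
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Any, Dict, Optional, Tuple


def make_handler(secret: str, payload: Dict[str, Any]):
    class MCPHandler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def do_GET(self):
            if self.path != "/mcp":
                self.send_error(404)
                return
            presented = self.headers.get("Authorization", "")
            expected = f"Bearer {secret}"
            # Constant-time comparison: no timing oracle on the secret.
            if not hmac.compare_digest(presented.encode(), expected.encode()):
                self.send_response(401)
                self.send_header("WWW-Authenticate", "Bearer")
                self.end_headers()
                return
            body = json.dumps(payload).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return MCPHandler


def start_server(secret: str, payload: Dict[str, Any], bind: str = "127.0.0.1", port: int = 0):
    """Serve in a daemon thread; port 0 lets the OS pick a free port.
    Bind to something other than loopback only behind a reverse proxy that
    terminates TLS and authenticates the caller itself."""
    server = ThreadingHTTPServer((bind, port), make_handler(secret, payload))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port: int, token: Optional[str]) -> Tuple[int, Optional[Dict[str, Any]]]:
    """Client side: GET /mcp on loopback with an optional bearer token."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    req = urllib.request.Request(f"http://127.0.0.1:{port}/mcp", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, None


def demo() -> Dict[str, Any]:
    """Starts the server, exercises the three cases, and tears it down."""
    secret = os.environ.get("MCP_SHARED_SECRET", "example-secret-change-me")
    bind = os.environ.get("MCP_BIND", "127.0.0.1")
    feed = {"messages": [{"type": "wazuh_alert", "rule": {"id": "5712", "level": 10}}]}
    server = start_server(secret, feed, bind=bind)
    try:
        port = server.server_address[1]
        return {
            "bound_to": server.server_address[0],
            "no_token": fetch(port, None)[0],
            "bad_token": fetch(port, "wrong")[0],
            "good": fetch(port, secret),
        }
    finally:
        server.shutdown()
        server.server_close()
```

The same two controls translate directly to the project's Flask server: pass host="127.0.0.1" to app.run() unless a proxy in front of it is doing the authentication, and check a secret the client must present, comparing it with hmac.compare_digest rather than ==.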

Integration with Claude Desktop

To integrate with Claude Desktop, update its configuration file:

  • MacOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%/Claude/claude_desktop_config.json

Add the following entry under mcpServers. Note that this file stores WAZUH_PASS in plaintext, so keep its permissions restricted to your user and use a dedicated, least-privilege Wazuh API account rather than an administrator:

{
  "mcpServers": {
    "mcp-server-wazuh": {
      "command": "python3 /path/to/Wazuh-MCP-Server/wazuh_mcp_server.py",
      "env": {
        "WAZUH_HOST": "your_wazuh_server",
        "WAZUH_PORT": "55000",
        "WAZUH_USER": "your_username",
        "WAZUH_PASS": "your_password",
        "MCP_SERVER_PORT": "8000",
        "VERIFY_SSL": "false"
      }
    }
  }
}

License

This project is licensed under the MIT License.

Contributing

Contributions are welcome! Please open issues or submit pull requests for improvements or bug fixes.
