Wazuh MCP Server
An open-source MCP server for integrating Wazuh security data with LLMs (such as the Claude Desktop App). This service authenticates with the Wazuh RESTful API, retrieves alerts from Elasticsearch indices, transforms events into an MCP-compliant JSON format, and exposes an HTTP endpoint for Claude Desktop to fetch real-time security context.
Overview
Wazuh MCP Server is an open-source server designed to integrate Wazuh security data with large language models (LLMs) like the Claude Desktop App. It authenticates with the Wazuh RESTful API, retrieves alerts from Elasticsearch, transforms events into an MCP-compliant JSON format, and provides an HTTP endpoint for real-time security context.
To use the Wazuh MCP Server, clone the repository, set up a virtual environment, install dependencies, configure environment variables for Wazuh API access, and run the server. Integration with Claude Desktop requires updating its configuration file to include the MCP server details.
- JWT-Based Authentication for secure access to Wazuh.
- Alert Retrieval from Elasticsearch indices.
- Transformation of security events into standardized MCP messages.
- Flask HTTP Server exposing an /mcp endpoint for integration.
- Robust error handling for various issues like token expiration and network timeouts.
- Configurable via environment variables for easy setup.
- Integrating Wazuh security alerts with AI applications.
- Providing real-time security context to LLMs for enhanced decision-making.
- Automating security monitoring and alerting processes.
Add to your AI client
Use these steps to connect Wazuh MCP Server in Cursor, Claude, VS Code, and other MCP-compatible apps.
Cursor
Add this to your .cursor/mcp.json file in your project root, then restart Cursor.
.cursor/mcp.json
{
  "mcpServers": {
    "wazuh-mcp-server-unmuktoai": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-wazuh-mcp-server-unmuktoai"
      ]
    }
  }
}
Claude Desktop
Add this server entry to the mcpServers object in your Claude Desktop config, then restart the app.
~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows)
{
  "mcpServers": {
    "wazuh-mcp-server-unmuktoai": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-wazuh-mcp-server-unmuktoai"
      ]
    }
  }
}
Claude Code
Add this to your project's .mcp.json file. Claude Code will detect it automatically.
.mcp.json (project root)
{
  "mcpServers": {
    "wazuh-mcp-server-unmuktoai": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-wazuh-mcp-server-unmuktoai"
      ]
    }
  }
}
VS Code (Copilot)
Add this to your .vscode/mcp.json file. Requires the GitHub Copilot extension with MCP support enabled.
.vscode/mcp.json
{
  "servers": {
    "wazuh-mcp-server-unmuktoai": {
      "type": "stdio",
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-wazuh-mcp-server-unmuktoai"
      ]
    }
  }
}
Windsurf
Add this to your Windsurf MCP config file, then restart Windsurf.
~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "wazuh-mcp-server-unmuktoai": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-wazuh-mcp-server-unmuktoai"
      ]
    }
  }
}
Cline
Open Cline settings, navigate to MCP Servers, and add this server configuration.
Cline MCP Settings (via UI)
{
  "mcpServers": {
    "wazuh-mcp-server-unmuktoai": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-wazuh-mcp-server-unmuktoai"
      ]
    }
  }
}