An MCP server for the Wazuh SIEM/XDR platform that enables users to query agents, security alerts, detection rules, and decoders through Claude or other MCP clients. It provides specialized tools and prompts for investigating security alerts, performing agent health checks, and generating environmental security overviews.
A Model Context Protocol (MCP) server for the Wazuh SIEM/XDR platform. Query agents, security alerts, detection rules, and decoders directly from Claude or any MCP-compatible client.
```bash
git clone https://github.com/solomonneas/wazuh-mcp.git
cd wazuh-mcp
npm install
npm run build
```
Set the following environment variables:
| Variable | Required | Default | Description |
|---|---|---|---|
| WAZUH_URL | Yes | - | Wazuh API URL (e.g., https://10.0.0.2:55000) |
| WAZUH_USERNAME | Yes | - | API username |
| WAZUH_PASSWORD | Yes | - | API password |
| WAZUH_VERIFY_SSL | No | false | Set to true to verify SSL certificates |
Alternative variable names WAZUH_BASE_URL and WAZUH_USER are also supported.
Wazuh 4.x stores alerts in the Wazuh Indexer (OpenSearch), not the REST API. To enable alert tools (get_alerts, get_alert, search_alerts) and the wazuh://alerts/recent resource, configure the indexer connection:
| Variable | Required | Default | Description |
|---|---|---|---|
| WAZUH_INDEXER_URL | No | - | Wazuh Indexer URL (e.g., https://10.0.0.2:9200) |
| WAZUH_INDEXER_USERNAME | No | admin | Indexer username |
| WAZUH_INDEXER_PASSWORD | No | - | Indexer password |
| WAZUH_INDEXER_VERIFY_SSL | No | false | Set to true to verify SSL certificates |
If WAZUH_INDEXER_URL is not set, alert tools will return a helpful configuration message. All other tools (agents, rules, decoders, version) work without the indexer.
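As an added illustration (not the project's own config.ts), here is how the two variable tables above resolve into a typed configuration, including the WAZUH_BASE_URL and WAZUH_USER aliases and the optional indexer block. Note that both verify-SSL flags default to false, so certificate checking is off unless you set them to true; the empty-string fallback for an unset indexer password is an assumption of this example.

```typescript
// Added example, not the project's own config.ts: resolve settings from the
// README's environment tables, including the WAZUH_BASE_URL / WAZUH_USER aliases
// and the optional indexer block. Takes an env object so it runs offline.
interface WazuhConfig {
  url: string; username: string; password: string; verifySsl: boolean;
  indexer?: { url: string; username: string; password: string; verifySsl: boolean };
}
type Env = Record<string, string | undefined>;

// Only the literal "true" (any case) turns verification on; everything else
// keeps the README default of false, i.e. TLS certificates are not checked.
function parseVerifySsl(value: string | undefined): boolean {
  return (value ?? "").trim().toLowerCase() === "true";
}

// First non-empty value among the given variable names (primary name first).
function firstOf(env: Env, ...names: string[]): string | undefined {
  for (const n of names) {
    const v = env[n]?.trim();
    if (v) return v;
  }
  return undefined;
}

function loadWazuhConfig(env: Env): WazuhConfig {
  const url = firstOf(env, "WAZUH_URL", "WAZUH_BASE_URL");
  const username = firstOf(env, "WAZUH_USERNAME", "WAZUH_USER");
  const password = firstOf(env, "WAZUH_PASSWORD");
  const missing: string[] = [];
  if (!url) missing.push("WAZUH_URL");
  if (!username) missing.push("WAZUH_USERNAME");
  if (!password) missing.push("WAZUH_PASSWORD");
  if (missing.length > 0) {
    throw new Error(`Missing required environment variables: ${missing.join(", ")}`);
  }
  const config: WazuhConfig = {
    url: url!, username: username!, password: password!,
    verifySsl: parseVerifySsl(env.WAZUH_VERIFY_SSL),
  };
  // The indexer is optional: without WAZUH_INDEXER_URL the alert tools stay off.
  const indexerUrl = firstOf(env, "WAZUH_INDEXER_URL");
  if (indexerUrl) {
    config.indexer = {
      url: indexerUrl,
      username: firstOf(env, "WAZUH_INDEXER_USERNAME") ?? "admin", // README default
      password: firstOf(env, "WAZUH_INDEXER_PASSWORD") ?? "",      // assumed: empty when unset
      verifySsl: parseVerifySsl(env.WAZUH_INDEXER_VERIFY_SSL),
    };
  }
  return config;
}
```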
Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
```json
{
  "mcpServers": {
    "wazuh": {
      "command": "wazuh-mcp",
      "env": {
        "WAZUH_URL": "https://your-wazuh-manager:55000",
        "WAZUH_USERNAME": "wazuh-wui",
        "WAZUH_PASSWORD": "your-password",
        "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
        "WAZUH_INDEXER_USERNAME": "admin",
        "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
      }
    }
  }
}
```
```bash
claude mcp add wazuh \
  --env WAZUH_URL=https://your-wazuh-manager:55000 \
  --env WAZUH_USERNAME=wazuh-wui \
  --env WAZUH_PASSWORD=your-password \
  --env WAZUH_INDEXER_URL=https://your-wazuh-indexer:9200 \
  --env WAZUH_INDEXER_USERNAME=admin \
  --env WAZUH_INDEXER_PASSWORD=your-indexer-password \
  -- wazuh-mcp
```
Add --scope user to make it available from any directory instead of only the current project.
If you're running from a source checkout instead of the npm-installed binary, point command/args at the built dist/index.js:
```bash
openclaw mcp set wazuh '{
  "command": "node",
  "args": ["/absolute/path/to/wazuh-mcp/dist/index.js"],
  "env": {
    "WAZUH_URL": "https://your-wazuh-manager:55000",
    "WAZUH_USERNAME": "wazuh-wui",
    "WAZUH_PASSWORD": "your-password",
    "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
    "WAZUH_INDEXER_USERNAME": "admin",
    "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
  }
}'
```
Or, with the global npm install:
```bash
openclaw mcp set wazuh '{
  "command": "wazuh-mcp",
  "env": {
    "WAZUH_URL": "https://your-wazuh-manager:55000",
    "WAZUH_USERNAME": "wazuh-wui",
    "WAZUH_PASSWORD": "your-password",
    "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
    "WAZUH_INDEXER_USERNAME": "admin",
    "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
  }
}'
```
Then restart the OpenClaw gateway so the new server is picked up:
```bash
systemctl --user restart openclaw-gateway
openclaw mcp list   # confirm "wazuh" is registered
```
Hermes Agent reads MCP config from ~/.hermes/config.yaml under the mcp_servers key. Add an entry:
```yaml
mcp_servers:
  wazuh:
    command: "wazuh-mcp"
    env:
      WAZUH_URL: "https://your-wazuh-manager:55000"
      WAZUH_USERNAME: "wazuh-wui"
      WAZUH_PASSWORD: "your-password"
      WAZUH_INDEXER_URL: "https://your-wazuh-indexer:9200"
      WAZUH_INDEXER_USERNAME: "admin"
      WAZUH_INDEXER_PASSWORD: "your-indexer-password"
```
Or, when running from a source checkout instead of the global npm install:
```yaml
mcp_servers:
  wazuh:
    command: "node"
    args: ["/absolute/path/to/wazuh-mcp/dist/index.js"]
    env:
      WAZUH_URL: "https://your-wazuh-manager:55000"
      WAZUH_USERNAME: "wazuh-wui"
      WAZUH_PASSWORD: "your-password"
      WAZUH_INDEXER_URL: "https://your-wazuh-indexer:9200"
      WAZUH_INDEXER_USERNAME: "admin"
      WAZUH_INDEXER_PASSWORD: "your-indexer-password"
```
Then reload MCP from inside a Hermes session:
```
/reload-mcp
```
Codex CLI registers MCP servers via codex mcp add:
```bash
codex mcp add wazuh \
  --env WAZUH_URL=https://your-wazuh-manager:55000 \
  --env WAZUH_USERNAME=wazuh-wui \
  --env WAZUH_PASSWORD=your-password \
  --env WAZUH_INDEXER_URL=https://your-wazuh-indexer:9200 \
  --env WAZUH_INDEXER_USERNAME=admin \
  --env WAZUH_INDEXER_PASSWORD=your-indexer-password \
  -- wazuh-mcp
```
Or, when running from a source checkout:
```bash
codex mcp add wazuh \
  --env WAZUH_URL=https://your-wazuh-manager:55000 \
  --env WAZUH_USERNAME=wazuh-wui \
  --env WAZUH_PASSWORD=your-password \
  -- node /absolute/path/to/wazuh-mcp/dist/index.js
```
Codex writes the entry to ~/.codex/config.toml under [mcp_servers.wazuh]. Verify with:
```bash
codex mcp list
```
```bash
export WAZUH_URL=https://your-wazuh-manager:55000
export WAZUH_USERNAME=wazuh-wui
export WAZUH_PASSWORD=your-password
npm start
```

```bash
npm run dev    # Watch mode with tsx
npm run lint   # Type checking
npm test       # Run tests
```
| Tool | Description |
|---|---|
| list_agents | List all agents with optional status filtering (active, disconnected, never_connected, pending) |
| get_agent | Get detailed info for a specific agent by ID |
| get_agent_stats | Get CPU, memory, and disk statistics for an agent |

| Tool | Description |
|---|---|
| get_alerts | Retrieve recent alerts with filtering by level, agent, rule, and text search |
| get_alert | Retrieve a single alert by ID |
| search_alerts | Full-text search across all alerts |

| Tool | Description |
|---|---|
| list_rules | List detection rules with level and group filtering |
| get_rule | Get full rule details including compliance mappings |
| search_rules | Search rules by description text |

| Tool | Description |
|---|---|
| get_sca_policies | List SCA policies and scores for an agent (CIS benchmarks, etc.) |
| get_sca_checks | Get individual check results with remediation steps and compliance mappings |

| Tool | Description |
|---|---|
| get_agent_os | Get OS information (name, version, architecture, hostname) |
| get_agent_packages | List installed software packages with versions |
| get_agent_processes | List running processes with PIDs and command lines |
| get_agent_ports | List open network ports with associated processes |
| get_agent_network | List network interfaces and IP addresses |
| get_agent_hotfixes | List installed Windows hotfixes/patches |

| Tool | Description |
|---|---|
| get_fim_files | Get File Integrity Monitoring results (files, registry keys, hashes) |
| get_rootcheck | Get rootkit detection scan findings |

| Tool | Description |
|---|---|
| get_manager_logs | Get Wazuh manager logs filtered by level and module |
| get_manager_config | Get active manager configuration by section |

| Tool | Description |
|---|---|
| list_groups | List all agent groups |
| get_group_agents | List agents in a specific group |

| Tool | Description |
|---|---|
| list_decoders | List log decoders with optional name filtering |
| get_wazuh_version | Get Wazuh manager version and API info |

| Resource URI | Description |
|---|---|
| wazuh://agents | All registered agents and their status |
| wazuh://alerts/recent | 25 most recent security alerts |
| wazuh://rules/summary | Detection rules sorted by severity |

| Prompt | Description |
|---|---|
| investigate-alert | Step-by-step alert investigation with MITRE mapping and remediation |
| agent-health-check | Comprehensive agent health assessment (status, resources, alerts) |
| security-overview | Full environment security summary with compliance coverage |
```text
Use list_agents with status "active" to see all connected agents.

Search alerts for "brute force" and investigate the top result,
including the MITRE ATT&CK technique and remediation steps.

Run an agent health check on agent 001 - check its connection status,
resource usage, and any recent critical alerts.

List all rules with level 12 or higher to see critical detection rules
and their compliance framework mappings.
```
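The alert prompts above (a "brute force" text search, a level threshold, a single agent) all end up as a query against the Wazuh Indexer, since that is where Wazuh 4.x keeps alerts. As an added example (not the project's alerts.ts or indexer-client.ts), this builds that OpenSearch request from get_alerts-style filters, with the 25-hit default of wazuh://alerts/recent; the index pattern wazuh-alerts-* and the 500-hit ceiling are assumptions, and the field names are those of Wazuh alert documents.

```typescript
// Added example, not the project's alerts.ts: turn get_alerts-style filters
// into the OpenSearch request the Wazuh Indexer expects. Field names follow
// the wazuh-alerts-* documents (rule.level, rule.id, agent.id, rule.description,
// full_log, timestamp); the index pattern and the 500-hit ceiling are assumed.
interface AlertFilters {
  minLevel?: number; // keep alerts with rule.level >= minLevel
  agentId?: string;  // exact agent id, e.g. "001"
  ruleId?: string;   // exact rule id, e.g. "5712"
  search?: string;   // free-text search, as search_alerts does
  limit?: number;    // defaults to 25, matching wazuh://alerts/recent
}
interface AlertQuery {
  index: string;
  body: {
    size: number;
    sort: Array<Record<string, "desc">>;
    query: { bool: { must: unknown[]; filter: unknown[] } };
  };
}
const ALERT_INDEX = "wazuh-alerts-*"; // assumed default index pattern
const MAX_HITS = 500;                  // assumed ceiling to bound response size

function buildAlertsQuery(f: AlertFilters = {}): AlertQuery {
  const must: unknown[] = [];
  const filter: unknown[] = [];
  if (f.minLevel !== undefined) {
    // Wazuh rule levels are integers from 0 to 16; reject anything else early.
    if (!Number.isInteger(f.minLevel) || f.minLevel < 0 || f.minLevel > 16) {
      throw new RangeError(`invalid rule level: ${f.minLevel}`);
    }
    filter.push({ range: { "rule.level": { gte: f.minLevel } } });
  }
  if (f.agentId !== undefined) {
    // Agent ids are zero-padded digits; a term filter needs the exact string.
    if (!/^\d{3,}$/.test(f.agentId)) throw new RangeError(`invalid agent id: ${f.agentId}`);
    filter.push({ term: { "agent.id": f.agentId } });
  }
  if (f.ruleId !== undefined) filter.push({ term: { "rule.id": f.ruleId } });
  const text = f.search?.trim();
  if (text) {
    // multi_match treats the text as plain words, so client-supplied search
    // strings are never parsed as query_string syntax (wildcards, regex, ranges).
    must.push({ multi_match: { query: text, fields: ["rule.description", "full_log"] } });
  }
  // Newest first, bounded size: the resource view is the 25 most recent alerts.
  const size = Math.min(Math.max(Math.trunc(f.limit ?? 25), 1), MAX_HITS);
  return { index: ALERT_INDEX, body: { size, sort: [{ timestamp: "desc" }], query: { bool: { must, filter } } } };
}
```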
```bash
npm test             # Run all tests
npm run test:watch   # Watch mode
```
Tests use mocked Wazuh API responses - no live Wazuh instance needed.
```text
wazuh-mcp/
├── src/
│   ├── index.ts            # MCP server entry point
│   ├── config.ts           # Environment configuration
│   ├── client.ts           # Wazuh REST API client (JWT auth)
│   ├── indexer-client.ts   # Wazuh Indexer (OpenSearch) client
│   ├── types.ts            # TypeScript type definitions
│   ├── resources.ts        # MCP resource handlers
│   ├── prompts.ts          # MCP prompt templates
│   └── tools/
│       ├── agents.ts       # Agent management tools
│       ├── alerts.ts       # Alert query tools
│       ├── rules.ts        # Rule query tools
│       ├── decoders.ts     # Decoder listing tool
│       ├── version.ts      # Version info tool
│       ├── sca.ts          # Security Configuration Assessment
│       ├── syscollector.ts # System inventory (OS, packages, ports, etc.)
│       ├── syscheck.ts     # File Integrity Monitoring
│       ├── rootcheck.ts    # Rootkit detection
│       ├── manager.ts      # Manager logs and configuration
│       └── groups.ts       # Agent group management
├── tests/
│   ├── client.test.ts      # API client unit tests
│   └── tools.test.ts       # Tool handler unit tests
├── package.json
├── tsconfig.json
├── tsup.config.ts
└── vitest.config.ts
```
MIT
Add this to claude_desktop_config.json and restart Claude Desktop.

```json
{
  "mcpServers": {
    "wazuh-mcp": {
      "command": "npx",
      "args": []
    }
  }
}
```