Wazuh Claude MCP AI SIEM Cybersecurity Integrations

Wazuh MCP Server: Query and Act on Your SIEM with Claude AI

Connect Wazuh to Claude with MCP. Ask about alerts and vulnerabilities in natural language and run actions like isolating servers or killing processes from Claude Code.

AI Security
10 min read
Background

The Wazuh MCP Server is an open-source server that exposes the Wazuh API as tools that Claude can invoke directly through the Model Context Protocol (MCP). With it you can ask "what critical alerts do I have today?" or "isolate this server" in natural language from Claude Code, without remembering API commands or opening the Wazuh dashboard.

What is the Wazuh MCP Server?

The Model Context Protocol (MCP) is the open standard that clients such as Claude use to connect to external services: a server describes the tools it offers, and the model invokes them. The Wazuh MCP Server is an open-source implementation of that protocol in front of the Wazuh API, so each Wazuh operation (listing agents, searching alerts, running an active response) becomes a tool Claude can call directly.

The result: you can open Claude Code and query and act on your infrastructure in natural language. No need to remember API commands, no need to open the dashboard. Real examples:

  • "What critical alerts do I have today?"
  • "What critical unpatched vulnerabilities are there?"
  • "Isolate this server from the network"
  • "Kill the SSH process on all Apache servers"

Claude queries Wazuh in real time and can run active responses directly. It is not just monitoring, it is AI-assisted incident response. That also means the model holds the same power as the Wazuh API user you configure: treat its tool calls like any other privileged automation and review what it proposes before it runs a destructive action such as isolating a host or killing a process.

Video: Wazuh MCP Server with Claude

Wazuh MCP Server: Query and Act with Claude

15 minutes · Full installation and live demo

Access the full video with our Wazuh services at aisecurity.es

How do you clone the Wazuh MCP Server repository?

git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
cd Wazuh-MCP-Server

How do you get the Wazuh credentials for the MCP Server?

The credentials are generated automatically by the Wazuh installation assistant. It packs them into wazuh-install-files.tar in the directory where you ran the installer, so extract that archive first if the wazuh-install-files directory does not exist yet, then print the passwords file:

cat wazuh-install-files/wazuh-passwords.txt

You will need four values from that file, which map onto the .env of the next step:

  • the API username and password (user wazuh by default) → credentials for the Wazuh REST API (port 55000)
  • the indexer username and password (user admin by default) → credentials for the OpenSearch indexer (port 9200)

How do you configure the .env file of the Wazuh MCP Server?

cp .env-example .env

Edit the .env with your data:

WAZUH_HOST=https://YOUR_WAZUH_IP
WAZUH_USER=wazuh
WAZUH_PASS=YOUR_WAZUH_API_PASS
WAZUH_PORT=55000

WAZUH_INDEXER_HOST=YOUR_WAZUH_IP
WAZUH_INDEXER_PORT=9200
WAZUH_INDEXER_USER=admin
WAZUH_INDEXER_PASS=YOUR_INDEXER_PASS

AUTH_MODE=bearer
WAZUH_VERIFY_SSL=false

When should you use AUTH_MODE bearer or none in the Wazuh MCP Server?

  • bearer: The server issues JWT access tokens with an expiration, and every MCP request must carry one. Always recommended, even in local environments.
  • none: No authentication; anyone who can reach port 3000 can query Wazuh and run active responses as the configured API user. Only acceptable for tests on a fully isolated network. Never in production.

What does WAZUH_VERIFY_SSL do and when should you disable it?

Wazuh installs a self-signed TLS certificate by default, so certificate verification fails out of the box. With false the MCP server skips that verification so it can connect; the cost is that it will then accept any certificate, and the API password it sends to port 55000 could be intercepted by anything sitting between the two hosts. Keep it at false only for a lab where the MCP server and Wazuh share a host or a trusted network. The better fix is to make the installer's root CA (root-ca.pem in wazuh-install-files) trusted on the machine running the MCP server, or to replace the Wazuh certificate with one signed by a CA you already trust, and then set the value to true.

How do you start the Wazuh MCP Server?

docker compose up -d

How do you get the Wazuh MCP Server API Key?

The server generates an API key at startup and prints it to the container logs:

docker compose logs

Look for a line containing a value in this format:

wazuh_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

This key is the credential that mints access tokens, so treat it as a secret: anyone who can read the container logs (or the Docker socket) has it.

How do you get the Wazuh Access Token to authenticate the MCP Server?

With the API key, request a JWT access token from the server's /auth/token endpoint:

curl -s -X POST http://YOUR_IP:3000/auth/token \
    -H "Content-Type: application/json" \
    -d '{"api_key": "wazuh_YOUR_API_KEY"}'

The JSON response includes the access_token you will use in the next step. Note that this exchange travels over plain HTTP: both the API key and the token cross the network in clear text, which is fine on localhost but not across an untrusted network.

How do you register the Wazuh MCP Server in Claude Code?

claude mcp add --transport http wazuh http://YOUR_IP:3000/mcp \
    -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

From here, Claude has access to your Wazuh with the permissions of the API user configured in .env. You can ask it in natural language about the status of your agents, recent alerts, detected vulnerabilities and much more, without needing to remember any API command. Because the token expires (see AUTH_MODE above), you will need to request a fresh one and update the registration when Claude starts reporting authentication errors.
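The whole sequence above, from writing .env to registering the server in Claude Code, scripted as an added example; this is not code from the Wazuh-MCP-Server project or from the article. It assumes the MCP server listens on 127.0.0.1:3000, that the API key can be recognised in the logs by the wazuh_ prefix the article shows (the exact wording of the log line is unknown, so the sample line below is constructed), that a five-second wait is enough for the container to print it, and that the /auth/token response is JSON with an access_token field as described. The live steps (docker, curl, claude) only run when RUN_LIVE=1; without it the script does an offline dry run on constructed input. check_env encodes the article's guidance: refuse AUTH_MODE=none, warn when TLS verification is off.

```bash
#!/usr/bin/env bash
# Added example (not from the Wazuh-MCP-Server project): scripts the
# .env -> start -> API key -> access token -> `claude mcp add` sequence.
# Parsing helpers are pure so they can be exercised offline; the live
# steps run only when RUN_LIVE=1.
set -euo pipefail

MCP_URL="${MCP_URL:-http://127.0.0.1:3000}"   # assumption: MCP server on localhost:3000

# Write the .env from the article. TLS verification is ON unless the 7th
# argument is "false" (self-signed lab certificate only).
write_env() {  # <file> <wazuh_ip> <api_user> <api_pass> <idx_user> <idx_pass> [verify_ssl]
  local file=$1 ip=$2 api_user=$3 api_pass=$4 idx_user=$5 idx_pass=$6 verify=${7:-true}
  cat > "$file" <<EOF
WAZUH_HOST=https://$ip
WAZUH_USER=$api_user
WAZUH_PASS=$api_pass
WAZUH_PORT=55000

WAZUH_INDEXER_HOST=$ip
WAZUH_INDEXER_PORT=9200
WAZUH_INDEXER_USER=$idx_user
WAZUH_INDEXER_PASS=$idx_pass

AUTH_MODE=bearer
WAZUH_VERIFY_SSL=$verify
EOF
}

# Refuse AUTH_MODE=none; warn when certificate verification is disabled.
# Returns 0 when the file is acceptable, 1 when it must not be used.
check_env() {  # <file>
  local file=$1 mode verify
  mode=$(sed -n 's/^AUTH_MODE=//p' "$file")
  verify=$(sed -n 's/^WAZUH_VERIFY_SSL=//p' "$file")
  if [ "$mode" != "bearer" ]; then
    echo "refusing: AUTH_MODE=$mode (only bearer is acceptable outside an isolated lab)" >&2
    return 1
  fi
  if [ "$verify" = "false" ]; then
    echo "warning: WAZUH_VERIFY_SSL=false, the API password can be intercepted on its way to Wazuh" >&2
  fi
  return 0
}

# Extract the first "wazuh_..." API key from container log text on stdin.
# Only the prefix shown in the article is relied on, not the surrounding wording.
extract_api_key() {
  grep -o -m 1 'wazuh_[A-Za-z0-9_-]\{20,\}'
}

# Extract access_token from the /auth/token JSON response on stdin (no jq needed).
extract_access_token() {
  tr -d '\n' | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Live sequence: needs docker, curl and the claude CLI on PATH.
run_live() {
  check_env .env
  docker compose up -d
  sleep 5   # assumption: enough time for the container to print its startup key
  local api_key token
  api_key=$(docker compose logs 2>&1 | extract_api_key)
  [ -n "$api_key" ] || { echo "no API key found in logs" >&2; return 1; }
  token=$(curl -sf -X POST "$MCP_URL/auth/token" \
            -H "Content-Type: application/json" \
            -d "{\"api_key\": \"$api_key\"}" | extract_access_token)
  [ -n "$token" ] || { echo "no access_token in response" >&2; return 1; }
  claude mcp add --transport http wazuh "$MCP_URL/mcp" \
    -H "Authorization: Bearer $token"
}

# Constructed sample log line and token response (not real server output) for the dry run.
SAMPLE_LOGS='wazuh-mcp  | Generated API key: wazuh_abcdefghijklmnopqrstuvwxyz0123456789'
SAMPLE_TOKEN_JSON='{"access_token": "eyJhbGciOiJIUzI1NiJ9.demo.sig", "token_type": "bearer"}'

if [ "${RUN_LIVE:-0}" = "1" ]; then
  run_live
else
  printf 'API key from sample logs: %s\n' "$(printf '%s\n' "$SAMPLE_LOGS" | extract_api_key)"
  printf 'access_token from sample response: %s\n' "$(printf '%s\n' "$SAMPLE_TOKEN_JSON" | extract_access_token)"
fi
```

Run it once with `RUN_LIVE=1` from the cloned repository after calling write_env with your real values (or editing .env by hand); the dry run without RUN_LIVE lets you confirm the parsing on your own copy of the logs before anything talks to Wazuh.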

Summary of the installation steps

Step               Command
Clone repo         git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
View credentials   cat wazuh-install-files/wazuh-passwords.txt
Configure          cp .env-example .env, then edit the values
Start              docker compose up -d
API key            docker compose logs
Access token       curl -X POST .../auth/token
Connect Claude     claude mcp add --transport http wazuh ...

What are the next steps after installing the Wazuh MCP Server?

This integration is part of the Integrations area of our Wazuh expertise. If you want to master Wazuh from installation to advanced use cases like this one, learn more about our Wazuh services at aisecurity.es.
