### Multi-Tenant Wazuh MCP Server Setup Example Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/configuration.md An example `.env.tenant1` file illustrating configuration for a multi-tenant environment, specifying tenant-specific WAZUH host, credentials, server name, and log file. ```bash # .env.tenant1 WAZUH_HOST=tenant1-wazuh.company.com WAZUH_USER=tenant1-mcp WAZUH_PASS=tenant1-password MCP_SERVER_NAME=Tenant1 Wazuh MCP LOG_FILE=logs/tenant1-wazuh-mcp.log ``` -------------------------------- ### High Availability Wazuh MCP Server Setup Example Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/configuration.md An example `.env` file for a high availability setup, including WAZUH cluster details, indexer configuration, security hardening, and performance tuning parameters. ```bash # .env WAZUH_HOST=wazuh-cluster.company.com WAZUH_PORT=55000 WAZUH_USER=mcp-service WAZUH_PASS=complex-password # Indexer for performance WAZUH_INDEXER_HOST=wazuh-indexer.company.com WAZUH_INDEXER_PORT=9200 USE_INDEXER_FOR_ALERTS=true # Security hardening VERIFY_SSL=true MIN_TLS_VERSION=TLSv1.3 CA_BUNDLE_PATH=/etc/ssl/company-ca.crt # Performance tuning MAX_CONNECTIONS=500 CACHE_TTL=900 RATE_LIMIT_REQUESTS=2000 ``` -------------------------------- ### Basic Wazuh MCP Server Setup Example Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/configuration.md An example `.env` file demonstrating a basic configuration for the Wazuh MCP server, including WAZUH host, port, credentials, SSL verification, transport protocol, and log level. ```bash # .env WAZUH_HOST=192.168.1.100 WAZUH_PORT=55000 WAZUH_USER=wazuh-api WAZUH_PASS=secure-password VERIFY_SSL=false MCP_TRANSPORT=streamable-http LOG_LEVEL=INFO ``` -------------------------------- ### Development Setup for Wazuh MCP Server Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/CONTRIBUTING.md This snippet shows the steps to set up the development environment for the Wazuh MCP Server. It includes cloning the repository, creating and activating a Python virtual environment, installing dependencies, and setting up the environment using Docker Compose. ```bash git clone https://github.com/your-username/Wazuh-MCP-Server.git cd Wazuh-MCP-Server python -m venv venv source venv/bin/activate # Windows: venv\Scripts\activate pip install -r requirements.txt docker compose -f compose.dev.yml up -d --build ``` -------------------------------- ### Programmatic Access - SSE Endpoint Example Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/CLAUDE_INTEGRATION.md Python example demonstrating how to connect to the Wazuh MCP Server's SSE endpoint programmatically using httpx. ```APIDOC ## Programmatic Access via SSE ### Description This Python script shows how to authenticate with the Wazuh MCP Server using an API key, obtain a JWT token, and then connect to the SSE endpoint to receive data streams. ### Language Python ### Code ```python import httpx import asyncio async def connect_to_mcp_sse(): """Connect to MCP server using SSE endpoint.""" async with httpx.AsyncClient() as client: # Get authentication token first auth_response = await client.post( "http://localhost:3000/auth/token", json={"api_key": "your-api-key"} ) auth_response.raise_for_status() # Raise an exception for bad status codes token = auth_response.json()["access_token"] # Connect to SSE endpoint async with client.stream( "GET", "http://localhost:3000/sse", headers={ "Authorization": f"Bearer {token}", "Accept": "text/event-stream", "Origin": "http://localhost" } ) as response: response.raise_for_status() # Raise an exception for bad status codes async for chunk in response.aiter_text(): print(f"Received: {chunk}") if __name__ == "__main__": asyncio.run(connect_to_mcp_sse()) ``` ### Environment Variables - `API_KEY`: Your Wazuh MCP Server API key. ``` -------------------------------- ### Local LLM Deployment with mcphost for Wazuh MCP Source: https://context7.com/gensecaihq/wazuh-mcp-server/llms.txt Connect to the Wazuh MCP server using mcphost for local LLM deployment with Ollama. This involves installing mcphost, configuring it to point to the MCP server, and then running a local model for conversational interaction. It requires Go for installation and environment variables for API keys. ```bash # Install mcphost go install github.com/mark3labs/mcphost@latest # Configure mcphost cat > ~/.mcphost.yml << 'EOF' mcpServers: wazuh: type: remote url: http://localhost:3000/mcp headers: ["Authorization: Bearer ${env://MCP_API_KEY}"] EOF # Start chat with local model export MCP_API_KEY="wazuh_your-api-key" mcphost --model ollama/qwen2.5:7b # Example conversation: # You: Show me critical alerts from the last hour # AI: [calls get_wazuh_alerts] Found 3 critical alerts... ``` -------------------------------- ### Interact with API Endpoints Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/OPERATIONS.md Examples for testing API connectivity, retrieving authentication tokens, and listing available tools via JSON-RPC. ```bash # Get token curl -X POST http://localhost:3000/auth/token \ -H "Content-Type: application/json" \ -d '{"api_key": "your-api-key"}' # List tools curl -X POST http://localhost:3000/ \ -H "Authorization: Bearer " \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","id":"1","method":"tools/list"}' ``` -------------------------------- ### Reset and Clean Deployment Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/TROUBLESHOOTING.md Commands to stop, remove, and rebuild the Docker environment for a clean start. ```bash docker compose down docker compose down --volumes docker compose build --no-cache docker compose up -d ``` -------------------------------- ### Deploy Wazuh MCP Server with Docker Source: https://context7.com/gensecaihq/wazuh-mcp-server/llms.txt Instructions for cloning the repository, configuring the environment variables, and starting the server using Docker Compose. ```bash git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git cd Wazuh-MCP-Server cp .env.example .env docker compose up -d curl http://localhost:3000/health ``` -------------------------------- ### Conventional Commit Message Examples Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/CONTRIBUTING.md Examples of commit messages following the Conventional Commits specification for project consistency. ```text feat: add new vulnerability scanning tool fix: resolve connection timeout in Wazuh client docs: update installation instructions test: add unit tests for alert filtering chore: update dependencies ``` -------------------------------- ### GET /sse Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/MCP_COMPLIANCE_VERIFICATION.md Establishes a Server-Sent Events (SSE) stream for legacy client support. ```APIDOC ## GET /sse ### Description Establishes a persistent SSE connection for real-time communication, maintained for backwards compatibility. ### Method GET ### Endpoint /sse ### Parameters #### Headers - **Authorization** (string) - Required - Bearer - **Accept** (string) - Required - Must be 'text/event-stream' ### Response #### Success Response (200) - Returns a stream of events. ``` -------------------------------- ### Streamable HTTP Tests Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/MCP_COMPLIANCE_VERIFICATION.md Example `curl` commands to test the Streamable HTTP functionality of the MCP server. ```APIDOC ## Streamable HTTP Tests (2025-11-25) ### Test MCP endpoint availability ```bash curl -I http://localhost:3000/mcp # Expected: 401 Unauthorized (authentication required) ``` ### Test GET without SSE Accept header ```bash curl -H "Authorization: Bearer " \ -H "Origin: http://localhost" \ -H "MCP-Protocol-Version: 2025-11-25" \ -H "Accept: application/json" \ http://localhost:3000/mcp # Expected: 405 Method Not Allowed (per 2025-11-25 spec) ``` ### Test POST with JSON-RPC request (initialize) ```bash curl -X POST http://localhost:3000/mcp \ -H "Authorization: Bearer " \ -H "Origin: http://localhost" \ -H "MCP-Protocol-Version: 2025-11-25" \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","method":"initialize","params":{"protocolVersion":"2025-11-25","clientInfo":{"name":"test","version":"1.0"},"capabilities":{}},"id":"1"}' # Expected: JSON-RPC response with MCP-Session-Id header ``` ### Test invalid protocol version (strict mode) ```bash curl -X POST http://localhost:3000/mcp \ -H "Authorization: Bearer " \ -H "MCP-Protocol-Version: 2020-01-01" \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","method":"initialize","id":"1"}' # Expected: 400 Bad Request (unsupported protocol version) ``` ### Test POST with JSON-RPC request (tools/list) ```bash curl -X POST http://localhost:3000/mcp \ -H "Authorization: Bearer " \ -H "Origin: http://localhost" \ -H "MCP-Protocol-Version: 2025-11-25" \ -H "MCP-Session-Id: " \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","method":"tools/list","id":"2"}' # Expected: JSON-RPC response with 48 tools ``` ### Test GET with SSE (requires Accept header) ```bash curl -H "Authorization: Bearer " \ -H "Origin: http://localhost" \ -H "MCP-Protocol-Version: 2025-11-25" \ -H "MCP-Session-Id: " \ -H "Accept: text/event-stream" \ http://localhost:3000/mcp # Expected: 200 OK with SSE stream (priming event first) ``` ``` -------------------------------- ### HashiCorp Vault Integration for Secrets (Bash) Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/security/README.md Steps to install the Vault agent and retrieve secrets from HashiCorp Vault, setting them as environment variables for application use. ```bash # Install Vault agent curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add - sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" sudo apt-get update && sudo apt-get install vault # Retrieve secret export WAZUH_PASS="$(vault kv get -field=password secret/wazuh/mcp-service)" ``` -------------------------------- ### GET /vulnerability/agents Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/WAZUH_COMPATIBILITY.md Retrieves vulnerability information for agents. This endpoint replaced the legacy /vulnerability endpoint starting from Wazuh 4.8.x. ```APIDOC ## GET /vulnerability/agents ### Description Returns a list of vulnerabilities detected on managed agents. This is the recommended replacement for the deprecated /vulnerability endpoint. ### Method GET ### Endpoint /vulnerability/agents ### Parameters #### Query Parameters - **agent_id** (string) - Optional - Filter results by specific agent ID. ### Response #### Success Response (200) - **vulnerabilities** (array) - List of vulnerability objects found on the agents. #### Response Example { "items": [ { "agent_id": "001", "vulnerability_id": "CVE-2023-0001", "status": "detected" } ] } ``` -------------------------------- ### Get Wazuh Vulnerability Summary with Time Range Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/api/vulnerabilities.md This example shows how to retrieve a statistical summary and trends for vulnerability management reporting using the Wazuh MCP Server. The `time_range` parameter allows for analysis over different periods, such as daily, weekly, monthly, or quarterly. ```natural language Ask Claude: "Give me a vulnerability summary for the last week" This queries: - `time_range`: "7d" - Includes trend analysis and new discoveries ``` ```natural language Ask Claude: "Generate a monthly vulnerability trend report" This queries: - `time_range`: "30d" - Focus on compliance metrics and remediation progress ``` ```natural language Ask Claude: "Show me vulnerability trends for the last quarter" This queries: - `time_range`: "90d" - Comprehensive trend analysis ``` -------------------------------- ### GET /agents/running Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/api/agents.md Get a quick list of currently active and running Wazuh agents, including their basic information and uptime. ```APIDOC ## GET /agents/running ### Description Get a quick list of currently active and running Wazuh agents. ### Method GET ### Endpoint /agents/running ### Parameters None ### Request Example ```json { "query": "Show me all running agents" } ``` ### Response #### Success Response (200) - **running_agents** (array) - List of active agent objects. - **summary** (object) - Summary statistics for running agents. #### Response Example ```json { "running_agents": [ { "id": "001", "name": "web-server-01", "ip": "192.168.1.100", "last_keep_alive": "2024-01-01T14:58:30Z", "uptime": "72h 15m", "status": "active" }, { "id": "003", "name": "db-server-01", "ip": "192.168.1.103", "last_keep_alive": "2024-01-01T14:58:45Z", "uptime": "168h 22m", "status": "active" } ], "summary": { "total_running": 142, "average_uptime": "96h 30m", "oldest_uptime": "720h 15m", "newest_connection": "2h 15m" } } ``` ``` -------------------------------- ### Configure and Run Wazuh MCP Server with mcphost Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/README.md This snippet demonstrates how to start the Wazuh MCP server using Docker Compose and configure the mcphost client to interact with the server via a local LLM. ```bash docker compose up -d go install github.com/mark3labs/mcphost@latest cat > ~/.mcphost.yml << 'EOF' mcpServers: wazuh: type: remote url: http://localhost:3000/mcp headers: ["Authorization: Bearer ${env://MCP_API_KEY}"] EOF export MCP_API_KEY="your-key-from-server-logs" mcphost --model ollama/qwen2.5:7b ``` -------------------------------- ### MCP Server Configuration (JSON) Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/MCP_COMPLIANCE_VERIFICATION.md Configuration examples for integrating with the MCP server using both streamable HTTP and legacy SSE connections. Includes server URL and authentication headers. ```json { "mcpServers": { "wazuh": { "url": "https://your-server.com/mcp", "headers": { "Authorization": "Bearer your-jwt-token", "MCP-Protocol-Version": "2025-11-25" } } } } ``` ```json { "mcpServers": { "wazuh": { "url": "https://your-server.com/sse", "headers": { "Authorization": "Bearer your-jwt-token" } } } } ``` -------------------------------- ### GET get_wazuh_alert_summary Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/api/alerts.md Get statistical summaries of alerts grouped by specified criteria such as rule level, agent, or log decoder. ```APIDOC ## GET get_wazuh_alert_summary ### Description Get statistical summaries of alerts grouped by specified criteria. ### Method GET ### Endpoint get_wazuh_alert_summary ### Parameters #### Query Parameters - **time_range** (string) - Optional - Time range for analysis: 1h, 6h, 24h, 7d, 30d. Default: "24h" - **group_by** (string) - Optional - Field to group alerts by (rule.level, rule.id, agent.name, agent.id, decoder.name, location). Default: "rule.level" ### Request Example { "time_range": "7d", "group_by": "agent.name" } ### Response #### Success Response (200) - **summary** (object) - Key-value pairs of the grouped field and alert counts #### Response Example { "summary": { "web-server-01": 15, "db-server-02": 7 } } ``` -------------------------------- ### Clone and Configure Wazuh MCP Server Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/README.md Clones the Wazuh MCP Server repository, navigates into the directory, and copies the example environment file. It then instructs to edit the .env file with Wazuh API credentials. ```bash git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git cd Wazuh-MCP-Server cp .env.example .env ``` ```env WAZUH_HOST=your-wazuh-server WAZUH_USER=your-api-user WAZUH_PASS=your-api-password ``` -------------------------------- ### Audit Log JSON Format Example Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/security/README.md An example of the JSON structure for audit log entries, detailing the fields included for each security event. ```json { "timestamp": "2024-01-01T12:00:00Z", "event_type": "authentication", "result": "success", "user": "mcp-service", "source_ip": "127.0.0.1", "tool": "get_wazuh_alerts", "parameters": {"limit": 100, "level": "12+"}, "response_time": 0.25 } ``` -------------------------------- ### Toggle Compact Output Mode for MCP Tools Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/ADVANCED_FEATURES.md Demonstrates how to call MCP tools using either the default compact mode to save tokens or full mode for detailed data. ```bash # Compact mode (default) - minimal JSON, essential fields only curl -X POST http://localhost:3000/mcp \ -H "Authorization: Bearer " \ -d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"get_wazuh_alerts","arguments":{"limit":10}},"id":"1"}' # Full mode - complete data with pretty-printing curl -X POST http://localhost:3000/mcp \ -H "Authorization: Bearer " \ -d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"get_wazuh_alerts","arguments":{"limit":10,"compact":false}},"id":"1"}' ``` -------------------------------- ### Testing Environment Configuration (.env.testing) Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/configuration.md Sets up environment variables for the testing environment, including WAZUH server details, testing-specific flags, and reduced timeouts for faster test cycles. ```bash # .env.testing WAZUH_HOST=test-wazuh-server.internal WAZUH_PORT=55000 WAZUH_USER=test-user WAZUH_PASS=test-password # Testing settings TEST_MODE=true MOCK_WAZUH_RESPONSES=false LOG_LEVEL=DEBUG # Reduced timeouts for faster tests CONNECTION_TIMEOUT=10 READ_TIMEOUT=20 ``` -------------------------------- ### GET get_wazuh_critical_vulnerabilities Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/api/vulnerabilities.md Retrieve only critical vulnerabilities requiring immediate attention. ```APIDOC ## GET get_wazuh_critical_vulnerabilities ### Description Retrieve only critical vulnerabilities requiring immediate attention. This endpoint is a specialized filter for the vulnerability management system. ### Method GET ### Endpoint get_wazuh_critical_vulnerabilities ### Response #### Success Response (200) - **vulnerabilities** (array) - List of vulnerabilities where severity is 'critical'. ``` -------------------------------- ### GET /health Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/configuration.md Checks the operational status of the Wazuh MCP server. ```APIDOC ## GET /health ### Description Returns the current health status of the server to verify it is running and reachable. ### Method GET ### Endpoint /health ### Response #### Success Response (200) - **status** (string) - The health status (e.g., "ok"). #### Response Example { "status": "ok" } ``` -------------------------------- ### MCP Streamable HTTP Connection Process (Bash) Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/MCP_COMPLIANCE_VERIFICATION.md Demonstrates the connection process for streamable HTTP, including required headers and request types for different operations like POST and GET. ```bash # Test MCP endpoint availability curl -I http://localhost:3000/mcp # Expected: 401 Unauthorized (authentication required) # Test GET without SSE Accept header curl -H "Authorization: Bearer " \ -H "Origin: http://localhost" \ -H "MCP-Protocol-Version: 2025-11-25" \ -H "Accept: application/json" \ http://localhost:3000/mcp # Expected: 405 Method Not Allowed (per 2025-11-25 spec) # Test POST with JSON-RPC request (initialize) curl -X POST http://localhost:3000/mcp \ -H "Authorization: Bearer " \ -H "Origin: http://localhost" \ -H "MCP-Protocol-Version: 2025-11-25" \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","method":"initialize","params":{"protocolVersion":"2025-11-25","clientInfo":{"name":"test","version":"1.0"},"capabilities":{}},"id":"1"}' # Expected: JSON-RPC response with MCP-Session-Id header # Test invalid protocol version (strict mode) curl -X POST http://localhost:3000/mcp \ -H "Authorization: Bearer " \ -H "MCP-Protocol-Version: 2020-01-01" \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","method":"initialize","id":"1"}' # Expected: 400 Bad Request (unsupported protocol version) # Test POST with JSON-RPC request (tools/list) curl -X POST http://localhost:3000/mcp \ -H "Authorization: Bearer " \ -H "Origin: http://localhost" \ -H "MCP-Protocol-Version: 2025-11-25" \ -H "MCP-Session-Id: " \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","method":"tools/list","id":"2"}' # Expected: JSON-RPC response with 48 tools # Test GET with SSE (requires Accept header) curl -H "Authorization: Bearer " \ -H "Origin: http://localhost" \ -H "MCP-Protocol-Version: 2025-11-25" \ -H "MCP-Session-Id: " \ -H "Accept: text/event-stream" \ http://localhost:3000/mcp # Expected: 200 OK with SSE stream (priming event first) ``` -------------------------------- ### GET get_agent_processes Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/api/agents.md Monitor and list running processes on a specific Wazuh agent. ```APIDOC ## GET get_agent_processes ### Description Retrieve a list of currently running processes on the specified Wazuh agent for monitoring or security auditing purposes. ### Method GET ### Endpoint get_agent_processes ### Parameters #### Query Parameters - **agent_id** (string) - Required - ID of the agent. - **limit** (integer) - Optional - Maximum number of processes to retrieve (default: 100). ### Response #### Success Response (200) - **processes** (array) - A list of objects representing running processes on the agent. ``` -------------------------------- ### Configure Client Certificate Authentication (Bash) Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/security/README.md Sets the file paths for client certificate and private key used for mutual TLS authentication. ```bash # Client certificate authentication CLIENT_CERT_PATH=/etc/wazuh-mcp/client.crt CLIENT_KEY_PATH=/etc/wazuh-mcp/client.key ``` -------------------------------- ### GET get_agent_configuration Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/api/agents.md Retrieve detailed configuration information for a specific Wazuh agent. ```APIDOC ## GET get_agent_configuration ### Description Retrieve detailed configuration information for a specific Wazuh agent, including client settings, rootcheck, sca, and localfile configurations. ### Method GET ### Endpoint get_agent_configuration ### Parameters #### Query Parameters - **agent_id** (string) - Required - ID of the agent to query. ### Response #### Success Response (200) - **agent_configuration** (object) - The configuration object containing client settings, rootcheck, sca, and metadata. #### Response Example { "agent_configuration": { "agent_id": "001", "agent_name": "web-server-01", "configuration": { "client": { "server": [ { "address": "192.168.1.10", "port": 1514, "protocol": "tcp" } ] }, "metadata": { "config_hash": "ab12cd34ef56", "last_updated": "2024-01-01T10:00:00Z" } } } } ``` -------------------------------- ### GET /get_wazuh_log_collector_stats Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/api/system-monitoring.md Retrieves comprehensive log collector service statistics and performance metrics. ```APIDOC ## GET /get_wazuh_log_collector_stats ### Description Monitor log collector service statistics and performance to ensure log ingestion health. ### Method GET ### Endpoint /get_wazuh_log_collector_stats ### Parameters None ### Response #### Success Response (200) - **log_collector_statistics** (object) - Contains performance metrics, ingestion rates, and service status for the log collector component. ``` -------------------------------- ### Secure Credential Storage Methods (Bash) Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/security/README.md Demonstrates secure practices for storing credentials, contrasting insecure file storage with secure methods using environment variables sourced from files or secrets management tools. ```bash # ❌ DON'T: Store credentials in files WAZUH_PASS=my-password # ✅ DO: Use secure credential sources WAZUH_PASS="$(cat /run/secrets/wazuh-password)" WAZUH_PASS="$(vault kv get -field=password secret/wazuh)" WAZUH_PASS="$(/usr/local/bin/get-credential wazuh-password)" ``` -------------------------------- ### GET /wazuh/cluster/nodes Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/api/system-monitoring.md Retrieves detailed information about each individual node within the Wazuh cluster. ```APIDOC ## GET /wazuh/cluster/nodes ### Description Get detailed information about individual Wazuh cluster nodes. This endpoint provides insights into the status, resource utilization, and configuration of each node in the cluster. ### Method GET ### Endpoint /wazuh/cluster/nodes ### Parameters None ### Request Example None ### Response #### Success Response (200) - **nodes** (array) - A list of objects, where each object represents a cluster node and contains its details. - **node_id** (string) - Unique identifier for the node. - **node_name** (string) - Name of the node. - **ip_address** (string) - IP address of the node. - **role** (string) - Role of the node in the cluster (e.g., 'master', 'worker'). - **status** (string) - Current status of the node (e.g., 'active', 'inactive', 'unassigned'). - **os** (object) - Operating system information. - **name** (string) - OS name. - **version** (string) - OS version. - **architecture** (string) - OS architecture. - **cpu_usage** (integer) - Current CPU utilization percentage. - **memory_usage** (integer) - Current memory utilization percentage. - **disk_usage** (integer) - Current disk utilization percentage. - **uptime** (string) - Duration the node has been running. - **last_heartbeat** (string) - Timestamp of the last received heartbeat. #### Response Example ```json { "nodes": [ { "node_id": "node-01", "node_name": "wazuh-master-01", "ip_address": "192.168.1.10", "role": "master", "status": "active", "os": { "name": "Linux", "version": "5.4.0-generic", "architecture": "x86_64" }, "cpu_usage": 35, "memory_usage": 60, "disk_usage": 25, "uptime": "7d 12h 30m", "last_heartbeat": "2024-01-16T15:05:00Z" }, { "node_id": "node-02", "node_name": "wazuh-worker-01", "ip_address": "192.168.1.11", "role": "worker", "status": "active", "os": { "name": "Linux", "version": "5.4.0-generic", "architecture": "x86_64" }, "cpu_usage": 40, "memory_usage": 55, "disk_usage": 30, "uptime": "7d 12h 25m", "last_heartbeat": "2024-01-16T15:04:55Z" } ] } ``` ``` -------------------------------- ### Configure Wazuh Server Authentication (Bash) Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/security/README.md Demonstrates how to configure Wazuh server authentication using either Basic Authentication or JWT Token Authentication by setting environment variables in a .env file. It highlights the security requirements for each method. ```bash # .env WAZUH_AUTH_TYPE=basic WAZUH_USER=secure-service-account WAZUH_PASS=complex-password-123!@# ``` ```bash # .env WAZUH_AUTH_TYPE=jwt WAZUH_JWT_TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... ``` -------------------------------- ### Configure Wazuh MCP Server Environment Variables Source: https://context7.com/gensecaihq/wazuh-mcp-server/llms.txt Configuration settings for connecting to the Wazuh manager and indexer, setting up authentication, and defining network parameters. ```bash WAZUH_HOST=your-wazuh-server.com WAZUH_PORT=55000 WAZUH_USER=your-api-user WAZUH_PASS=your-api-password WAZUH_INDEXER_HOST=your-indexer-host.com WAZUH_INDEXER_PORT=9200 WAZUH_INDEXER_USER=admin WAZUH_INDEXER_PASS=admin MCP_HOST=0.0.0.0 MCP_PORT=3000 AUTH_MODE=bearer AUTH_SECRET_KEY=your-secure-secret-key ALLOWED_ORIGINS=https://claude.ai,https://*.anthropic.com WAZUH_VERIFY_SSL=true ``` -------------------------------- ### GET /get_wazuh_alerts Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/api/README.md Retrieves security alerts from the Wazuh manager with optional filtering parameters. ```APIDOC ## GET /get_wazuh_alerts ### Description Retrieve security alerts from Wazuh with filtering options such as rule ID, severity level, and time range. ### Method GET ### Endpoint /get_wazuh_alerts ### Parameters #### Query Parameters - **limit** (integer) - Optional - Number of alerts to return (1-1000) - **rule_id** (string) - Optional - Filter by specific rule ID - **level** (string) - Optional - Filter by alert severity level - **agent_id** (string) - Optional - Filter by specific agent ID - **timestamp_start** (string) - Optional - Start time for the query - **timestamp_end** (string) - Optional - End time for the query ### Request Example { "limit": 50, "level": "12" } ### Response #### Success Response (200) - **alerts** (array) - List of security alert objects #### Response Example { "alerts": [ {"id": "12345", "rule": "1002", "description": "Authentication success"} ] } ``` -------------------------------- ### Configure Resource and Connection Limits Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/OPERATIONS.md Configuration snippets for tuning container resource allocation and API rate limiting. ```yaml deploy: resources: limits: cpus: '2.0' memory: 1024M reservations: cpus: '0.5' memory: 256M ``` ```env RATE_LIMIT_REQUESTS=200 RATE_LIMIT_WINDOW=60 ``` -------------------------------- ### GET /metrics Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/ADVANCED_FEATURES.md Exposes Prometheus-compatible metrics for monitoring server performance and request statistics. ```APIDOC ## GET /metrics ### Description Provides Prometheus metrics including request counts, active connections, and response durations. ### Method GET ### Endpoint /metrics ### Response #### Success Response (200) - **text/plain** - Prometheus metric format data. ``` -------------------------------- ### Sample Metrics for Wazuh MCP Server Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/PRODUCTION_READINESS.md This snippet outlines sample metrics collected and exposed by the Wazuh MCP Server, including runtime information, resource usage, and session counts. ```text - Python 3.13.9 runtime - Memory: 48MB resident - CPU: 0.26% average - Active sessions: 0 - Request count: Tracked per endpoint ``` -------------------------------- ### Configuration Reloading via Server Restart Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/configuration.md Explains that configuration changes in files like `.env` require a server restart to take effect, providing a `docker compose restart` command example. ```bash # After changing .env file docker compose restart wazuh-mcp-remote-server ``` -------------------------------- ### GET /search_wazuh_manager_logs Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/api/log-management.md Search through Wazuh manager logs using advanced pattern matching and filtering. ```APIDOC ## GET /search_wazuh_manager_logs ### Description Search through Wazuh manager logs with advanced pattern matching and filtering capabilities to troubleshoot and monitor system health. ### Method GET ### Endpoint /search_wazuh_manager_logs ### Parameters #### Query Parameters - **query** (string) - Required - The search query or pattern to match. - **limit** (integer) - Optional - Maximum number of log entries to return (default: 100, range: 1-1000). ### Request Example GET /search_wazuh_manager_logs?query=error&limit=50 ### Response #### Success Response (200) - **logs** (array) - A list of log entries matching the provided query. #### Response Example { "logs": [ { "timestamp": "2023-10-27T10:00:00Z", "message": "Error: connection timeout" } ] } ``` -------------------------------- ### Client Integration - Legacy SSE Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/MCP_COMPLIANCE_VERIFICATION.md Guidelines for integrating with the MCP server using the legacy Server-Sent Events (SSE) only connection method. ```APIDOC ## Client Integration - Legacy SSE (Backwards Compatibility) ### Description This section provides instructions for clients that need to use the older SSE-only connection method. ### Configuration Example ```json { "mcpServers": { "wazuh": { "url": "https://your-server.com/sse", "headers": { "Authorization": "Bearer your-jwt-token" } } } } ``` ### Connection Process: 1. **Client connects to**: `https://server.com/sse` 2. **Headers sent**: `Authorization: Bearer `, `Origin: https://client.com` 3. **GET requests**: Used exclusively to receive the SSE stream. 4. **JSON-RPC requests**: Must be sent to the root endpoint (`/`) via POST. ``` -------------------------------- ### GET /agents/{agent_id}/health Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/api/agents.md Perform a comprehensive health check on a specific Wazuh agent. ```APIDOC ## GET /agents/{agent_id}/health ### Description Perform comprehensive health check on a specific Wazuh agent. ### Method GET ### Endpoint /agents/{agent_id}/health ### Parameters #### Path Parameters - **agent_id** (string) - Required - ID of the agent to check (3-8 alphanumeric characters) ### Request Example ```json { "query": "Check the health of agent 001" } ``` ### Response #### Success Response (200) - The response body will contain the health status details of the specified agent. (Specific fields depend on the health check implementation). #### Response Example ```json { "agent_id": "001", "health_status": "ok", "checks": { "connection": "established", "last_data_received": "2024-01-01T14:58:30Z", "configuration_sync": "synced", "disk_space": "sufficient" }, "last_check_time": "2024-01-01T15:05:00Z" } ``` ``` -------------------------------- ### Environment Configuration Files Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/PRODUCTION_AUDIT_20251124.md These files define the environment variables and Docker Compose setup for the Wazuh MCP Server. They include a template for environment variables (.env.example), a production Docker Compose configuration (compose.yml), and a multi-stage Dockerfile for a secure build. ```env WAZUH_HOST="" WAZUH_USER="" WAZUH_PASS="" WAZUH_PORT=55000 MCP_HOST=127.0.0.1 MCP_PORT=3000 AUTH_SECRET_KEY="" LOG_LEVEL=INFO WAZUH_VERIFY_SSL=false ALLOWED_ORIGINS="" REDIS_URL="" SESSION_TTL_SECONDS=1800 ``` ```yaml version: "2.0" services: wazuh-mcp-remote-server: build: context: . dockerfile: Dockerfile ports: - "${MCP_PORT}:3000" environment: - WAZUH_HOST=${WAZUH_HOST} - WAZUH_USER=${WAZUH_USER} - WAZUH_PASS=${WAZUH_PASS} - WAZUH_PORT=${WAZUH_PORT} - MCP_HOST=${MCP_HOST} - MCP_PORT=${MCP_PORT} - AUTH_SECRET_KEY=${AUTH_SECRET_KEY} - LOG_LEVEL=${LOG_LEVEL} - WAZUH_VERIFY_SSL=${WAZUH_VERIFY_SSL} - ALLOWED_ORIGINS=${ALLOWED_ORIGINS} - REDIS_URL=${REDIS_URL} - SESSION_TTL_SECONDS=${SESSION_TTL_SECONDS} volumes: - ./:/app healthcheck: test: ["CMD", "curl", "http://localhost:3000/health"] ``` ```dockerfile # Build stage FROM python:3.10-slim as builder WORKDIR /app COPY requirements.txt . RUN pip install --no-cache-dir --upgrade pip RUN pip wheel --no-cache-dir --wheel-dir /wheels -r requirements.txt # Production stage FROM python:3.10-slim ENV PYTHONUNBUFFERED=1 WORKDIR /app COPY --from=builder /wheels /wheels COPY requirements.txt . RUN pip install --no-cache-dir --upgrade pip RUN pip install --no-cache-dir --find-links=/wheels -r requirements.txt COPY . . EXPOSE 3000 CMD ["python", "app.py"] ``` -------------------------------- ### Client Integration - Streamable HTTP Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/MCP_COMPLIANCE_VERIFICATION.md Guidelines for integrating with the MCP server using the recommended Streamable HTTP connection method. ```APIDOC ## Client Integration - Streamable HTTP (Recommended) ### Description This section details how to connect and interact with the MCP server using the Streamable HTTP protocol. ### Configuration Example ```json { "mcpServers": { "wazuh": { "url": "https://your-server.com/mcp", "headers": { "Authorization": "Bearer your-jwt-token", "MCP-Protocol-Version": "2025-11-25" } } } } ``` ### Connection Process: 1. **Client connects to**: `https://server.com/mcp` 2. **Headers sent**: `Authorization: Bearer `, `MCP-Protocol-Version: 2025-11-25`, `Origin: https://client.com` 3. **POST requests**: Send JSON-RPC requests. Responses can be JSON or SSE. 4. **GET requests**: Establish an SSE stream. Requires `Accept: text/event-stream`. Returns 405 otherwise. 5. **DELETE requests**: Used to cleanly terminate the session. 6. **Session header**: The `MCP-Session-Id` header is returned in responses and must be included in subsequent requests for the same session. ``` -------------------------------- ### GET /vulnerability/summary Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/api/vulnerabilities.md Retrieves a comprehensive summary of vulnerabilities, including severity breakdown, remediation metrics, and compliance indicators. ```APIDOC ## GET /vulnerability/summary ### Description Retrieves a snapshot of the current vulnerability landscape, including severity counts, remediation performance, and compliance scores. ### Method GET ### Endpoint /vulnerability/summary ### Parameters #### Query Parameters - **time_range** (string) - Optional - The time window for the report (e.g., '7d', '30d'). ### Response #### Success Response (200) - **vulnerability_summary** (object) - The full vulnerability report object containing metrics, agent exposure, and compliance data. #### Response Example { "vulnerability_summary": { "total_vulnerabilities": 156, "severity_breakdown": { "critical": { "count": 12, "percentage": 7.69 }, "high": { "count": 34, "percentage": 21.79 } }, "remediation_metrics": { "fix_rate_percentage": 14.74, "mean_time_to_fix": "12.5_days" } } } ``` -------------------------------- ### Deploy Wazuh MCP Server with Docker Compose Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/ADVANCED_FEATURES.md Commands to launch the server in either default in-memory mode or production-ready Redis-backed mode. ```bash # Single-instance deployments (default) docker compose up -d ``` ```bash # Configure Redis in .env file REDIS_URL=redis://redis:6379/0 SESSION_TTL_SECONDS=1800 # 30 minutes # Deploy with Redis docker compose -f compose.yml -f compose.redis.yml up -d ``` -------------------------------- ### GET get_wazuh_vulnerabilities Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/docs/api/vulnerabilities.md Retrieve comprehensive vulnerability information from Wazuh with flexible filtering options for agents and severity levels. ```APIDOC ## GET get_wazuh_vulnerabilities ### Description Retrieve comprehensive vulnerability information from Wazuh with flexible filtering options. ### Method GET ### Endpoint get_wazuh_vulnerabilities ### Parameters #### Query Parameters - **agent_id** (string) - Optional - Filter by specific agent ID (3-8 alphanumeric characters) - **severity** (string) - Optional - Filter by severity level (critical, high, medium, low, informational) - **limit** (integer) - Optional - Maximum number of vulnerabilities to retrieve (1-500, default: 100) ### Response #### Success Response (200) - **vulnerabilities** (array) - List of vulnerability objects containing CVE details, affected packages, and agent info. - **summary** (object) - Statistical summary of vulnerabilities by severity and status. #### Response Example { "vulnerabilities": [ { "id": "CVE-2024-0001", "severity": "critical", "cvss_score": 9.8, "status": "open" } ], "summary": { "total_vulnerabilities": 156 } } ``` -------------------------------- ### Standard Deployment Command Source: https://github.com/gensecaihq/wazuh-mcp-server/blob/main/PRODUCTION_AUDIT_20251124.md Executes the Python script for a standard single-instance deployment of the Wazuh MCP Server. ```bash python deploy.py ```