npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@tocharian/mcp-server-elasticsearch-sl

v0.3.0

Published

Enhanced Elasticsearch MCP Server with full API support

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

tochariantocharian

Keywords

elasticsearchsearchmcpmcp-server

Readme

Elasticsearch MCP Server Solution

npm version Downloads Ask DeepWiki

Enhanced Elasticsearch MCP Server Solution - Security & Threat Analysis Focused

This is a professional security-focused solution maintained by TocharianOU. It enables comprehensive interaction with all Elasticsearch APIs, specifically optimized for security analysis, threat detection, and incident investigation. Features include advanced security monitoring, anomaly detection, threat hunting, root cause analysis, and comprehensive audit capabilities.

Key Security Features:

  • Real-time threat detection and security monitoring
  • Advanced machine learning for anomaly detection
  • Root cause analysis and attack chain tracking
  • Security incident investigation and forensics
  • Compliance monitoring and audit reporting

Note: This solution requires a valid Elasticsearch license (trial, platinum, or enterprise) and is designed for security professionals, SOC teams, and threat analysts.

Connect to your Elasticsearch data directly from any MCP Client (such as Claude Desktop) using the Model Context Protocol (MCP). Interact with your Elasticsearch security data through natural language queries for advanced threat analysis and incident response.

Prerequisites

  • An Elasticsearch instance
  • A valid Elasticsearch license (trial, platinum, enterprise) is required.
  • Elasticsearch authentication credentials (API key or username/password)
  • MCP Client (e.g. Claude Desktop) or HTTP client for remote access

⚠️ This project requires your Elasticsearch cluster to have a valid license. If you do not have a license, you can activate a trial license as shown below.

SSL/TLS Connection

To connect to Elasticsearch with a self-signed certificate or in a test environment, you can set the following environment variable:

NODE_TLS_REJECT_UNAUTHORIZED=0

⚠️ This disables Node.js SSL certificate validation. Use only in development or testing environments. For production, always use a trusted CA certificate.

Installation & Setup

  1. Start a Conversation
    • Open a new conversation in your MCP Client
    • The MCP server should connect automatically
    • You can now ask questions about your Elasticsearch data

Configuration Options

The Elasticsearch MCP Server supports the following configuration options:

Elasticsearch Configuration

| Environment Variable | Description | Required | |-------------------------------|----------------------------------------------------------|----------| | ES_URL | Your Elasticsearch instance URL | Yes | | ES_API_KEY | Elasticsearch API key for authentication | No | | ES_USERNAME | Elasticsearch username for basic authentication | No | | ES_PASSWORD | Elasticsearch password for basic authentication | No | | ES_CA_CERT | Path to custom CA certificate for Elasticsearch SSL/TLS | No | | NODE_TLS_REJECT_UNAUTHORIZED| Set to 0 to disable SSL certificate validation | No |

Transport Mode Configuration (NEW in v0.3.0)

| Environment Variable | Description | Default | Values | |---------------------|--------------------------------------------------|-----------|-----------------| | MCP_TRANSPORT | Transport mode selection | stdio | stdio, http | | MCP_HTTP_PORT | HTTP server port (when using HTTP transport) | 3000 | 1-65535 | | MCP_HTTP_HOST | HTTP server host (when using HTTP transport) | localhost | Any valid host |

Transport Mode Details:

  • Stdio mode (default): For Claude Desktop and local MCP clients
  • HTTP Streamable mode: Runs as a standalone HTTP server for remote access, API integration, and web applications

Quick Start

Option 1: NPM Installation (Recommended)

  1. Install globally via NPM

    npm install -g @tocharian/mcp-server-elasticsearch-sl

  2. Run directly

    npx @tocharian/mcp-server-elasticsearch-sl

Option 2: Source Installation

  1. Clone the repository

    git clone https://github.com/TocharianOU/mcp-server-elasticsearch-sl.git
cd mcp-server-elasticsearch-sl

  2. Install Dependencies

    npm install

  3. Build the Project

    npm run build

  4. Configure Claude Desktop App

    • Open Claude Desktop App
    • Go to Settings > Developer > MCP Servers
    • Click Edit Config and add a new MCP Server with the following configuration:

    For NPM Installation:

    {
  "mcpServers": {
    "elasticsearch-mcp-server": {
      "command": "npx",
      "args": [
        "@tocharian/mcp-server-elasticsearch-sl"
      ],
      "env": {
        "ES_URL": "your-elasticsearch-url",
        "ES_USERNAME": "elastic",
        "ES_PASSWORD": "your_pass",
        "NODE_TLS_REJECT_UNAUTHORIZED": "0"
      }
    }
  }
}

    For Source Installation:

    {
  "mcpServers": {
    "elasticsearch-mcp-server-local": {
      "command": "node",
      "args": [
        "/path/to/your/mcp-server-elasticsearch-sl/dist/index.js"
      ],
      "env": {
        "ES_URL": "your-elasticsearch-url",
        "ES_USERNAME": "elastic",
        "ES_PASSWORD": "your_pass",
        "NODE_TLS_REJECT_UNAUTHORIZED": "0"
      }
    }
  }
}

  5. Debugging with MCP Inspector

    ES_URL=your-elasticsearch-url ES_USERNAME=elastic ES_PASSWORD=your_pass npm run inspector

    This will start the MCP Inspector, allowing you to debug and analyze requests. You should see:

    Starting MCP inspector...
Proxy server listening on port 3000

🔍 MCP Inspector is up and running at http://localhost:5173 🚀

Method 3: HTTP Streamable Mode (NEW in v0.3.0)

Run the server as a standalone HTTP service for remote access and API integration:

# Start HTTP server (default port 3000)
MCP_TRANSPORT=http \
ES_URL=your-elasticsearch-url \
ES_USERNAME=elastic \
ES_PASSWORD=your_pass \
npx @tocharian/mcp-server-elasticsearch-sl

# Or with custom port and host
MCP_TRANSPORT=http \
MCP_HTTP_PORT=9000 \
MCP_HTTP_HOST=0.0.0.0 \
ES_URL=your-elasticsearch-url \
ES_USERNAME=elastic \
ES_PASSWORD=your_pass \
npx @tocharian/mcp-server-elasticsearch-sl

HTTP Streamable Mode Features:

  • Exposes MCP server at http://host:port/mcp endpoint
  • Health check available at http://host:port/health
  • Session-based connection management
  • Supports both POST (JSON-RPC requests) and GET (SSE streams)
  • Compatible with any HTTP client or MCP SDK

Example HTTP client usage:

// Initialize connection
const response = await fetch('http://localhost:3000/mcp', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    jsonrpc: '2.0',
    method: 'initialize',
    params: {
      protocolVersion: '2024-11-05',
      capabilities: {},
      clientInfo: { name: 'my-client', version: '1.0.0' }
    },
    id: 1
  })
});

const sessionId = response.headers.get('mcp-session-id');

// Subsequent requests include session ID
const toolsResponse = await fetch('http://localhost:3000/mcp', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'mcp-session-id': sessionId
  },
  body: JSON.stringify({
    jsonrpc: '2.0',
    method: 'tools/list',
    params: {},
    id: 2
  })
});

// Call a tool (e.g., list_indices)
const indicesResponse = await fetch('http://localhost:3000/mcp', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'mcp-session-id': sessionId
  },
  body: JSON.stringify({
    jsonrpc: '2.0',
    method: 'tools/call',
    params: {
      name: 'list_indices',
      arguments: {}
    },
    id: 3
  })
});

Contributing

We welcome contributions from the community! For details on how to contribute, please see Contributing Guidelines.

How It Works

  1. The MCP Client analyzes your request and determines which Elasticsearch operations are needed.
  2. The MCP server comunicate with ES.
  3. The MCP Client processes the results and presents them in a user-friendly format, including highlights, aggregation summaries, and anomaly insights.

Security Analysis Examples

[!TIP] Here are security-focused queries you can try with your MCP Client.

Threat Detection:

  • "Analyze brute force attack attempts in the past 24 hours"
  • "Detect abnormal login behavior and suspicious IP addresses in the system"
  • "Identify potential SQL injection attack patterns and malicious requests"
  • "Discover DDoS attack signatures and traffic anomalies in network flows"

Root Cause Analysis:

  • "Trace the complete attack chain and impact scope for specific security incidents"
  • "Analyze root causes and propagation paths of system failures"
  • "Identify data breach sources and involved sensitive information"
  • "Investigate user privilege abuse incidents with timeline and operation records"

Threat Intelligence:

  • "Create machine learning models to detect zero-day attacks and unknown threats"
  • "Establish behavioral baselines and identify activities deviating from normal patterns"
  • "Analyze threat levels and attack history of malicious domains and IP addresses"
  • "Detect behavioral characteristics and attack patterns of Advanced Persistent Threats (APT)"

Real-time Monitoring:

  • "Monitor active threats and ongoing attacks in the current system"
  • "Detect abnormal data access patterns and privilege escalation behaviors"
  • "Discover suspicious network communications and data exfiltration activities"
  • "Identify security causes of abnormal system resource consumption and performance degradation"

Security Best Practices

[!WARNING] Avoid using cluster-admin privileges. Create dedicated API keys with limited scope and apply fine-grained access control at the index level to prevent unauthorized data access.

You can create a dedicated Elasticsearch API key with minimal permissions to control access to your data:

{
  "name": "es-mcp-server-access",
  "role_descriptors": {
    "mcp_server_role": {
      "cluster": [
        "monitor"
      ],
      "indices": [
        {
          "names": [
            "index-1",
            "index-2",
            "index-pattern-*"
          ],
          "privileges": [
            "read",
            "view_index_metadata"
          ]
        }
      ]
    }
  }
}

License

This project is licensed under the Apache License 2.0.

Troubleshooting

  • Ensure your MCP configuration is correct.
  • Verify that your Elasticsearch URL is accessible from your machine.
  • Check that your authentication credentials (API key or username/password) have the necessary permissions.
  • If using SSL/TLS with a custom CA, verify that the certificate path is correct and the file is readable.
  • Look at the terminal output for error messages.

If you encounter issues, feel free to open an issue on the GitHub repository.

Running with a Trial License

If your Elasticsearch cluster does not have a valid license, you can activate a 30-day trial license with the following command:

curl -X POST -u elastic:your_password \
  -k "https://your-es-host:9200/_license/start_trial?acknowledge=true"
  • Replace your_password and your-es-host with your actual credentials and host.
  • This will enable all features for 30 days.

Note: This project will not start if your cluster does not have a valid license (trial, platinum, enterprice etc.).