wazuh-mcp
v1.0.0
Model Context Protocol server for the Wazuh SIEM/XDR platform
# wazuh-mcp
A Model Context Protocol (MCP) server for the Wazuh SIEM/XDR platform. Query agents, security alerts, detection rules, and decoders directly from Claude or any MCP-compatible client.
## Features
- 25 MCP Tools - Agents, alerts, rules, decoders, SCA, syscollector, FIM, rootcheck, groups, and manager
- 3 MCP Resources - Pre-built views for agents, recent alerts, and rule summaries
- 3 MCP Prompts - Alert investigation, agent health checks, and security overviews
- JWT Authentication - Automatic token management with refresh on expiry
- Full Compliance Mapping - PCI-DSS, GDPR, HIPAA, NIST 800-53, MITRE ATT&CK
- Pagination - All list endpoints support limit/offset pagination
- Type-Safe - Full TypeScript with strict mode and Zod schema validation
## Prerequisites
- Node.js 20+
- A running Wazuh manager with API access (default port 55000)
- Wazuh API credentials (username/password)
- (Optional) Wazuh Indexer (OpenSearch) access for alert queries
## Installation

```bash
git clone https://github.com/solomonneas/wazuh-mcp.git
cd wazuh-mcp
npm install
npm run build
```

## Configuration
Set the following environment variables:
| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| WAZUH_URL | Yes | - | Wazuh API URL (e.g., https://10.0.0.2:55000) |
| WAZUH_USERNAME | Yes | - | API username |
| WAZUH_PASSWORD | Yes | - | API password |
| WAZUH_VERIFY_SSL | No | false | Set to true to verify SSL certificates |
Alternative variable names WAZUH_BASE_URL and WAZUH_USER are also supported.
### Wazuh Indexer (OpenSearch) - Required for Alerts

Wazuh 4.x stores alerts in the Wazuh Indexer (OpenSearch), so they are not available through the manager REST API. To enable the alert tools (get_alerts, get_alert, search_alerts) and the wazuh://alerts/recent resource, configure the indexer connection:
| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| WAZUH_INDEXER_URL | No | - | Wazuh Indexer URL (e.g., https://10.0.0.2:9200) |
| WAZUH_INDEXER_USERNAME | No | admin | Indexer username |
| WAZUH_INDEXER_PASSWORD | No | - | Indexer password |
| WAZUH_INDEXER_VERIFY_SSL | No | false | Set to true to verify SSL certificates |
If WAZUH_INDEXER_URL is not set, alert tools will return a helpful configuration message. All other tools (agents, rules, decoders, version) work without the indexer.
## Usage

### Claude Desktop

Add to your Claude Desktop configuration (claude_desktop_config.json):

```json
{
  "mcpServers": {
    "wazuh": {
      "command": "node",
      "args": ["/path/to/wazuh-mcp/dist/index.js"],
      "env": {
        "WAZUH_URL": "https://your-wazuh-manager:55000",
        "WAZUH_USERNAME": "wazuh-wui",
        "WAZUH_PASSWORD": "your-password",
        "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
        "WAZUH_INDEXER_USERNAME": "admin",
        "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
      }
    }
  }
}
```

### OpenClaw
Add to your openclaw.json:

```json
{
  "mcp": {
    "servers": {
      "wazuh": {
        "type": "stdio",
        "command": "node",
        "args": ["/path/to/wazuh-mcp/dist/index.js"],
        "env": {
          "WAZUH_URL": "https://your-wazuh-manager:55000",
          "WAZUH_USERNAME": "wazuh-wui",
          "WAZUH_PASSWORD": "your-password",
          "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
          "WAZUH_INDEXER_USERNAME": "admin",
          "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
        }
      }
    }
  }
}
```

### Standalone

```bash
export WAZUH_URL=https://your-wazuh-manager:55000
export WAZUH_USERNAME=wazuh-wui
export WAZUH_PASSWORD=your-password
npm start
```

## Development

```bash
npm run dev    # Watch mode with tsx
npm run lint   # Type checking
npm test       # Run tests
```

## MCP Tools
### Agent Tools
| Tool | Description |
|------|-------------|
| list_agents | List all agents with optional status filtering (active, disconnected, never_connected, pending) |
| get_agent | Get detailed info for a specific agent by ID |
| get_agent_stats | Get CPU, memory, and disk statistics for an agent |
### Alert Tools
| Tool | Description |
|------|-------------|
| get_alerts | Retrieve recent alerts with filtering by level, agent, rule, and text search |
| get_alert | Retrieve a single alert by ID |
| search_alerts | Full-text search across all alerts |
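The filters in this table map onto a query against the Wazuh Indexer. The following is an added example, not the project's own alerts.ts, of such a query builder; it assumes the standard wazuh-alerts-* index pattern and the Wazuh alert fields rule.level, rule.id, agent.id, rule.description, full_log and timestamp.

```typescript
// Added example, not the project's alerts.ts: translating the get_alerts filters (level,
// agent, rule, text search) and limit/offset pagination into an OpenSearch query for the
// Wazuh Indexer. Assumed: alerts live in wazuh-alerts-* with the standard Wazuh fields
// rule.level, rule.id, agent.id, rule.description, full_log and timestamp.
interface AlertFilters {
  minLevel?: number; agentId?: string; ruleId?: string; search?: string; limit?: number; offset?: number;
}

const DEFAULT_LIMIT = 25;
const MAX_LIMIT = 500; // bound the page size so one tool call cannot pull the whole index

function buildAlertQuery(f: AlertFilters): Record<string, unknown> {
  // User input goes into structured term/range/match clauses, never into a query_string,
  // so a filter value cannot rewrite the query the way a concatenated DSL string could.
  const filter: object[] = [];
  const must: object[] = [];
  if (f.minLevel !== undefined) filter.push({ range: { "rule.level": { gte: f.minLevel } } });
  if (f.agentId) filter.push({ term: { "agent.id": f.agentId } });
  if (f.ruleId) filter.push({ term: { "rule.id": f.ruleId } });
  if (f.search) must.push({ multi_match: { query: f.search, fields: ["rule.description", "full_log"] } });
  const size = Math.min(Math.max(f.limit ?? DEFAULT_LIMIT, 1), MAX_LIMIT);
  const from = Math.max(f.offset ?? 0, 0);
  return {
    index: "wazuh-alerts-*",
    body: {
      size, from,
      sort: [{ timestamp: { order: "desc" } }], // newest first, as the recent-alerts view expects
      query: filter.length || must.length ? { bool: { filter, must } } : { match_all: {} },
    },
  };
}
```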
### Rule Tools
| Tool | Description |
|------|-------------|
| list_rules | List detection rules with level and group filtering |
| get_rule | Get full rule details including compliance mappings |
| search_rules | Search rules by description text |
### SCA Tools (Security Configuration Assessment)
| Tool | Description |
|------|-------------|
| get_sca_policies | List SCA policies and scores for an agent (CIS benchmarks, etc.) |
| get_sca_checks | Get individual check results with remediation steps and compliance mappings |
### Syscollector Tools (System Inventory)
| Tool | Description |
|------|-------------|
| get_agent_os | Get OS information (name, version, architecture, hostname) |
| get_agent_packages | List installed software packages with versions |
| get_agent_processes | List running processes with PIDs and command lines |
| get_agent_ports | List open network ports with associated processes |
| get_agent_network | List network interfaces and IP addresses |
| get_agent_hotfixes | List installed Windows hotfixes/patches |
### FIM & Rootcheck Tools
| Tool | Description |
|------|-------------|
| get_fim_files | Get File Integrity Monitoring results (files, registry keys, hashes) |
| get_rootcheck | Get rootkit detection scan findings |
### Manager Tools
| Tool | Description |
|------|-------------|
| get_manager_logs | Get Wazuh manager logs filtered by level and module |
| get_manager_config | Get active manager configuration by section |
### Group Tools
| Tool | Description |
|------|-------------|
| list_groups | List all agent groups |
| get_group_agents | List agents in a specific group |
### Other Tools
| Tool | Description |
|------|-------------|
| list_decoders | List log decoders with optional name filtering |
| get_wazuh_version | Get Wazuh manager version and API info |
## MCP Resources
| Resource URI | Description |
|-------------|-------------|
| wazuh://agents | All registered agents and their status |
| wazuh://alerts/recent | 25 most recent security alerts |
| wazuh://rules/summary | Detection rules sorted by severity |
## MCP Prompts
| Prompt | Description |
|--------|-------------|
| investigate-alert | Step-by-step alert investigation with MITRE mapping and remediation |
| agent-health-check | Comprehensive agent health assessment (status, resources, alerts) |
| security-overview | Full environment security summary with compliance coverage |
## Examples

### List active agents

```
Use list_agents with status "active" to see all connected agents.
```

### Investigate a brute force attempt

```
Search alerts for "brute force" and investigate the top result,
including the MITRE ATT&CK technique and remediation steps.
```

### Check agent health

```
Run an agent health check on agent 001 - check its connection status,
resource usage, and any recent critical alerts.
```

### Find high-severity rules

```
List all rules with level 12 or higher to see critical detection rules
and their compliance framework mappings.
```

## Testing

```bash
npm test              # Run all tests
npm run test:watch    # Watch mode
```

Tests use mocked Wazuh API responses - no live Wazuh instance needed.
## Project Structure

```
wazuh-mcp/
├── src/
│   ├── index.ts            # MCP server entry point
│   ├── config.ts           # Environment configuration
│   ├── client.ts           # Wazuh REST API client (JWT auth)
│   ├── indexer-client.ts   # Wazuh Indexer (OpenSearch) client
│   ├── types.ts            # TypeScript type definitions
│   ├── resources.ts        # MCP resource handlers
│   ├── prompts.ts          # MCP prompt templates
│   └── tools/
│       ├── agents.ts       # Agent management tools
│       ├── alerts.ts       # Alert query tools
│       ├── rules.ts        # Rule query tools
│       ├── decoders.ts     # Decoder listing tool
│       ├── version.ts      # Version info tool
│       ├── sca.ts          # Security Configuration Assessment
│       ├── syscollector.ts # System inventory (OS, packages, ports, etc.)
│       ├── syscheck.ts     # File Integrity Monitoring
│       ├── rootcheck.ts    # Rootkit detection
│       ├── manager.ts      # Manager logs and configuration
│       └── groups.ts       # Agent group management
├── tests/
│   ├── client.test.ts      # API client unit tests
│   └── tools.test.ts       # Tool handler unit tests
├── package.json
├── tsconfig.json
├── tsup.config.ts
└── vitest.config.ts
```

## License
MIT
