Wazuh Security Data Conduit (Local AI Interface) v2.1.0

A high-reliability FastMCP orchestrator designed to bridge Wazuh SIEM outputs directly with Claude Desktop AI via STDIO messaging protocol exclusively.

Enterprise Remote Access: For distributed architectures requiring remote connectivity, explore v3.0.0 Remote Agent Edition, which introduces HTTP/SSE transit, Docker orchestration, and JWT authorization.

✨ Core Capabilities

• 🔍 Extensive Toolset: Access to 29 distinct FastMCP utility functions for comprehensive Wazuh interaction.
• 🧠 Automated Intelligence: Enables AI-driven threat scoring, compliance posture evaluation, and narrative risk summaries.
• 💬 Conversational Analysis: Allows natural language prompts to Claude, e.g., "Display all high-severity system alerts."
• 📡 Local Channel Focus: Utilizes secure, low-latency STDIO for binding to local Claude Desktop instances—no external networking required.
• ⚡ Dual-Path Retrieval: Smart dispatching between the Wazuh Manager API and the Indexer API for optimized data retrieval.
• 🛡️ Operational Resilience: Implements thorough self-diagnostics, robust exception management, and security safeguards.

🚀 Initialization Sequence

Deployment

bash

Obtain source repository

git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git cd Wazuh-MCP-Server

Install package (editable mode)

pip install -e .

Configure credentials/endpoints

cp .env.example .env

Modify settings within the .env file

Verification step

wazuh-mcp-server --check

⚙️ Configuration Parameters

Mandatory Wazuh Credentials

Populate .env with connection parameters:

bash

Wazuh API Connectivity

WAZUH_HOST=your-wazuh-manager.corp WAZUH_PORT=55000 WAZUH_USER=api_service_account WAZUH_PASS=secure_token_here

Wazuh Indexer Access (Required for newer versions)

WAZUH_INDEXER_HOST=your-wazuh-manager.corp WAZUH_INDEXER_PORT=9200 WAZUH_INDEXER_USER=indexer_read_only WAZUH_INDEXER_PASS=indexer_secret

Certificate Handling

VERIFY_SSL=true # Enforce certificate chain validation WAZUH_ALLOW_SELF_SIGNED=true # Permit locally signed certificates

SSL Validation Matrix

Operational Mode	Verification Setting	Self-Signed Allowance	Appropriate For
Production	VERIFY_SSL=true	false	Trusted CAs
Internal Use	VERIFY_SSL=true	true	Internal PKI
Dev/Testing	VERIFY_SSL=false	N/A	HTTP or Unknown

🖥️ Integration with Claude Desktop

Configuration Snippet

Inject the following structure into the Claude Desktop configuration file:

• Windows Path: %APPDATA%\Claude\claude_desktop_config.json
• Unix Path: ~/.config/claude/claude_desktop_config.json

{ "mcpServers": { "wazuh_local": { "command": "wazuh-mcp-server", "args": [] } } }

Sample Interaction Prompts

Execute these queries via the Claude interface after setup:

🔍 "Summarize all P1 alerts from the last 12 hours." 🚨 "Identify the top five risk vectors currently present." 🛡️ "Verify adherence to SOC 2 Type II controls." 📊 "Generate a trend analysis report for endpoint anomalies." 🔧 "Assess the operational status of remote host-alpha-44." 🌐 "Review the baseline vulnerability posture for the last fiscal quarter."

📚 Full Utility Function Index

Alert Interpretation (4 Functions)

• get_wazuh_alerts - Fetch filtered security findings.
• get_wazuh_alert_summary - Produce aggregated alert statistics.
• analyze_alert_patterns - Leverage AI for underlying pattern recognition.
• search_security_events - Execute complex, raw event queries.

Asset & Endpoint Management (6 Functions)

• get_wazuh_agents - Retrieve status and metadata for all monitored endpoints.
• get_wazuh_running_agents - Snapshot of presently active agents.
• check_agent_health - Validate agent subsystem integrity.
• get_agent_processes - List active processes on a specified endpoint.
• get_agent_ports - Inventory listening ports and services.
• get_agent_configuration - Dump detailed configuration files for an agent.

Risk & Defect Management (3 Functions)

• get_wazuh_vulnerabilities - Full scan result retrieval.
• get_wazuh_critical_vulnerabilities - Focus only on high-severity defects.
• get_wazuh_vulnerability_summary - Statistical overview of defect remediation progress.

Security Intelligence & Assessment (6 Functions)

• analyze_security_threat - AI assessment of specific threat indicators.
• check_ioc_reputation - Cross-reference Indicators of Compromise against threat intelligence feeds.
• perform_risk_assessment - Quantitative security risk scoring.
• get_top_security_threats - Ranking of threats by impact and occurrence.
• generate_security_report - On-demand creation of formal security documentation.
• run_compliance_check - Execute targeted framework audits (e.g., NIST, CIS).

Infrastructure & Telemetry (10 Functions)

• get_wazuh_statistics - Obtain core system operational metrics.
• get_wazuh_weekly_stats - Weekly aggregated performance data.
• get_wazuh_cluster_health - Status check for distributed cluster components.
• get_wazuh_cluster_nodes - Detailed status of each cluster member.
• get_wazuh_rules_summary - Analysis of rule efficiency and detection coverage.
• get_wazuh_remoted_stats - Data flow metrics for agent communications.
• get_wazuh_log_collector_stats - Performance metrics for log ingestion subsystems.
• search_wazuh_manager_logs - Perform targeted searches within Manager operational logs.
• get_wazuh_manager_error_logs - Isolate and retrieve error/failure entries.
• validate_wazuh_connection - Verify endpoint connectivity and authentication handshake.

📖 Detailed References

Comprehensive API Documentation

• Alert Orchestration API
• Endpoint Administration API
• Defect Prioritization API
• Threat Modeling API
• Infrastructure Monitoring API
• Governance & Reporting API
• System Log Search API

Operational Guides

• Initial Deployment Manual
• Environment Variable Tuning
• Troubleshooting Handbook
• Security Hardening Directives

🔧 Command Line Utility

bash

Execute the integration server (default transport)

wazuh-mcp-server

Verify configuration integrity and connectivity status

wazuh-mcp-server --check

Display the current installed version number

wazuh-mcp-server --version

Display command-line arguments reference

wazuh-mcp-server --help

🏗️ Architectural Blueprint

┌─────────────────┐ STDIO (Local IPC) ┌─────────────────┐ (REST/TLS) ┌─────────────────┐ │ │◄───────────────────────►│ │◄───────────────►│ │ │ Claude Desktop │ │ Wazuh MCP Server│ │ Wazuh Manager │ │ │ │ │ │ │ └─────────────────┘ └─────────────────┘ └─────────────────┘ │ │ │ │ ▼ ▼ ┌─────────────────┐ ┌─────────────────┐ │ │ │ │ │ FastMCP Engine │ │ Wazuh Indexer │ │ (29 Interfacing Tools) │ (Data Store) │ │ │ │ │ └─────────────────┘ └─────────────────┘

🛡️ Security Posture

• 🔐 Default Secured: TLS/SSL verification is mandated for external API interactions.
• 🚫 Air-Gapped Logic: Transport confined strictly to STDIO; no exposed network listeners.
• 🔑 Credential Integrity: Input validation for API keys and secrets.
• 📝 Operational Logging: Detailed audit trail generation for all security-relevant actions.
• ⚡ Flow Control: Integrated request throttling and efficient connection management.
• 🛠️ Fault Tolerance: Mechanisms for non-disruptive error recovery.

🧪 Quality Assurance

bash

Install development dependencies

pip install -e ".[dev]"

Execute unit and integration tests

pytest tests/

Run security and configuration validation

wazuh-mcp-server --check

Post-configuration test: Run conversational queries via Claude Desktop

📊 Resource Specifications

Minimum Requirements

• Operating System: Windows 10+, macOS 10.15+, Current Linux distributions
• Runtime: Python version 3.11 or newer
• Memory: Minimum 512MB free RAM
• Connectivity: Network access (HTTPS) to the upstream Wazuh manager endpoints

Optimal Requirements

• Runtime: Python 3.12 or newer
• Memory: 2GB+ available RAM
• Certificates: Valid, institutionally recognized SSL certificates
• Observability: Integration with an external log aggregation service

🤝 Collaboration Guidelines

1. Duplicate the repository (Fork).
2. Establish a dedicated feature branch (git checkout -b feature/new-functionality).
3. Commit finalized changes (git commit -m 'feat: Implemented X capability').
4. Push changes to the fork (git push origin feature/new-functionality).
5. Submit a formal Pull Request.

📄 Licensing Framework

This software is released under the permissive MIT License (see the accompanying [LICENSE] file).

🆘 Support Channels

• Documentation Portal: View Full Docs
• Bug Reporting: Raise an Issue
• Community Q&A: Engage in Discussions

🏆 Enterprise Readiness Features

This software package is engineered for mission-critical deployment environments, featuring:

• ✅ Robust recovery protocols for transient failures
• ✅ High-fidelity logging tailored for security auditing
• ✅ Proactive security hardening across all I/O paths
• ✅ Guaranteed cross-platform binary compatibility
• ✅ Comprehensive documentation suite
• ✅ Full automated testing coverage

🚀 Alternative Distribution Channels

Wazuh MCP Remote Agent (v3.0.0)

For distributed or cloud-based security operations requiring external connectivity, consider the Remote Server Variant:

• 🌐 Network Transit: Leverages HTTP/SSE for wide-area communication.
• 🔐 Authorization: Implements JWT (JSON Web Token) validation for secure access.
• 🐳 Containerization: Optimized for immediate deployment via Docker.
• 📊 Advanced Metrics: Exports Prometheus-compatible metrics and health endpoints.
• ⚡ Resilience Layer: Includes advanced circuit breaking and automated retry logic.
• 🏢 Corporate Fit: Ideal for cloud-native or multi-site security operations centers.

→ Access Remote Server Edition Documentation

Feature Comparison

Characteristic	v2.1.0 (Local STDIO)	v3.0.0 (Remote Access)
Communication	Local Pipe (STDIO)	Web Protocol (HTTP/SSE)
Deployment Model	Source/Virtual Env	Containerized (Docker)
Access Control	Implicit/Local	Bearer JWT Tokens
Best Use Case	Direct Desktop AI Link	Distributed/Cloud SOC

---

Developed with commitment to the open security sector.

WIKIPEDIA: XMLHttpRequest (XHR) represents an Application Programming Interface, structured as a JavaScript object, whose methods facilitate the transmission of HTTP requests from a client (web browser) to a remote server. These methods enable browser-based applications to initiate server communications subsequent to initial page rendering, and subsequently receive data back. XMLHttpRequest forms a fundamental part of the Asynchronous JavaScript and XML (Ajax) programming paradigm. Before Ajax gained prominence, standard mechanisms for server engagement relied primarily on hyperlink navigation and form submissions, actions that typically necessitated a full page refresh.

== Historical Context == The underlying concept for XMLHttpRequest originated around the year 2000, conceived by the engineering team behind Microsoft Outlook. This concept was first realized within the Internet Explorer 5 browser release (1999). However, the initial implementation did not utilize the standardized XMLHttpRequest object identifier. Instead, developers employed constructor calls such as ActiveXObject("Msxml2.XMLHTTP") and ActiveXObject("Microsoft.XMLHTTP"). As of the release of Internet Explorer 7 (2006), universal support for the official XMLHttpRequest object name was achieved across all major browser platforms, including Mozilla's Gecko rendering engine (2002), Apple's Safari 1.2 (2004), and Opera 8.0 (2005).

=== Standardization Trajectory === The World Wide Web Consortium (W3C) formally issued a Working Draft specification for the XMLHttpRequest object on April 5, 2006. A subsequent Working Draft for Level 2 was published by the W3C on February 25, 2008. Level 2 introduced key enhancements such as progress monitoring methods, support for cross-origin resource sharing (CORS), and byte stream handling capabilities. By the close of 2011, the features defined in the Level 2 draft were successfully integrated back into the primary specification document. Subsequently, in late 2012, the development stewardship transitioned to the WHATWG group, which currently maintains the specification as a continuously evolving document defined using Web IDL syntax.

== Operational Use Cases == Initiating a network request using XMLHttpRequest typically involves a sequence of distinct programming actions.

1. Instantiation: A new XMLHttpRequest object is created by invoking its constructor method.
2. Configuration: The "open" method is invoked to define the request methodology (e.g., GET, POST), designate the target resource URI, and specify synchronous versus asynchronous execution mode.
3. Event Handling (Async Only): For asynchronous operations, a listener function must be configured to execute when the request's state transitions occur.
4. Transmission: The request is dispatched to the server via the "send" method, potentially carrying payload data.
5. Response Processing: The event listener monitors for state changes. Upon successful server response, data is typically populated within the "responseText" attribute. The object signals completion by transitioning to state 4 ("done"). Beyond these foundational steps, XMLHttpRequest provides numerous controls over request transmission and response parsing. Custom HTTP headers can be appended to tailor server behavior. Data can be uploaded by supplying it to the "send" call. Responses arriving in JSON format can be automatically parsed into native JavaScript objects, or processed iteratively as chunks arrive rather than waiting for the complete payload. Furthermore, operations can be terminated prematurely or configured with timeouts.

== Inter-Domain Communication ==

During the nascent period of the World Wide Web, it was observed that security policies prevented code from one domain from initiating requests to an entirely different domain, a restriction intended to prevent malicious code from exfiltrating user data. The introduction of XMLHttpRequest initially inherited these limitations, posing challenges for modern web applications requiring data from disparate sources.