Loading...

Wazuh - AI Tool Review & Alternatives | Flaex AI

Back to Database

Wazuh

VERIFIED

Wazuh

Safety: 75/100

0.0(0)

The Wazuh MCP Server provides a secure interface to query Wazuh SIEM data using natural language, enabling AI assistants to access security alerts, agent data, and more.

MCP ServersFreemium

Boost this tool

Subscribe to listing upgrades or segmented pushes.

Log in to purchase

Overview

The Wazuh MCP Server provides a secure interface to query Wazuh SIEM data using natural language, enabling AI assistants to access security alerts, agent data, and more.

The Wazuh MCP Server is generally safe for read-only operations, such as querying alerts and agent information. However, caution should be exercised when using tools that modify Wazuh configurations, and proper access controls should be enforced on the Wazuh API to mitigate risks.

Performance depends on the Wazuh API's responsiveness and the complexity of the queries. Optimize Wazuh API queries for better performance.

Cost is primarily related to the resources consumed by the server and the Wazuh API. High query frequency may impact Wazuh performance.

HybridRust171 starsMITReleased 12/12/2025CI/CD

Connections & Capabilities

Connects To

GitHubDocker

Capabilities

ReadWrite

Client Compatibility

Claude Desktop

full

Cursor

untested

Windsurf

untested

VS Code (Copilot)

untested

Quickstart

Claude Desktop Config

{
  "mcpServers": {
    "wazuh": {
      "command": "/path/to/mcp-server-wazuh",
      "args": [],
      "env": {
        "WAZUH_API_HOST": "your_wazuh_manager_api_host",
        "WAZUH_API_PORT": "55000",
        "WAZUH_API_USERNAME": "your_wazuh_api_user",
        "WAZUH_API_PASSWORD": "your_wazuh_api_password",
        "WAZUH_INDEXER_HOST": "your_wazuh_indexer_host",
        "WAZUH_INDEXER_PORT": "9200",
        "WAZUH_INDEXER_USERNAME": "your_wazuh_indexer_user",
        "WAZUH_INDEXER_PASSWORD": "your_wazuh_indexer_password",
        "WAZUH_VERIFY_SSL": "false",
        "WAZUH_TEST_PROTOCOL": "https",
        "RUST_LOG": "info"
      }
    }
  }
}

Environment Variables

VERIFY_SSLRUST_LOG

Tools (14)

safe

get_wazuh_alert_summary

Retrieves a summary of recent security alerts from Wazuh.

Read-only operation, no modification of data.

safe

get_wazuh_vulnerability_summary

Provides a summary of vulnerabilities detected on Wazuh agents.

Read-only operation, no modification of data.

safe

get_wazuh_critical_vulnerabilities

Lists critical vulnerabilities found on Wazuh agents.

Read-only operation, no modification of data.

safe

get_wazuh_agent_processes

Lists running processes on a specific Wazuh agent.

Read-only operation, no modification of data.

safe

get_wazuh_agent_ports

Lists open ports on a specific Wazuh agent.

Read-only operation, no modification of data.

safe

get_wazuh_running_agents

Lists currently running Wazuh agents.

Read-only operation, no modification of data.

safe

get_wazuh_rules_summary

Provides a summary of the Wazuh detection rules.

Read-only operation, no modification of data.

safe

get_wazuh_weekly_stats

Retrieves weekly statistics from the Wazuh manager.

Read-only operation, no modification of data.

safe

get_wazuh_remoted_stats

Retrieves statistics from the Wazuh remoted service.

Read-only operation, no modification of data.

safe

get_wazuh_log_collector_stats

Retrieves statistics from the Wazuh log collector.

Read-only operation, no modification of data.

safe

get_wazuh_cluster_health

Retrieves the health status of the Wazuh cluster.

Read-only operation, no modification of data.

safe

get_wazuh_cluster_nodes

Lists the nodes in the Wazuh cluster.

Read-only operation, no modification of data.

safe

search_wazuh_manager_logs

Searches the Wazuh manager logs for specific events.

Read-only operation, no modification of data.

safe

get_wazuh_manager_error_logs

Retrieves error logs from the Wazuh manager.

Read-only operation, no modification of data.

Security

Auth Method

Environment Variable

Data Locality

hybrid

Known Risks

!Exposure of sensitive Wazuh data if the LLM client is compromised.
!Potential for unauthorized access if Wazuh API credentials are leaked.
!Risk of denial-of-service if the server is flooded with requests.
!Vulnerabilities in the Wazuh API could be exploited through the server.

Safety Score

75

moderate risk

The Wazuh MCP Server is generally safe for read-only operations, such as querying alerts and agent information. However, caution should be exercised when using tools that modify Wazuh configurations, and proper access controls should be enforced on the Wazuh API to mitigate risks.

Positive

+Read-only access to Wazuh data for most operations.
+Configuration managed through environment variables, limiting runtime modifications.
+Access to Wazuh API is controlled by Wazuh's own authentication mechanisms.
+No direct shell execution or filesystem access.

Risks

-Improperly configured Wazuh API credentials could lead to unauthorized data access.
-Exposure of Wazuh data to an LLM client introduces a potential data leak risk.
-Some tools might allow modification of Wazuh configurations, if the Wazuh API user has sufficient permissions.
-Reliance on Wazuh's security posture; vulnerabilities in Wazuh could be exploited.

Use Cases

Security Monitoring

-Real-time security alert analysis
-Vulnerability assessment and prioritization
-System and network monitoring

Incident Response

-Log analysis and forensics
-Agent-specific investigation
-Threat intelligence gathering

Compliance

-Compliance monitoring and gap analysis
-Automated reporting
-Rule effectiveness analysis

Operational Efficiency

-Automated security reporting
-Cross-component analysis
-Natural language security queries

Who Is This For?

Best For

Security analysts needing quick access to Wazuh data.
Compliance teams assessing security posture.
Incident responders investigating security events.
Security operations center (SOC) analysts triaging alerts.

Not Ideal For

Environments with strict data isolation requirements.
Automated workflows requiring high-volume data ingestion.
Situations where Wazuh API access is not available.

Autonomy & Execution

Default ModeRead-only

Sandboxed

Autonomy is limited by the read-only nature of most tools. Ensure Wazuh API user permissions are appropriately restricted to prevent unintended modifications.

StatelessYes

Retry LogicNot documented

ConcurrencySingle-threaded

Production Tip

Monitor the server's resource usage and Wazuh API response times to ensure optimal performance.

FAQ

What Wazuh versions are supported?

Wazuh v4.12 or later is recommended.

How do I configure the server to connect to my Wazuh instance?

Set the WAZUH_API_HOST, WAZUH_API_PORT, WAZUH_API_USERNAME, and WAZUH_API_PASSWORD environment variables.

What kind of data can I access through this server?

You can access security alerts, agent information, vulnerability data, and more.

Is the communication between the server and the Wazuh API encrypted?

Yes, HTTPS is used by default. You can configure SSL verification using the WAZUH_VERIFY_SSL variable.

How do I enable debug logging?

Set the RUST_LOG environment variable to 'debug'.

Can I use this server with other SIEM systems besides Wazuh?

No, this server is specifically designed to interface with the Wazuh API.

What are the minimum system requirements for running this server?

The server has minimal resource requirements and can run on most modern systems. Memory usage will depend on the number of concurrent requests.

Metrics

Discovered2/14/2026

Reviews0

Saved By0 users

Related Tools