How to Use the Wazuh (SIEM) MCP in Claude Code

Q: How do I use Wazuh (SIEM) with Claude Code to list all agents in a cron job?

You run listagents and pipe the JSON output into your logging system. This allows you to confirm agent status every hour without needing a GUI or manual interaction.

Q: Can Wazuh (SIEM) help me validate security roles before deploying code with Claude Code?

Yes. Use listsecurityusers to script out the current user list and compare it against your deployment manifest, ensuring no unauthorized accounts exist.

Q: What is the best way to test Wazuh (SIEM) rules in a headless CI/CD environment with Claude Code?

Run getlogtest as a dedicated stage in your pipeline. This tool validates detection logic using sample logs, providing immediate pass/fail exit codes that stop deployment if issues surface.

Q: Does the MCP Server support checking cluster health for Wazuh (SIEM) with Claude Code?

Absolutely. Use listclusternodes to verify node connectivity. If a critical node is missing, your script can automatically trigger alerts or halt the pipeline.

Q: What data types does the Wazuh (SIEM) MCP Server touch regarding rules and decoders?

This server manages detection logic. You use listrules to dump all active rules or listdecoders to check parsing capabilities, which is essential for scripting rule validation.

Run Wazuh SIEM Audits in CI/CD Pipelines with Claude Code: Script security checks from the terminal.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect Wazuh (SIEM) MCP to Claude Code

Create your Vinkius account to connect Wazuh (SIEM) to Claude Code and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup Wazuh (SIEM) with Claude Code

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Automate Agent Lifecycle Management via MCP Server

Integrate agent management directly into your pipeline script. Before deployment, run `list_agents` to confirm all required endpoints are online. If not, the script fails immediately. Need to clean up old credentials? Use `delete_agents` with WQL to remove stale entries in bulk before running the build.

Enforce Compliance Checks using Claude Code

Build a non-interactive compliance gate. Run `get_rootcheck` or `get_sca` and pipe the exit code into your CI/CD system. The script passes if no high-severity findings are returned. This makes security audits part of your mandatory build steps, not optional tasks.

Manage Wazuh (SIEM) Infrastructure State

Your pipelines need stability. Use the MCP Server to manage the cluster state; run `restart_cluster` if a node fails mid-build. You can also update rules using `update_rule_file` before testing, ensuring your deployment uses the latest detection logic. This keeps your SIEM environment reliable for automated testing.

Setup guide

Set up Wazuh (SIEM) MCP in Claude Code

Prerequisites

Claude Code CLI installed (npm install -g @anthropic-ai/claude-code)
Active Vinkius subscription with a valid endpoint token

1

Run the add command

Open your terminal and run the command shown on the right. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com. Use --scope user to make it available across all projects.
2

Verify the connection

Start a Claude Code session and type /mcp to list connected servers. You should see wazuh-siem-mcp with a green status indicator.
3

Start using tools

Ask Claude Code something like "Check my latest Wazuh (SIEM) transactions." It will automatically discover and invoke the available Wazuh (SIEM) tools.

Terminal

claude mcp add --transport http wazuh-siem-mcp https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp

Get your connection token →

Prerequisites

Claude Code CLI installed
Active Vinkius subscription with a valid endpoint token

1

Open the config file

Create or edit .mcp.json in your project root for project-level scope, or ~/.claude.json for user-level scope.
2

Add the Wazuh (SIEM) MCP

Paste the JSON snippet shown on the right into the mcpServers object. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Restart Claude Code

Start a new Claude Code session. Type /mcp to confirm the server is connected. The tools will be automatically available in your conversation.

.mcp.json

{
  "mcpServers": {
    "wazuh-siem-mcp": {
      "type": "url",
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Wazuh. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect Wazuh (SIEM) now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about Wazuh (SIEM) MCP in Claude Code

You run `list_agents` and pipe the JSON output into your logging system. This allows you to confirm agent status every hour without needing a GUI or manual interaction.

Yes. Use `list_security_users` to script out the current user list and compare it against your deployment manifest, ensuring no unauthorized accounts exist.

Run `get_logtest` as a dedicated stage in your pipeline. This tool validates detection logic using sample logs, providing immediate pass/fail exit codes that stop deployment if issues surface.

Absolutely. Use `list_cluster_nodes` to verify node connectivity. If a critical node is missing, your script can automatically trigger alerts or halt the pipeline.

This server manages detection logic. You use `list_rules` to dump all active rules or `list_decoders` to check parsing capabilities, which is essential for scripting rule validation.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript