How to Use the Wazuh (SIEM) MCP in Claude

Q: How do I test rules with Wazuh (SIEM) in Claude Desktop?

Use the getlogtest tool. You pass it sample logs, and the server runs those against your current rules and decoders to show you exactly what they catch.

Q: Can I list all Wazuh agents from Claude Desktop?

Yes, running listagents gives you a comprehensive list of every active agent registered with the manager. It’s fast and simple to check inventory status.

Q: What if I need to see old Wazuh (SIEM) logs in Claude Desktop?

You can pull historical data by calling getmanagerlogs. This retrieves the main manager daemon's activity, letting you trace back issues that occurred hours ago.

Q: Does this MCP Server support WQL filtering for Wazuh (SIEM) in Claude Desktop?

Most of the read tools—like getmitre, listagents, and getrootcheck—support WQL, so you can narrow down results to specific time ranges or hosts.

See all your Wazuh security data and infrastructure logs right here in Claude Desktop.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect Wazuh (SIEM) MCP to Claude Desktop

Create your Vinkius account to connect Wazuh (SIEM) to Claude Desktop and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup Wazuh (SIEM) with Claude Desktop

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Manage Agent Lifecycle

You can enroll new endpoints with `create_agent` or quickly remove agents using `delete_agents`. This lets you control which devices are reporting data to your Wazuh (SIEM) system. You'll also see the full status of every connected machine by running `list_agents`, letting you confirm coverage across your network.

Run Security Audits via MCP Server

Need to know if a system is compromised? Run deep checks like `get_rootcheck` or assess configurations with `get_syscheck`. You just pass the parameters and get back actionable security results. The tool also lets you run MITRE ATT&CK lookups using `get_mitre`, giving context on specific attack vectors.

Inspect Wazuh Rules

Got a rule that isn't firing right? List every loaded decoder or check the syntax of rules with `list_decoders` and `list_rules`. This gives you visibility into what’s actually being processed. You can update files directly using `update_rule_file`, so you don't have to log into the management console just to tweak a regex.

Setup guide

Set up Wazuh (SIEM) MCP in Claude Web or Desktop

1

Open Claude Settings

Go to claude.ai, click your profile icon, then navigate to Customize → Connectors.
2

Add Custom Connector

Click the "+" button and select Add custom connector. Paste your Vinkius endpoint URL: https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp Replace [YOUR_TOKEN_HERE] with your token from cloud.vinkius.com. For OAuth-protected servers, expand Advanced settings to add credentials.
3

Start a conversation

Open a new chat. The Wazuh (SIEM) MCP tools are available immediately — no restart needed.

Endpoint URL

https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp

No configuration file needed — paste the URL directly in the Claude web interface.

Available on Free (1 connector), Pro, Max, Team, and Enterprise plans.

Prerequisites

Claude Desktop installed (macOS or Windows)
Active Vinkius subscription with a valid endpoint token

1

Open Claude Desktop Settings

Click the menu icon at the top-left corner, go to Settings → Developer → Edit Config. This opens claude_desktop_config.json in your default text editor.
2

Paste the Wazuh (SIEM) MCP configuration

Copy the JSON snippet on the right into the mcpServers object. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Restart Claude Desktop

Close and reopen the application. Claude needs a full restart to load new MCPs — refreshing a conversation is not enough.
4

Verify the connection

Open a new conversation. Click the 🔌 icon at the bottom of the message input. You should see tools listed under wazuh-siem-mcp.

json

{
  "mcpServers": {
    "wazuh-siem-mcp": {
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Wazuh. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect Wazuh (SIEM) now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about Wazuh (SIEM) MCP in Claude Desktop

Use the `get_logtest` tool. You pass it sample logs, and the server runs those against your current rules and decoders to show you exactly what they catch.

Yes, running `list_agents` gives you a comprehensive list of every active agent registered with the manager. It’s fast and simple to check inventory status.

You can pull historical data by calling `get_manager_logs`. This retrieves the main manager daemon's activity, letting you trace back issues that occurred hours ago.

Most of the read tools—like `get_mitre`, `list_agents`, and `get_rootcheck`—support WQL, so you can narrow down results to specific time ranges or hosts.

It handles agent configuration details and raw security event logs. These are highly sensitive operational records that need careful management.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python