How to Use the Wazuh (SIEM) MCP in LangChain

Q: Does Wazuh (SIEM) support advanced querying with LangChain?

Absolutely. Many of these MCP Server tools, including listagents, explicitly support WQL filtering, meaning your agent can narrow down massive datasets to specific criteria.

Build multi-step security chains for Wazuh investigation using LangChain.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect Wazuh (SIEM) MCP to LangChain

Create your Vinkius account to connect Wazuh (SIEM) to LangChain and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup Wazuh (SIEM) with LangChain

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Automated Agent Lifecycle Management via MCP Server

You can run `create_agent` to enroll a new endpoint into the SIEM. After that, you'll use `delete_agents` with WQL to specify exactly which agents need removing. This sequence lets your AI agent handle the entire agent lifecycle—from onboarding to decommissioning—all within one reasoning chain.

Deep Log and Rule Validation

Testing rules against real-world data is critical. Start by calling `get_logtest` to validate your decoder and rule set against sample logs. Then, check the manager's health using `get_manager_status`. Your agent can chain these calls together: test a log, get its status, and then if it fails, automatically pull `get_manager_logs` for debugging.

Security Configuration Auditing

Need to audit system settings? Use the `get_sca` tool to fetch Security Configuration Assessment results. If you need a broader view of endpoints, run `list_agents` with WQL filters. Combine these two calls in your chain: get the current list of agents, then use that data context to narrow down which specific hosts require an SCA check.

Setup guide

Set up Wazuh (SIEM) MCP in LangChain

Prerequisites

Python 3.10+ installed
langchain-mcp-adapters + langgraph packages
Active Vinkius subscription with a valid endpoint token

1

Install dependencies
Run pip install langchain-mcp-adapters langgraph langchain-openai. The MCP adapters package converts MCP tools into native LangChain BaseTool objects.
2

Connect via HTTP transport
Use MultiServerMCPClient with "transport": "http" pointing to your Vinkius endpoint. Replace [YOUR_TOKEN_HERE] with your token from cloud.vinkius.com.
3

Create a ReAct agent
Pass the discovered tools to create_react_agent() from LangGraph. The agent automatically routes Wazuh (SIEM) tool calls through the MCP protocol.
4

Run with any LLM
Swap ChatOpenAI for ChatAnthropic, ChatGoogleGenerativeAI, or any LangChain-compatible model. The MCP tools work identically across all providers.

agent.py

from langchain_mcp_adapters.client import MultiServerMCPClient
from langgraph.prebuilt import create_react_agent
from langchain_openai import ChatOpenAI

async with MultiServerMCPClient({
    "wazuh-siem-mcp": {
        "transport": "http",
        "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp",
    }
}) as client:
    tools = client.get_tools()

    agent = create_react_agent(
        ChatOpenAI(model="gpt-4o"),
        tools,
    )
    result = await agent.ainvoke({
        "messages": "List recent Wazuh (SIEM) transactions"
    })
    print(result["messages"][-1].content)

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Wazuh. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect Wazuh (SIEM) now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about Wazuh (SIEM) MCP in LangChain

LangChain treats the MCP Server as a callable tool. Your agent doesn't just query data; it executes specific commands like `list_rules` or `update_security_config` to change state and gather evidence.

Yes. Because the MCP Server is stateless by default, your agent can chain commands across different tools—for instance, first upgrading agents with `upgrade_agents`, then verifying the change via `list_cluster_nodes`.

The server exposes configuration data, agent lists, and various security assessment results. This includes the raw output from tools like `get_syscheck` or `list_decoders`.

Absolutely. Many of these MCP Server tools, including `list_agents`, explicitly support WQL filtering, meaning your agent can narrow down massive datasets to specific criteria.

This server manages configuration settings and agent status. You're dealing with structured data like security roles, rule definitions, and cluster node lists.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript