ClineIDE

Wazuh (SIEM) MCP Server

Bring Siem
to Cline

Name: Wazuh (SIEM) MCP Server
Price: 29 USD
Availability: InStock
Rating: 5.0 (1 reviews)
Author: Vinkius

Learn how to connect Wazuh (SIEM) to Cline and start using 21 AI agent tools in minutes. Fully managed, enterprise secure, and ready to use without writing a single line of code.

GDPR Free for Subscribers

Create AgentCreate Security RoleDelete AgentsGet LogtestGet Manager LogsGet Manager StatusGet MitreGet RootcheckGet ScaGet SyscheckGet SyscollectorList AgentsList Cluster NodesList DecodersList RulesList Security UsersRestart AgentsRestart ClusterUpdate Rule FileUpdate Security ConfigUpgrade Agents

Unlock for AI Agents

Ask AI about this MCP Server ChatGPT Claude Perplexity

Compatible with every major AI agent and IDE

Claude

ChatGPT

Cursor

Gemini

Windsurf

VS Code

JetBrains

Vercel

+ other MCP clients

What is the Wazuh (SIEM) MCP Server?

Connect your Wazuh SIEM to any AI agent to streamline security operations and endpoint monitoring through natural language.

What you can do

Agent Management — List all enrolled agents, create new ones, and perform bulk actions like restarts or upgrades using WQL filtering.
Manager & Cluster Health — Monitor manager daemon status, fetch logs, and inspect cluster nodes to ensure high availability.
Security Auditing — Query File Integrity Monitoring (Syscheck), Security Configuration Assessment (SCA), and Rootcheck results.
Threat Intelligence — Access MITRE ATT&CK mappings and test log decoders to validate your detection pipeline.
Rule Orchestration — List and update rules or decoders directly to fine-tune your security posture.

How it works

Subscribe to this server
Provide your Wazuh API URL, Username, and Password
Start auditing your security environment from Claude, Cursor, or any MCP client

Who is this for?

Security Analysts — quickly query agent status and FIM results without navigating the Wazuh dashboard
DevSecOps Engineers — automate agent upgrades and monitor cluster health directly from terminal-based AI tools
Incident Responders — fetch MITRE mappings and manager logs instantly during active investigations

Built-in capabilities (21)

create_agent

Enroll a new Wazuh agent

create_security_role

Create a new Wazuh security role

delete_agents

Use WQL to specify which agents to delete. Remove Wazuh agents

get_logtest

Test rules and decoders against logs

get_manager_logs

Retrieve Wazuh manager logs

get_manager_status

Get Wazuh manager daemon status

get_mitre

Supports WQL filtering. Get MITRE ATT&CK results

get_rootcheck

Supports WQL filtering. Get Rootcheck results

get_sca

Supports WQL filtering. Get Security Configuration Assessment (SCA) results

get_syscheck

Supports WQL filtering. Get File Integrity Monitoring (Syscheck) results

get_syscollector

Supports WQL filtering. Get Syscollector inventory

list_agents

Supports WQL filtering. List all Wazuh agents

list_cluster_nodes

List Wazuh cluster nodes

list_decoders

Supports WQL filtering. List loaded Wazuh decoders

list_rules

Supports WQL filtering. List loaded Wazuh rules

list_security_users

List Wazuh API users

restart_agents

Restart Wazuh agents

restart_cluster

Restart the Wazuh cluster

update_rule_file

Update a Wazuh rule file

update_security_config

Update Wazuh security configuration

upgrade_agents

Upgrade Wazuh agents

Why Cline?

Cline operates autonomously inside VS Code. it reads your codebase, plans a strategy, and executes multi-step tasks including Wazuh (SIEM) tool calls without waiting for prompts between steps. Connect 21 tools through Vinkius and Cline can fetch data, generate code, and commit changes in a single autonomous run.

—
Cline operates autonomously. it reads your codebase, plans a strategy, and executes multi-step tasks including MCP tool calls without step-by-step prompts
—
Runs inside VS Code, so you get MCP tool access alongside your existing extensions, terminal, and version control in a single window
—
Cline can create, edit, and delete files based on MCP tool responses, enabling end-to-end automation from data retrieval to code generation
—
Transparent execution: every tool call and file change is shown in Cline's activity log for full visibility and approval before committing

See it in action

Wazuh (SIEM) in Cline

AI Agent→Vinkius

High Security·Kill Switch·Plug and Play

Why Vinkius

Wazuh (SIEM) and 4,000+ other MCP servers. One platform. One governance layer.

Teams that connect Wazuh (SIEM) to Cline through Vinkius don't need to source, host, or maintain individual MCP servers. Every tool call runs inside a hardened runtime with credential isolation, DLP, and a signed audit chain.

4,000+MCP Servers ready

<40msCold start

60%Token savings

	Raw MCP	Vinkius
Server catalog	Find and host yourself	4,000+ managed
Infrastructure	Self-hosted	Sandboxed V8 isolates
Credential handling	Plaintext in config	Vault + runtime injection
Data loss prevention	None	Configurable DLP policies
Kill switch	None	Global instant shutdown
Financial circuit breakers	None	Per-server limits + alerts
Audit trail	None	Ed25519 signed logs
SIEM log streaming	None	Splunk, Datadog, Webhook
Honeytokens	None	Canary alerts on leak
Custom domains	Not applicable	DNS challenge verified
GDPR compliance	Manual effort	Automated purge + export

Unlock for AI Agents View step-by-step setup guide for Cline →

Enterprise Security

Why teams choose Vinkius for Wazuh (SIEM) in Cline

The Wazuh (SIEM) MCP Server runs on Vinkius-managed infrastructure inside AWS — a purpose-built runtime with per-request V8 isolates, Ed25519 signed audit chains, and sub-40ms cold starts. All 21 tools execute in hardened sandboxes optimized for native MCP execution.

Your AI agents in Cline only access the data you authorize, with DLP that blocks sensitive information from ever reaching the model, kill switch for instant shutdown, and up to 60% token savings. Enterprise-grade infrastructure, zero maintenance.

Unlock for AI Agents View full Wazuh (SIEM) details →

Fully ManagedVinkius Servers

60%Token savings

High SecurityEnterprise-grade

IAMAccess control

EU AI ActCompliant

DLPData protection

V8 IsolateSandboxed

Ed25519Audit chain

<40msKill switch

Stream every event to Splunk, Datadog, or your own webhook in real-time

* Every MCP server runs on Vinkius-managed infrastructure inside AWS - a purpose-built runtime with per-request V8 isolates, Ed25519 signed audit chains, and sub-40ms cold starts optimized for native MCP execution. See our infrastructure

The Vinkius Advantage

How Vinkius secures
Wazuh (SIEM) for Cline

Every tool call from Cline to the Wazuh (SIEM) MCP Server is protected by DLP redaction, cryptographic audit chains, V8 sandbox isolation, kill switch, and financial circuit breakers.

< 40msCold start

Ed25519Signed audit chain

60%Token savings

FAQ

Frequently asked questions

Can I filter agents by specific operating systems or versions?

Yes! The list_agents tool supports WQL (Wazuh Query Language). You can use queries like os.name=ubuntu;os.version>18 to find specific endpoints.

How do I check for unauthorized file changes on my servers?

You can use the get_syscheck tool. It retrieves File Integrity Monitoring (FIM) results, allowing you to audit file modifications, deletions, or additions across your agents.

Is it possible to check the health of the Wazuh manager cluster?

Absolutely. Use get_manager_status to check daemon health or list_cluster_nodes to see the status of all nodes in your Wazuh cluster.

How does Cline connect to MCP servers?

Cline reads MCP server configurations from its settings panel in VS Code. Add the server URL and Cline discovers all available tools on initialization.