WindsurfIDE

Wazuh (SIEM) MCP Server

Bring Siem
to Windsurf

Name: Wazuh (SIEM) MCP Server
Price: 29 USD
Availability: InStock
Rating: 5.0 (1 reviews)
Author: Vinkius

Learn how to connect Wazuh (SIEM) to Windsurf and start using 21 AI agent tools in minutes. Fully managed, enterprise secure, and ready to use without writing a single line of code.

GDPR Free for Subscribers

Create AgentCreate Security RoleDelete AgentsGet LogtestGet Manager LogsGet Manager StatusGet MitreGet RootcheckGet ScaGet SyscheckGet SyscollectorList AgentsList Cluster NodesList DecodersList RulesList Security UsersRestart AgentsRestart ClusterUpdate Rule FileUpdate Security ConfigUpgrade Agents

Unlock for AI Agents

Ask AI about this MCP Server ChatGPT Claude Perplexity

Compatible with every major AI agent and IDE

Claude

ChatGPT

Cursor

Gemini

Windsurf

VS Code

JetBrains

Vercel

+ other MCP clients

What is the Wazuh (SIEM) MCP Server?

Connect your Wazuh SIEM to any AI agent to streamline security operations and endpoint monitoring through natural language.

What you can do

Agent Management — List all enrolled agents, create new ones, and perform bulk actions like restarts or upgrades using WQL filtering.
Manager & Cluster Health — Monitor manager daemon status, fetch logs, and inspect cluster nodes to ensure high availability.
Security Auditing — Query File Integrity Monitoring (Syscheck), Security Configuration Assessment (SCA), and Rootcheck results.
Threat Intelligence — Access MITRE ATT&CK mappings and test log decoders to validate your detection pipeline.
Rule Orchestration — List and update rules or decoders directly to fine-tune your security posture.

How it works

Subscribe to this server
Provide your Wazuh API URL, Username, and Password
Start auditing your security environment from Claude, Cursor, or any MCP client

Who is this for?

Security Analysts — quickly query agent status and FIM results without navigating the Wazuh dashboard
DevSecOps Engineers — automate agent upgrades and monitor cluster health directly from terminal-based AI tools
Incident Responders — fetch MITRE mappings and manager logs instantly during active investigations

Built-in capabilities (21)

create_agent

Enroll a new Wazuh agent

create_security_role

Create a new Wazuh security role

delete_agents

Use WQL to specify which agents to delete. Remove Wazuh agents

get_logtest

Test rules and decoders against logs

get_manager_logs

Retrieve Wazuh manager logs

get_manager_status

Get Wazuh manager daemon status

get_mitre

Supports WQL filtering. Get MITRE ATT&CK results

get_rootcheck

Supports WQL filtering. Get Rootcheck results

get_sca

Supports WQL filtering. Get Security Configuration Assessment (SCA) results

get_syscheck

Supports WQL filtering. Get File Integrity Monitoring (Syscheck) results

get_syscollector

Supports WQL filtering. Get Syscollector inventory

list_agents

Supports WQL filtering. List all Wazuh agents

list_cluster_nodes

List Wazuh cluster nodes

list_decoders

Supports WQL filtering. List loaded Wazuh decoders

list_rules

Supports WQL filtering. List loaded Wazuh rules

list_security_users

List Wazuh API users

restart_agents

Restart Wazuh agents

restart_cluster

Restart the Wazuh cluster

update_rule_file

Update a Wazuh rule file

update_security_config

Update Wazuh security configuration

upgrade_agents

Upgrade Wazuh agents

Why Windsurf?

Windsurf's Cascade agent chains multiple Wazuh (SIEM) tool calls autonomously. query data, analyze results, and generate code in a single agentic session. Paste Vinkius Edge URL, reload, and all 21 tools are immediately available. Real-time tool feedback appears inline, so you see API responses directly in your editor.

—
Windsurf's Cascade agent autonomously chains multiple tool calls in sequence, solving complex multi-step tasks without manual intervention
—
Purpose-built for agentic workflows. Cascade understands context across your entire codebase and integrates MCP tools natively
—
JSON-based configuration means zero code changes: paste a URL, reload, and all 21 tools are immediately available
—
Real-time tool feedback is displayed inline, so you see API responses directly in your editor without switching contexts

See it in action

Wazuh (SIEM) in Windsurf

AI Agent→Vinkius

High Security·Kill Switch·Plug and Play

Why Vinkius

Wazuh (SIEM) and 4,000+ other MCP servers. One platform. One governance layer.

Teams that connect Wazuh (SIEM) to Windsurf through Vinkius don't need to source, host, or maintain individual MCP servers. Every tool call runs inside a hardened runtime with credential isolation, DLP, and a signed audit chain.

4,000+MCP Servers ready

<40msCold start

60%Token savings

	Raw MCP	Vinkius
Server catalog	Find and host yourself	4,000+ managed
Infrastructure	Self-hosted	Sandboxed V8 isolates
Credential handling	Plaintext in config	Vault + runtime injection
Data loss prevention	None	Configurable DLP policies
Kill switch	None	Global instant shutdown
Financial circuit breakers	None	Per-server limits + alerts
Audit trail	None	Ed25519 signed logs
SIEM log streaming	None	Splunk, Datadog, Webhook
Honeytokens	None	Canary alerts on leak
Custom domains	Not applicable	DNS challenge verified
GDPR compliance	Manual effort	Automated purge + export

Unlock for AI Agents View step-by-step setup guide for Windsurf →

Enterprise Security

Why teams choose Vinkius for Wazuh (SIEM) in Windsurf

The Wazuh (SIEM) MCP Server runs on Vinkius-managed infrastructure inside AWS — a purpose-built runtime with per-request V8 isolates, Ed25519 signed audit chains, and sub-40ms cold starts. All 21 tools execute in hardened sandboxes optimized for native MCP execution.

Your AI agents in Windsurf only access the data you authorize, with DLP that blocks sensitive information from ever reaching the model, kill switch for instant shutdown, and up to 60% token savings. Enterprise-grade infrastructure, zero maintenance.

Unlock for AI Agents View full Wazuh (SIEM) details →

Fully ManagedVinkius Servers

60%Token savings

High SecurityEnterprise-grade

IAMAccess control

EU AI ActCompliant

DLPData protection

V8 IsolateSandboxed

Ed25519Audit chain

<40msKill switch

Stream every event to Splunk, Datadog, or your own webhook in real-time

* Every MCP server runs on Vinkius-managed infrastructure inside AWS - a purpose-built runtime with per-request V8 isolates, Ed25519 signed audit chains, and sub-40ms cold starts optimized for native MCP execution. See our infrastructure

The Vinkius Advantage

How Vinkius secures
Wazuh (SIEM) for Windsurf

Every tool call from Windsurf to the Wazuh (SIEM) MCP Server is protected by DLP redaction, cryptographic audit chains, V8 sandbox isolation, kill switch, and financial circuit breakers.

< 40msCold start

Ed25519Signed audit chain

60%Token savings

FAQ

Frequently asked questions

Can I filter agents by specific operating systems or versions?

Yes! The list_agents tool supports WQL (Wazuh Query Language). You can use queries like os.name=ubuntu;os.version>18 to find specific endpoints.

How do I check for unauthorized file changes on my servers?

You can use the get_syscheck tool. It retrieves File Integrity Monitoring (FIM) results, allowing you to audit file modifications, deletions, or additions across your agents.

Is it possible to check the health of the Wazuh manager cluster?

Absolutely. Use get_manager_status to check daemon health or list_cluster_nodes to see the status of all nodes in your Wazuh cluster.

How does Windsurf discover MCP tools?

Windsurf reads the mcp_config.json file on startup and connects to each configured server via Streamable HTTP. Tools are listed in the MCP panel and available to Cascade automatically.

Can Cascade chain multiple MCP tool calls?

Yes. Cascade is an agentic system. it can plan and execute multi-step workflows, calling several tools in sequence to accomplish complex tasks without manual prompting between steps.

Does Windsurf support multiple MCP servers?

Yes. Add as many servers as needed in mcp_config.json. Each server's tools appear in the MCP panel and Cascade can use tools from different servers in a single flow.