# Logz.io MCP

> Logz.io MCP lets your AI agent talk directly to your observability platform. Instead of logging into a dashboard and running complex queries, you simply ask your agent for insights into your logs, security rules, or triggered alerts. It handles advanced searches using Elasticsearch DSL so you can monitor critical events and manage system configurations—like creating new SIEM rules or adjusting alert status—all from a single chat interface.

## Overview
- **Category:** devops-cicd
- **Price:** Free
- **Tags:** logging, elasticsearch, siem, infrastructure-monitoring, alerting

## Description

You can analyze infrastructure logs, manage alerts, and check security compliance without ever leaving your AI client. This MCP connects directly to Logz.io, letting you interact with deep log data using natural language prompts. Need to find out why an API endpoint failed? Just ask your agent to search the error logs for a specific pattern. Want to adjust monitoring rules? You can tell it to list all configured alerts or even delete one that's no longer relevant. If you need to audit security events, your agent pulls up triggered alerts and shows you exactly what happened. It’s like having a specialized Ops team member available 24/7 inside your chat window. By connecting this MCP through Vinkius, you get immediate access to powerful log analysis tools, making incident response faster and way less click-heavy.

## Tools

### create_alert
Sets up a new monitoring alert that triggers when specific conditions are met in the logs.

### create_deployment_markers
Adds visual markers to graphs, helping you pinpoint where code deployments occurred within exception data.

### create_lookup_list
Builds a curated list of values (like blacklisted IPs) used for checking against SIEM security rules.

### create_metrics_account
Initializes a new dedicated account to track specific metrics within the logging platform.

### create_security_rule
Establishes a brand new security rule that automatically flags suspicious activity in your logs.

### create_siem_account
Sets up an entirely separate SIEM account linked to your main logging data store for segmented access and monitoring.

### create_snapshot
Takes a full, point-in-time snapshot of the Kibana dashboard view for later review or backup.

### create_user
Adds a new user account with defined permissions to the logging platform.

### delete_alert
Removes an existing alert definition from the system entirely.

### delete_security_rule
Permanently deletes a security rule that was previously active in your SIEM monitoring.

### delete_user
Removes a user account and associated access rights from the platform.

### disable_alert
Turns off an existing alert, preventing it from triggering further notifications while you troubleshoot.

### enable_alert
Reactivates a previously disabled alert, allowing monitoring to resume immediately.

### get_lookup_list
Retrieves the contents of an existing lookup list using its unique ID.

### get_snapshot
Fetches the saved state of a Kibana snapshot, allowing you to view historical dashboard data.

### list_alerts
Returns a comprehensive list of every alert currently configured in the system.

### list_insights
Retrieves automated insights, such as potential log exceptions or common public CI patterns detected by the platform.

### list_triggered_alerts
Fetches a paginated list of alerts that have recently fired and require attention.

### list_users_recursive
Lists all user accounts across the main account and any linked sub-accounts for a complete audit view.

### list_users
Retrieves all users associated with a single, specific account ID.

### scroll_logs
Handles very large search results by fetching the next chunk of data from a previous query result set.

### search_logs
Searches all account log data using powerful Elasticsearch DSL syntax, capable of handling up to 10,000 results at once.

### search_lookup_lists
Finds and filters available lookup lists by name or content for SIEM rule creation.

### search_security_event_logs
Narrows down the logs to show only the specific records that caused a security event to trigger.

### search_security_events
Queries and retrieves details about all security events triggered by any defined rule.

### search_security_rules
Searches the library of existing SIEM security rules to find matching or relevant policies.

### suspend_user
Temporarily suspends a user's access rights, revoking their ability to log into the platform immediately.

### unsuspend_user
Restores full access permissions for a previously suspended user account.

### update_alert
Modifies the criteria or notification settings of an existing alert definition without deleting it.

### update_security_rule
Changes the logic, severity, or target of a security rule to adapt to new threats.

### update_user
Modifies an existing user's profile, roles, or access permissions on the platform.

## Prompt Examples

**Prompt:** 
```
Search for logs with level 'ERROR' in the last 15 minutes using search_logs.
```

**Response:** 
```
I've executed the search. I found 12 error logs. Most of them are related to 'Connection Timeout' in the production cluster. Would you like to see the full details of these entries?
```

**Prompt:** 
```
List all configured alerts and tell me which ones are currently disabled.
```

**Response:** 
```
Fetching your alerts... You have 8 alerts configured. Currently, 'High Latency DB' and 'Disk Space Warning' are disabled. The other 6 are active.
```

**Prompt:** 
```
Show me the most recent triggered alerts with 'High' severity.
```

**Response:** 
```
I found 3 triggered alerts with High severity: 'API 5xx Spike', 'Unauthorized Access Attempt', and 'Memory Usage Critical'. All were triggered within the last hour.
```
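As an added illustration (not code from the Logz.io MCP page or from Vinkius), here is the Elasticsearch DSL body that the first prompt above maps to for `search_logs`, capped at the 10,000 results the tool description states, plus a small summariser over constructed hits of the kind behind the sample response; the field names `level`, `message` and `@timestamp` are assumptions.

```python
"""Worked example (added, not part of the Logz.io MCP page): the Elasticsearch
DSL body a prompt like "search for ERROR logs in the last 15 minutes" becomes
for search_logs, plus a summariser over the returned hits.
Field names `level`, `message` and `@timestamp` are assumptions."""
from collections import Counter

MAX_RESULTS = 10_000  # the page states search_logs returns at most 10,000 results at once


def error_logs_query(level="ERROR", minutes=15, size=100):
    """Build an Elasticsearch DSL query: exact level match AND a relative time window."""
    if minutes <= 0:
        raise ValueError("window must be positive")
    return {
        "query": {
            "bool": {
                "filter": [
                    {"term": {"level": level}},
                    {"range": {"@timestamp": {"gte": f"now-{minutes}m", "lte": "now"}}},
                ]
            }
        },
        "size": min(size, MAX_RESULTS),  # anything beyond the cap needs scroll_logs
        "sort": [{"@timestamp": {"order": "desc"}}],
    }


def summarise_hits(hits, patterns):
    """Count hits whose message mentions each pattern (case-insensitive)."""
    counts = Counter()
    for hit in hits:
        msg = hit.get("_source", {}).get("message", "").lower()
        for pattern in patterns:
            if pattern.lower() in msg:
                counts[pattern] += 1
    return dict(counts)


# Constructed sample hits, shaped like Elasticsearch's hits.hits array.
SAMPLE_HITS = [
    {"_source": {"level": "ERROR", "message": "Connection Timeout to db-1"}},
    {"_source": {"level": "ERROR", "message": "connection timeout to cache-2"}},
    {"_source": {"level": "ERROR", "message": "Unhandled exception in /api/orders"}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(error_logs_query(), indent=2))
    print(summarise_hits(SAMPLE_HITS, ["Connection Timeout", "exception"]))
```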

## Capabilities

### Search all system logs
Execute detailed queries against massive datasets of historical logs using advanced search syntax.

### Manage alert status
List, create, update, or temporarily disable alerts based on specific system conditions.

### Investigate security incidents
Retrieve a history of triggered security events and the underlying logs that caused them.

### Audit user accounts
View or modify user permissions across different accounts within your logging infrastructure.

### Define SIEM rules
Create, update, and delete complex security rules to automatically flag suspicious activity.

## Use Cases

### Finding the root cause of production errors
A DevOps Engineer notices a spike in 500 errors. Instead of logging into the Kibana interface, they ask their agent to run `search_logs` for 'HTTP 500' events in the last hour. The agent returns not just the count, but also the most common associated endpoint and user ID, saving hours of manual searching.

### Responding to a potential security breach
A Security Analyst suspects unauthorized access. They prompt their agent to run `search_security_events` and then use the resulting event IDs to perform a highly focused search with `search_logs`, instantly isolating the exact log entries that detail the suspicious activity.

### Updating compliance policies after an audit
An SRE learns a new vulnerability requires monitoring for specific IP ranges. They use their agent to first run `create_lookup_list` with the blacklisted IPs, and then immediately use `create_security_rule` to enforce the new rule across all monitored traffic.

### Onboarding a new team member
A manager needs to grant access to a new developer. Rather than navigating complex permission trees, they ask their agent to `create_user`, specifying the necessary roles and ensuring the account is properly linked into the main logging system.

## Benefits

- You cut down investigation time dramatically by using the `search_logs` tool to run complex queries without switching from your agent client. You can search millions of log entries instantly, identifying patterns like 'Connection Timeout' errors immediately.
- Never miss a critical issue again. Use `list_triggered_alerts` and then filter those results in the chat to pinpoint only 'High' severity events, giving you instant situational awareness during an incident.
- Managing security policies is cleaner than ever. You can use dedicated tools like `create_security_rule` or `update_security_rule` right through your agent conversation, eliminating manual UI navigation for compliance updates.
- User access management becomes simple. Instead of finding the user settings page, you simply ask your agent to list all users with `list_users_recursive` or suspend a compromised account using `suspend_user` on demand.
- Incident response is faster when you can manage alerts in one place. Need to temporarily pause monitoring for a known false positive? Just tell the agent to use `disable_alert`, then reactivate it later with `enable_alert`.

## How It Works

The bottom line is that you use a single conversational interface instead of navigating multiple web dashboards and running manual API calls.

1. Subscribe to this MCP and provide your Logz.io API token along with the correct region code.
2. Your AI client uses the provided credentials to establish a secure connection to the Logz.io platform's APIs.
3. You prompt your agent in natural language, asking it to perform an action—like finding 'Connection Timeout' errors or listing all active alerts—and the MCP returns the actionable data.

## Frequently Asked Questions

**How do I search logs using Logz.io with the search_logs tool?**
You tell your agent exactly what you need, like 'Search for all logs containing connection timeout in the EU region.' The MCP uses the underlying Elasticsearch DSL to execute a powerful query that returns structured results.

**Can Logz.io MCP help me list and manage alerts?**
Yes. You can use `list_alerts` to see everything configured, or if you find a false positive, tell the agent to `disable_alert` so it doesn't spam your inbox.

**What is the difference between list_triggered_alerts and search_security_events?**
Listing triggered alerts gives you an overview of recent issues. Running `search_security_events` lets you dive deeper, retrieving the specific logs that caused a security rule to fire.

**I need to change user permissions; which tool should I use?**
Use `update_user`. You simply ask your agent what changes are needed—like revoking read access—and the MCP executes the permission modification safely.