Wazuh (SIEM) MCP. Query logs, status, and compliance using natural language.
Wazuh (SIEM) connects security operations and endpoint monitoring directly to any AI agent. Instantly list agents, check compliance reports, and pull manager logs using natural conversation. It lets you run complex security queries—like checking File Integrity Monitoring or mapping MITRE ATT&CK tactics—without ever leaving your chat interface.
Give Claude and any AI agent real-world access
Fetch detailed compliance reports from modules like Rootcheck or Security Configuration Assessment (SCA) to confirm endpoint hardening.
List, enroll, restart, or upgrade all agents across the network using simple commands in your AI client.
Retrieve MITRE ATT&CK mappings and run log decoders to validate threat detection capabilities against specific attack vectors.
Pull live logs from the manager daemon or check the overall health of the cluster nodes instantly.
List, update, or test security rules and decoders against sample log data to improve detection accuracy.
What AI agents can do with Wazuh (SIEM) MCP - 21 Tools
Use these 21 tools to control agents, audit security policies, test rules, and retrieve deep logs directly from your AI agent.
Make your AI actually useful.
Add this MCP to Claude, Cursor, or Windsurf and your AI stops guessing. It gets real tools to look things up, take action, and handle the stuff you keep doing by hand.
List Cluster Nodes
Retrieves a list of all nodes currently running in your Wazuh cluster.
Create Agent
Enrolls and adds a brand new agent to the monitored network using specified details.
Create Security Role
Defines and creates a specific security role within the Wazuh system for resource...
List Decoders
Lists all currently loaded decoders, allowing you to see how log sources are...
Delete Agents
Removes specified Wazuh agents from the monitoring system using a defined query...
List Agents
Provides a list of all monitored agents, supporting filters to narrow down results.
Get Logtest
Tests specific security rules and decoders against sample log data to see if they trigger correctly.
Get Manager Logs
Retrieves the latest operational logs from the Wazuh manager daemon for review.
Get Manager Status
Checks and reports on the current running status of the main Wazuh manager service.
Get Mitre
Fetches structured data mapping security findings to MITRE ATT&CK framework...
Restart Agents
Initiates a restart command for selected or all monitored agents.
Restart Cluster
Forces a full restart of the entire Wazuh cluster to resolve deep-seated service issues.
Get Rootcheck
Runs and returns results from Rootcheck, which verifies system file integrity against known baselines.
List Rules
Lists all active security rules configured in Wazuh, with support for filtering.
Get Sca
Runs and returns results from Security Configuration Assessment (SCA), checking...
List Security Users
Lists all user accounts that have API access credentials within Wazuh.
Get Syscheck
Pulls the results from File Integrity Monitoring (Syscheck), showing changes to...
Get Syscollector
Retrieves the current inventory of installed software and hardware components across monitored agents.
Update Rule File
Allows you to programmatically push updates or changes to a specific Wazuh rule file.
Update Security Config
Updates the overall security configuration settings for the Wazuh manager system.
Upgrade Agents
Initiates a controlled upgrade process for monitored agents to ensure they run the...
Security and governance baked right in.
Pick your AI client below to get set up. Just create a Vinkius account, subscribe, and you're instantly up and running. We handle the entire backend infrastructure, delivering out-of-the-box support for Streamable HTTP, SSE, and OAuth2—zero messy routing required.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on each call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with Wazuh (SIEM), then connect any of our 5,200+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 5,200+ others, all in one place
- Add new capabilities to your AI anytime you want
- Connections are secured and governed automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog weekly
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Wazuh. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS CLOUD
- Cloud Hosted: managed infra
- V8 Isolated: sandboxed per request
- Zero-Trust Proxy: no stored credentials
- DLP Enforced: policy on each call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
The daily struggle of SIEM dashboards
You know the drill. An alert fires at 2 AM. You log into the Wazuh dashboard. First, you navigate to 'Agents' just to see who's online. Then you have to check a different tab for File Integrity Monitoring results. Next, you might need to run a manual report on configuration assessment failures. It’s a clicking nightmare—jumping between tabs and copying data into separate spreadsheets.
With this MCP connection, the process flips. You tell your agent what you're looking for in plain English. Your client runs `list_agents` and then automatically pulls `get_syscheck` results and `get_sca` reports, compiling it all into one clean response right where you are working.
Control agents, logs, and security roles with the Wazuh (SIEM) MCP
The manual steps that vanish include: navigating to the 'System' panel; manually running agent status checks; and then having to jump over to the 'Compliance' section for audit data. You don't need those clicks anymore.
You just ask, and your AI client gives you a structured answer. It’s instant access to deep system intelligence that used to take thirty minutes of painful dashboard navigation.
What Wazuh (SIEM) MCP does for your AI
Managing a Security Information and Event Management (SIEM) system usually means jumping between dashboards, running command-line tools, and filtering massive amounts of data. This MCP changes that process entirely. You connect it to any AI agent through Vinkius, giving your client the ability to speak directly to your Wazuh environment.
Instead of writing complex queries or navigating deep menu structures, you simply ask questions about your infrastructure. Your agent handles everything from checking if cluster nodes are healthy to retrieving security configuration assessment results across all endpoints. This means you get immediate answers on agent status, threat intelligence mappings, and audit data without ever needing to log into the Wazuh UI.
The bottom line is that this connection lets your AI client treat complex security infrastructure like a simple API endpoint, turning manual console work into conversational queries.
How to set up Wazuh (SIEM) MCP
First, you subscribe to this MCP on Vinkius and provide your specific Wazuh API URL, username, and password.
Next, you activate the connection within your preferred AI client (Claude, Cursor, etc.).
Finally, tell your agent what you need—like 'Show me all failed SCA checks for agents in the finance department.' The MCP executes the query and returns structured data.
Who uses Wazuh (SIEM) MCP
This MCP is for the Security Analyst who hates dashboard clicks and the DevSecOps Engineer who needs to automate agent lifecycle management from their terminal. If your job involves checking compliance or hunting through logs, this tool saves hours of manual work.
Quickly query agent status, run File Integrity Monitoring (Syscheck) reports, and cross-reference findings with MITRE ATT&CK data during an active investigation.
Automate repetitive tasks like upgrading agents or monitoring cluster health directly from a terminal-based AI workflow without manual SSH connections.
Pull manager logs and check for connection warnings immediately during an active incident, bypassing the need to navigate multiple log viewer tabs.
Benefits of connecting Wazuh (SIEM) MCP
Stop manual dashboard diving. Instead of clicking through tabs to check agent status, just ask your AI client to run list_agents. You get the list instantly in plain text.
Accelerate incident response. When you need to know if a system was tampered with, use get_syscheck to pull File Integrity Monitoring reports immediately, without running console commands.
Improve compliance posture checks. Instead of manually checking dozens of policies, ask for the latest Security Configuration Assessment (SCA) results using get_sca, and get actionable failure points.
Automate maintenance. Need to update a bunch of machines? Run upgrade_agents or use restart_agents. It's one simple command instead of coordinating multiple SSH sessions.
Deepen threat hunting. Use the MCP to pull MITRE ATT&CK mappings via get_mitre, which lets you instantly map observed attacker behavior to industry-standard tactics.
Wazuh (SIEM) MCP use cases
Investigating a potential breach
An incident hits the network. Instead of logging into three different dashboards, the analyst asks their agent to check get_syscheck for file changes and then run get_mitre to see if those changes match known attack patterns. The results come back together in one chat window.
Quarterly compliance audit
The auditor needs proof that all agents meet minimum security standards. The DevSecOps engineer simply calls get_sca and runs the report through the agent, getting a consolidated list of failures across hundreds of endpoints.
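The consolidation step in this audit scenario is worth seeing concretely: once get_sca has returned per-agent check results, something has to turn hundreds of per-endpoint lists into one ranked list of failures. The Python below is an added example, not code from this page, from Vinkius, or from Wazuh; the sample data is constructed and only assumes that each SCA check carries an id, a policy id, a title and a result of passed, failed or not applicable.

```python
from collections import Counter

# Constructed sample: SCA check results keyed by agent id, shaped like the
# per-check objects Wazuh's SCA module reports (id, policy_id, title, result).
# Agent ids, titles and outcomes are invented for illustration only.
SAMPLE_SCA_RESULTS = {
    "001": [
        {"id": 1500, "policy_id": "cis_ubuntu22-04", "title": "Ensure SSH root login is disabled", "result": "failed"},
        {"id": 1501, "policy_id": "cis_ubuntu22-04", "title": "Ensure permissions on /etc/passwd are configured", "result": "passed"},
        {"id": 1502, "policy_id": "cis_ubuntu22-04", "title": "Ensure auditd is installed", "result": "failed"},
    ],
    "002": [
        {"id": 1500, "policy_id": "cis_ubuntu22-04", "title": "Ensure SSH root login is disabled", "result": "failed"},
        {"id": 1501, "policy_id": "cis_ubuntu22-04", "title": "Ensure permissions on /etc/passwd are configured", "result": "passed"},
        {"id": 1502, "policy_id": "cis_ubuntu22-04", "title": "Ensure auditd is installed", "result": "passed"},
    ],
    "003": [
        {"id": 1500, "policy_id": "cis_ubuntu22-04", "title": "Ensure SSH root login is disabled", "result": "passed"},
        {"id": 1501, "policy_id": "cis_ubuntu22-04", "title": "Ensure permissions on /etc/passwd are configured", "result": "passed"},
        {"id": 1502, "policy_id": "cis_ubuntu22-04", "title": "Ensure auditd is installed", "result": "passed"},
        {"id": 1503, "policy_id": "cis_ubuntu22-04", "title": "Ensure GRUB password is set", "result": "not applicable"},
    ],
}


def failed_checks_by_agent(results):
    """Map each agent id to the titles of its failed checks; agents with no failures are omitted."""
    failures = {}
    for agent_id, checks in results.items():
        failed = [c["title"] for c in checks if c["result"] == "failed"]
        if failed:
            failures[agent_id] = failed
    return failures


def rank_failing_checks(results):
    """Count how many agents fail each check, most widespread first (ties broken by title).

    A check failing across most of the fleet points to a baseline image or
    configuration-management gap rather than a one-off misconfiguration."""
    counter = Counter()
    for checks in results.values():
        counter.update(c["title"] for c in checks if c["result"] == "failed")
    return sorted(counter.items(), key=lambda item: (-item[1], item[0]))


def compliance_ratio(results):
    """Per-agent share of applicable checks that passed.

    'not applicable' checks are left out of the denominator so that an agent
    is not penalised for controls that do not exist on its platform."""
    ratios = {}
    for agent_id, checks in results.items():
        applicable = [c for c in checks if c["result"] in ("passed", "failed")]
        passed = sum(1 for c in applicable if c["result"] == "passed")
        ratios[agent_id] = round(passed / len(applicable), 2) if applicable else None
    return ratios


def audit_summary(results):
    """Render the consolidated failure list as plain text for an audit ticket."""
    lines = ["Fleet-wide failing checks (agents failing):"]
    for title, count in rank_failing_checks(results):
        lines.append(f"  {count:>3}  {title}")
    lines.append("Per-agent compliance ratio:")
    for agent_id, ratio in sorted(compliance_ratio(results).items()):
        lines.append(f"  {agent_id}: {ratio}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit_summary(SAMPLE_SCA_RESULTS))
```

The ranking is the part an auditor actually reads: a check that fails on two of three agents here (root SSH login) is a fleet-wide hardening gap, while a single-agent failure is a local fix. The same functions apply unchanged to results for hundreds of agents.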
Cluster troubleshooting
Agents start failing randomly. Instead of logging into the cluster manager to check services, the engineer asks the MCP to run get_manager_status and then list_cluster_nodes. The AI client pinpoints which specific node is offline.
Tuning detection rules
A new log format comes in. Instead of writing a complex decoder, the analyst uses get_logtest to feed sample logs and test if existing rules are interpreting the data correctly before deploying changes using update_rule_file.
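What "test if existing rules are interpreting the data correctly" means in practice is a small regression check: each sample line has an expected rule, and a change is only pushed with update_rule_file once every line still lands on that rule at an alerting level. The Python below is an added example, not code from this page, from Vinkius, or from Wazuh. It assumes, without confirmation from this page, that a logtest request carries the raw event, a log format, a location and an optional session token, and that the result names the matching decoder plus the fired rule's id, level and description; the log lines, responses and the custom rule id 100100 are constructed placeholders.

```python
import json

# Constructed sample log lines (invented host, user and address) that an
# analyst might feed through logtest before touching a rule file.
SAMPLE_EVENTS = [
    "Mar  3 10:15:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2",
    "Mar  3 10:15:09 web01 myapp[4410]: user=alice action=login result=denied reason=mfa_required",
]


def build_logtest_request(event, log_format="syslog", location="stdin", token=None):
    """Build the body for one logtest call.

    Assumption (not stated on this page): the body carries the raw event, its
    log format, a location string and, optionally, a session token so that a
    series of related events is evaluated within one logtest session."""
    body = {"event": event, "log_format": log_format, "location": location}
    if token:
        body["token"] = token
    return body


# Constructed responses, shaped on the assumption that logtest output names the
# decoder that matched and, when a rule fired, that rule's id, level and description.
SAMPLE_RESPONSES = {
    SAMPLE_EVENTS[0]: {
        "token": "sess-0001",
        "output": {
            "decoder": {"name": "sshd"},
            "rule": {"id": "5760", "level": 5, "description": "sshd: authentication failed."},
        },
    },
    # Second line: no decoder knows this application's format, so no rule can fire.
    SAMPLE_EVENTS[1]: {"token": "sess-0001", "output": {"decoder": {}}},
}


def evaluate_logtest_output(output, expected_rule_id, alert_level=3):
    """Classify one logtest result against what the analyst expected.

    Verdicts: ok, below_alert_level, wrong_rule, decoded_no_rule, no_decoder.
    The last two are the cases a new log format usually produces: either no
    decoder understands the line, or it is decoded but no rule matches."""
    decoder = (output.get("decoder") or {}).get("name")
    rule = output.get("rule")
    if not decoder:
        verdict = "no_decoder"
    elif not rule:
        verdict = "decoded_no_rule"
    elif str(rule.get("id")) != str(expected_rule_id):
        verdict = "wrong_rule"
    elif int(rule.get("level", 0)) < alert_level:
        verdict = "below_alert_level"
    else:
        verdict = "ok"
    return {
        "decoder": decoder,
        "rule_id": str(rule["id"]) if rule else None,
        "level": int(rule["level"]) if rule else None,
        "verdict": verdict,
    }


def run_regression(cases, responses, alert_level=3):
    """Evaluate (event, expected_rule_id) pairs; returns (all_passed, verdict list).

    Gate an update_rule_file call on all_passed so that a rule edit is only
    pushed when every sample line still hits the rule and level you expect."""
    verdicts = []
    for event, expected in cases:
        output = responses[event]["output"]
        verdicts.append(evaluate_logtest_output(output, expected, alert_level)["verdict"])
    return all(v == "ok" for v in verdicts), verdicts


if __name__ == "__main__":
    # 100100 is a placeholder id for a custom rule that does not exist yet.
    cases = [(SAMPLE_EVENTS[0], "5760"), (SAMPLE_EVENTS[1], "100100")]
    print(json.dumps(build_logtest_request(SAMPLE_EVENTS[0]), indent=2))
    print(run_regression(cases, SAMPLE_RESPONSES))
```

With the constructed responses the regression fails on the second line with no_decoder, which is exactly the signal the analyst wants before deploying: the sshd line is fine, but the new application format needs a decoder before any rule can be expected to fire on it.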
Wazuh (SIEM) MCP tradeoffs
What to watch out for, and the recommended way to handle each one.
Using raw API calls
Manually constructing complex WQL filters or crafting multiple multi-step API requests to get agent status and compliance data.
Just ask your AI client directly. Use the natural language interface to run list_agents combined with get_syscheck. The MCP handles all the underlying complexity for you.
Over-relying on the GUI
Opening the Wazuh dashboard, clicking through 'Agents', then switching tabs to 'Compliance' just to gather a list of endpoints and their security roles.
Use list_agents followed by get_sca. The MCP pulls all that data into one flow. It’s faster, cleaner, and easier to track.
Ignoring cluster health
Assuming everything is fine when a service suddenly slows down, without checking the underlying manager processes.
Always check first by requesting get_manager_status, and only run restart_cluster if that check shows it is necessary. This ensures you know the core infrastructure isn't failing before you act on it.
When to use Wazuh (SIEM) MCP
Use this MCP if your primary job revolves around querying massive, complex datasets—specifically security event logs, compliance reports, and agent status. You need to ask 'Why?' or 'What changed?' regarding system integrity.
Don't use it if you just need simple ticketing or task management (use a dedicated ITSM tool). Don't use it if your core job is drafting documents or running basic CRUD operations unrelated to security data. If you only need to list users, list_security_users works, but if you need context on why those users exist and what they access, this MCP is necessary.
Frequently asked questions about Wazuh (SIEM) MCP
How do I use the Wazuh (SIEM) MCP to check endpoint compliance?
To audit security posture, ask your agent to run get_sca. This executes the Security Configuration Assessment and provides a list of policies that are failing across your monitored agents.
Can I find out which agents are online using Wazuh (SIEM) MCP?
Yes, simply ask your agent to run list_agents. It uses the system's filtering capabilities to give you a current list of all monitored endpoints.
What is the best way to test new security rules with Wazuh (SIEM) MCP?
Use the get_logtest tool. You can provide sample logs and let the agent run them against your current set of rules and decoders to validate if they trigger correctly.
How do I check the overall health of my Wazuh cluster?
Check manager status using get_manager_status. If that looks okay, you can also run list_cluster_nodes to verify every node is communicating correctly.
What if I need to update a rule file after finding an issue with Wazuh (SIEM) MCP?
You use the update_rule_file tool. After troubleshooting, you can push changes directly to your rules without manual API calls.