{"id":"socfortress-wazuh-mcp-server","name":"wazuh-mcp-server","homepage":null,"repo_url":"https://github.com/socfortress/wazuh-mcp-server","category":"security","subcategories":[],"tags":["mcp","wazuh","siem","llm-integration","security-analytics","python","syscollector","jwt"],"what_it_does":"Provides a Model Context Protocol (MCP) server that exposes Wazuh Manager and syscollector data (agents, ports, packages, processes, rules, rule files, and SCA results) as MCP tools, including an authentication tool to refresh the JWT tokens used to call the Wazuh Manager API.","use_cases":["Ask an LLM questions about Wazuh-monitored infrastructure (agent status, listening ports, running processes)","Generate and validate incident context by pulling Wazuh rules and rule file content","Query syscollector data for forensic triage (packages/processes/ports per agent)","Automate security configuration assessment (SCA) lookups via natural language"],"not_for":["Public internet deployment without network controls (it binds to a host/port and relies on operational security)","Use as a general-purpose Wazuh API client without understanding Wazuh permissions and data exposure","Use where you require documented rate-limit behavior, idempotency guarantees, or strong operational SLAs from the MCP layer"],"best_when":"You control the runtime environment (network access, secrets, and Wazuh credentials) and want an MCP tool interface for an LLM to reason over Wazuh data.","avoid_when":"You cannot restrict access to the MCP server and Wazuh credentials, or you need strict guarantees around error codes, retry semantics, and pagination behavior beyond the stated defaults.","alternatives":["Use Wazuh APIs directly from your application and implement your own MCP tool wrapper","Build an MCP server on top of Wazuh's REST APIs with OpenAPI/typed schemas","Use a LangChain/Wazuh integration (if available) or generic HTTP MCP connectors to call Wazuh endpoints"],"af_score":57.5,"security_score":55.8,"reliability_score":35.0,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T13:51:25.449200+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":"http://127.0.0.1:8000/sse/ (example in README; MCP transport indicated as SSE)","has_sdk":false,"sdk_languages":["python"],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["Wazuh username/password to obtain/refresh JWT for Wazuh Manager API"],"oauth":false,"scopes":false,"notes":"README states JWT token management with automatic refresh and includes an AuthenticateTool to force JWT refresh. No user-facing MCP auth mechanism is described (i.e., who can call the MCP server)."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"Self-hosted open-source (license shown as AGPL-3.0 in repo metadata; manifest snippet shows MIT but that is untrusted data). Costs are mainly infrastructure and Wazuh operations; no external pricing described."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":57.5,"security_score":55.8,"reliability_score":35.0,"mcp_server_quality":78.0,"documentation_accuracy":70.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":65.0,"rate_limit_clarity":5.0,"tls_enforcement":80.0,"auth_strength":55.0,"scope_granularity":30.0,"dependency_hygiene":60.0,"secret_handling":55.0,"security_notes":"Claims 'Secure: JWT token management with automatic refresh' and provides WAZUH_* credentials via env vars, but does not document MCP-side access control, authorization scopes per tool, or logging/redaction behavior. WAZUH_PROD_SSL_VERIFY defaults to true but can be disabled; that increases risk if misconfigured. Rate limiting and protection against abusive queries are not described.","uptime_documented":0.0,"version_stability":45.0,"breaking_changes_history":45.0,"error_recovery":50.0,"idempotency_support":false,"idempotency_notes":null,"pagination_style":"offset/limit (offset and limit parameters across many tools; defaults stated as limit=500 offset=0)","retry_guidance_documented":false,"known_agent_gotchas":["MCP auth layer is not described; ensure access to the MCP endpoint is restricted (network/firewall, bind address).","Some tools can trigger expensive Wazuh queries (rules listing, syscollector queries per agent); use limit/offset and filtering parameters carefully.","Token refresh is exposed via AuthenticateTool; agents may need to call it when encountering auth failures."]}}
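The record above flags three behaviours a caller has to handle correctly: the JWT used against the Wazuh Manager API expires and must be refreshed when a call fails with 401, list tools page with `limit`/`offset` (default `limit=500`, `offset=0`), and `WAZUH_PROD_SSL_VERIFY` defaults to true but can be switched off. The following is an added example, not code from the wazuh-mcp-server project, showing how a thin Wazuh API client can implement all three: refresh-once-then-retry on 401, pagination driven by `total_affected_items`, and a verify flag that fails closed on anything other than an explicit false. It assumes the Wazuh Manager API shapes as documented (`POST /security/user/authenticate` with HTTP Basic returning `data.token`; list endpoints returning `data.affected_items` and `data.total_affected_items`); the `FakeWazuhApi` transport, its error messages and the agent dataset are constructed so the block runs offline, and `WazuhClient`, `ssl_verify_from_env` and `demo` are hypothetical names.

```python
"""Client-side handling of JWT refresh, offset/limit paging and the TLS verify flag.

Added example; not the wazuh-mcp-server project's code. Wazuh API request and
response shapes are assumed from the Wazuh API docs; the transport is a
constructed in-memory stand-in so everything here runs without a Manager.
"""
import base64
import warnings
from typing import Callable, Dict, Iterator, Optional, Tuple

# transport(method, path, headers, params) -> (http_status, json_body)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


def ssl_verify_from_env(env: dict, name: str = "WAZUH_PROD_SSL_VERIFY") -> bool:
    """Default true; only an explicit false disables verification, and it is warned about."""
    raw = str(env.get(name, "true")).strip().lower()
    if raw in ("true", "1", "yes"):
        return True
    if raw in ("false", "0", "no"):
        warnings.warn(f"{name} is disabled: TLS to the Wazuh Manager is not verified")
        return False
    raise ValueError(f"{name}={raw!r} is not a boolean; refusing to guess")  # fail closed


class WazuhClient:
    def __init__(self, transport: Transport, user: str, password: str):
        self._transport = transport
        self._basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._token: Optional[str] = None

    def authenticate(self) -> str:
        """Equivalent of the AuthenticateTool: exchange Basic credentials for a fresh JWT."""
        status, body = self._transport(
            "POST", "/security/user/authenticate",
            {"Authorization": f"Basic {self._basic}"}, None)
        if status != 200:
            raise PermissionError(f"authentication failed with HTTP {status}")
        self._token = body["data"]["token"]
        return self._token

    def get(self, path: str, params: Optional[dict] = None) -> dict:
        """GET with bearer token; on 401 refresh the token once and retry, then give up."""
        if self._token is None:
            self.authenticate()
        for attempt in range(2):
            status, body = self._transport(
                "GET", path, {"Authorization": f"Bearer {self._token}"}, params or {})
            if status == 401 and attempt == 0:
                self.authenticate()  # expired token: refresh exactly once
                continue
            if status != 200:
                raise RuntimeError(f"{path} returned HTTP {status}: {body.get('message')}")
            return body
        raise PermissionError(f"{path} still rejected after token refresh")

    def iter_items(self, path: str, params: Optional[dict] = None, limit: int = 500) -> Iterator[dict]:
        """Walk a list endpoint with offset/limit until total_affected_items is reached."""
        offset = 0
        while True:
            page = self.get(path, {**(params or {}), "limit": limit, "offset": offset})
            items = page["data"]["affected_items"]
            yield from items
            offset += len(items)
            if not items or offset >= page["data"]["total_affected_items"]:
                return


class FakeWazuhApi:
    """Constructed stand-in for the Manager API: tokens expire after `token_ttl_calls` uses."""

    def __init__(self, items: list, token_ttl_calls: int = 3):
        self.items, self.ttl, self.issued, self.uses, self.calls = items, token_ttl_calls, 0, {}, []

    def __call__(self, method, path, headers, params):
        self.calls.append((method, path, dict(params or {})))
        auth = headers.get("Authorization", "")
        if path == "/security/user/authenticate":
            if auth != "Basic " + base64.b64encode(b"wazuh:secret").decode():
                return 401, {"error": 1, "message": "invalid credentials (constructed)"}
            self.issued += 1
            token = f"jwt-{self.issued}"
            self.uses[token] = 0
            return 200, {"data": {"token": token}, "error": 0}
        token = auth[len("Bearer "):]
        if token not in self.uses or self.uses[token] >= self.ttl:
            return 401, {"error": 1, "message": "token expired (constructed)"}
        self.uses[token] += 1
        off, lim = int(params.get("offset", 0)), int(params.get("limit", 500))
        return 200, {"data": {"affected_items": self.items[off:off + lim],
                              "total_affected_items": len(self.items)}, "error": 0}


def demo():
    """Seven constructed agents, pages of 3, token valid for 2 calls: one refresh mid-walk."""
    api = FakeWazuhApi([{"id": f"{i:03d}"} for i in range(1, 8)], token_ttl_calls=2)
    client = WazuhClient(api, "wazuh", "secret")
    ids = [a["id"] for a in client.iter_items("/agents", limit=3)]
    return ids, api.issued, len(api.calls)


if __name__ == "__main__":
    print(demo())
```

The single-retry rule matters: an agent that loops on "refresh then retry" without a bound turns a revoked account into a tight request loop against the Manager, which is exactly the abusive-query pattern the record notes is not rate limited on the MCP side.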