Wazuh MCP Server - Talk to your SIEM

1# Wazuh MCP Server - Talk to your SIEM
2 
3A Rust-based server designed to bridge the gap between a Wazuh Security Information and Event Management (SIEM) system and applications requiring contextual security data, specifically tailored for the Claude Desktop Integration using the Model Context Protocol (MCP).
4 
5## Overview
6 
7Modern AI assistants like Claude can benefit significantly from real-time context about the user's security environment. The Wazuh MCP Server bridges this gap by providing comprehensive access to Wazuh SIEM data through natural language interactions.
8 
9This server transforms complex Wazuh API responses into MCP-compatible format, enabling AI assistants to access:
10 
11- **Security Alerts & Events** from the Wazuh Indexer for threat detection and incident response
12- **Agent Management & Monitoring** including health status, system processes, and network ports
13- **Vulnerability Assessment** data for risk management and patch prioritization  
14- **Security Rules & Configuration** for detection optimization and compliance validation
15- **System Statistics & Performance** metrics for operational monitoring and audit trails
16- **Log Analysis & Forensics** capabilities for incident investigation and compliance reporting
17- **Cluster Health & Management** for infrastructure reliability and availability requirements
18- **Compliance Monitoring & Gap Analysis** for regulatory frameworks like PCI-DSS, HIPAA, SOX, and GDPR
19 
20Rather than requiring manual API calls or complex queries, security teams can now ask natural language questions like "Show me critical vulnerabilities on web servers," "What processes are running on agent 001?" or "Are we meeting PCI-DSS logging requirements?" and receive structured, actionable data from their Wazuh deployment.
21 
22This approach is particularly valuable for compliance teams who need to quickly assess security posture, identify gaps in monitoring coverage, validate rule effectiveness, and generate evidence for audit requirements across distributed infrastructure.
23 
24![](media/wazuh-alerts-1.png)
25 
26## Example Use Cases
27 
28The Wazuh MCP Server provides direct access to Wazuh security data through natural language interactions, enabling several practical use cases:
29 
30### Security Alert Analysis
31*   **Alert Triage and Investigation:** Query recent security alerts with `get_wazuh_alert_summary` to quickly identify and prioritize threats requiring immediate attention.
32*   **Alert Pattern Recognition:** Analyze alert trends and patterns to identify recurring security issues or potential attack campaigns.
33 
34### Vulnerability Management
35*   **Agent Vulnerability Assessment:** Use `get_wazuh_vulnerability_summary` and `get_wazuh_critical_vulnerabilities` to assess security posture of specific agents and prioritize patching efforts.
36*   **Risk-Based Vulnerability Prioritization:** Correlate vulnerability data with agent criticality and exposure to focus remediation efforts.
37 
38### System Monitoring and Forensics
39*   **Process Analysis:** Investigate running processes on agents using `get_wazuh_agent_processes` for threat hunting and system analysis.
40*   **Network Security Assessment:** Monitor open ports and network services with `get_wazuh_agent_ports` to identify potential attack vectors.
41*   **Agent Health Monitoring:** Track agent status and connectivity using `get_wazuh_running_agents` to ensure comprehensive security coverage.
42 
43### Security Operations Intelligence
44*   **Rule Effectiveness Analysis:** Review and analyze security detection rules with `get_wazuh_rules_summary` to optimize detection capabilities.
45*   **Manager Performance Monitoring:** Track system performance and statistics using tools like `get_wazuh_weekly_stats`, `get_wazuh_remoted_stats`, and `get_wazuh_log_collector_stats`.
46*   **Cluster Health Management:** Monitor Wazuh cluster status with `get_wazuh_cluster_health` and `get_wazuh_cluster_nodes` for operational reliability.
47 
48### Incident Response and Forensics
49*   **Log Analysis:** Search and analyze manager logs using `search_wazuh_manager_logs` and `get_wazuh_manager_error_logs` for incident investigation.
50*   **Agent-Specific Investigation:** Combine multiple tools to build comprehensive profiles of specific agents during security incidents.
51*   **Natural Language Security Queries:** Ask complex security questions in natural language and receive structured data from multiple Wazuh components.
52 
53### Operational Efficiency
54*   **Automated Reporting:** Generate security reports and summaries through conversational interfaces without manual API calls.
55*   **Cross-Component Analysis:** Correlate data from both Wazuh Indexer (alerts) and Wazuh Manager (agents, rules, vulnerabilities) for comprehensive security insights.
56*   **Multilingual Security Operations:** Access Wazuh data and receive insights in multiple languages for global security teams.
57 
58### Threat Intelligence Gathering and Response
59 
60For enhanced threat intelligence and incident response capabilities, the Wazuh MCP Server can be combined with complementary security MCP servers:
61 
62| Server | Description |
63|--------|-------------|
64| **[Cortex MCP Server](https://github.com/gbrigandi/mcp-server-cortex/)** | Artifact analysis and IOC enrichment via 140+ analyzers |
65| **[TheHive MCP Server](https://github.com/gbrigandi/mcp-server-thehive/)** | Case management and incident response orchestration |
66| **[MISP MCP Server](https://github.com/gbrigandi/mcp-server-misp/)** | Threat intelligence sharing and IOC lookup |
67 
68**Enhanced Capabilities with Cortex Integration:**
69*   **Artifact Analysis:** Automatically analyze suspicious files, URLs, domains, and IP addresses found in Wazuh alerts using Cortex's 140+ analyzers
70*   **IOC Enrichment:** Enrich indicators of compromise (IOCs) from Wazuh alerts with threat intelligence from multiple sources including VirusTotal, Shodan, MISP, and more
71*   **Automated Threat Hunting:** Combine Wazuh's detection capabilities with Cortex's analysis engines to automatically investigate and classify threats
72*   **Multi-Source Intelligence:** Leverage analyzers for reputation checks, malware analysis, domain analysis, and behavioral analysis
73*   **Response Orchestration:** Use analysis results to inform automated response actions and alert prioritization
74 
75**Enhanced Capabilities with TheHive Integration:**
76*   **Case Creation:** Automatically create cases in TheHive from Wazuh alerts for structured incident tracking
77*   **Alert Correlation:** Link related Wazuh alerts to existing cases for comprehensive incident timelines
78*   **Task Management:** Create and track investigation tasks based on alert severity and type
79*   **Observable Management:** Extract and manage IOCs as observables within case investigations
80*   **Collaboration:** Enable security team collaboration on incidents detected by Wazuh
81 
82**Enhanced Capabilities with MISP Integration:**
83*   **IOC Lookup:** Check if indicators from Wazuh alerts are known in your threat intelligence database
84*   **Threat Context:** Retrieve event context, threat actor attribution, and MITRE ATT&CK mappings for IOCs
85*   **False Positive Reduction:** Validate IOCs against MISP warninglists to reduce false positives
86*   **Sighting Tracking:** Record and query sighting history to assess IOC prevalence
87*   **Galaxy Exploration:** Access threat actor profiles, malware families, and attack patterns
88 
89**Example Workflow:**
901. Wazuh detects a suspicious file hash or network connection in an alert
912. The AI assistant queries the MISP MCP Server to check if the IOC is known in threat intelligence
923. If unknown, the Cortex MCP Server analyzes the artifact using multiple analyzers
934. Results from VirusTotal, hybrid analysis, domain reputation, and other sources are correlated
945. A case is created in TheHive via the TheHive MCP Server to track the investigation
956. The combined intelligence provides context for incident response decisions
967. Findings can be used to update Wazuh rules or trigger additional monitoring
97 
98## Requirements
99 
100-   An MCP (Model Context Protocol) compatible LLM client (e.g., Claude Desktop)
101-   A running Wazuh server (v4.12 recommended) with the API enabled and accessible.
102-   Network connectivity between this server and the Wazuh API (if API interaction is used).
103 
104## Installation
105 
106### Option 1: Download Pre-built Binary (Recommended)
107 
1081.  **Download the Binary:**
109    *   Go to the [Releases page](https://github.com/gbrigandi/mcp-server-wazuh/releases) of the `mcp-server-wazuh` GitHub repository.
110    *   Download the appropriate binary for your operating system (e.g., `mcp-server-wazuh-linux-amd64`, `mcp-server-wazuh-macos-amd64`, `mcp-server-wazuh-macos-arm64`, `mcp-server-wazuh-windows-amd64.exe`).
111    *   Make the downloaded binary executable (e.g., `chmod +x mcp-server-wazuh-linux-amd64`).
112    *   (Optional) Rename it to something simpler like `mcp-server-wazuh` and move it to a directory in your system's `PATH` for easier access.
113 
114### Option 2: Docker 
115 
1161.  **Pull the Docker Image:**
117    ```bash
118    docker pull ghcr.io/gbrigandi/mcp-server-wazuh:latest
119    ```
120 
121### Option 3: Build from Source
122 
1231.  **Prerequisites:**
124    *   Install Rust: [https://www.rust-lang.org/tools/install](https://www.rust-lang.org/tools/install)
125 
1262.  **Build:**
127    ```bash
128    git clone https://github.com/gbrigandi/mcp-server-wazuh.git
129    cd mcp-server-wazuh
130 
131    # Build with stdio transport only (default)
132    cargo build --release
133 
134    # Build with HTTP transport support
135    cargo build --release --features http
136    ```
137    The binary will be available at `target/release/mcp-server-wazuh`.
138 
139### Configure Your LLM Client
140 
141The method for configuring your LLM client will vary depending on the client itself. For clients that support MCP (Model Context Protocol), you will typically need to point the client to the path of the `mcp-server-wazuh` executable.
142 
143**Example for Claude Desktop:**
144 
145Configure your `claude_desktop_config.json` file:
146 
147```json
148{
149  "mcpServers": {
150    "wazuh": {
151      "command": "/path/to/mcp-server-wazuh",
152      "args": [],
153      "env": {
154        "WAZUH_API_HOST": "your_wazuh_manager_api_host",
155        "WAZUH_API_PORT": "55000",
156        "WAZUH_API_USERNAME": "your_wazuh_api_user",
157        "WAZUH_API_PASSWORD": "your_wazuh_api_password",
158        "WAZUH_INDEXER_HOST": "your_wazuh_indexer_host",
159        "WAZUH_INDEXER_PORT": "9200",
160        "WAZUH_INDEXER_USERNAME": "your_wazuh_indexer_user",
161        "WAZUH_INDEXER_PASSWORD": "your_wazuh_indexer_password",
162        "WAZUH_VERIFY_SSL": "false",
163        "WAZUH_TEST_PROTOCOL": "https",
164        "RUST_LOG": "info"
165      }
166    }
167  }
168}
169```
170 
171Replace `/path/to/mcp-server-wazuh` with the actual path to your binary and configure the environment variables as detailed in the [Configuration](#configuration) section.
172 
173Once configured, your LLM client should be able to launch and communicate with the `mcp-server-wazuh` to access Wazuh security data.
174 
175If using Docker, create a `.env` file with your Wazuh configuration:
176    
177```bash
178WAZUH_API_HOST=your_wazuh_manager_api_host
179WAZUH_API_PORT=55000
180WAZUH_API_USERNAME=your_wazuh_api_user
181WAZUH_API_PASSWORD=your_wazuh_api_password
182WAZUH_INDEXER_HOST=your_wazuh_indexer_host
183WAZUH_INDEXER_PORT=9200
184WAZUH_INDEXER_USERNAME=your_wazuh_indexer_user
185WAZUH_INDEXER_PASSWORD=your_wazuh_indexer_password
186WAZUH_VERIFY_SSL=false
187WAZUH_TEST_PROTOCOL=https
188RUST_LOG=info
189```
190 
191Configure your `claude_desktop_config.json` file:
192 
193```
194{
195  "mcpServers": {
196    "wazuh": {
197      "command": "docker",
198      "args": [
199        "run", "--rm", "-i",
200        "--env-file", "/path/to/your/.env",
201        "ghcr.io/gbrigandi/mcp-server-wazuh:latest"
202      ]
203    }
204  }
205}
206```
207 
208## Configuration
209 
210Configuration is managed through environment variables. A `.env` file can be placed in the project root for local development.
211 
212| Variable                 | Description                                                                    | Default     | Required |
213| ------------------------ | ------------------------------------------------------------------------------ | ----------- | -------- |
214| `WAZUH_API_HOST`         | Hostname or IP address of the Wazuh Manager API server.                        | `localhost` | Yes      |
215| `WAZUH_API_PORT`         | Port number for the Wazuh Manager API.                                         | `55000`     | Yes      |
216| `WAZUH_API_USERNAME`     | Username for Wazuh Manager API authentication.                                 | `wazuh`     | Yes      |
217| `WAZUH_API_PASSWORD`     | Password for Wazuh Manager API authentication.                                 | `wazuh`     | Yes      |
218| `WAZUH_INDEXER_HOST`     | Hostname or IP address of the Wazuh Indexer API server.                        | `localhost` | Yes      |
219| `WAZUH_INDEXER_PORT`     | Port number for the Wazuh Indexer API.                                         | `9200`      | Yes      |
220| `WAZUH_INDEXER_USERNAME` | Username for Wazuh Indexer API authentication.                                 | `admin`     | Yes      |
221| `WAZUH_INDEXER_PASSWORD` | Password for Wazuh Indexer API authentication.                                 | `admin`     | Yes      |
222| `WAZUH_VERIFY_SSL`       | Set to `true` to verify SSL certificates for Wazuh API and Indexer connections.  | `false`     | No       |
223| `WAZUH_TEST_PROTOCOL`    | Protocol for Wazuh connections (e.g., "http", "https"). Overrides client default. | `https`     | No       |
224| `RUST_LOG`               | Log level (e.g., `info`, `debug`, `trace`).                                    | `info`      | No       |
225 
226**Note on `WAZUH_VERIFY_SSL`:** For production environments, it is strongly recommended to set `WAZUH_VERIFY_SSL=true` and ensure proper certificate validation for both Wazuh Manager API and Wazuh Indexer connections. Setting it to `false` disables certificate checks, which is insecure.
227The "Required: Yes" indicates that these variables are essential for the server to connect to the respective Wazuh components. While defaults are provided, they are unlikely to match a production or non-local setup.
228 
229## Building
230 
231### Prerequisites
232 
233-   Install Rust: [https://www.rust-lang.org/tools/install](https://www.rust-lang.org/tools/install)
234-   Install Docker and Docker Compose (optional, for containerized deployment): [https://docs.docker.com/get-docker/](https://docs.docker.com/get-docker/)
235 
236### Local Development
237 
2381.  **Clone the repository:**
239    ```bash
240    git clone https://github.com/gbrigandi/mcp-server-wazuh.git 
241    cd mcp-server-wazuh
242    ```
2432.  **Configure (if using Wazuh API):**
244    -   Copy the example environment file: `cp .env.example .env`
245    -   Edit the `.env` file with your specific Wazuh API details (e.g. `WAZUH_API_HOST`, `WAZUH_API_PORT`).
2463.  **Build:**
247    ```bash
248    # Build with default features (stdio transport only)
249    cargo build
250 
251    # Build with HTTP transport support
252    cargo build --features http
253    ```
2544.  **Run:**
255    ```bash
256    # Run with stdio transport (default)
257    cargo run
258 
259    # Run with HTTP transport (requires --features http during build)
260    cargo run --features http -- --transport http
261 
262    # Or use the run script (which might set up stdio mode):
263    # ./run.sh
264    ```
265 
266## Transport Modes
267 
268The Wazuh MCP Server supports two transport modes for communication with MCP clients:
269 
270### stdio Transport (Default)
271 
272The stdio transport is the default mode, ideal for local integrations where the MCP client launches the server as a child process. Communication occurs via stdin/stdout using JSON-RPC 2.0 messages.
273 
274```bash
275# Run with stdio transport (default)
276mcp-server-wazuh
277 
278# Explicit stdio transport
279mcp-server-wazuh --transport stdio
280```
281 
282### Streamable HTTP Transport
283 
284The HTTP transport enables remote server deployment, allowing MCP clients to connect over the network. This mode implements the MCP Streamable HTTP specification with Server-Sent Events (SSE) support.
285 
286```bash
287# Run with HTTP transport on default address (127.0.0.1:8080)
288mcp-server-wazuh --transport http
289 
290# Run with custom host and port
291mcp-server-wazuh --transport http --host 0.0.0.0 --port 3000
292```
293 
294**HTTP Transport Features:**
295- Single `/mcp` endpoint for all MCP communication
296- POST requests with JSON-RPC messages
297- Server-Sent Events (SSE) for streaming responses
298- Session management with `MCP-Session-Id` header
299- Protocol version: `2025-06-18` (MCP spec supported by rmcp 0.10)
300 
301**Security Note:** By default, HTTP transport binds to `127.0.0.1` (localhost only). When binding to `0.0.0.0` for remote access, ensure proper network security measures (firewall rules, reverse proxy with TLS, etc.) are in place.
302 
303### CLI Arguments
304 
305| Argument | Description | Default |
306|----------|-------------|---------|
307| `--transport` | Transport mode: `stdio` or `http` | `stdio` |
308| `--host` | HTTP server bind address (only for http transport) | `127.0.0.1` |
309| `--port` | HTTP server port (only for http transport) | `8080` |
310 
311## Architecture
312 
313The server is built using the [rmcp](https://crates.io/crates/rmcp) framework (v0.10+) and facilitates communication between MCP clients (e.g., Claude Desktop, IDE extensions) and the Wazuh MCP Server. The server supports both stdio and Streamable HTTP transports and interacts with the Wazuh Indexer and Wazuh Manager APIs to fetch security alerts and other data.
314 
315```mermaid
316sequenceDiagram
317    participant ClientApp as Client Application (e.g., IDE Extension / Claude Desktop)
318    participant WazuhMCPServer as Wazuh MCP Server (this application)
319    participant WazuhAPI as Wazuh API
320 
321    ClientApp->>+WazuhMCPServer: (stdio) MCP Initialize
322    WazuhMCPServer-->>-ClientApp: (stdout) MCP Initialized
323    
324    ClientApp->>+WazuhMCPServer: (stdio) MCP Request (tools/list)
325    WazuhMCPServer->>WazuhMCPServer: Parse MCP Request
326    WazuhMCPServer->>WazuhMCPServer: Process internally
327    WazuhMCPServer-->>-ClientApp: (stdout) MCP Response (available tools)
328    
329    ClientApp->>+WazuhMCPServer: (stdio) MCP Request (tools/call for wazuhAlerts)
330    WazuhMCPServer->>WazuhMCPServer: Parse MCP Request
331    WazuhMCPServer->>+WazuhAPI: Request Wazuh Alerts (with WAZUH_API_USERNAME, WAZUH_API_PASSWORD)
332    WazuhAPI-->>-WazuhMCPServer: Wazuh Alert Data (JSON)
333    WazuhMCPServer->>WazuhMCPServer: Transform Wazuh Alerts to MCP Format
334    WazuhMCPServer-->>-ClientApp: (stdout) MCP Response (alerts)
335```
336 
337**Data Flow (stdio focus):**
338 
3391.  An application (e.g., an IDE extension, a CLI tool) launches the Wazuh MCP Server as a child process.
3402.  The application sends MCP-formatted requests (commands) to the server's `stdin`.
3413.  The Wazuh MCP Server reads the command from `stdin`.
3424.  **Processing:**
343    *   The server parses the MCP command.
344    *   If the command requires fetching data from Wazuh (e.g., "get latest alerts"):
345        *   The server connects to the Wazuh API (authenticating if necessary using configured credentials like `WAZUH_API_USERNAME`, `WAZUH_API_PASSWORD`).
346        *   It fetches the required data (e.g., security alerts).
347        *   The server's transformation logic processes each alert, mapping Wazuh fields to MCP format.
348    *   If the command is internal (e.g., a status check specific to the MCP server), it processes it directly.
3495.  The server sends an MCP-formatted JSON response (e.g., transformed alerts, command acknowledgment, or error messages) to the application via its `stdout`.
3506.  The application reads and processes the MCP response from the server's `stdout`.
351 
352This stdio interaction allows for tight integration with local development tools or other applications that can manage child processes. An optional HTTP endpoint (`/mcp`) may also be available for clients that prefer polling.
353 
354 
355The server communicates via `stdin` and `stdout` using JSON-RPC 2.0 messages, adhering to the Model Context Protocol (MCP).
356 
357Example interaction flow:
358 
3591.  **Client Application (e.g., IDE extension) starts the `mcp-server-wazuh` process.**
360 
3612.  **Client sends `initialize` request to server's `stdin`:**
362    ```json
363    {
364      "jsonrpc": "2.0",
365      "id": 0,
366      "method": "initialize",
367      "params": {
368        "protocolVersion": "2025-06-18",
369        "capabilities": {
370          "sampling": {},
371          "roots": { "listChanged": true }
372        },
373        "clientInfo": {
374          "name": "mcp-inspector",
375          "version": "0.11.0"
376        }
377      }
378    }
379    ```
380 
3813.  **Server sends `initialize` response to client via `stdout`:**
382    ```json
383    {
384      "jsonrpc": "2.0",
385      "id": 1,
386      "result": {
387        "protocolVersion": "2025-06-18",
388        "capabilities": {
389          "prompts": {},
390          "resources": {},
391          "tools": {}
392        },
393        "serverInfo": {
394          "name": "mcp-server-wazuh",
395          "version": "0.3.0"
396        },
397        "instructions": "This server provides tools to interact with a Wazuh SIEM instance for security monitoring and analysis.\nAvailable tools:\n- 'get_wazuh_alert_summary': Retrieves a summary of Wazuh security alerts. Optionally takes 'limit' parameter to control the number of alerts returned (defaults to 100)."
398      }
399    }
400    ```
401 
4024.  **Client sends `notifications/initialized` to server's `stdin`:**
403    (This is a notification, so `id` is omitted by the client.)
404    ```json
405    {
406      "jsonrpc": "2.0",
407      "method": "notifications/initialized"
408    }
409    ```
410 
4115.  **Client requests available tools by sending `tools/list` to server's `stdin`:**
412    ```json
413    {
414      "jsonrpc": "2.0",
415      "id": 1,
416      "method": "tools/list",
417      "params": {}
418    }
419    ```
420 
4216.  **Server responds with the list of tools to client via `stdout`:**
422    ```json
423    {
424      "jsonrpc": "2.0",
425      "id": 2,
426      "result": {
427        "tools": [
428          {
429            "name": "get_wazuh_alert_summary",
430            "description": "Retrieves a summary of Wazuh security alerts. Returns formatted alert information including ID, timestamp, and description.",
431            "inputSchema": {
432              "$schema": "http://json-schema.org/draft-07/schema#",
433              "properties": {
434                "limit": {
435                  "description": "Maximum number of alerts to retrieve (default: 100)",
436                  "format": "uint32",
437                  "minimum": 0.0,
438                  "type": ["integer", "null"]
439                }
440              },
441              "title": "GetAlertSummaryParams",
442              "type": "object"
443            }
444          }
445        ]
446      }
447    }
448    ```
449 
4507.  **Client calls the `get_wazuh_alert_summary` tool by sending `tools/call` to server's `stdin`:**
451    ```json
452    {
453      "jsonrpc": "2.0",
454      "id": 3,
455      "method": "tools/call",
456      "params": {
457        "name": "get_wazuh_alert_summary",
458        "arguments": {
459          "limit": 5
460        }
461      }
462    }
463    ```
464 
4658.  **Server receives on `stdin`, processes the `get_wazuh_alert_summary` call (which involves querying the Wazuh Indexer API and transforming the data).**
466 
4679.  **Server sends `tools/call` response with formatted alerts to client via `stdout`:**
468    ```json
469    {
470      "jsonrpc": "2.0",
471      "id": 3,
472      "result": {
473        "content": [
474          {
475            "type": "text",
476            "text": "Alert ID: 1747091815.1212763\nTime: 2024-01-15T10:30:45.123Z\nAgent: web-server-01\nLevel: 7\nDescription: Attached USB Storage"
477          },
478          {
479            "type": "text", 
480            "text": "Alert ID: 1747066333.1207112\nTime: 2024-01-15T10:25:12.456Z\nAgent: database-server\nLevel: 5\nDescription: New dpkg (Debian Package) installed."
481          }
482        ],
483        "isError": false
484      }
485    }
486    ```
487 
488    **Or, if no alerts are found:**
489    ```json
490    {
491      "jsonrpc": "2.0",
492      "id": 3,
493      "result": {
494        "content": [
495          {
496            "type": "text",
497            "text": "No Wazuh alerts found."
498          }
499        ],
500        "isError": false
501      }
502    }
503    ```
504 
505    **Or, if there's an error connecting to Wazuh:**
506    ```json
507    {
508      "jsonrpc": "2.0",
509      "id": 3,
510      "result": {
511        "content": [
512          {
513            "type": "text",
514            "text": "Error retrieving alerts from Wazuh: HTTP request error: connection refused"
515          }
516        ],
517        "isError": true
518      }
519    }
520    ```
521 
522## Development & Testing
523 
524-   **Code Style:** Uses standard Rust formatting (`cargo fmt`).
525-   **Linting:** Uses Clippy (`cargo clippy`).
526-   **Testing:** Contains unit tests for transformation logic and integration tests. For stdio, tests might involve piping input/output to a test harness. For HTTP, tests use a mock Wazuh API server (`httpmock`) and a test MCP client.
527    ```bash
528    # Run all tests
529    cargo test
530 
531    # Run specific integration test (example for HTTP tests)
532    # cargo test --test integration_test
533 
534    # Run tests with detailed logging
535    RUST_LOG=debug cargo test
536    ```
537-   See `tests/README.md` for more details on running tests and using the test client CLI.
538 
539## License
540 
541This project is licensed under the [MIT License](LICENSE).
542 
543