Configure MCP

Configuring Model Context Protocol (MCP) in Graylog makes it possible for a supported LLM client to connect to your Graylog environment and use Graylog’s exposed MCP tools through the same API and permission model that already governs REST access. In practice, that means setup is less about turning on a standalone feature and more about preparing Graylog for controlled, authenticated access by creating the right user, generating the right token, enabling MCP, and connecting a compatible client correctly. Because MCP can expose live data and allow tool-based interaction with your environment, careful configuration matters just as much as functionality.

This article explains the requirements for MCP setup in Graylog, how to create and format authentication credentials, how to enable MCP, how to connect supported LLM clients, and what security considerations to keep in mind during configuration.

Warning: Graylog MCP support is an experimental feature. Its behavior, available tools, and responses may change without notice between versions. Use MCP only in controlled, non-production environments. Actions performed through MCP may modify live data, trigger system events, or expose sensitive information, depending on the permissions of the connected user. Graylog does not provide full support for MCP-related issues at this time. Proceed only if you understand the potential impact to your environment.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • You must be running Graylog version 7.0 or later to use MCP tools.

  • Each MCP user must have a unique API token generated for authentication.

  • You need a supported LLM client, such as Claude Code, LM Studio, or Claude Desktop, to connect with the MCP server.

  • You should have a basic understanding of Graylog API tokens and REST endpoints before beginning configuration.

Set Up MCP Access in Graylog

Before you can connect an LLM to Graylog, you need to prepare the environment. This setup involves creating a dedicated MCP user, generating an API token, and enabling MCP support within your Graylog instance.

Create an API Token for the MCP User

  1. Each MCP connection requires its own authentication token. Creating a dedicated user ensures limited access and isolates MCP activity from administrative accounts.

  2. Create a dedicated read-only Graylog user for MCP. Do not use administrator accounts. Instead, create a limited-access user that can only read the data required for MCP.

  3. Generate an API token for that user under System > Users and Teams > Tokens. See REST API Access Tokens for information.

  4. Format the API token for use as an authentication header value. Add the Graylog API token as the <username> in the following format:

    echo -n "<username>:token" | base64

    In the example below, the user has replaced <username> with the generated API token and maintained the syntax for token:

    echo -n "3bpe4cpas2skrpvm9f3390ik2hqg8pfl4kp5bcs2cd78korjfjq:token" | base64

    Hint: Note that, as in the example above, you do NOT replace the value token with your API token. The API token is added in the <username> field. The word token remains the same as demonstrated.

Enable MCP Support

After generating the API token, you must enable the MCP feature in Graylog. This makes the MCP endpoint available so that approved clients can connect and issue tool-based requests.

  1. Navigate to System > Configurations > MCP.
  2. Toggle Enable MCP to On.
  3. Save your configuration.

Configure Your LLM Client

Once MCP is enabled in Graylog, the next step is to connect your preferred LLM client. Configuration details vary depending on the client, but each setup requires specifying your Graylog MCP server URL and authentication token. We have provided example configuration steps for two LLM clients: Claude Code and LM Studio.

Configure Claude Code

Use Claude Code to connect directly to your Graylog MCP server for live querying and operational tasks. Configuration is completed through simple command-line steps that register your Graylog instance as a remote MCP endpoint.

  1. Install and open Claude Code according to their documentation.
  2. Display the current list of MCP servers for verification: 

    claude mcp list
  3. Register your Graylog MCP server:
    claude mcp add --transport http graylog http://127.0.0.1:9000/api/mcp \
    --header "Authorization: Basic CKDFJKLCFKLLFKCL..."
  4. Verify the connection:
    claude mcp list
  5. Start prompting Claude about your Graylog server.

Warning: Do not connect Claude Code to multiple Graylog instances at the same time!

Configure LM Studio

LM Studio supports MCP through a local configuration file. By editing the mcp.json file, you can register your Graylog server and begin using MCP tools directly from your LM Studio chat interface.

  1. Install and launch LM Studio according to their documentation.
  2. Go to Settings > Program > Edit mcp.json.
  3. Add your Graylog MCP configuration:
    {
      "mcpServers": {
        "graylog-mcp-server": {
          "url": "http://localhost:9000/api/mcp",
          "headers": {
            "Authorization": "Basic CKDFJKLCFKLLFKCL..."
          }
        }
      }
    }
  4. Save the file. LM Studio refreshes the configuration automatically.
  5. Enable MCP tools and begin prompting.

Warning: Do not connect LM Studio to multiple Graylog instances at the same time!

Claude Desktop

Claude Desktop requires an additional proxy setup to communicate with the MCP endpoint. This configuration is intended for advanced users who want to run MCP commands locally through a controlled proxy environment:

{
    "mcpServers": {
        "graylog-proxy": {
            "command": "uvx",
            "args": [ "fastmcp", "run", "http://<username>:<password>@localhost:9000/api/mcp" ]
        }
    }
}

Or, if using a previously-generated API token:

{
    "mcpServers": {
        "graylog-proxy": {
            "command": "uvx",
            "args": [ "fastmcp", "run", "http://<api token>:token@localhost:9000/api/mcp" ]
        }
    }
}

 

Security Considerations

MCP uses the same HTTP API that Graylog already relies on, so it does not require any additional network ports or external access points. All requests made through MCP are subject to the same authentication and authorization controls as the Graylog REST API.

Access to MCP tools is governed by the user roles assigned to the API token in use. This means the scope of actions an LLM can perform depends entirely on the permissions of the associated Graylog account. To minimize risk, create a dedicated read-only user for MCP rather than reusing existing administrative credentials.

By default, remote MCP access is disabled in Graylog. You can enable it manually in System > Configurations > MCP when you are ready to test the feature. Always review your environment and data exposure before enabling MCP in production systems, as connected models may perform or suggest actions based on live data.

Use Your LLM With Graylog

Now that you have set up MCP integration with Graylog and configured your LLM client, review MCP Tools and Graylog to see what tools are currently available and what prompts you can test in your LLM for use with these tools.

Troubleshooting and Common Issues

The following section outlines troubleshooting steps for common issues to assist you in resolving potential challenges you may encounter.

Issue: Connection Fails When Registering MCP Server

Verify that the Graylog MCP endpoint (/api/mcp) is reachable and that your API token is base64-encoded correctly. Check the Graylog logs for MCP errors.

Solution: Validate Configuration

Ensure that MCP is enabled under System > Configurations > MCP and that your LLM client’s configuration matches the server URL and authentication header format.
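
The token formatting from step 4 of "Create an API Token for the MCP User" and the base64 check named in the issue above can be scripted. This is an added example, not Graylog tooling: the function names are hypothetical, the sample token is constructed, and it assumes a `base64` that accepts `-d` (GNU coreutils).

```shell
#!/bin/sh
# Added example (not Graylog code). Assumes base64 accepts -d (GNU coreutils).

# Build the value that follows "Basic " from a Graylog API token.
# printf adds no trailing newline; tr removes the line wrapping that
# base64 applies to long output.
graylog_basic_value() {
    printf '%s:token' "$1" | base64 | tr -d '\n'
}

# Decode a candidate header value and classify it.
# Prints one verdict and returns 0 only for "ok".
check_basic_value() {
    value=${1#Basic }   # accept the value with or without the scheme prefix
    # The trailing "x" sentinel keeps $(...) from stripping a decoded newline.
    decoded=$(printf '%s' "$value" | base64 -d 2>/dev/null && printf x) || {
        echo not-base64; return 1; }
    decoded=${decoded%x}
    nl='
'
    case $decoded in
        *"$nl")   echo trailing-newline; return 1 ;;  # echo used without -n
        token:*)  echo swapped; return 1 ;;           # fields reversed
        ?*:token) echo ok; return 0 ;;                # <api token>:token
        *)        echo wrong-format; return 1 ;;      # e.g. token encoded alone
    esac
}

# Constructed sample token, not a real credential.
sample=$(graylog_basic_value "constructed-sample-token")
echo "sample check: $(check_basic_value "$sample")"
```

Pass the value from your client configuration to `check_basic_value` before registering the server; any verdict other than `ok` means the header will not authenticate as the token's user.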

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: