Graylog Model Context Protocol (MCP) Integration

Graylog supports integration with the Model Context Protocol (MCP), which allows large language models (LLMs) to access and interact with Graylog data and workflows through a structured tool interface. Graylog exposes an MCP-compatible endpoint that supported LLM clients, such as Claude and LM Studio, can connect to in order to query data, retrieve system information, and perform supported tasks within the limits of the connected user’s permissions.

MCP gives Graylog users a way to work with their environment through natural language while still relying on the same underlying API and authorization model that governs standard Graylog access. Rather than requiring users to move between the Graylog interface and an external assistant, MCP allows a compatible client to interact directly with Graylog as a remote tool provider.

This article explains what MCP integration is in Graylog, why it may be useful, and where to go next to configure it and understand the tools it exposes.

Warning: Graylog MCP support is an experimental feature. Its behavior, available tools, and responses may change without notice between versions. Use MCP only in controlled, non-production environments. Actions performed through MCP may modify live data, trigger system events, or expose sensitive information, depending on the permissions of the connected user. Graylog does not provide full support for MCP-related issues at this time. Proceed only if you understand the potential impact on your environment.

Why MCP?

MCP integration allows Graylog users to interact with their data through an LLM client in a more direct and conversational way. Once connected, the model can use Graylog’s exposed MCP tools to retrieve information and carry out supported actions based on the user’s prompt. Depending on your environment and permissions, this can make it easier to ask questions, investigate activity, and perform routine tasks without manually navigating through multiple areas of the Graylog interface.

With MCP, an LLM may be able to help you:

  • ask real-time questions about your Graylog environment, such as system status, stream configuration, or index retention.

  • retrieve and summarize log data, security events, assets, or investigations through natural language prompts.

  • assist with common operational and investigative workflows without requiring direct API calls.

  • work more efficiently across Graylog features by using a single conversational interface.

The tools available through MCP depend on your Graylog deployment, licensed features, and the permissions assigned to the connected user. For example, some security-related tools are available only when the corresponding Graylog Security or Illuminate products are enabled.

Set Up MCP Integration

Before you can use MCP with Graylog, you must prepare both Graylog and your LLM client for the connection. This includes confirming that your Graylog version supports MCP, creating a dedicated user and API token for authentication, enabling MCP in Graylog, and configuring a supported client to connect to the MCP endpoint. Because MCP access is governed by the permissions of the associated Graylog user, setup is also an important part of controlling what data and actions are available to the model.

For step-by-step instructions, see Configure MCP. That article explains the prerequisites for MCP, how to create and format the required API token, how to enable MCP in Graylog, how to configure supported LLM clients, and what security considerations to keep in mind during setup.

Use MCP Tools and Prompt Your LLM

Once MCP is configured and your client is connected, Graylog exposes a set of tools the model can use to work with your environment. These tools are organized by functional area and may include capabilities related to system information, streams and index management, log search and aggregation, security events, investigations, assets, and vulnerabilities. The most effective prompts usually give the model enough context to choose the right tool, such as what to look for, the time range involved, and any relevant stream, asset, or event information.

For an overview of the available tools and examples of the kinds of prompts you can use with them, see MCP Tools and Graylog. That article explains how Graylog organizes MCP tools, what each tool category is used for, and what sample prompts you can test in your LLM for common operational and security workflows.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: