MCP Tools and Graylog
After your LLM client connects to the Graylog Model Context Protocol (MCP) endpoint, Graylog exposes a set of tools the model can use to retrieve information and perform supported actions in your environment. This article explains how those tools are organized, what each tool category is used for, and what kinds of prompts you can give your LLM to work with them effectively.
Graylog groups MCP tools by functional area so they are easier to understand and use. Some tools are available only when the corresponding Graylog enterprise products, such as Security or Illuminate, are enabled. The tools available to your client also depend on the permissions of the connected user.
This article explains what tools are available and what prompts you can test in your LLM for use with these tools. For information about MCP integration in Graylog generally, see Graylog Model Context Protocol (MCP) Integration. For instructions on connecting a client and configuring access, see Configure MCP.
Warning: Graylog MCP support is an experimental feature. Its behavior, available tools, and responses may change without notice between versions. Use MCP only in controlled, non-production environments. Actions performed through MCP may modify live data, trigger system events, or expose sensitive information, depending on the permissions of the connected user. Graylog does not provide full support for MCP-related issues at this time. Proceed only if you understand the potential impact to your environment.
System Information and Configuration
This group of tools helps the model answer basic questions about the current Graylog environment. These tools are useful when you want to confirm version details, understand the state of the system, inspect available resources, or review high-level security content such as MITRE ATT&CK coverage and Illuminate packs. In practice, this category is often a good starting point when you want your LLM to orient itself before moving into more targeted searches or security workflows.
| Tool | Description |
|---|---|
get_system_status
|
Return raw system information about the Graylog installation (cluster ID, version, hostname, timezone, operating system). |
get_formatted_system_status
|
Return the same system information as get_system_status formatted as markdown. |
get_current_time
|
Return the current time from the Graylog server in ISO-8601 UTC format. |
get_mitre_threat_coverage
|
Retrieve MITRE ATT&CK threat coverage statistics and current detection state for the environment. |
list_illuminate_content_packs
|
List installed Illuminate content packs with options to filter by active bundles or enabled packs only. |
list_resource
|
List all resources of a given type (stream, dashboard, or event definition) with their GRN (Graylog Resource Name) identifiers and names. |
describe_resource
|
Get a brief description of any Graylog resource by its GRN. |
Sample Prompts
You might use prompts in this category when you want your LLM to identify what environment it is connected to or summarize what is already configured. For example:
-
What version of Graylog am I running?
-
How does my current MITRE ATT&CK threat coverage look?
Streams and Index Management
This group focuses on the structure of your data and the components that support ingestion and retention. These tools help the model understand where data is going, how long it is kept, how it is distributed, and what inputs are currently active. They are especially useful when you are trying to scope a search, troubleshoot ingestion issues, or understand storage and retention behavior before asking more complex questions about the data itself.
| Tool | Description |
|---|---|
list_streams
|
List all available log streams in the Graylog instance, useful for scoping searches and understanding data sources. |
list_index_sets
|
List all index sets with their rotation and retention policies, helping you understand data lifecycle and storage configuration. |
list_indices
|
List all indices in the cluster with status, document counts, storage size, and health metrics for monitoring data distribution. |
list_inputs
|
List all configured log inputs (syslog, GELF, etc.) with their type, state, and throughput stats for monitoring ingestion health. |
Sample Prompts
These prompts work well when you want your LLM to help you understand the shape of your environment before running searches or troubleshooting operational issues. For example:
-
What streams are available for me to search?
-
How long is my log data being retained?
Search and Aggregation
This category is used to query and summarize log data. These tools give the model a way to search messages, inspect available fields, and run aggregations across the data set. In most everyday use, this is the category users will rely on most heavily, because it supports both direct investigation and higher-level analysis. A model can use these tools to answer targeted questions, summarize patterns, or narrow down unusual activity over a defined time range.
| Tool | Description |
|---|---|
search_messages
|
Execute Lucene queries against Graylog log messages with pagination, field selection, and time range scoping. Supports filtering by stream or stream category. |
aggregate_messages
|
Run aggregation queries (count, avg, min, max, etc.) on log data grouped by field values. Useful for summarizing trends like top sources, error rates, or event frequency. |
list_fields
|
Retrieve available field names and their metadata (data type, capabilities like enumerable or numeric) for building accurate search and aggregation queries. |
Sample Prompts
Prompts in related to these tools should usually tell the model what to look for, over what time period, and, if relevant, in which stream. That gives the model enough context to choose the right tool and build a better query. For example:
-
Show me the top 10 source IPs with the most failed SSH login attempts over the last 24 hours.
Security Events
These tools are designed for working with detections and alert-driven workflows in Graylog Security. They help the model retrieve recent events, inspect event details, review asset-specific activity, and update events as part of triage. This category is most useful when the goal is not just to search raw logs, but to understand and act on security-relevant findings that have already been surfaced as events.
| Tool | Description |
|---|---|
list_new_security_events
|
Fetch the most recent security events with a status of NEW, giving a real-time view of unreviewed alerts. |
describe_security_events
|
Get detailed information about specific security events by ID returned as a formatted table. |
list_security_events_by_asset
|
Query security events associated with specific asset IDs with optional status filtering. |
update_security_events
|
Update one or more security events, i.e. change status, assign an owner, or add/replace notes. |
describe_event_procedures
|
Retrieve detailed response procedure documentation for specific security event types by ID. |
Sample Prompts
Prompts here often combine review and action. A user might first ask the model to identify new events, then ask follow-up questions about severity, ownership, or recommended response steps. For example:
-
What new security alerts came in today?
-
What are the recommended response steps for the highest priority one?
Investigations
Investigation tools support longer-running analyst workflows. Instead of looking at a single event in isolation, these tools help the model work with broader investigation records that can collect evidence, track ownership, and reflect progress over time. This makes them useful when an alert has moved beyond initial review and needs to be documented, assigned, and expanded into a more formal investigation.
| Tool | Description |
|---|---|
list_investigations
|
Get a paginated, filterable list of security investigations with sorting support. |
create_investigation
|
Create a new security investigation with a name, priority, status, and optional evidence (like events, logs, searches, and dashboards). |
update_investigation
|
Update an existing investigation's name, priority, status, assignment, evidence, or archive status. |
get_possible_investigation_values
|
Retrieve all valid values for investigation fields such as priority, status, assignable users, and teams. |
Sample Prompts
These kind of prompts are most helpful when you want the LLM to assist with case creation, management, or handoff. Since investigation records are structured, it is useful to be explicit about names, priorities, assignments, and any evidence you want attached. For example:
-
Create a new High priority investigation called "Suspicious Admin Activity," assign it to the SOC team, and attach the latest new security events as evidence.
Assets and Vulnerabilities
This group helps the model work with asset context rather than only with events or logs. These tools are useful when you want to understand which hosts or entities are riskiest, inspect the details of a specific asset, or review known vulnerabilities tied to that asset. This category is especially helpful for risk-driven analysis, where the question starts with what matters most in the environment rather than what happened in a specific log stream.
| Tool | Description |
|---|---|
list_assets
|
List security assets, optionally sorted by risk score, to identify your highest-risk hosts or entities. |
describe_asset
|
Get detailed information about specific assets by ID, including type, priority, category, and risk score. |
list_vulnerabilities
|
List all known vulnerabilities associated with specific asset IDs. |
Sample Prompts
Prompts in this section work best when you want the LLM to surface the most important assets first and then drill into why they matter. For example:
-
Which of my assets have the highest risk scores?
-
What vulnerabilities are currently affecting them?
Further Reading
Explore the following additional resources and recommended readings to expand your knowledge on related topics:
