Model Context Protocol (MCP) Tools and Graylog

Warning: Model Context Protocol for use with Graylog is currently in beta. These features are intended for testing and evaluation only and are not recommended for production use. Tool definitions, parameters, and output formats may change without notice as we refine and stabilize the functionality.

Graylog supports integration with the Model Context Protocol (MCP), which allows large language models (LLMs) to access and interact with Graylog data and workflows in real time. Graylog exposes an MCP-compatible endpoint for LLM clients, such as Claude and LM Studio.

This article explains how to prepare your Graylog environment for MCP, configure supported LLM clients, and understand the available tools and related security considerations.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • You must be running Graylog version 7.0 or later to use MCP tools.

  • Each MCP user must have a unique API token generated for authentication.

  • You need a supported LLM client, such as Claude Code, LM Studio, or Claude Desktop, to connect to the MCP server.

  • You should have a basic understanding of Graylog API tokens and REST endpoints before beginning configuration.

Why MCP?

MCP integration allows Graylog users to interact with their data through LLMs. With MCP, an LLM can connect directly to Graylog as a remote tool interface, performing queries, retrieving system information, and assisting with common administrative or investigative tasks. This makes it possible to:

  • Ask real-time questions about your Graylog environment, such as system status, disk usage, or index sizes.

  • Automate operational checks and repetitive administrative actions through natural language prompts.

  • Retrieve and summarize log data, stream configurations, or security event details without leaving the LLM interface.

  • Explore investigations, assets, or resources in Graylog Enterprise and Security editions using conversational commands.

Warning: MCP support in Graylog is an experimental beta feature. Its behavior, available tools, and responses may change without notice between versions. Use MCP in controlled, non-production environments only. Actions performed through MCP may modify live data, trigger system events, or expose sensitive information depending on the permissions of the connected user. Graylog does not provide full support for MCP-related issues at this time. Proceed only if you understand the potential impact to your environment.

Set Up MCP Access in Graylog

Before you can connect an LLM to Graylog, you need to prepare the environment. This setup involves creating a dedicated MCP user, generating an API token, and enabling MCP support within your Graylog instance.

Create an API Token for the MCP User

Each MCP connection requires its own authentication token. Creating a dedicated user ensures limited access and isolates MCP activity from administrative accounts.

  1. Create a dedicated read-only Graylog user for MCP. Do not use administrator accounts. Instead, create a limited-access user that can only read the data required for MCP.

  2. Generate an API token for that user under System > Users and Teams > Tokens. See REST API Access Tokens for information.

  3. Format the API token for use as an authentication header value. Add the Graylog API token as the <username> in the following format:

    echo -n "<username>:token" | base64

    In the example below, <username> has been replaced with the generated API token, while the literal password value token is left unchanged:

    echo -n "3bpe4cpas2skrpvm9f3390ik2hqg8pfl4kp5bcs2cd78korjfjq:token" | base64

    Hint: As in the example above, you do NOT replace the value token with your API token. The API token goes in the <username> position; the word token remains exactly as shown.
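The following is an added example, not part of the Graylog documentation, that wraps the encoding step above in a small shell function and decodes the result again so the `<api-token>:token` layout can be checked. The token value abc123 is a constructed placeholder, not a real Graylog token.

```shell
#!/bin/sh
# Added example (not from the Graylog documentation): build the Authorization
# header value for a Graylog API token. The token "abc123" used at the bottom is
# a constructed placeholder, not a real token.

# Print "Basic <base64>" for the given API token. The token is the username
# half of the credentials; the password half is always the literal word "token".
mcp_basic_auth_header() {
    api_token=$1
    # printf '%s' (like echo -n) keeps a trailing newline out of the credentials,
    # and tr removes the line wrapping GNU base64 inserts for long input.
    encoded=$(printf '%s:token' "$api_token" | base64 | tr -d '\n')
    printf 'Basic %s\n' "$encoded"
}

# Decode a header value back to the credentials so the "<api-token>:token"
# layout can be checked by eye before it goes into a client configuration.
mcp_show_credentials() {
    printf '%s' "${1#"Basic "}" | base64 -d
    echo
}

header=$(mcp_basic_auth_header abc123)
echo "$header"                   # Basic YWJjMTIzOnRva2Vu
mcp_show_credentials "$header"   # abc123:token
```

The printed header value is what goes after `Authorization:` in the client configurations below; if the decoded line does not end in `:token`, the token was placed in the wrong half.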

Enable MCP Support

After generating the API token, you must enable the MCP feature in Graylog. This makes the MCP endpoint available so that approved clients can connect and issue tool-based requests.

  1. Navigate to System > Configurations > MCP.
  2. Toggle Enable MCP to On.
  3. Save your configuration.

Configure Your LLM Client

Once MCP is enabled in Graylog, the next step is to connect your preferred LLM client. Configuration details vary depending on the client, but each setup requires specifying your Graylog MCP server URL and authentication token. We have provided example configuration steps for two LLM clients: Claude Code and LM Studio.

Configure Claude Code

Use Claude Code to connect directly to your Graylog MCP server for live querying and operational tasks. Configuration is completed through simple command-line steps that register your Graylog instance as a remote MCP endpoint.

  1. Install and open Claude Code according to their documentation.
  2. Display the current list of MCP servers for verification:

    claude mcp list

  3. Register your Graylog MCP server:

    claude mcp add --transport http graylog http://127.0.0.1:9000/api/mcp \
    --header "Authorization: Basic CKDFJKLCFKLLFKCL..."

  4. Verify the connection:

    claude mcp list

  5. Start prompting Claude about your Graylog server.

Warning: Do not connect Claude Code to multiple Graylog instances at the same time!

Configure LM Studio

LM Studio supports MCP through a local configuration file. By editing the mcp.json file, you can register your Graylog server and begin using MCP tools directly from your LM Studio chat interface.

  1. Install and launch LM Studio according to their documentation.
  2. Go to Settings > Program > Edit mcp.json.
  3. Add your Graylog MCP configuration:

    {
      "mcpServers": {
        "graylog-mcp-server": {
          "url": "http://localhost:9000/api/mcp",
          "headers": {
            "Authorization": "Basic CKDFJKLCFKLLFKCL..."
          }
        }
      }
    }

  4. Save the file. LM Studio refreshes the configuration automatically.
  5. Enable MCP tools and begin prompting.

Warning: Do not connect LM Studio to multiple Graylog instances at the same time!

Claude Desktop

Claude Desktop requires an additional proxy setup to communicate with the MCP endpoint. This configuration is intended for advanced users who want to run MCP commands locally through a controlled proxy environment. The example embeds credentials in the server URL; use the credentials of the dedicated MCP user described above rather than an administrator account:

{
    "mcpServers": {
        "graylog-proxy": {
            "command": "uvx",
            "args": [ "fastmcp", "run", "http://admin:admin@localhost:9000/api/mcp" ]
        }
    }
}

Available MCP Tools in Graylog

When your client successfully connects to the Graylog MCP endpoint, the system exposes a structured set of tools that the model can call to perform specific tasks. Each MCP tool represents an action or query available through the Graylog API, allowing the model to retrieve data, perform lookups, or initiate operations. The available tools are grouped by functional category, such as system information, log management, or security operations.

Hint: Some tools are available only when the corresponding Graylog features, such as Security or Illuminate, are enabled.

System Information

  • mcp_preview_get_current_time

  • mcp_preview_get_system_status

  • mcp_preview_get_formatted_system_status

Log Management

  • mcp_preview_list_streams

  • mcp_preview_list_inputs

  • mcp_preview_list_indices

  • mcp_preview_list_index_sets

  • mcp_preview_list_fields

Search and Analysis

  • mcp_preview_search_messages

  • mcp_preview_aggregate_messages

Security Operations

  • mcp_preview_list_assets

  • mcp_preview_describe_asset

  • mcp_preview_list_new_security_events

  • mcp_preview_list_security_events_by_asset

  • mcp_preview_update_security_events

Investigations

  • mcp_preview_list_investigations

  • mcp_preview_create_investigation

  • mcp_preview_update_investigation

  • mcp_preview_get_possible_investigation_values

Threat Intelligence

  • mcp_preview_get_mitre_threat_coverage

  • mcp_preview_list_illuminate_content_packs

Resources

  • mcp_preview_list_resource

  • mcp_preview_describe_resource

Security Considerations

MCP uses the same HTTP API that Graylog already relies on, so it does not require any additional network ports or external access points. All requests made through MCP are subject to the same authentication and authorization controls as the Graylog REST API.

Access to MCP tools is governed by the user roles assigned to the API token in use. This means the scope of actions an LLM can perform depends entirely on the permissions of the associated Graylog account. To minimize risk, create a dedicated read-only user for MCP rather than reusing existing administrative credentials.

By default, remote MCP access is disabled in Graylog. You can enable it manually in System > Configurations > MCP when you are ready to test the feature. Always review your environment and data exposure before enabling MCP in production systems, as connected models may perform or suggest actions based on live data.

Troubleshooting and Common Issues

This section outlines troubleshooting steps for common issues you may encounter.

Issue: Connection Fails When Registering MCP Server

Verify that the Graylog MCP endpoint (/api/mcp) is reachable and that your API token is base64-encoded correctly. Check the Graylog logs for MCP errors.

Solution: Validate Configuration

Ensure that MCP is enabled under System > Configurations > MCP and that your LLM client’s configuration matches the server URL and authentication header format.
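As an added example (not from the Graylog documentation), the script below checks the two things this section asks you to validate before looking at the server: that the Authorization header decodes to a non-empty token followed by the literal password token, and that the URL points at the /api/mcp path. It also includes an optional curl probe that reports whether the endpoint answered at all. The header and URL values at the bottom are constructed placeholders; the probe is only run when you call it against a live instance.

```shell
#!/bin/sh
# Added example (not from the Graylog documentation): sanity-check the values an
# LLM client will send before blaming the server. The header and URL at the
# bottom are constructed placeholders (token "abc123", local instance).

# Return 0 if the header value is "Basic <base64>" and the decoded credentials
# are a non-empty token followed by the literal password "token".
mcp_check_auth_header() {
    header=$1
    case $header in
        "Basic "*) ;;
        *) echo "FAIL: header must start with 'Basic '" >&2; return 1 ;;
    esac
    decoded=$(printf '%s' "${header#"Basic "}" | base64 -d 2>/dev/null) || {
        echo "FAIL: header is not valid base64" >&2; return 1
    }
    case $decoded in
        ":token") echo "FAIL: API token is empty" >&2; return 1 ;;
        *:token) return 0 ;;
        *) echo "FAIL: decoded credentials must end in ':token'" >&2; return 1 ;;
    esac
}

# Return 0 if the URL uses http(s) and ends with the MCP endpoint path.
mcp_check_url() {
    url=$1
    case $url in
        http://*/api/mcp|https://*/api/mcp) return 0 ;;
        http://*|https://*) echo "FAIL: URL does not end in /api/mcp" >&2; return 1 ;;
        *) echo "FAIL: URL must start with http:// or https://" >&2; return 1 ;;
    esac
}

# Send one request with the header and classify the HTTP status. curl prints
# 000 when no TCP connection could be made; 401 means Graylog rejected the
# credentials; any other status means the endpoint answered and the problem
# lies elsewhere (client configuration, MCP toggle, permissions).
# Only runs when called explicitly, so the checks above work offline.
mcp_probe_endpoint() {
    url=$1
    header=$2
    status=$(curl -s -o /dev/null -w '%{http_code}' -H "Authorization: $header" "$url") || status=000
    case $status in
        000) echo "unreachable: no connection to $url (is Graylog up and the port open?)" ;;
        401) echo "rejected: HTTP 401, so the token or header layout is wrong" ;;
        *)   echo "reachable: HTTP $status from $url" ;;
    esac
}

# Constructed demonstration values.
header="Basic YWJjMTIzOnRva2Vu"   # base64 of "abc123:token"
url="http://127.0.0.1:9000/api/mcp"
mcp_check_auth_header "$header" && echo "header layout OK"
mcp_check_url "$url" && echo "URL OK"
# Against a running Graylog instance, also test connectivity:
# mcp_probe_endpoint "$url" "$header"
```

A header built from `token:<api-token>` (the halves swapped) or from an empty token fails the first check, which is the most common cause of a rejected registration; a URL that stops at `/api` fails the second.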

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: