The AI-agent-first CLI for the Wazuh Server API
wazuh-cli is a high-performance, single-binary wrapper for the entire Wazuh Server REST API.
Designed specifically for AI agents (Claude Code, Gemini CLI, Cline) and Security Engineers who value speed, structure, and security.
- Total Parity: Complete coverage of all Wazuh API modules, including Agents, FIM, SCA, RBAC, and more.
- AI Native: Built-in Agent Skill, deterministic exit codes, and machine-first JSON output.
- Hardened Security: 0600 file permissions, secure interactive login, and credential masking.
- Rich Output: Toggle between structured JSON for scripts and clean Markdown tables for reports.
- Zero Friction: Single binary, no heavy dependencies, and a 4-tier configuration system.
Quick links to deep-dive guides:
- Architecture: Design philosophy and component structure.
- Authentication: Multi-method auth, token caching, and secure password input.
- Configuration: Priority resolution, environment variables, and `config set` flags.
- Command Reference: Comprehensive list of supported modules.
- User Management: How to create and configure API users.
- Implementation: Technical details for developers.
- AGENTS.md: Guidance for AI coding agents (Gemini CLI, Codex, etc.).
```sh
curl -fsSL https://raw.githubusercontent.com/ba0f3/wazuh-cli/main/install.sh | sh
```

Detects your OS and architecture, downloads the correct release binary from GitHub, verifies its checksum, and installs to `/usr/local/bin` (or `~/bin` if not writable). Pass optional flags after `sh -s --`:

```sh
# install a specific version
curl -fsSL https://raw.githubusercontent.com/ba0f3/wazuh-cli/main/install.sh | sh -s -- --version v1.2.3
# install to a custom directory
curl -fsSL https://raw.githubusercontent.com/ba0f3/wazuh-cli/main/install.sh | sh -s -- --dir ~/.local/bin
```

```sh
brew install ba0f3/tap/wazuh-cli
```

```sh
go install github.com/ba0f3/wazuh-cli@latest
```

Download the latest binary for your platform from the GitHub Releases page.
```sh
git clone https://github.com/ba0f3/wazuh-cli
cd wazuh-cli
make build
sudo mv bin/wazuh-cli /usr/local/bin/
```

Use the interactive login to cache your JWT token without leaking passwords to your shell history:

```sh
wazuh-cli auth login --url https://wazuh:55000 --user admin --insecure
```

```sh
wazuh-cli manager info
```

```sh
# List active agents in Markdown format
wazuh-cli agent list --status active --output markdown
# Find critical vulnerabilities for a specific agent
wazuh-cli vulnerability list 001 --severity critical
# Check cluster and manager status
wazuh-cli cluster health
wazuh-cli manager status
```

Settings are merged in the following order (highest wins):
- Flags: `--url`, `--user`, `--password`, etc.
- Env Vars: `WAZUH_URL`, `WAZUH_USER`, `WAZUH_PASSWORD`, `WAZUH_TOKEN`, `WAZUH_INDEXER_URL`, etc.
- Local: `.env` file in the current working directory.
- Global: `~/.config/wazuh/config.json`.
Note
Alerts & OpenSearch: To query alerts using wazuh-cli alert, you must configure indexer_url (e.g. wazuh-cli config set indexer_url https://indexer:9200). If indexer_user and indexer_password are not explicitly set, the CLI will automatically fall back to using the Wazuh Manager user and password.
Important
Both the config file and the token cache (~/.config/wazuh/token) must have 0600 permissions. The CLI will refuse to load them if they are too open.
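
The kind of check described above can be sketched as follows. This is an added example, not wazuh-cli's own code: `loadSecret` is a hypothetical helper, and "too open" is assumed to mean that any group or other permission bit is set.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// loadSecret is a hypothetical helper (not wazuh-cli's implementation).
// It returns the file contents only if the file is a regular file whose
// mode is 0600 or stricter; "too open" is assumed to mean mode&0077 != 0.
func loadSecret(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	info, err := f.Stat() // stat the open handle so the check and the read see the same file
	if err != nil {
		return nil, err
	}
	if !info.Mode().IsRegular() {
		return nil, fmt.Errorf("%s: not a regular file", path)
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return nil, fmt.Errorf("%s: mode %04o is too open, want 0600", path, perm)
	}
	return io.ReadAll(f)
}

func main() {
	dir, err := os.MkdirTemp("", "perm-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for _, mode := range []os.FileMode{0o600, 0o640, 0o644} {
		p := filepath.Join(dir, fmt.Sprintf("token-%04o", mode))
		if err := os.WriteFile(p, []byte("constructed-sample-token"), 0o600); err != nil {
			panic(err)
		}
		if err := os.Chmod(p, mode); err != nil { // Chmod is not affected by the umask
			panic(err)
		}
		_, err := loadSecret(p)
		fmt.Printf("%04o -> %v\n", mode, err)
	}
}
```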
wazuh-cli is optimized to be used as a tool by LLM-based agents.
- Copy the skill definition: `cp skill/SKILL.md ~/.claude/skills/wazuh-cli.md`
- Or simply reference it in your project's `CLAUDE.md`.
The skill file provides the agent with a compressed reference of all commands, investigation patterns, and error recovery strategies.
Please refer to SECURITY.md for supported versions and instructions on how to report a vulnerability.
Distributed under the MIT License. See LICENSE for more information.