Quick Overview
Model Context Protocol (MCP) gives large language models (LLMs) a secure way to interact with your Graylog data and workflows.
Instead of writing complex queries, you can ask questions in plain English, such as:
- “Which inputs are active?”
- “How much disk space is my Graylog server using?”
- Get real-time answers grounded in your environment—not generic, pre-trained data.
Analysts gain speed, administrators maintain control, and security stays intact.
Why MCP Matters
Security teams already spend too much time clicking through dashboards, repeating searches, and correlating results manually. MCP reduces that friction.
By embedding a remote MCP server inside Graylog, analysts and engineers can:
- Query Graylog data conversationally through supported AI tools
- Integrate their preferred LLM, whether local or cloud-based
- Apply role-based guardrails that align with Graylog Users and Roles
- Accelerate investigations without leaving their environment
The result is faster insights, fewer manual steps, and more focus on real security work.
How MCP Works
Once MCP is enabled in Graylog V7.0, your deployment acts as a secure remote MCP server that exposes a defined set of tools for your LLM to use.
- Agent Connection – Connect Graylog to an AI client such as Claude Code or LM Studio.
- Guardrails and Tokens – Each MCP user requires a unique API token tied to their Graylog role, ensuring least-privilege access.
- Conversational Queries – Ask deployment-aware questions such as:
“What indexes were created in the last 24 hours?”
“Which Graylog inputs are configured with a sleep parameter greater than 10 milliseconds?” - Actionable Output – Your LLM runs real API calls behind the scenes and returns live, contextual answers based on your current data, not a static training set.
Seth Goldhammer, VP of Product demonstrates his connection to Graylog from an LLM
Setting Up MCP
1- Create API Tokens
Each LLM or user agent must have its own API token.
- Follow standard Graylog REST API token creation steps.
- Assign tokens only to read-only users, not administrators.
- Encode the token as a Basic Auth header, for example:
echo -n “user:token” | base64
2 – Connect Claude Code
Claude Code, built by Anthropic, provides strong MCP support.
claude mcp add –transport http graylog http://127.0.0.1:9000/api/mcp \
–header “Authorization: Basic <base64token>”
Confirm with claude mcp list, then ask questions such as:
“How much disk space is my Graylog server using, and which index set is largest?”
3 – Connect LM Studio
LM Studio is a free, local option.
Edit mcp.json to include:
{
"mcpServers": {
"graylog-mcp-server": {
"url": "http://localhost:9000/api/mcp",
"headers": {
"Authorization": "Basic <base64token>"
}
}
}
}
Save the file, reload LM Studio, and your Graylog server becomes an available MCP endpoint.
Tip: Connect only one Graylog MCP server at a time to prevent data from being read or written to the wrong system.
Using MCP Tools
MCP Tools cover several key areas across Graylog environments:
| Category | Example Prompts |
| System Info | “List system information about my Graylog server. What version are we running?” |
| Inputs | “Which inputs are currently active?” |
| Indices | “List all indices and their document counts.” |
| Index Sets | “Which index sets have only a single shard?” |
| Streams | “Which streams are not active? Who created the most streams?” |
| Strategic Ops | “Is my Graylog server ready to scale? Which index sets should I create before scaling up?” |
These tools let your LLM retrieve live metrics, validate configurations, and perform readiness checks without requiring any manual query writing.
Security Factors
- No new network ports required
- MCP permissions mirror existing Graylog REST API roles
- Remote access can be disabled or restricted at any time
- MCP can be turned off globally in System → Configurations → MCP
Before sharing Graylog data with any LLM, confirm that the model does not automatically upload prompts or responses for further training.
Benefits of MCP with Graylog
MCP is designed to extend Graylog’s value without adding complexity.
- Faster Administration – Reduce repetitive tasks and context switching with conversational access.
- Lower Alert Fatigue – Analysts get precise answers with the right context.
- Flexible AI Options – Connect cloud-hosted or local models with equal ease.
- Security Built In – Role-based guardrails prevent oversharing and protect sensitive data.
- Operational Impact – Combine MCP with Entity-Centric Risk Modeling and Context-Aware Incident Response to strengthen investigations and reduce triage time.
Real-World Example
An analyst notices unusual login attempts. Instead of switching between dashboards or running manual searches, they ask their MCP-connected agent:
“Have any alerts triggered in the last five minutes?”
“Do I have enough memory to add a new Graylog node?”
Within seconds, the agent queries Graylog, applies the right context, and delivers precise answers that accelerate the investigation. What once took hours now takes minutes.
This example shows how Graylog helps security teams move from detection to action faster, using context-rich data, automation, and intuitive workflows. Analysts spend less time searching and more time stopping real threats.
Key capabilities that enable this flow:
- Dashboard and widget enhancements that allow analysts to drill into data and take immediate action.
- Filtered AWS Security Data Lake inputs that reduce noise, lower costs, and ensure investigations use only relevant data.
- Context-aware incident response that combines guided steps, AI summaries, and automation to streamline triage and remediation.
- Performance and usability improvements across core features that make searches, dashboards, and investigations faster and more reliable.
Graylog helps analysts connect people, data, and automation in one investigation workspace. Every search, alert, and response happens in context, empowering teams to close investigations quickly, reduce alert fatigue, and strengthen security outcomes.
With Graylog, faster insights mean faster decisions, and faster protection.
FAQs About MCP
Q: Do I need to use a specific AI model with MCP?
A: No. MCP supports both local and cloud-based large language models. You choose what fits your environment.
Q: Does MCP replace Graylog dashboards?
A: Not at all. MCP complements dashboards, searches, and workflows by offering a conversational access layer.
Q: How is security enforced?
A: Graylog applies your Graylog Users and Roles to MCP guardrails, so your AI tool only accesses defined data sets, preventing oversharing or data leaks.
Q: When will MCP be available?
A: MCP will debut with Graylog 7.0. We’ll share more details soon—watch the Graylog Blog for updates.
How Graylog Customers Benefit with MCP
- Lean SOCs act bigger: Conversational access and automation help small teams deliver at scale.
- Data remains controlled: Combine MCP with No-Compromise Data Retention to query cold storage without breaking budgets.
- Context-driven triage: MCP works alongside the Threat Prioritization Engine for faster, evidence-based decisions.
Final Thoughts
MCP gives analysts a more natural and efficient way to work with Graylog data. By connecting conversational AI to live deployments under strict guardrails, teams can move faster, reduce manual overhead, and stay focused on the real work of threat detection and response.
Download the MCP Guide to learn how plain-English queries can deliver faster, more accurate answers.
