syslog-server-mcp 0.2.0

MCP server providing read-only investigation tools for SysLog-Server

syslog-server-mcp

MCP server providing read-only investigation tools for SysLog-Server. Designed for operators using Claude Code, Cursor, or any MCP-aware agent to investigate syslog data conversationally.

The 6 Phase 0 thin/system tools are always available. When connected to a SysLog-Server v0.2.0+ hub that exposes the Phase 1 REST endpoints, the capability probe advertises 3 additional investigator tools: investigate_event, investigate_source, and investigate_alert. Older hubs automatically keep the 6-tool Phase 0 surface.

Install

cargo install syslog-server-mcp

Or download a pre-built binary from the Releases page.

Usage

Stdio mode (default — operator's dev box)

Create a syslog-server API key with reader (or admin) role. Add to your MCP client config:

{
  "mcpServers": {
    "syslog-hub": {
      "type": "stdio",
      "command": "syslog-server-mcp",
      "args": ["serve"],
      "env": {
        "SYSLOG_BASE_URL": "https://syslog.prod:9514",
        "SYSLOG_API_KEY": "sk_live_..."
      },
      "windowsHide": true
    }
  }
}

For multiple syslog-servers (hub + edge + airgapped), add one entry per server.

HTTP-server mode (opt-in — service deployment)

Build with the http feature:

cargo install syslog-server-mcp --features http

Generate operator keys (≥32 random bytes):

openssl rand -base64 32

Hash each:

echo -n '<the-key>' | sha256sum

Write /etc/syslog-mcp/config.toml (chmod 600):

[mcp]
allowed_hosts = ["mcp.prod.example.com"]
backend_api_key = "sk_live_backend_..."
max_concurrent_calls_per_session = 8
max_concurrent_calls_total = 64

[mcp.probe]
capability_interval_secs = 300
phase_override = "auto" # auto | phase0 | phase1

[mcp.operator_keys]
"daryl-laptop"    = "<sha256-hex>"
"ops-cursor"      = "<sha256-hex>"

Run:

syslog-server-mcp serve --http 127.0.0.1:8765 --base-url https://syslog.prod:9514 --config /etc/syslog-mcp/config.toml

Put a TLS-terminating reverse proxy (nginx/Caddy/IIS-ARR) in front. The proxy needs proxy_buffering off and an increased proxy_read_timeout so the SSE stream is neither buffered nor cut off.
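The key-provisioning steps above (random key, SHA-256 of the key text, one line per key under [mcp.operator_keys]) as an added example, not code from the syslog-server-mcp crate; `lookup_operator` is a hypothetical verifier-side check, an assumption about how the HTTP server matches a presented key against that table:

```python
"""Provision and check syslog-server-mcp operator keys (added example)."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

MIN_KEY_BYTES = 32  # README: operator keys are at least 32 random bytes


def new_operator_key() -> str:
    """Same output shape as `openssl rand -base64 32`."""
    return base64.b64encode(secrets.token_bytes(MIN_KEY_BYTES)).decode()


def key_hash(raw_key: str) -> str:
    """Same as `echo -n '<the-key>' | sha256sum`: hex digest of the key text
    with no trailing newline (a stray newline changes the hash)."""
    return hashlib.sha256(raw_key.encode()).hexdigest()


def key_is_strong_enough(raw_key: str) -> bool:
    """Accept only keys carrying >= 32 decoded bytes of random material."""
    try:
        return len(base64.b64decode(raw_key, validate=True)) >= MIN_KEY_BYTES
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def operator_keys_toml(entries: Dict[str, str]) -> str:
    """Render the [mcp.operator_keys] table for config.toml.
    entries maps key name -> raw key; only the SHA-256 hex is written."""
    lines = ["[mcp.operator_keys]"]
    for name, raw in entries.items():
        lines.append(f'"{name}" = "{key_hash(raw)}"')
    return "\n".join(lines) + "\n"


def lookup_operator(stored: Dict[str, str], presented_key: str) -> Optional[str]:
    """Hypothetical verifier-side check (assumption, not the crate's code):
    hash the presented bearer key and compare it with every stored hash using
    a constant-time comparison, so timing reveals neither a hit nor its position."""
    digest = key_hash(presented_key)
    match: Optional[str] = None
    for name, stored_hash in stored.items():
        if hmac.compare_digest(digest, stored_hash.lower()):
            match = name
    return match
```

Hand the raw key to the operator's MCP client and write only the rendered hash lines into config.toml.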

Tools

The server probes for Phase 1 REST endpoints at startup and every 5 minutes by default. A Phase 1 hub exposes all 9 tools; a Phase 0 hub exposes only the first 6. See ai_docs/api-compatibility.md.

| Tool | What it does | Required syslog-server role |
|------|--------------|-----------------------------|
| query_events | Query events with vendor / severity / source / time filters | reader |
| list_alert_rules | List pattern + correlation rules merged with kind discriminator | reader |
| list_saved_searches | List operator-saved searches | reader |
| get_audit_log | Query audit log with time / event / level / text filters | reader |
| health_summary | Structured "is the server OK?" with ingest rate, lag, tenant scope | reader |
| list_spool_segments | Spool inspection (segments, checkpoints, lag) | admin |
| investigate_event (Phase 1) | Investigate a single event: anchor event, same-source context, related alerts | reader |
| investigate_source (Phase 1) | Investigate a source IP: aggregate activity, alert history, recent events | reader |
| investigate_alert (Phase 1) | Investigate an alert: alert details, same-source triggering events, preceding alerts | reader |

Environment variables

| Var | Default | Purpose |
|-----|---------|---------|
| SYSLOG_BASE_URL | http://127.0.0.1:9514 | REST base URL |
| SYSLOG_API_KEY | — (required) | Bearer for syslog-server REST |
| SYSLOG_INSECURE_SKIP_VERIFY | off | Dev only |
| MCP_CLIENT_NAME | derived | Sent as MCP-Client header |
| MCP_CAPABILITY_PROBE_INTERVAL_SECS | 300 | Phase capability re-probe interval |
| RUST_LOG | info | Tracing filter |

Useful probe flags:

syslog-server-mcp serve --capability-probe-interval-secs 60

syslog-server-mcp serve --phase-override phase0

syslog-server-mcp serve --phase-override phase1

License

MIT OR Apache-2.0.