MCP 服务器

WinLog-mcp

Provides programmatic access to ingest and query Windows event logs (especially Sysmon logs), enabling security monitoring, incident response, and log analysis automation.

README

🪟 WinLog-mcp

A Model Context Protocol (MCP) tool for retrieving and analyzing Windows event logs (e.g. Sysmon). WinLog-mcp provides programmatic access to ingest and query Windows event logs, making it ideal for security monitoring, incident response, and log analysis automation.

✨ Features

Ingest Windows Sysmon logs and store them as files in a user-defined directory
Query logs by timestamp, returning recent event entries for analysis or troubleshooting
Seamless interoperability with MCP tools and ecosystem

📄 Log files format

Log files are named with the format <timestamp>_<log_type>.log in the chosen storage path

MCP Server (tool, prompts,...)

🛠️ Available Tools

ingest_syslog: Ingests recent Sysmon logs and writes them to a file
query_syslog: Queries ingested logs by timestamp and returns recent events

📋 Requirements

Operating System: Windows
Python: 3.7 or higher
Dependencies:
- pywin32
- mcp.server.fastmcp (or your MCP server implementation)

💾 Installation

Clone the repository and install dependencies:

pip install -r requirements.txt

🚀 Usage

🖥️ Sysmon Installation

Reference: Sysmon Installation Guideline

cd sysmon
install.bat

▶️ Running Directly

Run the tool as an MCP server:

python main.py --storage-path \\PATH\\TO\\logs\\

🧑‍💻 Development Mode

You can inspect or debug using the MCP Inspector:

# Run in development mode
python \\PATH\\TO\\main.py --storage-path \\PATH\\TO\\logs\\

# Run in inspector mode
npx @modelcontextprotocol/inspector python \\PATH\\TO\\main.py --storage-path \\PATH\\TO\\logs\\

⚙️ Configuration

MCP configuration to run winlog-mcp tool.

{
  "mcpServers": {
    "winlog-mcp": {
      "command": "python",
      "args": [
        "\\PATH\\TO\\main.py",
        "--storage-path",
        "\\PATH\\TO\\logs\\"
      ]
    }
  }
}