MCP Server

The Tenzir MCP Server enables AI assistants to interact with Tenzir through the Model Context Protocol (MCP).

Quick Start

Check our installation guide to get up and running with the MCP Server.

What It Does

The MCP server provides a comprehensive toolkit for working with Tenzir and OCSF through AI assistants. Built on FastMCP with a modular architecture, it offers:

• Code Generation: Automatically generate TQL parsers and complete OCSF mapping packages from sample log events.
• Package Management: Create, modify, and test Tenzir packages with user-defined operators, contexts, and tests.
• Documentation Discovery: Search and read embedded Tenzir documentation with cross-reference navigation.
• Pipeline Execution: Run TQL pipelines and tests directly from your AI conversation.
• OCSF Schema Access: Query OCSF schemas for classes, objects, and definitions.

Once you install and register the server with your MCP-aware client (for example Claude Code, Codex, Cursor, or a custom harness), these tools become available automatically.

Tool Catalogue

The MCP server provides tools organized into categories for execution, documentation, OCSF schemas, package management, and code generation. Each tool’s parameters are documented in the tool implementation and visible in your MCP client. This page focuses on when to use each tool and provides usage examples.

run_pipeline Execution

When to use:

• Testing TQL code before adding it to a package
• Debugging pipeline behavior with sample data
• Verifying operator syntax and semantics
• Iterating quickly on pipeline development

Pipelines run with diagnostics enabled, providing detailed error messages and warnings.

run_test Execution

When to use:

• Verifying package operators work correctly
• Running regression tests after making changes
• Generating test baselines (with update=True)
• Debugging failing tests (with passthrough=True)

Tests use the tenzir-test framework and can include fixtures like embedded Tenzir nodes for integration testing.

docs_read Documentation

When to use:

• Read operator documentation BEFORE using any operator in TQL
• Read function documentation BEFORE using any function
• Study tutorials and guides for learning workflows
• List all available operators or functions

docs_search Documentation

When to use:

• Find operators or functions by keyword (e.g., “json”, “parse”, “filter”)
• Discover related documentation through See Also links (depth > 0)
• Explore specific documentation areas (search_type filter)
• Learn about unfamiliar concepts or workflows

The depth parameter traverses cross-references, helping you discover operators and functions you might not have known about.

Example:

# Find operators by keyword
docs_search(query="json", search_type="operators")

# Discover related docs
docs_search(query="from", depth=1)

ocsf_get_versions OCSF

When to use:

• See which OCSF schema versions are available
• Choose a specific version for your mapping work

Typically you’ll want ocsf_get_latest_version to get the most recent stable version automatically.

ocsf_get_latest_version OCSF

When to use:

• Get the current recommended OCSF version for new mappings
• Ensure you’re using up-to-date schema definitions
• Start OCSF mapping workflows with the latest standard

Filters out development versions (alpha, beta, rc) and returns only stable releases.

ocsf_get_classes OCSF

When to use:

• Browse available OCSF event classes before creating a mapping
• Identify which class best matches your log data
• Understand the purpose and scope of each event class

Once you identify a candidate class, use ocsf_get_class to see its complete schema.

Example:

ocsf_get_classes(version="1.3.0")

ocsf_get_class OCSF

When to use:

• Understand the full schema of an OCSF event class before mapping
• See required vs optional fields
• Discover nested object structures and their field definitions
• Validate that your source data can map to the class

Returns the complete class definition including all attributes, types, and constraints.

Example:

ocsf_get_class(version="1.3.0", name="Network Activity")

ocsf_get_object OCSF

When to use:

• Understand complex nested object structures in OCSF classes
• See the fields and types within objects like ‘file’, ‘process’, ‘user’
• Map source data to nested OCSF structures correctly

Objects are reusable components within OCSF event classes, defining standard structures.

Example:

ocsf_get_object(version="1.3.0", name="process")

package_create Packaging

When to use:

• Start a new Tenzir package project
• Set up the standard directory structure for operators, tests, and documentation
• Initialize package metadata (ID, name, author, description)

Creates the foundation for building custom TQL operators, parsers, and OCSF mappings.

package_add_operator Packaging

When to use:

• Add custom TQL operators to your package
• Organize operators using nested namespaces (e.g., ocsf::logs::firewall)
• Create parsers, transformations, or OCSF mappings as reusable operators
• Automatically generate test scaffolds for new operators

Operators become available as package_id::operator_name in TQL pipelines after installation.

package_add_test Packaging

When to use:

• Create test cases for your operators
• Define expected behavior with input/output pairs
• Set up integration tests with fixtures (e.g., embedded Tenzir nodes)
• Generate test scaffolds to be populated later with run_test

Tests use the tenzir-test framework. Provide input/output when known, or omit and use run_test with update=True to generate baselines.

package_add_changelog Packaging

When to use:

• Document changes to your package
• Track breaking changes, new features, bug fixes, and general changes
• Maintain a history of package evolution
• Communicate updates to package users

make_parser Coding

When to use:

• You have sample log events and need to parse them into structured data
• You’re starting a new parser for JSON, CSV, syslog, or key-value logs
• You want guidance on format detection and TQL operator selection
• You need to infer types and create proper schema transformations

This tool provides a complete workflow with step-by-step instructions for analyzing log format, selecting TQL operators, generating parsing code, creating a package, and testing.

make_ocsf_mapping Coding

When to use:

• You need to map security logs to the OCSF standard
• You’re normalizing data from multiple sources into a common schema
• You want to make your data compatible with OCSF-aware tools
• You need guidance on OCSF class selection and field mapping

This tool provides a complete workflow with step-by-step instructions for analyzing your data, identifying the appropriate OCSF class, creating field mappings, generating TQL operators, and testing the transformation.