A Model Context Protocol (MCP) server for analyzing different types of logs on Windows systems, built with the FastMCP framework.
-
Multiple Log Format Support
- Windows Event Logs (EVT/EVTX)
- Windows Event Trace Logs (ETL)
- Structured Logs (JSON, XML)
- CSV Logs
- Unstructured Text Logs
-
MCP Tools
register_log_source
: Register new log sourceslist_log_sources
: View all registered sourcesget_log_source
: Get details about a specific sourcedelete_log_source
: Remove a log sourcequery_logs
: Query logs with filters and paginationanalyze_logs
: Perform analysis (summary, pattern, anomaly)
-
MCP Resources
logs://sources
: View registered log sourceslogs://types
: Learn about supported log typeslogs://analysis-types
: Understand analysis optionssystem://windows-event-logs
: Recent Windows System and Application event logssystem://linux-logs
: Linux systemd journal and application logssystem://process-list
: Current processes with PID, CPU, and memory usagesystem://netstat
: Network connections and statistics for troubleshooting
-
MCP Prompts
- Log analysis quickstart guide
- Troubleshooting guide
- Windows Event Log specific guide
# Clone the repository
git clone https://github.com/your-username/mcp-log-analyzer.git
cd mcp-log-analyzer
# Install the package
pip install -e .
# For ETL file support (optional)
pip install -e ".[etl]"
# For development dependencies
pip install -e ".[dev]"
On Windows, the package includes Windows Event Log support via pywin32
. If you encounter import errors:
# Ensure Windows dependencies are installed
pip install pywin32>=300
# Test the setup
python test_windows_setup.py
# If successful, start the server
python main.py
Note: On first install of pywin32
, you may need to run the post-install script:
python Scripts/pywin32_postinstall.py -install
MCP (Model Context Protocol) servers don't have traditional web endpoints. They communicate via stdin/stdout with MCP clients (like Claude Code). When you run python main.py
, the server starts silently and waits for MCP protocol messages.
# Test that the server is working
python check_server.py
# See usage instructions
python check_server.py --usage
# Run directly
python main.py
# Or use Claude Code's MCP integration
claude mcp add mcp-log-analyzer python main.py
-
Add the server to Claude Code:
claude mcp add mcp-log-analyzer python /path/to/main.py
-
Use the tools in Claude Code:
- Register a log source: Use the
register_log_source
tool - Query logs: Use the
query_logs
tool - Analyze logs: Use the
analyze_logs
tool
- Register a log source: Use the
-
Access resources:
- Reference resources using
@mcp-log-analyzer:logs://sources
- Get help with prompts like
/mcp__mcp-log-analyzer__log_analysis_quickstart
- Reference resources using
These resources provide real-time system information without needing to register log sources:
-
Check System Processes:
- Access via
@mcp-log-analyzer:system://process-list
- Shows top processes by CPU usage with memory information
- Access via
-
Windows Event Logs (Windows only):
- Default:
@mcp-log-analyzer:system://windows-event-logs
(last 10 entries) - By count:
@mcp-log-analyzer:system://windows-event-logs/last/50
(last 50 entries) - By time:
@mcp-log-analyzer:system://windows-event-logs/time/30m
(last 30 minutes) - By range:
@mcp-log-analyzer:system://windows-event-logs/range/2025-01-07 13:00/2025-01-07 14:00
- Shows System and Application event log entries
- Default:
-
Linux System Logs (Linux only):
- Default:
@mcp-log-analyzer:system://linux-logs
(last 50 lines) - By count:
@mcp-log-analyzer:system://linux-logs/last/100
(last 100 lines) - By time:
@mcp-log-analyzer:system://linux-logs/time/1h
(last hour) - By range:
@mcp-log-analyzer:system://linux-logs/range/2025-01-07 13:00/2025-01-07 14:00
- Shows systemd journal, syslog, and common application logs
- Default:
-
Network Monitoring (Cross-platform):
- Default:
@mcp-log-analyzer:system://netstat
(listening ports) - Listening ports:
@mcp-log-analyzer:system://netstat/listening
- Established connections:
@mcp-log-analyzer:system://netstat/established
- All connections:
@mcp-log-analyzer:system://netstat/all
- Network statistics:
@mcp-log-analyzer:system://netstat/stats
- Routing table:
@mcp-log-analyzer:system://netstat/routing
- Port-specific:
@mcp-log-analyzer:system://netstat/port/80
- Uses netstat on Windows, ss (preferred) or netstat on Linux
- Default:
- Relative time:
30m
(30 minutes),2h
(2 hours),1d
(1 day) - Absolute time:
2025-01-07 13:00
,2025-01-07 13:30:15
,07/01/2025 13:00
-
Register a Windows System Log:
Use register_log_source tool with: - name: "system-logs" - source_type: "evt" - path: "System"
-
Query Recent Errors:
Use query_logs tool with: - source_name: "system-logs" - filters: {"level": "Error"} - limit: 10
-
Analyze Patterns:
Use analyze_logs tool with: - source_name: "system-logs" - analysis_type: "pattern"
-
Register an ETL File:
Use register_log_source tool with: - name: "network-trace" - source_type: "etl" - path: "C:\\Traces\\network.etl"
# Run tests
pytest
# Code formatting
black .
isort .
# Type checking
mypy src
# Run all quality checks
black . && isort . && mypy src && flake8
src/mcp_log_analyzer/
: Main packagemcp_server/
: MCP server implementation using FastMCPcore/
: Core functionality and modelsparsers/
: Log parsers for different formats
main.py
: Server entry point.mcp.json
: MCP configurationtests/
: Test files
- Python 3.12+
- Windows OS (for Event Log support)
- See
pyproject.toml
for full dependencies
MIT