OS and Log Analysis MCP

An MCP (Model Context Protocol) server that provides comprehensive system monitoring, log analysis, and diagnostics for Windows, Linux, and cross-platform environments.

What This Skill Does

This MCP server enables Claude to:

Installation and Setup

1. Install Dependencies

```bash

Install the package in development mode

pip install -e .

Install with development dependencies

pip install -e ".[dev]"

On Windows, ensure pywin32 is properly installed for Event Log access

pip install pywin32>=300

python -c "import win32api" # Test Windows API access

```

2. Add to Claude Code

```bash

Add the MCP server to Claude Code

claude mcp add mcp-log-analyzer python main.py

Verify it's registered

claude mcp list

Test the server is working

python check_server.py

```

**Important**: When running `python main.py`, you won't see console output. MCP servers communicate via stdin/stdout with MCP clients and run silently.

Architecture Overview

Tool Categories

**Core Log Management Tools** (`tools/log_management_tools.py`):

**Windows System Tools** (`tools/windows_test_tools.py`):

**Linux System Tools** (`tools/linux_test_tools.py`):

**Process Monitoring Tools** (`tools/process_test_tools.py`):

**Network Diagnostic Tools** (`tools/network_test_tools.py`):

Resources

Resources provide direct access to system data via URI patterns:

**Log Management**:

**Windows Resources**:

**Linux Resources**:

**Process Resources**:

**Network Resources**:

Resource Parameters

Resources support flexible time-based parameters:

Usage Instructions for AI Agent

Step 1: Initial System Assessment

When a user asks about system health or logs, start by determining the platform:

1. Check what tools are available using `test_system_resources_access` or platform-specific test tools

2. For Windows: Use `test_windows_event_log_access` to verify Event Log access

3. For Linux: Use `test_linux_log_access` to verify log file and systemd access

4. Get a baseline system health summary using `get_system_health_summary` or `get_windows_system_health`/`get_linux_system_overview`

Step 2: Log Analysis Workflow

**Analyzing Windows Event Logs**:

1. Use `get_windows_event_log_info` to understand what Event Logs are available

2. Use `query_windows_events_by_criteria` with appropriate filters (severity, event_id, time_range)

3. Focus on Critical and Error events first

4. Reference common Event IDs (e.g., 41 = unexpected shutdown, 1074 = planned restart)

**Analyzing Linux Logs**:

1. Use `query_systemd_journal` with unit names or priority levels

2. For service issues, use `analyze_linux_services` to check service status

3. Check traditional log files in `/var/log/` by registering them as log sources

4. Use time-based filtering to narrow down issues

**Analyzing Custom Logs**:

1. Register log sources using `register_log_source` (supports JSON, XML, CSV, text)

2. Use `query_logs` with filters and time ranges

3. Use `analyze_logs` for pattern detection and anomaly identification

Step 3: Performance Analysis

**System Performance**:

1. Use `analyze_system_performance` for current CPU, memory, disk, network stats

2. Use `find_resource_intensive_processes` to identify bottlenecks

3. Use `monitor_process_health` to track specific processes over time

4. Check `processes/list` resource for real-time process list

**Network Diagnostics**:

1. Use `test_network_connectivity` to verify connectivity to hosts

2. Use `test_port_connectivity` to check specific services

3. Use `analyze_network_connections` to review active connections

4. Use `diagnose_network_issues` for comprehensive network troubleshooting

5. Reference `network/listening-ports` to see what's listening

Step 4: Pattern Recognition and Troubleshooting

When analyzing logs and system data:

1. **Look for patterns**: Repeated errors, timing correlations, resource spikes

2. **Cross-reference**: Correlate Event Logs with process activity and network connections

3. **Time-based analysis**: Use time range parameters to focus on incident windows

4. **Severity filtering**: Start with Critical/Error, then Warning, then Informational

5. **Service health**: Check if services are running and if restarts correlate with errors

Step 5: Reporting Findings

When presenting findings to users:

1. Summarize the issue clearly

2. Provide relevant Event IDs or log entries with timestamps

3. Identify root causes or contributing factors

4. Suggest remediation steps based on findings

5. Include supporting data from multiple tools/resources

Example Scenarios

**Scenario 1: Windows System Crash Investigation**

```

1. test_windows_event_log_access → verify access

2. get_windows_event_log_info → understand available logs

3. query_windows_events_by_criteria → filter for Critical events in last 24h

4. Look for Event ID 41, 1001 (BugCheck), or unexpected shutdown events

5. analyze_system_performance → check current system health

6. Report findings with timestamps and Event IDs

```

**Scenario 2: Linux Service Not Starting**

```

1. test_linux_log_access → verify systemd access

2. analyze_linux_services → check service status

3. query_systemd_journal → get logs for the specific service unit

4. Look for error messages, dependency failures, or permission issues

5. get_linux_system_overview → check overall system state

6. Report findings with service name, error messages, and suggested fixes

```

**Scenario 3: Network Connectivity Issues**

```

1. test_network_tools_availability → verify diagnostic tools

2. test_network_connectivity → test connectivity to affected hosts

3. analyze_network_connections → review active connections

4. diagnose_network_issues → comprehensive diagnostics

5. Check firewall rules and routing table

6. Report findings with connection states, latency, and recommendations

```

Development Commands

Running and Testing

```bash

Start the MCP server (runs silently)

python main.py

Test the server is working

python check_server.py

Run tests with proper PYTHONPATH

PYTHONPATH=src python3 -m pytest tests/ -v

Run tests with coverage

PYTHONPATH=src python3 -m pytest --cov=mcp_log_analyzer tests/

Test server import

PYTHONPATH=src python3 -c "from mcp_log_analyzer.mcp_server.server import mcp; print('Server import successful')"

```

Code Quality

```bash

Format code

black .

isort .

Type checking

mypy src

Linting

flake8

Run all quality checks

black . && isort . && mypy src && flake8

```

Adding New Features

Adding New Tools

1. Choose appropriate category folder under `tools/`

2. Create Pydantic models for requests in the tool file

3. Add async function decorated with `@mcp.tool()`

4. Update the category's `register_*_tools()` function

5. Add comprehensive docstring and error handling

Adding New Resources

1. Choose appropriate category folder under `resources/`

2. Add async function decorated with `@mcp.resource()`

3. Implement parameterization if needed

4. Update the category's `register_*_resources()` function

Adding New Prompts

1. Choose appropriate category folder under `prompts/`

2. Add async function decorated with `@mcp.prompt()`

3. Follow the established format with emojis and markdown

4. Update the category's `register_*_prompts()` function

Platform Support

**Windows Features**:

**Linux Features**:

**Cross-Platform Features**:

Important Constraints

1. **No Console Output**: MCP servers communicate via stdio. Running `python main.py` produces no visible output.

2. **Platform-Specific Tools**: Some tools only work on their target platform (Windows Event Logs on Windows, systemd on Linux).

3. **Permission Requirements**: Windows Event Logs may require administrator privileges. Linux systemd journals may require appropriate user permissions.

4. **Network Tests**: Network diagnostic tools require internet connectivity and may be affected by firewalls.

5. **Real-Time Data**: Process and network resources reflect current system state and change frequently.

Dependencies

**Core Requirements**:

**Platform-Specific**:

**Development**: