# How to integrate Kibana MCP with OpenClaw

```json
{
  "title": "How to integrate Kibana MCP with OpenClaw",
  "toolkit": "Kibana",
  "toolkit_slug": "kibana",
  "framework": "OpenClaw",
  "framework_slug": "openclaw",
  "url": "https://composio.dev/toolkits/kibana/framework/openclaw",
  "markdown_url": "https://composio.dev/toolkits/kibana/framework/openclaw.md",
  "updated_at": "2026-05-12T10:16:46.543Z"
}
```

## Introduction

OpenClaw is the fastest growing agent harness out there, which can work 24/7 to automate almost any kind of tasks. However, its capabilities are limited to the tools it has access to. Composio allows your OpenClaw to access Kibana with authentication management handled for you. You can execute actions on Kibana via your favorite OpenClaw interface (Telegram, WhatsApp, TUI, etc), whichever you prefer.

## Also integrate Kibana with

- [OpenAI Agents SDK](https://composio.dev/toolkits/kibana/framework/open-ai-agents-sdk)
- [Claude Agent SDK](https://composio.dev/toolkits/kibana/framework/claude-agents-sdk)
- [Claude Code](https://composio.dev/toolkits/kibana/framework/claude-code)
- [Claude Cowork](https://composio.dev/toolkits/kibana/framework/claude-cowork)
- [Codex](https://composio.dev/toolkits/kibana/framework/codex)
- [Hermes](https://composio.dev/toolkits/kibana/framework/hermes-agent)
- [CLI](https://composio.dev/toolkits/kibana/framework/cli)
- [Google ADK](https://composio.dev/toolkits/kibana/framework/google-adk)
- [LangChain](https://composio.dev/toolkits/kibana/framework/langchain)
- [Vercel AI SDK](https://composio.dev/toolkits/kibana/framework/ai-sdk)
- [Mastra AI](https://composio.dev/toolkits/kibana/framework/mastra-ai)
- [LlamaIndex](https://composio.dev/toolkits/kibana/framework/llama-index)
- [CrewAI](https://composio.dev/toolkits/kibana/framework/crew-ai)

## TL;DR

### Why use Composio?
Apart from a managed and hosted MCP server, you will get:
- Programmatic tool calling allows LLMs to write its code in a remote workbench to handle complex tool chaining. Reduces to-and-fro with LLMs for frequent tool calling.
- Handling Large tool responses out of LLM context to minimize context rot.
- Dynamic just-in-time access to 20,000 tools across 1000+ other Apps for cross-app workflows. It loads the tools you need, so LLMs aren't overwhelmed by tools you don't need.

## Connect Kibana to OpenClaw

### How to install Kibana with OpenClaw
### Using Composio API Key and Setup Prompt
- Go to [dashboard.composio.dev](https://dashboard.composio.dev/login?next=/~/org/connect/clients/openclaw&utm_source=toolkits&utm_medium=framework_template&utm_campaign=openclaw&utm_content=setup_prompt)
- Copy the setup prompt
- Run it in your OpenClaw chat interface.
- Authenticate Kibana from the [dashboard](https://dashboard.composio.dev/login?next=/~/org/connect/clients/openclaw&utm_source=toolkits&utm_medium=framework_template&utm_campaign=openclaw&utm_content=authenticate)
- Go back to your OpenClaw interface and start asking questions.
### Using OpenClaw/Composio Plugin
1. Install OpenClaw Composio plugin

```bash
openclaw plugins install @composio/openclaw-plugin
```

## What is the Kibana MCP server, and what's possible with it?

The Kibana MCP server is an implementation of the Model Context Protocol that connects your AI agent and assistants like Claude, Cursor, etc directly to your Kibana account. It provides structured and secure access so your agent can perform Kibana operations on your behalf.

## Supported Tools

| Tool slug | Name | Description |
|---|---|---|
| `KIBANA_DELETE_ALERTING_RULES` | Delete Alerting Rule | Tool to delete an alerting rule in Kibana. Use when you need to remove a specific alerting rule by its ID. |
| `KIBANA_DELETE_CONNECTORS` | Delete Connector | Tool to delete a connector in Kibana. Use when you need to remove an existing connector. |
| `KIBANA_DELETE_FLEET_OUTPUT` | Delete Fleet Output | Tool to delete a specific output configuration in Kibana Fleet. Use when you need to remove an existing output by its ID. |
| `KIBANA_DELETE_FLEET_PROXY` | Delete Fleet Proxy | Deletes a Fleet proxy configuration by its unique identifier. Fleet proxies enable agents to communicate through proxy servers. Use this action to remove proxy configurations that are no longer needed. The proxy must not be in use by any agent policies or outputs before deletion. Requires 'fleet-settings-all' privileges in Kibana. |
| `KIBANA_DELETE_LIST` | Delete List | Deletes a list. Use when you want to delete a list by its ID. |
| `KIBANA_DELETE_OSQUERY_SAVED_QUERIES` | Delete Osquery Saved Query | Delete a saved Osquery query by its saved object ID. Use this to remove a specific Osquery saved query from Kibana. IMPORTANT: This action requires the 'saved_object_id' (UUID format), not the custom 'id' field. You can obtain the saved_object_id by listing queries first or from the response when creating a query. |
| `KIBANA_DELETE_SAVED_OBJECTS` | Delete Saved Object | Tool to delete a saved object in Kibana. Use when you need to remove a specific saved object like a visualization or dashboard. |
| `KIBANA_FIND_ALERTS` | Find Kibana Alerts | Tool to find and/or aggregate detection alerts in Kibana. Use this to retrieve a list of alerts, optionally filtering them with a query and performing aggregations. |
| `KIBANA_GET_ACTION_TYPES` | Get Action Types | Retrieves all available connector types (actions) in Kibana. Connector types (also called action types) are integrations like Slack, Email, Webhook, ServiceNow, etc. that can be used with alerting rules, cases, and workflows. Use this to discover which connector types are available and their requirements (license, features) before creating a new connector instance. Returns detailed information about each connector type including: - ID (e.g., '.slack', '.email', '.webhook') - Display name and enabled status - License requirements (basic, gold, platinum, enterprise) - Supported features (alerting, cases, workflows, etc.) - Configuration and deprecation status |
| `KIBANA_GET_ALERTING_RULES` | Get Alerting Rules | Tool to retrieve a list of alerting rules in Kibana. Use when you need to get a paginated set of rules based on specified conditions. |
| `KIBANA_GET_ALERT_TYPES` | Get Rule Types | Retrieves available rule types (alert types) in Kibana. Returns comprehensive metadata about each rule type including: - Available action groups and variables for action templates - License requirements and authorization details - Category (management, observability, securitySolution) - Configuration options like auto-recovery and timeout settings Use this to discover what types of alerting rules can be created in your Kibana instance, such as Elasticsearch query alerts, index threshold alerts, machine learning anomaly detection, and security detection rules. |
| `KIBANA_GET_CASES` | Get Cases | Tool to retrieve a list of cases in Kibana. Use when you need to find or list existing security or operational cases, potentially filtering by various attributes like status, assignee, or severity. |
| `KIBANA_GET_CONNECTORS` | Get All Connectors | Tool to retrieve a list of all connectors in Kibana. Use this tool when you need to get information about available connectors. |
| `KIBANA_GET_DATA_VIEWS` | Get Data Views | Retrieves all data views (formerly known as index patterns) available in Kibana. Data views define which Elasticsearch indices you want to explore and are used throughout Kibana for features like Discover, Visualize, and Dashboard. This action returns a list of all configured data views with their IDs, names, and index patterns. Use this to discover available data sources before querying specific data views for detailed field information. |
| `KIBANA_GET_DETECTION_ENGINE_RULES_FIND` | Find Detection Engine Rules | Retrieves a paginated list of Kibana detection engine rules with flexible filtering and sorting options. Use this action to: - List all detection rules in your Kibana security solution - Search for specific rules using KQL filters (by name, tags, severity, enabled status, etc.) - Sort rules by various criteria (name, risk score, creation date, etc.) - Paginate through large rule sets - Select specific fields to return for efficient data retrieval The detection engine rules are used for identifying security threats and generating alerts. |
| `KIBANA_GET_ENDPOINT_LIST_ITEMS` | Get Endpoint List Items | Retrieves Elastic Endpoint exception list items with filtering, pagination, and sorting capabilities. Use this action to: - List all endpoint exceptions in the security solution - Filter exceptions by specific field values (e.g., host.name:test-host) - Sort and paginate through exception items - Verify existing exceptions before creating new ones The endpoint exception list contains security exceptions applied to Elastic Endpoint agents. |
| `KIBANA_GET_ENTITY_STORE_ENGINES` | Get Entity Store Engines | Retrieves all entity store engines configured in Kibana. Entity store engines aggregate and manage entity data for different entity types (user, host, service). This action returns detailed configuration and status information for all engines, including their current status (installing, started, stopped, error), index patterns, processing parameters, and any error details if applicable. Use this to monitor entity store engines, check their operational status, and review their configuration settings. |
| `KIBANA_GET_ENTITY_STORE_ENTITIES_LIST` | List Entity Store Entities | Tool to list entity records in the entity store with support for paging, sorting, and filtering. Use when you need to retrieve a list of entities such as users, hosts, or services. |
| `KIBANA_GET_ENTITY_STORE_STATUS` | Get Entity Store Status | Retrieves the current status of the Kibana Entity Store and its configured engines. The Entity Store is a security feature that collects and organizes entity data (users, hosts, etc.) from various sources. This action returns the overall status ('not_installed', 'installing', 'running', 'stopped', or 'error') and details about configured entity engines. Use this to check if the entity store is operational and to view which entity engines are configured. |
| `KIBANA_GET_FLEET_AGENT_POLICIES` | Get Fleet Agent Policies | Retrieves a paginated list of Fleet agent policies with filtering, sorting, and optional detailed information. Use this action to: - List all agent policies in your Fleet deployment - Filter policies using KQL queries (e.g., by name, namespace, or other fields) - Get agent enrollment counts per policy (use withAgentCount=true) - Retrieve full policy details including package policies (use full=true) - Find policies with available upgrades (use showUpgradeable=true) Agent policies define the configuration for groups of Elastic Agents, including which integrations (package policies) are enabled and how agents should collect and send data. |
| `KIBANA_GET_FLEET_AGENTS_AVAILABLE_VERSIONS` | Get Fleet Agents Available Versions | Tool to retrieve the available versions for Fleet agents. Use when you need to get a list of all available Elastic Agent versions. |
| `KIBANA_GET_FLEET_AGENTS_SETUP_STATUS` | Get Fleet Agents Setup Status | Check Fleet setup readiness and identify missing requirements. Returns whether Fleet is ready (isReady), lists any missing prerequisites (missing_requirements), and shows optional feature availability. Use this to verify Fleet is properly configured before managing agents or policies. |
| `KIBANA_GET_FLEET_CHECK_PERMISSIONS` | Check Fleet Permissions | Tool to check the permissions for the Fleet API. Use when you need to verify if the current user has the necessary privileges for Fleet operations. |
| `KIBANA_GET_FLEET_ENROLLMENT_API_KEY` | Get Fleet Enrollment API Key | Tool to retrieve details of a specific enrollment API key by its ID. Use when you have the ID of an enrollment API key and need its details. |
| `KIBANA_GET_FLEET_ENROLLMENT_API_KEYS` | Get Fleet Enrollment API Keys | Tool to fetch a list of enrollment API keys. Use when you need to retrieve existing enrollment tokens for Kibana Fleet. |
| `KIBANA_GET_FLEET_EPM_CATEGORIES` | Get Fleet EPM Categories | Get all available package categories in the Elastic Package Manager (EPM) with package counts. Returns categories like Security, Observability, Cloud, etc., along with the number of packages in each category. Use this to discover available integration categories before browsing or filtering packages. |
| `KIBANA_GET_FLEET_EPM_DATA_STREAMS` | Get Fleet EPM Data Streams | Tool to retrieve the list of data streams in the Elastic Package Manager. Use when you need to get a list of available data streams, optionally filtering by type, dataset, or categorization. |
| `KIBANA_GET_FLEET_EPM_PACKAGE_DETAILS` | Get Fleet EPM Package Details | Retrieves comprehensive details for a specific Fleet integration package version from the Elastic Package Manager (EPM). Returns detailed information including: - Package metadata (name, title, description, version, type) - Installation status and requirements - Data streams and their configurations - Assets (dashboards, visualizations, pipelines) - License and compatibility requirements - Icons and documentation paths Use this action when you need detailed information about a specific package version, such as: - Checking package compatibility requirements - Viewing data streams provided by a package - Accessing package assets and configuration - Verifying installation status and details |
| `KIBANA_GET_FLEET_EPM_PACKAGE_FILE` | Get Fleet EPM Package File | Retrieves a specific file from an Elastic Package Manager (EPM) package. Use this to access package metadata, documentation, changelogs, or configuration files. Common use cases: inspecting manifest.yml for package details, reading README.md for documentation, or reviewing changelog.yml for version history. Requires a valid package name, version, and file path. |
| `KIBANA_GET_FLEET_EPM_PACKAGES` | Get Fleet EPM Packages | Tool to fetch the list of available packages in the Elastic Package Manager. Use when you need to find available integrations or their details. |
| `KIBANA_GET_FLEET_EPM_PACKAGES_INSTALLED` | Get Installed EPM Packages | Tool to retrieve the list of installed packages in the Elastic Package Manager. Use this when you need to check which packages are currently installed in Fleet. |
| `KIBANA_GET_FLEET_EPM_PACKAGES_LIMITED` | Get Fleet EPM Packages (Limited) | Retrieves a limited list of package names from the Elastic Package Manager (EPM) registry. Returns only package names (strings) without additional metadata, making it faster than the full packages endpoint. Useful for quickly getting a list of available integration packages (maximum 10,000 items). Use this when you only need package names; use the full packages endpoint if you need detailed package information. |
| `KIBANA_GET_FLEET_EPM_PACKAGE_STATS` | Get EPM Package Statistics | Retrieves usage statistics for a specific Fleet package in Kibana, including the number of package policies and agent policies using the package. Use this to understand package adoption and usage across your Fleet-managed agents. |
| `KIBANA_GET_FLEET_PACKAGE_POLICIES` | Get Fleet Package Policies | Retrieves a list of Fleet package policies (integration policies) in Kibana. Package policies define how integrations are configured and which agent policies they're associated with. Use this to list all package policies, filter them by criteria, or get their IDs and configurations. Supports pagination, sorting, and KQL filtering. |
| `KIBANA_GET_FLEET_SERVER_HOST` | Get Fleet Server Host | Tool to fetch details of a specific Fleet server host by its item ID. Use when you need to get information about a particular Fleet Server host. |
| `KIBANA_GET_FLEET_SERVER_HOSTS` | Get Fleet Server Hosts | Tool to retrieve the list of Fleet Server hosts. Use when you need to get information about the available Fleet Server hosts. |
| `KIBANA_GET_INDEX_MANAGEMENT_INDICES` | Get Index Management Indices | Tool to fetch information about indices managed by Kibana's Index Management feature. It queries the underlying Elasticsearch /_cat/indices API to retrieve index details. Use when you need to list or get details about one or more indices in the cluster. |
| `KIBANA_GET_METRICS` | Get Node Metrics | Tool to retrieve statistics for nodes in an Elasticsearch cluster, often visualized in Kibana. Use when you need to monitor node health, performance, or resource usage. This action calls the Elasticsearch Nodes Stats API. |
| `KIBANA_GET_REPORTING_JOBS` | Get Reporting Jobs | Tool to retrieve a list of reporting jobs in Kibana. Use when you need to see pending or completed reports. This uses an internal API endpoint, which might be subject to change without notice. |
| `KIBANA_GET_SAVED_OBJECTS` | Get Saved Objects | Tool to retrieve a list of saved objects in Kibana based on specified criteria. Use when you need to find dashboards, visualizations, index patterns, or other saved entities. |
| `KIBANA_GET_STATUS` | Get Kibana Status | Tool to get the current status of Kibana. Use when you need to check if Kibana is healthy, monitor its state, or get information about the Kibana instance including version, UUID, and metrics. |
| `KIBANA_POST_ALERTING_RULES` | Create Alerting Rule | Tool to create a new alerting rule in Kibana. Use when you need to define a new condition that, when met, triggers an alert and potentially executes predefined actions. |
| `KIBANA_POST_CASES` | Create Case | Tool to create a new case in Kibana. Use when you need to open and track issues, incidents, or investigations. You can assign users, set severity levels, add tags, and configure external connectors for integration with ITSM systems. |
| `KIBANA_POST_CONNECTORS` | Create Kibana Connector | Tool to create a new connector in Kibana. Use when you need to integrate Kibana with an external service. |
| `KIBANA_POST_DASHBOARDS` | Create Dashboard | Tool to create a new dashboard in Kibana. Use when you need to create a dashboard to visualize data. Dashboards can contain visualizations, saved searches, and other embeddable objects. Note: When using serverless Kibana, you must provide a dashboard_id. The action will automatically fallback to the import API for serverless environments. |
| `KIBANA_POST_DATA_VIEWS` | Create Data View | Tool to create a new data view (index pattern) in Kibana. Use when you need to define which Elasticsearch indices to query and analyze in Kibana. Data views determine which fields are available in Discover, Visualize, and other Kibana apps. |
| `KIBANA_POST_SAVED_OBJECTS` | Create or Update Saved Object | Tool to create or update a saved object in Kibana. Use when you need to programmatically manage Kibana dashboards, visualizations, index patterns, etc. |

## Supported Triggers

None listed.

## Creating MCP Server - Stand-alone vs Composio SDK

The Kibana MCP server provides comprehensive access to Kibana operations through Composio. Once connected, you can perform all major Kibana actions directly from OpenClaw using natural language commands.

## Complete Code

None listed.

## Conclusion

### Conclusion
You've successfully integrated Kibana with OpenClaw using Composio plugin. Now interact with Kibana directly from your terminal, Web UI, or any messenger app using natural language commands.
Key benefits of this setup:
- Seamless integration across TUI, Web UIs, and Messenger apps like Telegram, WhatsApp, Slack, etc.
- Natural language commands for Kibana operations
- Managed authentication through Composio
- Access to 20,000+ tools across 1000+ apps for cross-app workflows
- Programmatic tool calling for complex tool chaining
Next steps:
- Try asking OpenClaw to perform various Kibana operations
- Explore cross-app workflows by connecting more toolkits like Calendar, Slack, Notion, etc.
- Build complex automation scripts that leverage OpenClaw's 24/7 running capabilities

## How to build Kibana MCP Agent with another framework

- [OpenAI Agents SDK](https://composio.dev/toolkits/kibana/framework/open-ai-agents-sdk)
- [Claude Agent SDK](https://composio.dev/toolkits/kibana/framework/claude-agents-sdk)
- [Claude Code](https://composio.dev/toolkits/kibana/framework/claude-code)
- [Claude Cowork](https://composio.dev/toolkits/kibana/framework/claude-cowork)
- [Codex](https://composio.dev/toolkits/kibana/framework/codex)
- [Hermes](https://composio.dev/toolkits/kibana/framework/hermes-agent)
- [CLI](https://composio.dev/toolkits/kibana/framework/cli)
- [Google ADK](https://composio.dev/toolkits/kibana/framework/google-adk)
- [LangChain](https://composio.dev/toolkits/kibana/framework/langchain)
- [Vercel AI SDK](https://composio.dev/toolkits/kibana/framework/ai-sdk)
- [Mastra AI](https://composio.dev/toolkits/kibana/framework/mastra-ai)
- [LlamaIndex](https://composio.dev/toolkits/kibana/framework/llama-index)
- [CrewAI](https://composio.dev/toolkits/kibana/framework/crew-ai)

## Related Toolkits

- [Firecrawl](https://composio.dev/toolkits/firecrawl) - Firecrawl automates large-scale web crawling and data extraction. It helps organizations efficiently gather, index, and analyze content from online sources.
- [Tavily](https://composio.dev/toolkits/tavily) - Tavily offers powerful search and data retrieval from documents, databases, and the web. It helps teams locate and filter information instantly, saving hours on research.
- [Exa](https://composio.dev/toolkits/exa) - Exa is a data extraction and search platform for gathering and analyzing information from websites, APIs, or databases. It helps teams quickly surface insights and automate data-driven workflows.
- [Serpapi](https://composio.dev/toolkits/serpapi) - SerpApi is a real-time API for structured search engine results. It lets you automate SERP data collection, parsing, and analysis for SEO and research.
- [Peopledatalabs](https://composio.dev/toolkits/peopledatalabs) - Peopledatalabs delivers B2B data enrichment and identity resolution APIs. Supercharge your apps with accurate, up-to-date business and contact data.
- [Snowflake](https://composio.dev/toolkits/snowflake) - Snowflake is a cloud data warehouse built for elastic scaling, secure data sharing, and fast SQL analytics across major clouds.
- [Posthog](https://composio.dev/toolkits/posthog) - PostHog is an open-source analytics platform for tracking user interactions and product metrics. It helps teams refine features, analyze funnels, and reduce churn with actionable insights.
- [Amplitude](https://composio.dev/toolkits/amplitude) - Amplitude is a digital analytics platform for product and behavioral data insights. It helps teams analyze user journeys and make data-driven decisions quickly.
- [Bright Data MCP](https://composio.dev/toolkits/brightdata_mcp) - Bright Data MCP is an AI-powered web scraping and data collection platform. Instantly access public web data in real time with advanced scraping tools.
- [Browseai](https://composio.dev/toolkits/browseai) - Browseai is a web automation and data extraction platform that turns any website into an API. It's perfect for monitoring websites and retrieving structured data without manual scraping.
- [ClickHouse](https://composio.dev/toolkits/clickhouse) - ClickHouse is an open-source, column-oriented database for real-time analytics and big data processing using SQL. Its lightning-fast query performance makes it ideal for handling large datasets and delivering instant insights.
- [Coinmarketcal](https://composio.dev/toolkits/coinmarketcal) - CoinMarketCal is a community-powered crypto calendar for upcoming events, announcements, and releases. It helps traders track market-moving developments and stay ahead in the crypto space.
- [Control d](https://composio.dev/toolkits/control_d) - Control d is a customizable DNS filtering and traffic redirection platform. It helps you manage internet access, enforce policies, and monitor usage across devices and networks.
- [Databox](https://composio.dev/toolkits/databox) - Databox is a business analytics platform that connects your data from any tool and device. It helps you track KPIs, build dashboards, and discover actionable insights.
- [Databricks](https://composio.dev/toolkits/databricks) - Databricks is a unified analytics platform for big data and AI on the lakehouse architecture. It empowers data teams to collaborate, analyze, and build scalable solutions efficiently.
- [Datagma](https://composio.dev/toolkits/datagma) - Datagma delivers data intelligence and analytics for business growth and market discovery. Get actionable market insights and track competitors to inform your strategy.
- [Delighted](https://composio.dev/toolkits/delighted) - Delighted is a customer feedback platform based on the Net Promoter System®. It helps you quickly gather, track, and act on customer sentiment.
- [Dovetail](https://composio.dev/toolkits/dovetail) - Dovetail is a research analysis platform for transcript review and insight generation. It helps teams code interviews, analyze feedback, and create actionable research summaries.
- [Dub](https://composio.dev/toolkits/dub) - Dub is a short link management platform with analytics and API access. Use it to easily create, manage, and track branded short links for your business.
- [Elasticsearch](https://composio.dev/toolkits/elasticsearch) - Elasticsearch is a distributed, RESTful search and analytics engine for all types of data. It delivers fast, scalable search and powerful analytics across massive datasets.

## Frequently Asked Questions

### What are the differences in Tool Router MCP and Kibana MCP?

With a standalone Kibana MCP server, the agents and LLMs can only access a fixed set of Kibana tools tied to that server. However, with the Composio Tool Router, agents can dynamically load tools from Kibana and many other apps based on the task at hand, all through a single MCP endpoint.

### Can I use Tool Router MCP with OpenClaw?

Yes, you can. OpenClaw fully supports MCP integration. You get structured tool calling, message history handling, and model orchestration while Tool Router takes care of discovering and serving the right Kibana tools.

### Can I manage the permissions and scopes for Kibana while using Tool Router?

Yes, absolutely. You can configure which Kibana scopes and actions are allowed when connecting your account to Composio. You can also bring your own OAuth credentials or API configuration so you keep full control over what the agent can do.

### How safe is my data with Composio Tool Router?

All sensitive data such as tokens, keys, and configuration is fully encrypted at rest and in transit. Composio is SOC 2 Type 2 compliant and follows strict security practices so your Kibana data and credentials are handled as safely as possible.

---
[See all toolkits](https://composio.dev/toolkits) · [Composio docs](https://docs.composio.dev/llms.txt)