beacon endpoint elastic

Use beacon endpoint elastic to generate Elastic integration content for Beacon endpoint events. The generated pack tails Beacon’s local runtime.jsonl file with Filebeat or standalone Elastic Agent and installs Elasticsearch/Kibana assets around the logs-beacon.endpoint-* data stream pattern. Beacon does not store Elastic cluster URLs or credentials. Keep ES_HOSTS, ES_API_KEY, usernames, passwords, and TLS settings in Filebeat, Elastic Agent, or your endpoint-management secret store.
beacon endpoint elastic [command]

Commands

beacon endpoint elastic print-config

Print a Filebeat config for the configured runtime log.

beacon endpoint elastic install-pack

Write Elasticsearch, Kibana, Filebeat, and Elastic Agent content to a directory.

beacon endpoint elastic up

Start a local Elasticsearch, Kibana, and Filebeat validation stack.

beacon endpoint elastic down

Stop the local Elastic validation stack.

Runtime log paths

| Mode | Path |
| --- | --- |
| User mode | ~/.beacon/endpoint/logs/runtime.jsonl |
| System mode | /var/log/beacon-agent/runtime.jsonl |

beacon endpoint elastic print-config

beacon endpoint elastic print-config prints a Filebeat filestream config for the configured Beacon runtime JSONL log.
beacon endpoint elastic print-config
Use this command when you want to copy the Filebeat input into an existing endpoint shipper configuration.

Examples

Print config for the default per-user Beacon install:
beacon endpoint elastic print-config
Print config for a system-mode MDM deployment:
sudo /opt/beacon/bin/beacon endpoint elastic print-config --system
Print config for a custom runtime log:
beacon endpoint elastic print-config --log-path /path/to/runtime.jsonl

Flags

| Flag | Description |
| --- | --- |
| --user | Use per-user endpoint paths. Enabled by default |
| --system | Use system endpoint paths and launch daemon |
| --log-path <path> | Runtime JSONL log path |
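
An added example, not part of Beacon or its documentation: a lint to run over the shipper configuration after the printed input has been copied in, so that credentials stay as ${NAME} references that Filebeat resolves from its environment or keystore instead of literals in the file. The sample config and its input id are constructed, and treating api_key, password, and key_passphrase as reference-only is this example's policy.

```shell
#!/bin/sh
# Added example, not Beacon code. Prints "line:key" for each credential key
# whose value is a literal instead of a bare ${NAME} reference.
lint_shipper_secrets() {
  awk -v q="'" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # skip comments and blanks
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)                   # drop trailing comment
      if (line !~ /^[ \t]*([A-Za-z0-9_.]*\.)?(api_key|password|key_passphrase)[ \t]*:/)
        next
      key = line; sub(/[ \t]*:.*$/, "", key); sub(/^[ \t]*/, "", key)
      val = line; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      gsub("^[\"" q "]|[\"" q "]$", "", val)        # strip surrounding quotes
      if (val == "") next                           # empty or nested mapping
      name = substr(val, 3, length(val) - 3)
      # ${NAME:default} is rejected too: the default would be a literal secret.
      if (substr(val, 1, 2) == "${" && substr(val, length(val)) == "}" &&
          name ~ /^[A-Za-z_][A-Za-z0-9_]*$/)
        next
      printf "%d:%s\n", NR, key
      bad = 1
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample: a filestream input on the system-mode runtime log plus an
# output section with one referenced and one hardcoded credential.
sample=$(mktemp)
cat > "$sample" <<'EOF'
filebeat.inputs:
  - type: filestream
    id: beacon-runtime            # constructed id
    paths:
      - /var/log/beacon-agent/runtime.jsonl
output.elasticsearch:
  hosts: ["${ES_HOSTS}"]
  api_key: "${ES_API_KEY}"
  ssl.key_passphrase: changeme    # literal, reported by the lint
EOF
lint_shipper_secrets "$sample" || echo "literal credentials found" >&2
rm -f "$sample"
```

The function exits non-zero when it reports anything, so it can gate a configuration push in an endpoint-management pipeline.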

beacon endpoint elastic install-pack

beacon endpoint elastic install-pack writes an Elastic content pack to a directory.
beacon endpoint elastic install-pack --output ./beacon-elastic-pack
The pack includes Filebeat and standalone Elastic Agent configuration, Elasticsearch ILM, component templates, an index template, an ingest pipeline, starter Kibana saved objects, a sample event, and a local Docker Compose validation stack.

Examples

Generate a content pack for the default per-user install:
beacon endpoint elastic install-pack --output ./beacon-elastic-pack
Generate a content pack for a system-mode deployment:
sudo /opt/beacon/bin/beacon endpoint elastic install-pack \
  --system \
  --output ./beacon-elastic-pack
Generate a content pack for a custom runtime log:
beacon endpoint elastic install-pack \
  --output ./beacon-elastic-pack \
  --log-path /path/to/runtime.jsonl

Flags

| Flag | Description |
| --- | --- |
| --output <dir> | Output directory for the Elastic content pack. Defaults to beacon-elastic-pack |
| --user | Use per-user endpoint paths. Enabled by default |
| --system | Use system endpoint paths and launch daemon |
| --log-path <path> | Runtime JSONL log path |

beacon endpoint elastic up

beacon endpoint elastic up starts a loopback-only local Elasticsearch, Kibana, and Filebeat stack for validating Beacon event ingestion.
beacon endpoint elastic up --pack-dir ./beacon-elastic-pack
The command creates the pack if it does not exist, ensures the runtime log exists, mounts the runtime log directory into Filebeat, loads Elasticsearch and Kibana assets, and starts the stack with Docker Compose. When the stack is healthy, Beacon events are searchable in the logs-beacon.endpoint-* data stream using the beacon.* fields produced by the ingest pipeline:
curl "http://localhost:9200/logs-beacon.endpoint-*/_search?q=beacon.product:endpoint-agent"
curl "http://localhost:9200/logs-beacon.endpoint-*/_search?q=beacon.prompt.text:%22Beacon%20E2E%22"
curl "http://localhost:9200/logs-beacon.endpoint-*/_search?q=beacon.harness.name:cursor"

Examples

Start the local validation stack with the default pack directory:
beacon endpoint elastic up
Start with a generated pack directory:
beacon endpoint elastic install-pack --output ./beacon-elastic-pack
beacon endpoint elastic up --pack-dir ./beacon-elastic-pack
Use alternate local ports:
BEACON_ELASTIC_ES_PORT=19200 \
BEACON_ELASTIC_KIBANA_PORT=15601 \
beacon endpoint elastic up

Flags

| Flag | Description |
| --- | --- |
| --pack-dir <dir> | Elastic pack directory. Defaults to beacon-elastic-pack |
| --user | Use per-user endpoint paths. Enabled by default |
| --system | Use system endpoint paths and launch daemon |
| --log-path <path> | Runtime JSONL log path |

elastic up is a macOS local validation helper that expects Docker Desktop or Docker Compose. For production, run Filebeat or standalone Elastic Agent through your endpoint-management system instead.

beacon endpoint elastic down

beacon endpoint elastic down stops the local Elastic validation stack for a generated pack directory.
beacon endpoint elastic down --pack-dir ./beacon-elastic-pack

Examples

Stop the local validation stack:
beacon endpoint elastic down
Stop a stack that uses a custom pack directory:
beacon endpoint elastic down --pack-dir ./beacon-elastic-pack

Flags

| Flag | Description |
| --- | --- |
| --pack-dir <dir> | Elastic pack directory. Defaults to beacon-elastic-pack |
| --user | Use per-user endpoint paths. Enabled by default |
| --system | Use system endpoint paths and launch daemon |
| --log-path <path> | Runtime JSONL log path |

Elastic forwarding

Set up local, Elastic Cloud, or self-managed Elastic forwarding.

SIEM forwarding

Review forwarding patterns and validation steps.

Endpoint agent

Install and inspect the local endpoint agent.

Endpoint event schema

Review normalized Beacon JSONL fields and example events.