Endpoint Event Schema

Beacon endpoint events are JSONL records with a stable schema contract. The schema is designed for local inspection, Wazuh localfile ingestion, and customer-managed forwarding pipelines.

Normalization

Beacon normalizes different runtime signals into the same endpoint contract. The collector exporter looks for common OTLP attributes such as gen_ai.request.model, gen_ai.tool.name, mcp.tool.name, process.command_line, file.path, conversation.id, vcs.repository.url, and git.branch. Hook telemetry builds the same fields directly from hook payloads. When a runtime does not provide an explicit Beacon action, Beacon infers one from the signal. Prompt-like events become prompt.submitted, shell or exec events become command.executed, MCP events become mcp.tool_invoked, file/write/edit events become file.modified, approval events become approval.requested, and other tool activity becomes tool.invoked.

Required fields

| Field | Meaning |
| --- | --- |
| timestamp | UTC event time |
| vendor | Always beacon |
| product | Always endpoint-agent |
| schema_version | Current public schema version, 1.0 |
| event.kind | Event family, currently agent_runtime |
| event.action | Normalized action such as command.executed or tool.invoked |
| severity | info, low, medium, high, or critical |
| endpoint | Host and operating system context |
| harness | Runtime that produced the signal |

Optional context

Optional context fields add detail when available:
  • user: local user metadata
  • session: conversation or runtime session metadata
  • tool: tool name, command, or path metadata
  • file: file path, operation, language, diff hash, or diff byte counts
  • command: shell command, exit code, or duration metadata
  • mcp: MCP-like server and tool metadata
  • approval: approval requirement, decision, or reason
  • policy: policy ID, name, decision, enforcement mode, or reason
  • content: content retention mode and inclusion/redaction state
  • destination: output destination state, such as Wazuh localfile validation
  • health: component health status
  • model, repository, branch, message, raw, and field_truncated: additional runtime context and truncation metadata

Example command event

{
  "timestamp": "2026-05-11T22:21:00Z",
  "vendor": "beacon",
  "product": "endpoint-agent",
  "schema_version": "1.0",
  "event": {
    "kind": "agent_runtime",
    "action": "command.executed",
    "category": "command"
  },
  "severity": "info",
  "endpoint": {
    "hostname": "example-mac",
    "os": "darwin",
    "agent_version": "0.1.0"
  },
  "user": {
    "name": "local-user"
  },
  "harness": {
    "name": "cursor"
  },
  "session": {
    "id": "conversation-1",
    "working_directory": "/Users/local-user/repo"
  },
  "tool": {
    "name": "Shell",
    "command": "go test ./..."
  },
  "command": {
    "command": "go test ./..."
  },
  "content": {
    "retention": "metadata",
    "included": false
  },
  "message": "Shell command executed"
}
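
A customer-managed forwarding pipeline can check each JSONL line against the required-field contract before shipping it. The following is an added example, not Beacon's own code: the constants come from the Required fields table, while the function names, the sample records, and the timestamp parsing rule are assumptions.

```python
import json
from datetime import datetime, timedelta
# Values from the "Required fields" table on this page.
FIXED = {"vendor": "beacon", "product": "endpoint-agent", "schema_version": "1.0"}
SEVERITIES = {"info", "low", "medium", "high", "critical"}

def validate_event(line):
    """Return a list of contract violations for one JSONL line (empty list = valid)."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(ev, dict):
        return ["record is not a JSON object"]
    problems = [f"{k}: expected {v!r}, got {ev.get(k)!r}"
                for k, v in FIXED.items() if ev.get(k) != v]
    for key in ("event", "endpoint", "harness"):
        if not isinstance(ev.get(key), dict):
            problems.append(f"{key}: missing or not an object")
    event = ev["event"] if isinstance(ev.get("event"), dict) else {}
    for sub in ("kind", "action"):
        if not (isinstance(event.get(sub), str) and event[sub]):
            problems.append(f"event.{sub}: missing or empty")
    sev = ev.get("severity")
    if not (isinstance(sev, str) and sev in SEVERITIES):
        problems.append(f"severity: {sev!r} not an allowed value")
    try:
        # Assumption: ISO 8601 text with a zero UTC offset, as in the page's example event.
        ts = datetime.fromisoformat(str(ev.get("timestamp")).replace("Z", "+00:00"))
        if ts.utcoffset() != timedelta(0):
            problems.append("timestamp: not expressed in UTC")
    except ValueError:
        problems.append("timestamp: missing or not ISO 8601")
    return problems

def validate_jsonl(text):
    """Map 1-based line number -> violations for each non-blank line that fails."""
    checked = ((n, validate_event(l)) for n, l in enumerate(text.splitlines(), 1) if l.strip())
    return {n: found for n, found in checked if found}

# Constructed sample input: line 1 follows the page's example, lines 2 and 3 are deliberately broken.
GOOD = {"timestamp": "2026-05-11T22:21:00Z", "vendor": "beacon", "product": "endpoint-agent",
        "schema_version": "1.0", "event": {"kind": "agent_runtime", "action": "command.executed"},
        "severity": "info", "endpoint": {"hostname": "example-mac"}, "harness": {"name": "cursor"}}
BAD = dict(GOOD, severity="urgent", harness=None, timestamp="2026-05-11 22:21")
SAMPLE = "\n".join([json.dumps(GOOD), json.dumps(BAD), "{truncated"])

if __name__ == "__main__":
    print(json.dumps(validate_jsonl(SAMPLE), indent=2))
```

Lines that fail can be routed to a quarantine file rather than dropped, so a schema change or a truncated write stays visible to whoever owns the pipeline.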

Privacy and retention fields

Beacon records metadata by default. Content retention is configurable with --content-retention metadata, --content-retention redacted, or --content-retention full.
  • metadata: default; excludes prompt text, raw attributes, command output, and raw diffs
  • redacted: includes configured content fields after local redaction and size limits
  • full: includes configured content fields in local or customer-controlled logs, still subject to event size limits
Beacon also caps event size, redacts common secret patterns, and marks events with field_truncated when fields must be shortened before writing.
