SIEM Forwarding

Beacon writes normalized endpoint events as Wazuh-compatible JSONL. Security teams can ingest that local runtime log with Wazuh localfile configuration or forward it with an existing customer-managed log shipper. Beacon does not currently ship direct Datadog, Splunk, Elastic, or other SIEM exporters. The stable integration point is the local runtime.jsonl file and the Beacon endpoint event schema.

Runtime log paths

Mode          Runtime log
User mode     ~/.beacon/endpoint/logs/runtime.jsonl
System mode   /var/log/beacon-agent/runtime.jsonl

Use system mode for MDM deployments so endpoint events land in the shared system log path.

Forwarding options

Wazuh localfile

Use Beacon’s Wazuh commands to generate localfile configuration, rules, sample content, and validation events.
beacon endpoint wazuh print-config --system
beacon endpoint wazuh install-pack --system --output ./beacon-wazuh
beacon endpoint wazuh validate --system
print-config emits the localfile snippet for an existing Wazuh agent configuration. install-pack writes a file-based bundle with rules and config snippets. validate writes a known-good Beacon event to the runtime log so you can confirm ingestion.

Customer-managed log shipper

For Splunk, Elastic, Datadog, or another SIEM, configure your existing forwarder to read the Beacon runtime log and preserve each JSONL line as one event. Recommended settings:
  • Read from /var/log/beacon-agent/runtime.jsonl for system deployments.
  • Treat each newline-terminated line as one complete JSON event and disable any multi-line merging in the forwarder.
  • Preserve the raw Beacon JSON for investigation.
  • Use the vendor, product, event, actor, endpoint, process, file, tool, mcp, approval, and health fields for parsing and routing.
  • Validate forwarding after deployment by writing a Beacon validation event.

Validation

After installing or repairing Beacon, confirm the endpoint state and write a validation event:
sudo /opt/beacon/bin/beacon endpoint status --system --json
sudo /opt/beacon/bin/beacon endpoint wazuh validate --system
If the validation event does not reach your SIEM, verify that the runtime log exists, is writable by the collector, and is the same path your shipper is reading. The first command below checks the system-mode log path; because it runs as root, test -w succeeds for any existing file, so it confirms the path exists rather than the permissions of a less-privileged collector, and the file's owner and mode should be checked as well. The second command (macOS) confirms the collector service is loaded in the system launchd domain.
sudo test -w /var/log/beacon-agent/runtime.jsonl
sudo launchctl print system/com.beacon.endpoint.collector
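As an added example (not Beacon's own code and not part of the original page), the following Python script implements both the shipper contract from the customer-managed log shipper section and the post-deployment check above: it tails runtime.jsonl from a saved byte offset so an event written by beacon endpoint wazuh validate after deployment is picked up, treats each newline-terminated line as exactly one event, keeps the raw JSON next to the parsed object, flags malformed lines instead of dropping them silently, and picks a destination from which schema sections (health, approval, mcp, tool, file, process) the event carries. The sample events, their placeholder values such as "example-vendor", and the routing precedence are constructed for this example; the real field layout is on the Endpoint event schema page.

```python
"""Tail Beacon's runtime.jsonl the way a log shipper should: one line, one event.

Added example, not Beacon's own code. Field names follow the list on this page
(vendor, product, event, actor, endpoint, process, file, tool, mcp, approval,
health). Sample events and their values are constructed placeholders.
"""
import json
import os
import tempfile

# Routing precedence is this example's own policy, not Beacon's: the first
# schema section present decides the destination.
SECTION_ROUTES = (
    ("health", "beacon-health"),
    ("approval", "beacon-approvals"),
    ("mcp", "beacon-mcp"),
    ("tool", "beacon-tools"),
    ("file", "beacon-file-activity"),
    ("process", "beacon-process"),
)


def route_for(doc):
    """Return the destination for a parsed event based on the sections it carries."""
    for section, route in SECTION_ROUTES:
        if doc.get(section) is not None:
            return route
    return "beacon-other"


def parse_line(raw):
    """Turn one JSONL line into a shipper record that always keeps the raw text.

    Malformed lines are not dropped: they are emitted with ok=False so a
    broken writer or a mis-configured multi-line merge shows up in the SIEM.
    """
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    record = {"raw": text, "ok": False, "event": None, "route": None, "error": None}
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        record["error"] = "invalid JSON: %s" % exc
        return record
    if not isinstance(doc, dict):
        record["error"] = "top-level JSON value is not an object"
        return record
    record.update(ok=True, event=doc, route=route_for(doc))
    return record


def read_new_events(path, offset=0):
    """Read complete lines appended after byte `offset`; return (records, new_offset).

    A trailing line without its newline is still being written and is left for
    the next call, so a half-written event is never split into two events.
    """
    if os.path.getsize(path) < offset:
        offset = 0  # file was truncated or rotated: start from the beginning
    records = []
    with open(path, "rb") as fh:
        fh.seek(offset)
        for raw in iter(fh.readline, b""):
            if not raw.endswith(b"\n"):
                break
            offset += len(raw)
            if raw.strip():
                records.append(parse_line(raw))
    return records, offset


def demo():
    """Exercise the reader on a constructed runtime.jsonl (placeholder values)."""
    sample = [
        '{"vendor": "example-vendor", "product": "beacon", "event": {"type": "example.process"}, '
        '"actor": {"user": "alice"}, "endpoint": {"hostname": "host-01"}, "process": {"name": "curl"}}',
        '{"vendor": "example-vendor", "product": "beacon", "event": {"type": "example.health"}, '
        '"endpoint": {"hostname": "host-01"}, "health": {"status": "degraded"}}',
        '{"vendor": "example-vendor", "product": "beacon", "event": {"type": "example.mcp"}, '
        '"mcp": {"server": "example-server"}, "tool": {"name": "example_tool"}}',
        "this line is not JSON",
        "[1, 2, 3]",
    ]
    partial = '{"vendor": "example-vendor", "product": "beacon", '
    rest = '"event": {"type": "example.approval"}, "approval": {"decision": "allow"}}\n'
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "runtime.jsonl")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("\n".join(sample) + "\n" + partial)
        first, offset = read_new_events(path)          # stops before the partial line
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(rest)                              # writer finishes the event
        second, offset = read_new_events(path, offset)  # picks up exactly one new event
    return first, second


if __name__ == "__main__":
    first, second = demo()
    for rec in first + second:
        print(rec["ok"], rec["route"] or rec["error"], rec["raw"][:60])
```

Pointing read_new_events at /var/log/beacon-agent/runtime.jsonl with the offset recorded before running beacon endpoint wazuh validate --system should return exactly the new validation event; an empty result means the event landed in a different file than the one being read, for example the user-mode log.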

Event schema

Beacon endpoint events share a stable schema across supported runtime sources. The generated Wazuh content can identify telemetry health issues, command and MCP activity, policy blocks, endpoint health failures, prompt and tool workflow telemetry, file activity, and tool failures while preserving the raw Beacon JSON.

Endpoint event schema

Review normalized Beacon JSONL fields and example events.

Wazuh

Print Wazuh config, generate rules, and validate ingestion.