
Customer-Managed Log Pipelines

Beacon writes normalized endpoint events to the active local runtime JSONL log. Customer-managed forwarding means your existing shipper, endpoint agent, Vector deployment, log pipeline, or SIEM collector tails that file and owns remote delivery. Use this path when Beacon should remain the local event producer and your infrastructure should control destination URLs, credentials, buffering, retries, retention, and downstream routing.

Runtime log paths

Mode          Runtime log
User mode     ~/.beacon/endpoint/logs/runtime.jsonl
System mode   /var/log/beacon-agent/runtime.jsonl

Use system mode for MDM or managed endpoint deployments so the shipper can read a shared root-managed path instead of per-user home directories.

Forwarding contract

Configure your pipeline to:
  • Read from /var/log/beacon-agent/runtime.jsonl for system deployments.
  • Follow Beacon’s local rotation at the active runtime.jsonl path.
  • Checkpoint file offsets in the shipper or pipeline.
  • Treat each line as one complete JSON event.
  • Preserve the raw Beacon JSON for investigation.
  • Keep remote destination secrets outside Beacon endpoint configuration.
Beacon endpoint events use stable top-level fields such as vendor, product, event, actor, endpoint, process, file, tool, mcp, approval, destination, and health. Review the endpoint event schema before writing custom parsers or routing rules.

Example pipeline shape
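
The following is an added example, not Beacon's own code or a shipped integration: a Python tailer for a custom collector that follows the forwarding contract above by checkpointing offsets, following rotation, emitting only complete lines, and keeping the raw JSON. The class name `BeaconTail`, the checkpoint file format, and the assumption that rotation happens by rename or in-place truncation are all hypothetical.

```python
import json
import os

class BeaconTail:
    """Tails the active runtime.jsonl; checkpoint = (inode, offset after last complete line)."""

    def __init__(self, log_path, checkpoint_path):
        self.log_path, self.cp_path, self.fh = log_path, checkpoint_path, None
        try:  # resume where the last committed delivery stopped
            with open(checkpoint_path) as f:
                self.cp = json.load(f)
        except (OSError, ValueError):
            self.cp = {"inode": None, "offset": 0}

    def _open(self):
        self.fh, self.buf = open(self.log_path, "rb"), b""
        inode = os.fstat(self.fh.fileno()).st_ino
        if inode != self.cp["inode"]:  # a different file is active: start at byte 0
            self.cp = {"inode": inode, "offset": 0}
        self.fh.seek(self.cp["offset"])

    def _drain(self, out):
        if os.fstat(self.fh.fileno()).st_size < self.cp["offset"]:  # truncated in place
            self.cp["offset"], self.buf = 0, b""
            self.fh.seek(0)
        # Hold back a trailing partial line until its newline arrives.
        *lines, self.buf = (self.buf + self.fh.read()).split(b"\n")
        for raw in lines:
            self.cp["offset"] += len(raw) + 1
            if raw.strip():
                try:
                    event = json.loads(raw)
                except ValueError:
                    event = None  # unparseable: still forward the raw line
                out.append({"raw": raw.decode("utf-8", "replace"), "event": event})

    def poll(self):
        out = []
        if self.fh is None:
            self._open()
        self._drain(out)  # finish the file we already hold before checking rotation
        if os.path.exists(self.log_path) and os.stat(self.log_path).st_ino != self.cp["inode"]:
            self.fh.close()  # rotated by rename: switch to the new active file
            self._open()
            self._drain(out)
        return out

    def commit(self):
        with open(self.cp_path + ".tmp", "w") as f:
            json.dump(self.cp, f)
        os.replace(self.cp_path + ".tmp", self.cp_path)
```

Call `commit()` only after the downstream destination acknowledges the batch returned by `poll()`, so a crash re-sends events instead of dropping them. A file truncated and refilled past the old offset between polls is not detected by the size check.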

Validation

Confirm Beacon is writing local events:
    sudo /opt/beacon/bin/beacon endpoint status --system --json
    sudo test -r /var/log/beacon-agent/runtime.jsonl
    sudo /opt/beacon/bin/beacon endpoint test-event --system
Then confirm your shipper read the new line and delivered it downstream. If events do not arrive, first verify that the shipper is reading the same runtime log path Beacon writes and that it follows rotated files without re-uploading older archives.
