Datadog

Beacon v0.0.18 adds Datadog Agent custom log collection support for teams that want Beacon endpoint events in Datadog Logs. Beacon still writes one local source of truth, the runtime JSONL log. The Datadog Agent tails that file and owns Datadog API keys, site configuration, and transport. Use this path when Datadog Agent is already part of your endpoint management stack and you want Beacon events searchable in Log Explorer without giving Beacon Datadog credentials.

Runtime log paths

| Mode | Runtime log |
| --- | --- |
| User mode | ~/.beacon/endpoint/logs/runtime.jsonl |
| System mode | /var/log/beacon-agent/runtime.jsonl |

Use system mode for MDM deployments so the Datadog Agent can tail /var/log/beacon-agent/runtime.jsonl without per-user home directory permissions.

Prerequisites

  • Datadog Agent is installed on the endpoint.
  • Log collection is enabled in /opt/datadog-agent/etc/datadog.yaml:

    logs_enabled: true

Beacon does not store Datadog API keys or site settings. Keep those values in the Datadog Agent configuration or your endpoint-management secret store.

Install the Datadog pack

Generate the Datadog content pack for a managed system-mode deployment:

    sudo /opt/beacon/bin/beacon endpoint datadog install-pack \
      --system \
      --output ./beacon-datadog-pack

The pack includes:

  • conf.yaml for Datadog Agent custom log collection
  • README.md with install and validation steps
  • sample-event.jsonl with Beacon endpoint sample events

Install the generated Datadog Agent configuration on macOS:

    sudo mkdir -p /opt/datadog-agent/etc/conf.d/beacon.d
    sudo cp ./beacon-datadog-pack/conf.yaml /opt/datadog-agent/etc/conf.d/beacon.d/conf.yaml
    sudo chmod 0644 /opt/datadog-agent/etc/conf.d/beacon.d/conf.yaml
    sudo launchctl kickstart -k system/com.datadoghq.agent

The generated config sets:

    logs:
      - type: file
        path: "/var/log/beacon-agent/runtime.jsonl"
        service: beacon-endpoint-agent
        source: beacon
        sourcecategory: agent-runtime
        tags:
          - vendor:beacon
          - product:endpoint-agent

If you use a custom Beacon log path, generate the pack with --log-path /path/to/runtime.jsonl.

Validate forwarding

Confirm the Beacon runtime log exists and has recent endpoint events:

    sudo /opt/beacon/bin/beacon endpoint status --system --json
    sudo test -r /var/log/beacon-agent/runtime.jsonl

Write a Datadog validation event:

    sudo /opt/beacon/bin/beacon endpoint datadog validate --system

Check Datadog Agent status:

    sudo datadog-agent status

The Logs Agent section should show Beacon log collection and processed logs. In Datadog Log Explorer, search for:

    service:beacon-endpoint-agent vendor:beacon product:endpoint-agent

You can also search directly for the validation event:

    service:beacon-endpoint-agent "Beacon endpoint datadog validation event"

User-mode permissions

The Datadog Agent usually runs as _dd-agent. When tailing a user-mode Beacon log inside a home directory, _dd-agent must be able to traverse the parent directories and read the log file. If datadog-agent status reports permission denied, either use Beacon system mode or grant a narrow ACL for the configured user-mode log path.
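
To see where a narrow grant is needed, the following added example (not part of Beacon or the Datadog Agent) walks from the log file up to / and lists each component that would stop an account that is neither the owner nor in the group. The function names blocked_components and demo are hypothetical, the demo tree is constructed, and only classic mode bits are read, so existing ACL entries are not taken into account.

```shell
#!/bin/sh
# Added example, not Beacon or Datadog code. Walks from a log file up to /
# and lists every component whose "other" mode bits would stop a service
# account (such as _dd-agent) that is neither owner nor group member.
# Assumption: only classic mode bits are read; ACL entries are not evaluated.

blocked_components() {
    target=$1
    path=$target
    while :; do
        perms=$(ls -ld "$path" 2>/dev/null | cut -c1-10)
        if [ -z "$perms" ]; then
            printf 'missing %s\n' "$path"
        elif [ "$path" = "$target" ] && [ ! -d "$path" ]; then
            # Log file: character 8 of the mode string is "other" read.
            case $perms in
                ???????r??) ;;
                *) printf 'read %s\n' "$path" ;;
            esac
        else
            # Directory: character 10 is "other" execute (t = execute + sticky).
            case $perms in
                ?????????[xt]) ;;
                *) printf 'traverse %s\n' "$path" ;;
            esac
        fi
        case $path in /|.) break ;; esac
        path=$(dirname "$path")
    done
}

# Constructed demo tree that mimics a private user-mode Beacon directory.
demo() {
    root=$(mktemp -d) || return 1
    logs="$root/home/.beacon/endpoint/logs"
    mkdir -p "$logs" && : > "$logs/runtime.jsonl"
    chmod 755 "$root" "$root/home" "$root/home/.beacon/endpoint" "$logs"
    chmod 700 "$root/home/.beacon"
    chmod 600 "$logs/runtime.jsonl"
    blocked_components "$logs/runtime.jsonl"
    rm -rf "$root"
}

# With an argument, check that path; without one, run the constructed demo.
if [ "$#" -gt 0 ]; then blocked_components "$1"; else demo; fi
```

Run it with the configured user-mode log path as the only argument. Each printed line names a component that the ACL has to cover, or that switching to system mode avoids.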

Content retention

Beacon content retention controls what can be written to runtime.jsonl and forwarded to Datadog. Use metadata or redacted for stricter deployments:

    sudo /opt/beacon/bin/beacon endpoint install --system --content-retention metadata

Use full only when prompt text, tool input, command output, and retained content match your approved telemetry collection policy.

OpenTelemetry note

Datadog’s DDOT Collector is a good fit for OTel-first Linux or Kubernetes deployments. Beacon’s macOS endpoint v0 uses native Datadog Agent file log collection because it is the supported host path for tailing local JSONL files.
