Skip to main content

Local JSONL

Beacon’s default destination is the local runtime JSONL log. The endpoint agent writes one normalized endpoint event per line and keeps the active path stable for local review, the Beacon dashboard, and downstream shippers. Use this path when you want a local audit trail without configuring a remote SIEM, log aggregator, or object storage exporter.

Runtime log paths

ModeRuntime log
User mode~/.beacon/endpoint/logs/runtime.jsonl
System mode/var/log/beacon-agent/runtime.jsonl
User mode is convenient for local evaluation. System mode is preferred for package or MDM deployments because the log path is shared and root-managed.

What reads the local log

Beacon uses the same JSONL source for:
  • Local inspection with beacon endpoint status, beacon endpoint doctor, and diagnostics commands.
  • The loopback-only endpoint dashboard, including Log Search and Security Overview.
  • Validation events written by forwarding commands.
  • Customer-managed shippers that tail the active runtime.jsonl path.
Beacon rotates the active log at 10 MiB and keeps five numbered archives such as runtime.jsonl.1. The active runtime.jsonl path remains the stable handoff point for the local dashboard and external shippers.

Inspect locally

Confirm the endpoint is healthy and writing events: 
beacon endpoint status --json
beacon endpoint test-event
For a system-mode deployment: 
sudo /opt/beacon/bin/beacon endpoint status --system --json
sudo /opt/beacon/bin/beacon endpoint test-event --system
sudo test -r /var/log/beacon-agent/runtime.jsonl
Open the local dashboard: 
beacon endpoint dashboard --open

Content retention

Beacon content retention controls how much prompt, command, attribute, and diff content can be written to local JSONL. Use metadata or redacted for stricter deployments: 
sudo /opt/beacon/bin/beacon endpoint install --system --content-retention metadata
Use full only when prompt text, tool input, command output, and retained content match your approved telemetry collection policy.

beacon endpoint dashboard

Inspect Beacon runtime logs in the local dashboard.

SIEM forwarding

Compare local, SIEM, log aggregation, and object storage paths.

Customer-managed log pipelines

Forward local Beacon JSONL through customer-controlled shippers.

Endpoint event schema

Review normalized Beacon JSONL fields and example events.