Splunk HEC

Beacon can send endpoint telemetry directly to Splunk HTTP Event Collector (HEC) through the bundled collector. Splunk export is additive: Beacon still writes the local runtime.jsonl audit log while the collector sends logs, traces, and metrics to HEC. Use a customer-managed HEC endpoint and token. Beacon stores the destination in endpoint configuration and writes token-bearing config files with restricted permissions.

Runtime log paths

Mode         Runtime log
User mode    ~/.beacon/endpoint/logs/runtime.jsonl
System mode  /var/log/beacon-agent/runtime.jsonl

Use system mode for MDM deployments so every managed endpoint writes to /var/log/beacon-agent/runtime.jsonl.

Configure Splunk HEC

Create or reuse a Splunk HEC token for Beacon endpoint telemetry, then install Beacon with the HEC destination:

beacon endpoint install \
  --splunk-hec-endpoint https://splunk.example:8088/services/collector \
  --splunk-hec-token "$SPLUNK_HEC_TOKEN" \
  --splunk-index beacon

To add or update Splunk HEC on an existing endpoint, run repair with the same destination flags:

beacon endpoint repair \
  --splunk-hec-endpoint https://splunk.example:8088/services/collector \
  --splunk-hec-token "$SPLUNK_HEC_TOKEN" \
  --splunk-index beacon

Settings

Setting     Recommendation
Endpoint    Splunk HEC endpoint URL, such as https://splunk.example:8088/services/collector
Token       Splunk HEC token from your Splunk administrator
Index       Your endpoint telemetry or security operations index
Source      beacon-endpoint-agent by default
Sourcetype  beacon:endpoint by default
TLS         Use --splunk-ca-file <path> for private CA trust; use --splunk-insecure-skip-verify only for testing

Keep the HEC token in your endpoint-management secret store and pass it to Beacon at install or repair time.

Flags

Flag                            Description
--splunk-hec-endpoint <url>     Splunk HEC endpoint URL
--splunk-hec-token <token>      Splunk HEC token. Required when Splunk HEC forwarding is configured
--splunk-index <index>          Optional Splunk index
--splunk-source <source>        Optional Splunk source. Defaults to beacon-endpoint-agent
--splunk-sourcetype <type>      Optional Splunk sourcetype. Defaults to beacon:endpoint
--splunk-insecure-skip-verify   Skip Splunk HEC TLS certificate verification
--splunk-ca-file <path>         Optional CA certificate path for Splunk HEC TLS verification

Collector behavior

When Splunk HEC is configured, Beacon writes a collector pipeline with both exporters enabled:

exporters: [beaconjson, splunk_hec]

The beaconjson exporter preserves the local runtime log. The splunk_hec exporter sends OTLP logs, traces, and metrics to Splunk HEC.

Validate forwarding

Confirm Beacon has the destination configured:

sudo /opt/beacon/bin/beacon endpoint status --system --json

In the JSON output, check that destinations.splunk_hec.configured is true and that the endpoint, index, source, and sourcetype match your deployment. The token is not printed. Then write a validation event:

sudo /opt/beacon/bin/beacon endpoint wazuh validate --system

Then search Splunk for the validation event:

index=<your_index> sourcetype="beacon:endpoint" product="endpoint-agent" event.category="validation"

If the event does not appear, verify that the collector service is running, the HEC endpoint accepts the configured token, and TLS settings match your Splunk deployment:

sudo /opt/beacon/bin/beacon endpoint status --system --json
sudo launchctl print system/com.beacon.endpoint.collector
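Scripting the status check above for a fleet of endpoints, as an added example that is not part of Beacon: it parses the JSON from beacon endpoint status --system --json, confirms destinations.splunk_hec.configured and that the four destination fields match the install command, rejects a non-https endpoint, and fails if any token-bearing field shows up in the output. The nesting of endpoint, index, source and sourcetype under destinations.splunk_hec is an assumption, as is the constructed sample status.

```python
import json
import sys
from urllib.parse import urlparse

# Constructed sample of `beacon endpoint status --system --json` output.
# The nesting under destinations.splunk_hec is an assumption, not the documented schema.
SAMPLE_STATUS = json.dumps({"destinations": {"splunk_hec": {
    "configured": True,
    "endpoint": "https://splunk.example:8088/services/collector",
    "index": "beacon",
    "source": "beacon-endpoint-agent",
    "sourcetype": "beacon:endpoint",
}}})

# Values the deployment is supposed to have (taken from the install command).
EXPECTED = {
    "endpoint": "https://splunk.example:8088/services/collector",
    "index": "beacon",
    "source": "beacon-endpoint-agent",
    "sourcetype": "beacon:endpoint",
}

def contains_token_key(obj) -> bool:
    """True if any key anywhere in the structure looks like a token; status must not print one."""
    if isinstance(obj, dict):
        return any("token" in k.lower() or contains_token_key(v) for k, v in obj.items())
    if isinstance(obj, list):
        return any(contains_token_key(v) for v in obj)
    return False

def check_splunk_hec(status_json: str, expected: dict) -> list:
    """Return findings; an empty list means the destination matches and nothing sensitive leaked."""
    status = json.loads(status_json)
    hec = status.get("destinations", {}).get("splunk_hec", {})
    findings = []
    if hec.get("configured") is not True:
        findings.append("splunk_hec is not configured")
    for key, want in expected.items():
        if hec.get(key) != want:
            findings.append(f"{key}: expected {want!r}, got {hec.get(key)!r}")
    if urlparse(hec.get("endpoint", "")).scheme != "https":
        findings.append("endpoint is not https: the HEC token would be sent in clear text")
    if contains_token_key(status):
        findings.append("status output exposes a token-bearing field")
    return findings

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    print("\n".join(check_splunk_hec(data, EXPECTED) or ["ok"]))
```

Pipe the real output in with sudo /opt/beacon/bin/beacon endpoint status --system --json | python3 check_hec.py; run without input it checks the constructed sample.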
