Wazuh

Beacon writes JSONL endpoint events that Wazuh can ingest from the local runtime log. Use the Beacon Wazuh commands to print localfile configuration, generate rules, and write validation events.

Runtime log paths

Mode          Runtime log
User mode     ~/.beacon/endpoint/logs/runtime.jsonl
System mode   /var/log/beacon-agent/runtime.jsonl

Use system mode for MDM deployments so all managed endpoints write to the shared runtime log path.

Configure Wazuh localfile

Print the localfile snippet for a system deployment:
beacon endpoint wazuh print-config --system
Add the generated snippet to the Wazuh agent configuration for the endpoint. For a custom log path, pass --log-path:
beacon endpoint wazuh print-config --log-path /path/to/runtime.jsonl

Generate Wazuh content

Generate a content pack when you want file-based rules, config snippets, and sample content:
beacon endpoint wazuh install-pack --system --output ./beacon-wazuh
The generated Wazuh content is built around the Beacon endpoint event schema and preserves the raw Beacon JSON for investigation.

Validate ingestion

Write a known-good validation event to the runtime log:
sudo /opt/beacon/bin/beacon endpoint wazuh validate --system
Then confirm the validation event appears in Wazuh. If it does not, verify that the runtime log exists, the collector can write to it, and the Wazuh localfile path matches the Beacon runtime log path.
sudo test -w /var/log/beacon-agent/runtime.jsonl
sudo launchctl print system/com.beacon.endpoint.collector
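
The last item in that checklist, whether the Wazuh localfile path matches the Beacon runtime log path, can be checked mechanically. The script below is an added example, not Beacon or Wazuh code: it lists the live localfile blocks in an agent configuration and skips blocks that sit inside an XML comment. The function names are hypothetical, and it assumes one XML element per line and that the generated snippet uses Wazuh's json log format.

```shell
# Added example (not Beacon or Wazuh project code). Assumes one XML element per
# line and that the Beacon snippet uses Wazuh's "json" log_format.
# list_localfiles CONF: print "<log_format> <location>" per live <localfile>.
list_localfiles() {
  awk '
    function val(s, tag) {
      sub(".*<" tag ">[ \t]*", "", s); sub("[ \t]*</" tag ">.*", "", s); return s
    }
    {
      line = $0
      if (incomment) {                  # still inside a multi-line comment
        if (!(i = index(line, "-->"))) next
        line = substr(line, i + 3); incomment = 0
      }
      while ((i = index(line, "<!--")) > 0) {   # strip comments on this line
        rest = substr(line, i + 4); j = index(rest, "-->")
        if (!j) { line = substr(line, 1, i - 1); incomment = 1; break }
        line = substr(line, 1, i - 1) substr(rest, j + 3)
      }
    }
    line ~ /<localfile>/ { inblock = 1; fmt = "-"; loc = "" }
    inblock && line ~ /<log_format>/ { fmt = val(line, "log_format") }
    inblock && line ~ /<location>/ { loc = val(line, "location") }
    inblock && line ~ /<\/localfile>/ { print fmt " " loc; inblock = 0 }
  ' "$1"
}

# check_beacon_localfile CONF LOGPATH -> 0: LOGPATH collected as json,
# 1: collected with another log_format, 2: no live block points at LOGPATH.
check_beacon_localfile() {
  result=2
  while read -r fmt loc; do
    [ "$loc" = "$2" ] || continue
    [ "$fmt" = json ] && { result=0; break; }
    result=1
  done <<EOF
$(list_localfiles "$1")
EOF
  return "$result"
}

# Constructed sample: the Beacon block exists only inside a comment.
sample_conf() {
  printf '%s\n' '<ossec_config>' '<!--' '<localfile>' '<log_format>json</log_format>' \
    '<location>/var/log/beacon-agent/runtime.jsonl</location>' '</localfile>' '-->' \
    '<localfile>' '<log_format>syslog</log_format>' \
    '<location>/var/log/system.log</location>' '</localfile>' '</ossec_config>'
}
if [ "$#" -eq 2 ]; then check_beacon_localfile "$1" "$2"; echo "status=$?"; fi
```

Saved as a script, it takes the agent's ossec.conf path and the Beacon runtime log path as its two arguments and prints the status code.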

Wazuh command reference

Review Beacon Wazuh commands and flags.

Endpoint event schema

Review normalized Beacon JSONL fields and example events.