Security Team Rollout
Use this path when you are piloting Beacon for a security operations, IT, or endpoint-management rollout. Beacon runs locally on the endpoint, writes normalized AI agent activity to JSONL, and can forward events into Wazuh, Splunk HEC, Falcon LogScale HEC, Elastic, Datadog, Sumo Logic, Rapid7 InsightIDR, or a customer-managed pipeline.
1. Choose a pilot scope
Start with a small macOS pilot group that uses supported agent harnesses. Decide before rollout:
- Which runtimes are in scope for collection.
- Whether Gemini CLI should be included in the endpoint harness list. Gemini telemetry is opt-in.
- Whether hook-based runtimes such as Antigravity CLI, Claude Code, Cursor, Devin CLI, Devin Desktop, Factory, Grok Build, Hermes Agent, and OpenCode should be installed in user or project scope.
- Whether events will stay local first, flow into Wazuh localfile, forward to Splunk HEC or Falcon LogScale HEC, ship to Elastic, Datadog, Sumo Logic, or Rapid7 InsightIDR, or flow through a customer-managed forwarder.
2. Deploy the endpoint agent
For managed rollout, use the signed and notarized macOS package through Jamf Pro, Fleet, or another MDM. Package deployments use system mode and write endpoint events to /var/log/beacon-agent/runtime.jsonl.
3. Validate health and collection
After deployment, confirm that the collector is running, the runtime log is writable, and configured harnesses match the intended scope.

| Area | Signal |
|---|---|
| Install coverage | Beacon package or binary version is present |
| Collector health | com.beacon.endpoint.collector is running |
| Runtime log | /var/log/beacon-agent/runtime.jsonl exists and is fresh |
| Harness scope | Configured harnesses match the approved runtime list |
| Forwarding | Wazuh localfile, Splunk HEC, Falcon LogScale HEC, Elastic, Datadog, Sumo Logic, Rapid7 InsightIDR, or customer-managed forwarding is configured when required |
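
The collector and runtime-log signals from the table above, as an added example that is not part of the Beacon documentation: a POSIX shell probe that an MDM script could run on a pilot endpoint. It assumes the collector is a launchd system service with the label shown in the table and that "fresh" means modified within 15 minutes; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Beacon's own tooling. Assumptions: the collector is a
# launchd *system* service, and "fresh" means modified in the last MAX_AGE_MIN.
BEACON_LOG="${BEACON_LOG:-/var/log/beacon-agent/runtime.jsonl}"
BEACON_LABEL="${BEACON_LABEL:-com.beacon.endpoint.collector}"
MAX_AGE_MIN="${MAX_AGE_MIN:-15}"

# Prints: ok | missing | empty | stale
log_state() {
    log="$1"; max_age="$2"
    [ -f "$log" ] || { echo missing; return; }
    [ -s "$log" ] || { echo empty; return; }
    # find -mmin is supported by both BSD (macOS) and GNU find.
    if [ -n "$(find "$log" -mmin "-$max_age" 2>/dev/null)" ]; then
        echo ok
    else
        echo stale
    fi
}

# Prints: ok | malformed. Shallow shape check only (not a JSON parser): the
# last line must start with "{" and end with "}", which catches a truncated
# final write or a non-JSONL file at the expected path.
last_event_state() {
    last=$(tail -n 1 "$1" 2>/dev/null) || last=""
    case "$last" in
        "{"*"}") echo ok ;;
        *) echo malformed ;;
    esac
}

# Prints: running | stopped | unknown (unknown when launchctl is unavailable)
collector_state() {
    command -v launchctl >/dev/null 2>&1 || { echo unknown; return; }
    if launchctl print "system/$1" 2>/dev/null | grep -q 'state = running'; then
        echo running
    else
        echo stopped
    fi
}

# One line per endpoint, easy to collect as an MDM inventory attribute.
beacon_health() {
    printf 'collector=%s log=%s last_event=%s\n' \
        "$(collector_state "$BEACON_LABEL")" \
        "$(log_state "$BEACON_LOG" "$MAX_AGE_MIN")" \
        "$(last_event_state "$BEACON_LOG")"
}

beacon_health
```

Run it as root so `launchctl print` can read the system domain; harness scope and forwarding still need to be compared against the approved configuration separately.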
4. Connect security workflows
Beacon always preserves local JSONL. Add forwarding when your team is ready to centralize events.
- Use Wazuh and Wazuh forwarding for localfile ingestion, generated rules, and validation events.
- Use Splunk HEC forwarding to send collector output to Splunk while keeping local JSONL.
- Use Falcon LogScale forwarding to send collector output to CrowdStrike Falcon LogScale while keeping local JSONL.
- Use Elastic forwarding to ship Beacon JSONL into Elasticsearch and Kibana with Filebeat or standalone Elastic Agent.
- Use Datadog forwarding to tail Beacon JSONL into Datadog Logs with Datadog Agent custom log collection.
- Use Sumo Logic forwarding to send Beacon JSONL into a Hosted Collector HTTP Logs & Metrics Source.
- Use Rapid7 forwarding to send Beacon JSONL into Rapid7 InsightIDR Custom Logs through a webhook event source.
- Use log forwarding for customer-managed forwarders into other pipelines.
5. Add runtime hooks where needed
The base endpoint agent configures local collector telemetry. Antigravity CLI, Claude Code, Cursor, Devin CLI, Devin Desktop, Factory, Grok Build, Hermes Agent, and OpenCode hooks are installed separately because hook configuration is user or project scoped. OpenClaw Gateway is configured in OpenClaw; use the OpenClaw integration commands to print Gateway OTLP settings and validate observed events../.grok/hooks/beacon-endpoint.json and require /hooks-trust in Grok before they execute. Hermes Agent hooks write ~/.hermes/config.yaml and support user-level installs only.
See Runtime hooks for supported hook telemetry and operational guidance.
Related
MDM Deployment
Plan managed macOS rollout with the packaged system agent.
Log Forwarding
Forward Beacon events into Wazuh, Splunk HEC, Falcon LogScale, Elastic, Datadog, Sumo Logic, Rapid7 InsightIDR, or customer-managed pipelines.
Endpoint status
Inspect collector, service, harness, diagnostic, and runtime log state.
Command reference
Jump to detailed guides for each Beacon command.

