Local Log Output
Beacon’s default destination is the local runtime JSONL log. The endpoint agent writes one normalized endpoint event per line and keeps the active path stable for local review, the Beacon dashboard, and downstream shippers. Use this path when you want a local audit trail without configuring a remote SIEM, log aggregator, or object storage exporter.Runtime log paths
| Mode | Runtime log |
|---|---|
| User mode | ~/.beacon/endpoint/logs/runtime.jsonl |
| System mode | /var/log/beacon-agent/runtime.jsonl |
What reads the local log
Beacon uses the same JSONL source for:- Local inspection with
beacon endpoint status,beacon endpoint doctor, and diagnostics commands. - The loopback-only endpoint dashboard, including Log Search and Security Overview.
- Validation events written by forwarding commands.
- Customer-managed shippers that tail the active
runtime.jsonlpath.
runtime.jsonl.1. The active runtime.jsonl path remains the stable handoff point for the local dashboard and external shippers.
Inspect locally
Confirm the endpoint is healthy and writing events:Confirm the endpoint is healthy and writing events
For a system-mode deployment
Open the local dashboard
Content Handling
Beacon applies redaction, sanitization, truncation, and event-size limits before events are written to local JSONL. Review filesystem access, archive retention, and any downstream readers so retained telemetry matches your approved collection policy.Related
beacon endpoint dashboard
Inspect Beacon runtime logs in the local dashboard.
Log forwarding
Compare local, SIEM, log aggregation, and object storage paths.
Customer-managed log pipelines
Forward local Beacon JSONL through customer-controlled shippers.
Endpoint event schema
Review normalized Beacon JSONL fields and example events.