Overview

This guide shows how to confirm local telemetry collection, generate or find activity, inspect runtime events in the dashboard, and decide whether events are ready to forward for detection. Use it when you want to see what supported AI agent runtimes actually did: prompts, tools, commands, approvals, MCP-like activity, file changes, and runtime health signals.

Setup

Configure endpoint telemetry:

Configure collection

    beacon endpoint install
    beacon endpoint status

Sample output

    $ beacon endpoint status

    Collector: running
    Runtime log: ~/.beacon/endpoint/logs/runtime.jsonl
    Configured harnesses: claude,codex
    Last event: 2026-06-10T04:24:11Z

If the status output has no recent runtime event, write a controlled validation event before testing real agent activity:

Write a validation event

    beacon endpoint test-event

Sample output

    $ beacon endpoint test-event

    checked runtime log: ok
    wrote validation event: ok
    event action: endpoint.validation

1. Generate Or Find Activity

Run a supported local agent harness, then check that Beacon has observed activity:

Check observed runtime coverage

    beacon endpoint inventory

If the validation event appears but runtime activity does not, check Inventory Local Agent Runtimes for installed, configured, managed, and observed state.

2. Open The Local Dashboard

Open Log Search and Security Overview:

Open the dashboard

    beacon endpoint dashboard --open

3. Inspect Key Fields

| Signal | Why it matters |
| --- | --- |
| Harness | Identifies the agent runtime that produced the event. |
| User and endpoint | Ties activity to the local account and host. |
| Session and repository | Reconstructs where work happened. |
| Tool, command, file | Shows actions taken by the agent. |
| MCP-like activity | Highlights external tool or server interactions. |
| Approval and policy | Shows prompts for permission, denial, blocking, or enforcement context. |
| Severity and needs-review | Helps analysts prioritize. |
| Content handling | Explains whether prompt, command, or diff content is present, redacted, or truncated. |

Beacon normalizes runtime-specific signals into the Endpoint Event Schema, so analysts can search across runtimes with the same core fields.

4. Investigate Activity

In Log Search, start with:
  • Harness or model
  • Severity or needs-review
  • Commands and file changes
  • Approval or blocked activity
  • MCP-like activity
  • Repository or working directory

5. Forward For Detection

Beacon writes normalized JSONL locally first. Forward it into Wazuh, Splunk HEC, Falcon LogScale, Elastic, Datadog, Sumo Logic, Rapid7 InsightIDR, Microsoft Sentinel, AWS S3, Google Cloud Storage, or a customer-managed shipper with Log Forwarding.
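
One way to check the local JSONL before forwarding it, as an added example that is not Beacon's own code: it separates the `endpoint.validation` event from real harness activity and reports malformed lines, last-event freshness, and configured harnesses with no observed events. The key names `timestamp`, `action` and `harness`, the 15-minute freshness window, the readiness rule, and the sample lines are assumptions; take the real field names from the Endpoint Event Schema.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed key names; the page does not list the Endpoint Event Schema fields.
TS_KEY, ACTION_KEY, HARNESS_KEY = "timestamp", "action", "harness"
VALIDATION_ACTION = "endpoint.validation"  # action printed by `beacon endpoint test-event`

def check_runtime_log(lines, configured, now, max_age=timedelta(minutes=15)):
    """Summarise runtime JSONL lines; max_age is an assumed freshness window."""
    malformed, observed, validation, last_ts = [], {}, 0, None
    for lineno, raw in enumerate(lines, 1):
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
            ts = datetime.fromisoformat(event[TS_KEY].replace("Z", "+00:00"))
            if ts.tzinfo is None:
                raise ValueError("timestamp has no UTC offset")
        except (ValueError, KeyError, TypeError, AttributeError):
            malformed.append(lineno)  # truncated write, non-object, bad timestamp
            continue
        last_ts = ts if last_ts is None else max(last_ts, ts)
        harness = event.get(HARNESS_KEY)
        if event.get(ACTION_KEY) == VALIDATION_ACTION:
            validation += 1  # proves the log is writable, not that a runtime is covered
        elif isinstance(harness, str):
            observed[harness] = observed.get(harness, 0) + 1
    fresh = last_ts is not None and now - last_ts <= max_age
    missing = sorted(set(configured) - set(observed))
    return {
        "malformed_lines": malformed,
        "validation_events": validation,
        "observed": observed,
        "missing_harnesses": missing,
        "fresh": fresh,
        "ready_to_forward": fresh and not malformed and not missing,
    }

# Constructed sample lines (not real Beacon output); line 4 is a truncated write.
SAMPLE = [
    '{"timestamp": "2026-06-10T04:20:02Z", "action": "endpoint.validation"}',
    '{"timestamp": "2026-06-10T04:23:40Z", "harness": "claude", "action": "command.exec"}',
    '{"timestamp": "2026-06-10T04:24:11Z", "harness": "claude", "action": "file.write"}',
    '{"timestamp": "2026-06-10T04:24:',
]

if __name__ == "__main__":
    now = datetime(2026, 6, 10, 4, 30, tzinfo=timezone.utc)
    print(json.dumps(check_runtime_log(SAMPLE, ["claude", "codex"], now), indent=2))
```

To run it against a real log, pass the open file for the runtime log path shown by `beacon endpoint status` as `lines` and the configured harness list as `configured`.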

Key Features Demonstrated

  • Local collection health and last-event freshness.
  • Runtime coverage from installed/configured/observed inventory state.
  • Cross-runtime event review through the normalized endpoint schema.
  • Dashboard-based triage before SIEM or log forwarding.

Troubleshooting

  • If beacon endpoint status has no recent event, run beacon endpoint test-event.
  • If test events appear but runtime activity does not, confirm the runtime is supported and configured in Inventory Local Agent Runtimes.
  • If the dashboard is empty, confirm it is reading the same user-mode, system-mode, or custom runtime log you validated.
  • If forwarded events are missing downstream, validate local JSONL first before debugging destination configuration.

Inventory Local Agent Runtimes

Discover local runtimes, MCP servers, configs, hooks, and observed coverage.

Endpoint Telemetry

Configure endpoint telemetry and harnesses.

Endpoint Event Schema

Review normalized Beacon JSONL fields and event entities.

Log Forwarding

Forward Beacon endpoint events into customer-managed destinations.