Skip to main content

Forwarding Command

Use beacon endpoint cloudwatch to generate AWS CloudWatch Logs forwarding content for Beacon endpoint events. The generated pack keeps Beacon as a local JSONL producer and helps your customer-managed Vector agent ship runtime.jsonl to a CloudWatch Logs log group. Beacon does not store AWS credentials, profiles, IAM roles, log group retention settings, stream names, or encryption settings. Keep those values in AWS, Vector, endpoint-management policy, or deployment tooling.
Command syntax
beacon endpoint cloudwatch [command]

Commands

beacon endpoint cloudwatch print-config

Print the Vector AWS CloudWatch Logs forwarding template for the configured runtime log.

beacon endpoint cloudwatch install-pack

Write AWS CloudWatch Logs forwarding content to a directory.

beacon endpoint cloudwatch validate

Write and describe a Beacon AWS CloudWatch Logs validation event.

Runtime log paths

ModePath
User mode~/.beacon/endpoint/logs/runtime.jsonl
System mode/var/log/beacon-agent/runtime.jsonl

beacon endpoint cloudwatch print-config

beacon endpoint cloudwatch print-config prints a Vector configuration that tails the selected Beacon runtime JSONL log and writes parsed Beacon events to AWS CloudWatch Logs.
Print the configuration
beacon endpoint cloudwatch print-config
Use this command when you want to inspect or copy the Vector template into an existing endpoint forwarding workflow.

Examples

Print Vector config for the default per-user Beacon install:
Print Vector config for the default per-user Beacon install
beacon endpoint cloudwatch print-config
Print Vector config for a system-mode MDM deployment:
Print Vector config for a system-mode MDM deployment
sudo /opt/beacon/bin/beacon endpoint cloudwatch print-config --system
Print Vector config for a custom runtime log:
Print Vector config for a custom runtime log
beacon endpoint cloudwatch print-config --log-path /path/to/runtime.jsonl

Flags

FlagDescription
--userUse per-user endpoint paths. Enabled by default
--systemUse system endpoint paths and launch daemon
--log-path <path>Runtime JSONL log path

beacon endpoint cloudwatch install-pack

beacon endpoint cloudwatch install-pack writes AWS CloudWatch Logs forwarding content to a directory.
Generate the integration pack
beacon endpoint cloudwatch install-pack --output ./beacon-cloudwatch-pack
The pack includes setup instructions, a Vector aws_cloudwatch_logs forwarding template, and sample Beacon endpoint events.

Examples

Generate a content pack for the default per-user install:
Generate a content pack for the default per-user install
beacon endpoint cloudwatch install-pack --output ./beacon-cloudwatch-pack
Generate a content pack for a system-mode deployment:
Generate a content pack for a system-mode deployment
sudo /opt/beacon/bin/beacon endpoint cloudwatch install-pack \
  --system \
  --output ./beacon-cloudwatch-pack
Generate a content pack for a custom runtime log:
Generate a content pack for a custom runtime log
beacon endpoint cloudwatch install-pack \
  --output ./beacon-cloudwatch-pack \
  --log-path /path/to/runtime.jsonl

Flags

FlagDescription
--output <dir>Output directory for the AWS CloudWatch Logs content pack. Defaults to beacon-cloudwatch-pack
--userUse per-user endpoint paths. Enabled by default
--systemUse system endpoint paths and launch daemon
--log-path <path>Runtime JSONL log path

beacon endpoint cloudwatch validate

beacon endpoint cloudwatch validate writes a Beacon validation event to the runtime JSONL log and prints the expected CloudWatch validation fields and follow-up AWS checks.
Run the validation check
beacon endpoint cloudwatch validate

Examples

Write a validation event for the default per-user install:
Write a validation event for the default per-user install
beacon endpoint cloudwatch validate
Write a validation event for a system-mode deployment:
Write a validation event for a system-mode deployment
sudo /opt/beacon/bin/beacon endpoint cloudwatch validate --system
Write a validation event to a custom runtime log:
Write a validation event to a custom runtime log
beacon endpoint cloudwatch validate --log-path /path/to/runtime.jsonl
The validation command writes the local event only. Confirm remote delivery with AWS tooling: 
aws logs filter-log-events --log-group-name "$BEACON_CLOUDWATCH_LOG_GROUP" --filter-pattern '"Beacon endpoint AWS CloudWatch Logs validation event"' --region "$AWS_REGION"
CloudWatch Logs Insights query: 
fields @timestamp, vendor, product, destination.type, destination.mode, message
| filter message like /Beacon endpoint AWS CloudWatch Logs validation event/
| sort @timestamp desc
| limit 20
Expected validation fields: 
vendor=beacon product=endpoint-agent destination.type=cloudwatch destination.mode=aws_cloudwatch_logs

Flags

FlagDescription
--userUse per-user endpoint paths. Enabled by default
--systemUse system endpoint paths and launch daemon
--log-path <path>Runtime JSONL log path

AWS CloudWatch Logs forwarding

Configure Vector forwarding from Beacon JSONL into AWS CloudWatch Logs.

Log forwarding

Review forwarding patterns and validation steps.

Endpoint agent

Install and inspect the local endpoint agent.

Endpoint event schema

Review normalized Beacon JSONL fields and example events.