beacon endpoint elastic

Forwarding Command

Use beacon endpoint elastic to generate Elastic integration content for Beacon endpoint events. The generated pack tails Beacon’s local runtime.jsonl file with Filebeat or standalone Elastic Agent and installs Elasticsearch/Kibana assets around the logs-beacon.endpoint-* data stream pattern. Beacon does not store Elastic cluster URLs or credentials. Keep ES_HOSTS, ES_API_KEY, usernames, passwords, and TLS settings in Filebeat, Elastic Agent, or your endpoint-management secret store.

Command syntax

beacon endpoint elastic [command]

Commands

beacon endpoint elastic print-config

Print a Filebeat config for the configured runtime log.

beacon endpoint elastic install-pack

Write Elasticsearch, Kibana, Filebeat, and Elastic Agent content to a directory.

beacon endpoint elastic up

Start a local Elasticsearch, Kibana, and Filebeat validation stack.

beacon endpoint elastic down

Stop the local Elastic validation stack.

Runtime log paths

Mode	Path
User mode	`~/.beacon/endpoint/logs/runtime.jsonl`
System mode	`/var/log/beacon-agent/runtime.jsonl`

beacon endpoint elastic print-config

beacon endpoint elastic print-config prints a Filebeat filestream config for the configured Beacon runtime JSONL log.

Print the configuration

beacon endpoint elastic print-config

Use this command when you want to copy the Filebeat input into an existing endpoint shipper configuration.

Examples

Print config for the default per-user Beacon install:

Print config for the default per-user Beacon install

beacon endpoint elastic print-config

Print config for a system-mode MDM deployment:

Print config for a system-mode MDM deployment

sudo /opt/beacon/bin/beacon endpoint elastic print-config --system

Print config for a custom runtime log:

Print config for a custom runtime log

beacon endpoint elastic print-config --log-path /path/to/runtime.jsonl

Flags

Flag	Description
`--user`	Use per-user endpoint paths. Enabled by default
`--system`	Use system endpoint paths and launch daemon
`--log-path <path>`	Runtime JSONL log path

beacon endpoint elastic install-pack

beacon endpoint elastic install-pack writes an Elastic content pack to a directory.

Generate the integration pack

beacon endpoint elastic install-pack --output ./beacon-elastic-pack

The pack includes Filebeat and standalone Elastic Agent configuration, Elasticsearch ILM, component templates, an index template, an ingest pipeline, starter Kibana saved objects, a sample event, and a local Docker Compose validation stack.

Examples

Generate a content pack for the default per-user install:

Generate a content pack for the default per-user install

beacon endpoint elastic install-pack --output ./beacon-elastic-pack

Generate a content pack for a system-mode deployment:

Generate a content pack for a system-mode deployment

sudo /opt/beacon/bin/beacon endpoint elastic install-pack \
  --system \
  --output ./beacon-elastic-pack

Generate a content pack for a custom runtime log:

Generate a content pack for a custom runtime log

beacon endpoint elastic install-pack \
  --output ./beacon-elastic-pack \
  --log-path /path/to/runtime.jsonl

Flags

Flag	Description
`--output <dir>`	Output directory for the Elastic content pack. Defaults to `beacon-elastic-pack`
`--user`	Use per-user endpoint paths. Enabled by default
`--system`	Use system endpoint paths and launch daemon
`--log-path <path>`	Runtime JSONL log path

beacon endpoint elastic up

beacon endpoint elastic up starts a loopback-only local Elasticsearch, Kibana, and Filebeat stack for validating Beacon event ingestion.

Command example

beacon endpoint elastic up --pack-dir ./beacon-elastic-pack

The command creates the pack if it does not exist, ensures the runtime log exists, mounts the runtime log directory into Filebeat, loads Elasticsearch and Kibana assets, and starts the stack with Docker Compose. When the stack is healthy, Beacon events are searchable in the logs-beacon.endpoint-* data stream using the beacon.* fields produced by the ingest pipeline:

When the stack is healthy, Beacon events are searchable in the logs-beacon.endpoint-* data stream using the beacon.* fields produced by the ingest pipeline

curl "http://localhost:9200/logs-beacon.endpoint-*/_search?q=beacon.product:endpoint-agent"
curl "http://localhost:9200/logs-beacon.endpoint-*/_search?q=beacon.prompt.text:%22Beacon%20E2E%22"
curl "http://localhost:9200/logs-beacon.endpoint-*/_search?q=beacon.harness.name:cursor"

Examples

Start the local validation stack with the default pack directory:

Start the local validation stack with the default pack directory

beacon endpoint elastic up

Start with a generated pack directory:

Start with a generated pack directory

beacon endpoint elastic install-pack --output ./beacon-elastic-pack
beacon endpoint elastic up --pack-dir ./beacon-elastic-pack

Use alternate local ports:

Use alternate local ports

BEACON_ELASTIC_ES_PORT=19200 \
BEACON_ELASTIC_KIBANA_PORT=15601 \
beacon endpoint elastic up

Flags

Flag	Description
`--pack-dir <dir>`	Elastic pack directory. Defaults to `beacon-elastic-pack`
`--user`	Use per-user endpoint paths. Enabled by default
`--system`	Use system endpoint paths and launch daemon
`--log-path <path>`	Runtime JSONL log path

elastic up is a macOS local validation helper that expects Docker Desktop or Docker Compose. For production, run Filebeat or standalone Elastic Agent through your endpoint-management system instead.

beacon endpoint elastic down

beacon endpoint elastic down stops the local Elastic validation stack for a generated pack directory.

Command example

beacon endpoint elastic down --pack-dir ./beacon-elastic-pack

Examples

Stop the local validation stack:

Stop the local validation stack

beacon endpoint elastic down

Stop a stack that uses a custom pack directory:

Stop a stack that uses a custom pack directory

beacon endpoint elastic down --pack-dir ./beacon-elastic-pack

Flags

Flag	Description
`--pack-dir <dir>`	Elastic pack directory. Defaults to `beacon-elastic-pack`
`--user`	Use per-user endpoint paths. Enabled by default
`--system`	Use system endpoint paths and launch daemon
`--log-path <path>`	Runtime JSONL log path

Elastic forwarding

Set up local, Elastic Cloud, or self-managed Elastic forwarding.

Log forwarding

Review forwarding patterns and validation steps.

Endpoint agent

Install and inspect the local endpoint agent.

Endpoint event schema

Review normalized Beacon JSONL fields and example events.

​Forwarding Command

​Commands

beacon endpoint elastic print-config

beacon endpoint elastic install-pack

beacon endpoint elastic up

beacon endpoint elastic down

​Runtime log paths

​beacon endpoint elastic print-config

​Examples

​Flags

​beacon endpoint elastic install-pack

​Examples

​Flags

​beacon endpoint elastic up

​Examples

​Flags

​beacon endpoint elastic down

​Examples

​Flags

​Related

Elastic forwarding

Log forwarding

Endpoint agent

Endpoint event schema

Forwarding Command

Commands

Runtime log paths

beacon endpoint elastic print-config

Examples

Flags

beacon endpoint elastic install-pack

Examples

Flags

beacon endpoint elastic up

Examples

Flags

beacon endpoint elastic down

Examples

Flags

Related