
SIEM Forwarding

Beacon writes normalized endpoint events as JSONL. Security teams can ingest that local runtime log with Wazuh localfile configuration, enable Beacon’s built-in Splunk HTTP Event Collector (HEC) destination, or route the JSONL log through another customer-managed log shipper. The stable audit point is the local runtime.jsonl file and the Beacon endpoint event schema. Splunk HEC export is additive: Beacon still writes the local runtime log while the bundled collector sends logs, traces, and metrics to the configured HEC endpoint.

Runtime log paths

Mode          Runtime log
User mode     ~/.beacon/endpoint/logs/runtime.jsonl
System mode   /var/log/beacon-agent/runtime.jsonl
Use system mode for MDM deployments so endpoint events land in the shared system log path.

Forwarding options

Wazuh

Use Wazuh localfile ingestion with Beacon-generated config, rules, and validation events.

Splunk HEC

Send Beacon collector signals to Splunk HTTP Event Collector while preserving local JSONL.

Quick examples

Wazuh localfile

Use Beacon’s Wazuh commands to generate localfile configuration, rules, sample content, and validation events.
beacon endpoint wazuh print-config --system
beacon endpoint wazuh install-pack --system --output ./beacon-wazuh
beacon endpoint wazuh validate --system
print-config emits the localfile snippet for an existing Wazuh agent configuration. install-pack writes a file-based bundle with rules and config snippets. validate writes a known-good Beacon event to the runtime log so you can confirm ingestion.

Splunk HEC

Configure Beacon’s collector to send logs, traces, and metrics to Splunk HEC:
beacon endpoint install \
  --splunk-hec-endpoint https://splunk.example:8088/services/collector \
  --splunk-hec-token "$SPLUNK_HEC_TOKEN" \
  --splunk-index beacon
Recommended settings:
  • Use --splunk-source beacon-endpoint-agent unless your Splunk convention requires another source.
  • Use --splunk-sourcetype beacon:endpoint unless your Splunk convention requires another sourcetype.
  • Use --splunk-ca-file <path> for private CA trust, or --splunk-insecure-skip-verify only for testing.
  • Keep the HEC token in your endpoint-management secret store.
  • Validate the destination with beacon endpoint status --json.

Customer-managed log shipper

For Elastic, Datadog, or another SIEM, configure your existing forwarder to read the Beacon runtime log and preserve each JSONL line as one event. Recommended settings:
  • Read from /var/log/beacon-agent/runtime.jsonl for system deployments.
  • Treat each line as a complete JSON event.
  • Preserve the raw Beacon JSON for investigation.
  • Use the vendor, product, event, actor, endpoint, process, file, tool, mcp, approval, and health fields for parsing and routing.
  • Validate forwarding after deployment by writing a Beacon validation event.
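The following is an added illustration of what a customer-managed shipper has to do with the runtime log; it is not Beacon's own code or part of this documentation. It reads the JSONL line by line, keeps the raw line alongside the parsed object, counts and skips malformed lines instead of aborting, routes on the top-level event field, and wraps each event in a Splunk HEC envelope with the source and sourcetype values recommended above. The sample lines, the routing map, and the shape of the nested event object are constructed assumptions; the real field contents are defined by the Beacon endpoint event schema page.

```python
import json
import urllib.request
from dataclasses import dataclass, field
from typing import Iterable, Iterator, Tuple

# Constructed sample runtime.jsonl content (not real Beacon output). Top-level
# field names follow the schema fields listed in the docs; the nested values
# and the non-JSON line are assumptions used to exercise the shipper.
SAMPLE_RUNTIME_JSONL = (
    '{"vendor":"asymptote","product":"beacon","event":{"category":"health","action":"validate"},"health":{"status":"ok"}}\n'
    '{"vendor":"asymptote","product":"beacon","event":{"category":"process","action":"exec"},"actor":{"user":"alice"},"process":{"name":"bash"}}\n'
    'this line is not JSON and must not crash the shipper\n'
    '{"vendor":"asymptote","product":"beacon","event":{"category":"policy","action":"block"},"tool":{"name":"curl"}}\n'
)

# Assumed routing table keyed on event.category; adjust to your SIEM's conventions.
ROUTE_BY_CATEGORY = {"health": "beacon-health", "policy": "beacon-alerts"}
DEFAULT_ROUTE = "beacon-endpoint"


@dataclass
class ShippedEvent:
    raw: str       # exact JSONL line, preserved for investigation
    parsed: dict   # parsed object used for routing and field extraction
    route: str     # destination chosen from the event fields


@dataclass
class ShipStats:
    shipped: int = 0
    malformed: int = 0
    routes: dict = field(default_factory=dict)


def route_for(event: dict) -> str:
    """Pick a destination from the top-level event field (assumed structure)."""
    inner = event.get("event")
    category = inner.get("category") if isinstance(inner, dict) else None
    return ROUTE_BY_CATEGORY.get(category, DEFAULT_ROUTE)


def read_events(lines: Iterable[str], stats: ShipStats) -> Iterator[ShippedEvent]:
    """Treat each non-empty line as one complete JSON event; skip what does not parse."""
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        try:
            parsed = json.loads(line)
        except json.JSONDecodeError:
            stats.malformed += 1
            continue
        if not isinstance(parsed, dict):
            stats.malformed += 1
            continue
        route = route_for(parsed)
        stats.shipped += 1
        stats.routes[route] = stats.routes.get(route, 0) + 1
        yield ShippedEvent(raw=line, parsed=parsed, route=route)


def ship_runtime_log(text: str) -> Tuple[list, ShipStats]:
    """Convenience wrapper: parse a whole JSONL document and return events plus stats."""
    stats = ShipStats()
    events = list(read_events(text.splitlines(keepends=True), stats))
    return events, stats


def to_hec_envelope(ev: ShippedEvent, index: str = "beacon",
                    source: str = "beacon-endpoint-agent",
                    sourcetype: str = "beacon:endpoint") -> dict:
    """Splunk HEC event envelope; the Beacon JSON object becomes the event body."""
    return {"index": index, "source": source, "sourcetype": sourcetype, "event": ev.parsed}


def build_hec_request(endpoint: str, token: str, envelopes: list) -> urllib.request.Request:
    """Build (but do not send) one batched HEC POST: newline-joined envelopes, Splunk token header."""
    body = "\n".join(json.dumps(e) for e in envelopes).encode("utf-8")
    return urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    evs, st = ship_runtime_log(SAMPLE_RUNTIME_JSONL)
    print(f"shipped={st.shipped} malformed={st.malformed} routes={st.routes}")
    req = build_hec_request("https://splunk.example:8088/services/collector",
                            "placeholder-token", [to_hec_envelope(e) for e in evs])
    print(req.get_method(), req.full_url, len(req.data), "bytes")
```

The request is built but never sent here so the example runs offline; in a real shipper you would send it through urllib or requests with the private CA configured, and keep the malformed-line counter as a health signal, since a rising count usually means the log is being rotated or truncated under the reader.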

Validation

After installing or repairing Beacon, confirm the endpoint state and write a validation event:
sudo /opt/beacon/bin/beacon endpoint status --system --json
sudo /opt/beacon/bin/beacon endpoint wazuh validate --system
If the validation event is not visible downstream, verify that the runtime log exists, is writable, and is the same path your Wazuh agent or customer-managed shipper is reading. For Splunk HEC, also confirm beacon endpoint status --json reports destinations.splunk_hec.configured: true.
sudo test -w /var/log/beacon-agent/runtime.jsonl
sudo launchctl print system/com.beacon.endpoint.collector
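As an added example that is not part of this documentation or of Beacon, the following Python automates the troubleshooting step described above: check that the runtime log exists and is writable, record the end-of-file offset before running the validate command, then read only the lines appended afterwards and confirm that at least one complete JSON event arrived. It uses a temporary file in place of /var/log/beacon-agent/runtime.jsonl so it runs without a Beacon install; the sample event contents are constructed assumptions.

```python
import json
import os
import tempfile
from pathlib import Path
from typing import List

# Real system-mode path from the docs; used only if you call these helpers on a live host.
SYSTEM_RUNTIME_LOG = Path("/var/log/beacon-agent/runtime.jsonl")


def preflight(path: Path) -> dict:
    """Same checks as the manual steps: regular file, writable by the caller, current size."""
    is_file = path.is_file()
    return {
        "exists": is_file,
        "writable": os.access(path, os.W_OK) if is_file else False,
        "size": path.stat().st_size if is_file else 0,
    }


def mark(path: Path) -> int:
    """Record the end-of-file offset before running `beacon endpoint wazuh validate`."""
    return path.stat().st_size


def new_events_since(path: Path, offset: int) -> List[dict]:
    """Return every complete JSON event appended after `offset`, ignoring a partial last line."""
    events = []
    with path.open("rb") as fh:
        fh.seek(offset)
        for raw in fh:
            if not raw.endswith(b"\n"):
                break  # still being written; it will be complete on the next read
            try:
                events.append(json.loads(raw))
            except json.JSONDecodeError:
                continue
    return events


def demo() -> dict:
    """Run the whole check against a constructed temp file standing in for runtime.jsonl."""
    with tempfile.TemporaryDirectory() as d:
        log = Path(d) / "runtime.jsonl"
        log.write_text('{"vendor":"asymptote","product":"beacon","event":{"category":"process"}}\n')
        before = preflight(log)
        offset = mark(log)
        # Stand-in for the validate command appending its known-good event,
        # followed by a partial line to show that in-progress writes are skipped.
        with log.open("a") as fh:
            fh.write('{"vendor":"asymptote","product":"beacon","event":{"category":"health","action":"validate"}}\n')
            fh.write('{"truncated": ')
        appended = new_events_since(log, offset)
        return {"preflight": before, "appended": appended}


if __name__ == "__main__":
    result = demo()
    print("preflight:", result["preflight"])
    print("events appended after mark:", len(result["appended"]))
```

On a live host, call preflight(SYSTEM_RUNTIME_LOG) and mark(SYSTEM_RUNTIME_LOG) before the validate command and new_events_since afterwards; an empty list with a healthy preflight means the event never reached the file, while a non-empty list with nothing downstream points at the shipper's path or parser rather than at Beacon.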

Event schema

Beacon endpoint events share a stable schema across supported runtime sources. The generated Wazuh content can identify telemetry health issues, command and MCP activity, policy blocks, endpoint health failures, prompt and tool workflow telemetry, file activity, and tool failures while preserving the raw Beacon JSON.

Endpoint event schema

Review normalized Beacon JSONL fields and example events.

Wazuh

Print Wazuh config, generate rules, and validate ingestion.

Splunk HEC

Configure Splunk HTTP Event Collector forwarding for Beacon events.