Supported Surfaces
Beacon is visibility-first endpoint telemetry for local AI agent runtimes. The public build observes supported runtime activity, writes normalized local JSONL, and supports Wazuh localfile, optional Splunk HEC export, or customer-managed forwarding.
Support matrix
| Area | Current support |
|---|---|
| AI runtimes | Claude Code and Codex CLI through local OTLP configuration; Cursor through hooks; Claude Cowork through admin-configured OTLP and validation |
| Deployment | Homebrew, default per-user install, explicit system-mode install, macOS launchd service files, and signed/notarized .pkg deployment through Jamf Pro, Fleet, or another macOS MDM |
| Local storage | User-mode log at ~/.beacon/endpoint/logs/runtime.jsonl; system-mode log at /var/log/beacon-agent/runtime.jsonl |
| Inspection | Local dashboard bound to loopback by default |
| Wazuh | Localfile config, rule pack, sample event, and validation event through beacon endpoint wazuh |
| Splunk HEC | Optional collector destination for logs, traces, and metrics through beacon endpoint install or beacon endpoint repair |
| Forwarding | Wazuh localfile ingestion, built-in Splunk HEC export, or customer-managed forwarding from local JSONL to another SIEM pipeline |
Runtime support
Beacon supports multiple runtime surfaces because each AI agent runtime exposes telemetry differently:
- Claude Code: configured to export OpenTelemetry to Beacon’s localhost collector.
- Codex CLI: configured through ~/.codex/config.toml to export OpenTelemetry logs, traces, and metrics to Beacon’s localhost collector. Beacon disables prompt text logging and filters noisy internal Codex transport spans before writing endpoint events.
- Cursor: configured through hooks that invoke the embedded beacon-hooks adapter for session, prompt, tool, command, MCP-like, approval, and file edit telemetry where payloads are available.
- Claude Cowork: configured in Claude organization settings and validated with Beacon’s Claude Cowork integration commands.
MDM deployment
For MDM deployments, use the signed and notarized macOS .pkg so endpoint events land in /var/log/beacon-agent/runtime.jsonl. The package installs Beacon under /opt/beacon, creates system endpoint configuration, loads the local collector LaunchDaemon, and supports Jamf Pro, Fleet, or another macOS MDM.
Use the MDM deployment guide for rollout details, beacon endpoint install for endpoint configuration details, and beacon endpoint status to inspect collector, service, harness, diagnostic, and runtime log state after deployment.
If a system collector is running while the CLI is reading the default per-user log, beacon endpoint status and the local dashboard surface a runtime-log source warning so you can tell where OTLP events are being written.
Wazuh integration
Beacon’s Wazuh integration consumes the local JSONL runtime log through Wazuh localfile ingestion. Use beacon endpoint wazuh print-config to print the localfile snippet, beacon endpoint wazuh install-pack to generate rules and sample content, and beacon endpoint wazuh validate to write a known-good validation event.
The generated Wazuh content is built around the Beacon event contract. It can identify telemetry health issues, command and MCP activity, policy blocks, endpoint health failures, prompt and tool workflow telemetry, file activity, and tool failures while preserving the raw Beacon JSON for investigation.
For Splunk HEC, configure Beacon with the Splunk destination flags on beacon endpoint install or beacon endpoint repair. Beacon still writes the local JSONL audit log while the bundled collector forwards logs, traces, and metrics to HEC. For Elastic, Datadog, or another SIEM, use a customer-managed forwarder to read the Beacon runtime log and preserve each JSONL line as one event.
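One way a customer-managed forwarder can keep the one-line-one-event guarantee while polling the runtime log is sketched below. This is an added example, not Beacon code: the function names and the polling design are assumptions, and the sample lines are constructed placeholders that do not reflect Beacon's event contract.

```python
import json
import os
import tempfile

def read_new_events(path, offset):
    """Return (events, rejects, new_offset) for lines appended since offset."""
    if os.path.getsize(path) < offset:   # truncated or rotated: start over
        offset = 0
    events, rejects = [], []
    with open(path, "rb") as fh:
        fh.seek(offset)
        for raw in fh:
            if not raw.endswith(b"\n"):  # writer is mid-line; retry next poll
                break
            offset += len(raw)
            line = raw.rstrip(b"\r\n")
            if not line:
                continue
            try:
                text = line.decode("utf-8")
                json.loads(text)         # validate only; never re-serialize
            except ValueError:
                rejects.append(line)     # keep for triage instead of dropping
                continue
            events.append(text)          # the raw line, unchanged, as one event
    return events, rejects, offset

def demo():
    """Two polls over a constructed log; field names are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "runtime.jsonl")
        with open(path, "wb") as fh:
            fh.write(b'{"sample": 1}\n' b'not json\n' b'{"sample": 2, "par')
        first = read_new_events(path, 0)
        with open(path, "ab") as fh:     # the writer finishes the third line
            fh.write(b'tial": true}\n')
        second = read_new_events(path, first[2])
        return first, second

if __name__ == "__main__":
    for events, rejects, offset in demo():
        print(offset, events, rejects)
```

Persist the returned offset between polls so a forwarder restart neither replays nor skips events, and ship each string in `events` to the SIEM without re-encoding it.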
Current boundaries
Beacon does not currently provide kernel or process monitoring, shell history collection, cloud audit ingestion, browser or SaaS telemetry, credential-use attribution, MCP configuration inventory, or direct Datadog/Elastic exporters.
Related
Installation
Install Beacon and understand the files it manages.
MDM deployment
Deploy Beacon through Jamf Pro, Fleet, or another macOS MDM.
Jamf
Deploy Beacon with Jamf Pro policies and extension attributes.
Fleet
Deploy Beacon with Fleet software, policies, queries, and scripts.
SIEM forwarding
Forward Beacon events to Wazuh, Splunk HEC, or customer-managed SIEM pipelines.

