Unified telemetry for AI agents, wherever they run.
Agent Beacon is the world's first open-source telemetry layer for AI agents wherever they run: locally, in CI, or in the cloud.
Beacon started with local endpoint telemetry for security and IT teams that need visibility into AI agent activity on employee machines. It now captures supported runtime activity across local agents, CI agents, and cloud agents, then normalizes that activity into events your team can inspect, retain, and forward under your control.
Beacon is built to be easy to deploy for Security and IT teams through MDM deployment, CI workflows, and cloud-agent setup paths, and to emit agent harness telemetry logs to all the major enterprise-grade SIEMs.
Learn more in the Agent Beacon Documentation.
Beacon keeps endpoint collection, processing, and inspection local by default, while extending the same normalized event model to CI and cloud-agent telemetry paths under customer control.
- Agent runtime layer: Hooks, OpenTelemetry sources, CI wrappers, and SDKs capture supported activity from AI agent harnesses wherever they run.
- Beacon endpoint layer: Local processing normalizes events, applies retention and redaction settings, and writes durable endpoint telemetry.
- Output layer: Teams inspect events in the local dashboard, retain JSONL, or forward records into all the major enterprise-grade SIEMs.
Beacon captures supported agent harness activity across local endpoints, CI jobs, and cloud-agent surfaces, then writes normalized events that teams can inspect in place or forward into customer-managed security pipelines.
Agent Beacon supports the most popular enterprise agent harnesses across local, CI, and cloud surfaces.
| Agent harness | Collection path | Telemetry coverage |
|---|---|---|
| Antigravity CLI | Native hooks | Prompt, pre-tool, post-tool, stop, invocation, command, and file telemetry where Antigravity exposes hook payloads |
| Claude Code | Local OTLP export plus optional hooks | Prompt, command, tool, file, lifecycle, subagent, and permission telemetry where emitted through OTLP or hooks |
| Codex CLI | Local OTLP logs | Session, prompt, approval, and tool-result activity from Codex semantic logs |
| Cursor | Native hooks | Prompt, tool, shell command, MCP-like, approval, and file edit telemetry |
| Devin CLI | Native hooks | Session, prompt, pre-tool, post-tool, permission request, stop, session-end, approval, and file telemetry |
| Devin Desktop | Cascade/Windsurf hooks | Prompt, command, MCP tool, file read, and file write telemetry where Desktop exposes Cascade hook payloads |
| Factory Droid | OTLP HTTP plus optional hooks | Session, prompt, write/edit/create tool use, stop, session-end, and available OTLP telemetry |
| Gemini CLI | Opt-in local OTLP | Prompts, tool calls, MCP activity, file operations, and approval-related events emitted through OTLP |
| GitHub Copilot CLI | MDM-managed OTLP HTTP | Prompt, session, tool, and approval-like activity emitted through Copilot CLI spans |
| Grok Build | Native hooks | Session, prompt, pre-tool, post-tool, failed tool, stop, session-end, command, and file telemetry |
| OpenCode | Managed plugin hooks | Chat messages, session events, command execution, permission activity, diffs, and errors |
| VS Code | Copilot Chat OTel plus optional preview hooks | Copilot session, prompt, model, and tool activity through OTel; optional hooks for extra lifecycle and cross-agent detail |
| Agent harness | Collection path | Telemetry coverage |
|---|---|---|
| Claude Cowork | Admin-configured OTLP | Prompt, command, tool, and file telemetry when emitted through Claude Cowork OTLP |
| Hermes Agent | Shell hooks | Prompt, observed tool, command, file, approval request and response, session lifecycle, and subagent stop telemetry |
| OpenClaw Gateway | Gateway-configured OTLP/HTTP | OTLP logs, traces, and metrics from the Gateway diagnostics plugin |
| Harness | Collection path | Telemetry coverage |
|---|---|---|
| CI agent telemetry | Temporary local collector through `beacon ci exec` or `beacon ci start` / `beacon ci finish` | Supported agent prompt, tool, command, file, and run context where emitted during the job |
| Cloud surface | Collection path | Telemetry coverage |
|---|---|---|
| Claude Code Cloud Agents | Cloud sandbox hooks with GCS upload | Session, prompt, tool, command, file, and lifecycle telemetry where Claude Code cloud hook payloads expose it |
| Cursor Cloud Agents | Cloud sandbox hooks with GCS upload | Tool, shell command, file, subagent, and compaction telemetry where Cursor cloud hook payloads expose it |
| Anthropic | OpenLLMetry instrumentation through `@asymptote/sdk` | Supported Anthropic model call spans, errors, and OpenTelemetry attributes |
| Claude Agent SDK | Query wrapper through `Observe.wrapClaudeAgentQuery()` | Query root spans with Beacon-compatible prompt attributes |
| OpenAI | OpenLLMetry instrumentation through `@asymptote/sdk` | Supported OpenAI model call spans, errors, and OpenTelemetry attributes |
| Vercel AI SDK | Tracer handoff through `experimental_telemetry` | AI SDK model call and tool spans where telemetry is enabled |
Cursor Cloud Agents load project hooks from `.cursor/hooks.json` at task start.
For reliable Cursor Cloud telemetry, commit the generated project hooks to the
target repository and use the cloud setup script only to install Beacon binaries
under `/tmp/beacon/bin`. Generate the project hook file locally with:

```bash
mkdir -p .cursor
beacon cloud cursor print-hooks \
  --binary-path /tmp/beacon/bin/beacon-hooks \
  --log-path /tmp/beacon/runtime.jsonl > .cursor/hooks.json
```

Agent Beacon writes endpoint telemetry to local JSONL by default and supports customer-controlled forwarding into common security information and event management (SIEM), log aggregation, and object storage destinations.
| Destination | Support path |
|---|---|
| CrowdStrike Falcon LogScale HEC | Optional endpoint forwarding with LogScale ingest tokens during install or repair |
| Microsoft Sentinel | Azure Monitor Agent and Data Collection Rule content pack over local JSONL |
| Rapid7 InsightIDR | Custom Logs webhook content pack over local JSONL |
| Splunk HEC | Optional endpoint forwarding during install or repair |
| Sumo Logic | HTTP Logs & Metrics Source content pack over local JSONL |
| Wazuh | Localfile configuration and Beacon Wazuh content pack |
| Destination | Support path |
|---|---|
| AWS CloudWatch Logs | Vector content pack over local JSONL using customer-managed AWS credentials |
| Customer-managed log pipelines | Forwarding from local Beacon JSONL under customer control |
| Datadog | Datadog Agent custom log collection over local JSONL |
| Elastic | Filebeat or Elastic Agent content pack over local JSONL |
| Destination | Support path |
|---|---|
| AWS S3 | Vector content pack over local JSONL using customer-managed AWS credentials |
| Google Cloud Storage | Vector content pack over local JSONL using customer-managed Google credentials |
| Destination | Support path |
|---|---|
| Local JSONL | Default endpoint log and local dashboard source |
Agent Beacon is designed for Security and IT teams to deploy and validate through standard MDM workflows.
| MDM platform | Support path |
|---|---|
| Fleet | macOS package and user-context deployment helpers |
| Jamf Pro | macOS package, policy scripts, validation, and Extension Attributes |
Beacon includes a local, read-only dashboard for validating endpoint activity without a hosted backend. The overview screen summarizes recent runtime events and collection status, while log search helps teams inspect normalized event records during rollout, testing, and investigations.
Beacon writes endpoint activity to a stable local runtime.jsonl file. The
active file rotates at 10 MiB with five numbered local archives, keeping the
endpoint handoff file bounded while external SIEM forwarders continue tailing
the active path. The dashboard reads the active log plus retained numbered
archives for local triage; SIEM destinations remain the source of truth for
long-term retention and search.
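
The following is an added example, not code from the Beacon project: a local triage reader that walks the retained log set oldest-first, tolerates a torn final line in the active file, and flags files that fall outside the five-archive window. The archive naming (`runtime.jsonl.1` through `runtime.jsonl.5`, with `.1` the newest) is an assumption, since this page does not state it.

```python
import json
import sys
from pathlib import Path

ROTATE_BYTES = 10 * 1024 * 1024  # from the page: active file rotates at 10 MiB
MAX_ARCHIVES = 5                 # from the page: five numbered local archives

def rotated_set(active):
    """Existing log files, oldest first: archives N..1, then the active file.
    ASSUMPTION: archives are named '<active>.<n>' and .1 is the newest."""
    active = Path(active)
    names = [f"{active.name}.{n}" for n in range(MAX_ARCHIVES, 0, -1)] + [active.name]
    return [active.with_name(n) for n in names if active.with_name(n).is_file()]

def triage(active):
    """Read the whole retained set and report what a rollout check needs."""
    active = Path(active)
    events, malformed = [], []
    files = rotated_set(active)
    for path in files:
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if not line.strip():
                    continue
                try:
                    obj = json.loads(line)
                except json.JSONDecodeError:
                    obj = None
                if isinstance(obj, dict):
                    events.append(obj)
                else:
                    # A torn write at the tail of the active file, or a damaged line.
                    malformed.append((path.name, lineno))
    known = {p.name for p in files}
    stray = sorted(p.name for p in active.parent.glob(active.name + ".*")
                   if p.name not in known)
    return {
        "files": [p.name for p in files],
        "events": events,
        "malformed": malformed,
        "stray": stray,  # e.g. a .6 archive: old files are not being pruned
        "bytes": sum(p.stat().st_size for p in files),
        "bound": ROTATE_BYTES * (MAX_ARCHIVES + 1),  # nominal ceiling of the set
    }

if __name__ == "__main__":
    report = triage(sys.argv[1] if len(sys.argv) > 1 else "runtime.jsonl")
    print({k: (len(v) if k == "events" else v) for k, v in report.items()})
```

A growing `malformed` list outside the last line of the active file, or any `stray` entry, is worth investigating before relying on the endpoint file as the forwarder handoff.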
- Beacon CLI docs — full documentation index.
- Installation — install Beacon locally.
- For Security & IT Teams — rollout, validation, and security workflows.
- Security review — review Beacon's architecture, data handling, and local-only posture.
- Endpoint agent — install, status, repair, and uninstall.
- Dashboard — inspect local runtime logs.
- Endpoint event schema — normalized JSONL event model.
- Supported surfaces — supported runtimes, destinations, and boundaries.
- Command reference — detailed CLI command docs.
See the Quickstart docs for the full setup paths.
Start with the security and IT quickstart and managed deployment guidance for rollout, validation, retention, and SIEM forwarding. For vendor review, see the security review.
Install the released Beacon CLI locally with Homebrew:

```bash
brew tap asymptote-labs/tap
brew install beacon
beacon version
```

Or build from source:

```bash
cd cli/beacon
make build
```

For setup, deployment, integrations, and command details, see the Beacon CLI docs.