Unified telemetry for AI agents, wherever they run.
Docs · Discord · Install · For Security & IT Teams · Dashboard · Commands
Agent Beacon is the world's first open-source telemetry layer for AI agents wherever they run: locally, in CI, or in the cloud.
The problem is that AI agent activity is fragmented across runtimes, leaving teams without a consistent way to get visibility into what agents are doing. Agent Beacon solves this by extending the OpenTelemetry GenAI standard and normalizing runtime events into a unified data model.
Beacon is built to be easy to deploy for Security and IT teams through MDM deployment, CI workflows, and cloud-agent setup paths, and to emit agent harness telemetry logs to all the major enterprise-grade SIEMs.
Learn more in the Agent Beacon Documentation.
Beacon keeps endpoint collection, processing, and inspection local by default, while extending the same normalized event model to CI and cloud-agent telemetry paths under customer control.
- Agent runtime layer: Hooks, OpenTelemetry sources, CI wrappers, and SDKs capture supported activity from AI agent harnesses wherever they run.
- Beacon endpoint layer: Local processing normalizes events, applies retention and redaction settings, and writes durable endpoint telemetry.
- Output layer: Teams inspect events in the local dashboard, retain JSONL, or forward records into all the major enterprise-grade SIEMs.
Beacon captures supported agent harness activity across local endpoints, CI jobs, and cloud-agent surfaces, then writes normalized events that teams can inspect in place or forward into customer-managed security pipelines.
Agent Beacon supports the most popular enterprise agent harnesses across local, CI, and cloud surfaces.
| Agent harness | Collection path | Telemetry coverage |
|---|---|---|
| Antigravity CLI | Native hooks | Prompt, pre-tool, post-tool, stop, invocation, command, and file telemetry where Antigravity exposes hook payloads |
| Claude Code | Local OTLP export plus optional hooks | Prompt, command, tool, file, lifecycle, subagent, and permission telemetry where emitted through OTLP or hooks |
| Codex CLI | Local OTLP logs | Session, prompt, approval, and tool-result activity from Codex semantic logs |
| Cursor | Native hooks | Prompt, tool, shell command, MCP-like, approval, and file edit telemetry |
| Devin CLI | Native hooks | Session, prompt, pre-tool, post-tool, permission request, stop, session-end, approval, and file telemetry |
| Devin Desktop | Cascade/Windsurf hooks | Prompt, command, MCP tool, file read, and file write telemetry where Desktop exposes Cascade hook payloads |
| Factory Droid | OTLP HTTP plus optional hooks | Session, prompt, write/edit/create tool use, stop, session-end, and available OTLP telemetry |
| Gemini CLI | Opt-in local OTLP | Prompts, tool calls, MCP activity, file operations, and approval-related events emitted through OTLP |
| GitHub Copilot CLI | MDM-managed OTLP HTTP | Prompt, session, tool, and approval-like activity emitted through Copilot CLI spans |
| Grok Build | Native hooks | Session, prompt, pre-tool, post-tool, failed tool, stop, session-end, command, and file telemetry |
| OpenCode | Managed plugin hooks | Chat messages, session events, command execution, permission activity, diffs, and errors |
| VS Code | Copilot Chat OTel plus optional preview hooks | Copilot session, prompt, model, and tool activity through OTel; optional hooks for extra lifecycle and cross-agent detail |
| Agent harness | Collection path | Telemetry coverage |
|---|---|---|
| Claude Cowork | Admin-configured OTLP | Prompt, command, tool, and file telemetry when emitted through Claude Cowork OTLP |
| Hermes Agent | Shell hooks | Prompt, observed tool, command, file, approval request and response, session lifecycle, and subagent stop telemetry |
| OpenClaw Gateway | Gateway-configured OTLP/HTTP | OTLP logs, traces, and metrics from the Gateway diagnostics plugin |
| Harness | Collection path | Telemetry coverage |
|---|---|---|
| CI agent telemetry | Temporary local collector through beacon ci exec or beacon ci start / beacon ci finish |
Supported agent prompt, tool, command, file, and run context where emitted during the job |
| Cloud surface | Collection path | Telemetry coverage |
|---|---|---|
| Anthropic | OpenLLMetry instrumentation through @asymptote/sdk |
Supported Anthropic model call spans, errors, and OpenTelemetry attributes |
| Claude Agent SDK | Query wrapper through Observe.wrapClaudeAgentQuery() |
Query root spans with Beacon-compatible prompt attributes |
| Claude Code Cloud Agents | Cloud sandbox hooks with GCS upload | Session, prompt, tool, command, file, and lifecycle telemetry where Claude Code cloud hook payloads expose it |
| Cursor Cloud Agents | Cloud sandbox hooks with GCS upload | Tool, shell command, file, subagent, and compaction telemetry where Cursor cloud hook payloads expose it |
| Devin Cloud Agents | Org-wide API poll via beacon cloud devin pull, with GCS upload |
Session, prompt, agent message, status, pull request, and ACU usage telemetry the Devin sessions API exposes (message-level; the autonomous agent runs no in-sandbox hooks) |
| OpenAI | OpenLLMetry instrumentation through @asymptote/sdk |
Supported OpenAI model call spans, errors, and OpenTelemetry attributes |
| Vercel AI SDK | Tracer handoff through experimental_telemetry |
AI SDK model call and tool spans where telemetry is enabled |
Agent Beacon writes endpoint telemetry to local JSONL by default and supports customer-controlled forwarding into common security information and event management (SIEM), log aggregation, and object storage destinations.
| Destination | Support path |
|---|---|
| CrowdStrike Falcon LogScale HEC | Optional endpoint forwarding with LogScale ingest tokens during install or repair |
| Microsoft Sentinel | Azure Monitor Agent and Data Collection Rule content pack over local JSONL |
| Rapid7 InsightIDR | Custom Logs webhook content pack over local JSONL |
| Splunk HEC | Optional endpoint forwarding during install or repair |
| Sumo Logic | HTTP Logs & Metrics Source content pack over local JSONL |
| Wazuh | Localfile configuration and Beacon Wazuh content pack |
| Destination | Support path |
|---|---|
| AWS CloudWatch Logs | Vector content pack over local JSONL using customer-managed AWS credentials |
| Customer-managed log pipelines | Forwarding from local Beacon JSONL under customer control |
| Datadog | Datadog Agent custom log collection over local JSONL |
| Elastic | Filebeat or Elastic Agent content pack over local JSONL |
| Destination | Support path |
|---|---|
| AWS S3 | Vector content pack over local runtime and inventory JSONL using customer-managed AWS credentials |
| Google Cloud Storage | Vector content pack over local JSONL using customer-managed Google credentials |
| Destination | Support path |
|---|---|
| Local JSONL | Default endpoint log and local dashboard source |
Agent Beacon is designed for Security and IT teams to deploy and validate through standard MDM workflows.
| MDM platform | Support path |
|---|---|
| Fleet | macOS package and user-context deployment helpers |
| Jamf Pro | macOS package, policy scripts, validation, and Extension Attributes |
Beacon includes a local, read-only dashboard for validating endpoint activity without a hosted backend. See the dashboard docs for overview, log search, and runtime JSONL inspection.
Beacon writes endpoint activity to runtime.jsonl and periodic Cursor/Claude
Code configuration inventory metadata to the sibling inventory_state.jsonl.
Local log storage and retention behavior are summarized in the
local testing and logs docs.
For offline threat detection, beacon scan runs open threat rules over local
telemetry with no network access. See the
Threat Rules spec and generated
rule field reference for rule format, CEL
matching, fixtures, and supported event fields.
- Beacon CLI docs — full documentation index.
- Installation — install Beacon locally.
- For Security & IT Teams — rollout, validation, and security workflows.
- Security review — review Beacon's architecture, data handling, and local-only posture.
- Endpoint agent — install, status, repair, and uninstall.
- Dashboard — inspect local runtime logs.
- Endpoint event schema — normalized JSONL event model.
- Supported surfaces — supported runtimes, destinations, and boundaries.
- Command reference — detailed CLI command docs.
See the Quickstart docs for the full setup paths.
Start with the security and IT quickstart and managed deployment guidance for rollout, validation, retention, and SIEM forwarding. For vendor review, see the security review.
Install the released Beacon CLI locally with Homebrew:
brew tap asymptote-labs/tap
brew install beacon
beacon versionOr build from source:
cd cli/beacon
make buildFor setup, deployment, integrations, and command details, see the Beacon CLI docs.