Sentinel (Beacon)
Headless daemon for unattended remote access to servers and kiosks. Install with a single command, runs as a system service.
Overview
The Sentinel (also called Beacon) is a minimal headless daemon — approximately 500KB on disk and ~2MB RAM at rest. It requires no GUI and is designed for servers, kiosks, and other unattended machines.
The beacon acts as a "doorbell" — it listens for authenticated, signed wake requests from the Syslok server. When a request arrives, it downloads and launches the ephemeral agent with pre-authorized credentials. The beacon itself cannot control anything on the machine. It only listens and wakes the agent on demand.
Installation
Install the beacon with a single command. There are two registration methods:
Using a pre-registered token (from the dashboard)
Using an enrollment code (self-registration)
--token uses a beacon token that was pre-registered in the Syslok dashboard. The device is already known to the server before installation.
--enroll uses an enrollment code for self-registration. The device registers itself with the server during installation. Useful for bulk deployments where you distribute a shared enrollment code.
What the Installer Does
- Detects platform — Identifies the operating system (Linux, macOS, FreeBSD) and CPU architecture (x86_64, aarch64, armv7).
- Downloads beacon binary — Fetches the correct binary for the detected platform and verifies its signature.
- Creates config file — Writes the configuration to /opt/syslok-beacon/config/config.json with the server URL and credentials.
- Creates service user — On Linux, creates a dedicated syslok-beacon user with minimal privileges.
- Installs system service — Registers the beacon as a system service (systemd, launchd, or rc.d depending on platform).
- Starts and verifies — Starts the service and confirms it is running and connected to the server.
Service Management
Linux (systemd)
macOS (launchd)
FreeBSD (rc.d)
Configuration
The beacon configuration file is located at /opt/syslok-beacon/config/config.json.
Configuration can also be set via CLI arguments or environment variables:
| Config Key | Environment Variable |
|---|---|
| server_url | SYSLOK_SERVER_URL |
| beacon_token | SYSLOK_BEACON_TOKEN |
| heartbeat_interval | SYSLOK_HEARTBEAT_INTERVAL |
How Unattended Access Works
- The beacon sends a heartbeat to the server every 30 seconds (configurable) to signal that the machine is online.
- When an operator initiates a session from the dashboard, the server sends a signed wake command to the beacon.
- The beacon verifies the signature, then downloads and runs the ephemeral agent with pre-authorized credentials.
- No consent prompt is displayed — this is unattended access by design. The machine owner authorized it when they installed the beacon.
- The ephemeral agent auto-expires based on the session TTL. When the session ends, the agent self-destructs as usual.
Supported Platforms
| Platform | Architectures | Service Manager |
|---|---|---|
| Linux | x86_64, aarch64, armv7 | systemd |
| macOS | Apple Silicon, Intel | launchd |
| FreeBSD | x86_64 | rc.d |
Uninstall
To completely remove the beacon from a machine, run the installer script with the --uninstall flag:
The uninstaller performs the following steps:
- Stops the beacon service
- Removes the service registration (systemd unit, launchd plist, or rc.d script)
- Deletes the binary and configuration files from /opt/syslok-beacon/
- Removes the syslok-beacon service user (Linux)