Telltale

Telemetry Output

Telltale emits compact JSONL events for local review, forwarding, dashboards, and alerting. The default scan path writes one canonical JSON object per line to a local file; optional delivery paths can wrap the same event body for a specific sink without changing the event schema.

Default JSONL sink

By default, adr scan appends telemetry to logs/adr-events.jsonl:

Write events locally

```sh
cargo run -- scan --once --emit-activity --log-path logs/adr-events.jsonl
```

Use --dry-run when validating fixtures or command behavior without writing events.

Event families

Common event types include:

  • activity: redacted per-session activity summaries.
  • detection: rule matches, risk scores, categories, and response guidance.
  • session_risk_summary: optional per-session rollups from already-redacted activity and detection events.
  • scanner_health: source-discovery and scanner health status.
  • scanner_error: parser or scan errors that should be visible to operators.
  • correlation: cross-session patterns built from emitted telemetry.

Optional activity and session summaries

Enable optional activity and session summary events when dashboards need more than detection-only output:

Enable activity and session summaries

```sh
cargo run -- scan --once --emit-activity --emit-session-risk-summary --log-path logs/adr-events.jsonl
```

Session risk summaries provide one compact row per agent session for dashboards.

Privacy boundary

Telemetry should be useful without becoming a transcript dump. Telltale emits redacted excerpts, evidence hashes, rule IDs, risk scores, source metadata, and bounded context by default. It should not emit raw secrets, full auth files, raw private keys, complete .env values, or full session bodies.

Forwarding to SIEMs

Forward the JSONL file with the shipper or collector your environment already uses. A safe starter pattern:

  • Write events locally with --log-path.
  • Validate the event shape against the schema.
  • Configure the shipper to read only the JSONL event path.
  • Keep human-readable diagnostics, scanner state, credentials, and raw agent session stores outside the forwarded telemetry path.
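The "validate the event shape" step above, as an added example that is not part of Telltale's own code. It treats a JSONL file the way a pre-shipper filter would: each line must parse, carry one of the documented event families, and carry the fields that family needs, and no string in it may contain raw key material that would cross the privacy boundary. The field names (`event_type`, `ts`, `session_id`, `rule_id`, `risk_score`, `excerpt`, `evidence_hash`, `status`, `message`, `session_ids`) and the per-family required sets are assumptions for illustration and should be replaced with the project's published schema; the sample lines are constructed, not real scanner output.

```python
"""Filter Telltale-style JSONL events before a shipper forwards them.

Added example, not Telltale's own code. The field names and the required-field
sets below are assumptions chosen to illustrate the check, not the real schema.
"""
import json
import re
from typing import Iterator, List, Optional, Tuple

# Event families named in the documentation.
KNOWN_EVENT_TYPES = {
    "activity", "detection", "session_risk_summary",
    "scanner_health", "scanner_error", "correlation",
}

# Assumed required fields per family (illustrative, not the project's schema).
REQUIRED_FIELDS = {
    "detection": {"ts", "session_id", "rule_id", "risk_score", "excerpt", "evidence_hash"},
    "activity": {"ts", "session_id"},
    "session_risk_summary": {"ts", "session_id", "risk_score"},
    "scanner_health": {"ts", "status"},
    "scanner_error": {"ts", "message"},
    "correlation": {"ts", "session_ids"},
}

# Shapes that mean the privacy boundary was crossed: raw key material or whole
# credential lines must never reach the forwarded telemetry path.
LEAK_PATTERNS = [
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),   # PEM private key block
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                  # AWS access key id shape
    re.compile(r"(?m)^[A-Z_]{3,}=\S{16,}$"),              # complete .env KEY=value line
]


def _string_values(obj) -> Iterator[str]:
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _string_values(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _string_values(v)


def check_event(line: str) -> Tuple[Optional[dict], Optional[str]]:
    """Return (event, None) if the line may be forwarded, else (None, reason)."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError as exc:
        return None, f"malformed json: {exc.msg}"
    if not isinstance(event, dict):
        return None, "event is not a json object"
    etype = event.get("event_type")
    if etype not in KNOWN_EVENT_TYPES:
        return None, f"unknown event_type: {etype!r}"
    missing = REQUIRED_FIELDS[etype] - set(event)
    if missing:
        return None, f"{etype} missing fields: {sorted(missing)}"
    for value in _string_values(event):
        for pat in LEAK_PATTERNS:
            if pat.search(value):
                return None, f"privacy boundary violated by pattern {pat.pattern!r}"
    return event, None


def filter_events(lines: List[str]) -> Tuple[List[dict], List[Tuple[int, str]]]:
    """Split JSONL lines into forwardable events and (line number, reason) rejections."""
    accepted, rejected = [], []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        event, reason = check_event(line)
        if event is None:
            rejected.append((n, reason))
        else:
            accepted.append(event)
    return accepted, rejected


# Constructed sample lines, not output from a real Telltale run.
SAMPLE_JSONL = [
    '{"event_type":"detection","ts":"2024-01-01T00:00:00Z","session_id":"s1","rule_id":"R-EXAMPLE","risk_score":72,"category":"credential-access","excerpt":"cat ~/.aws/cred[REDACTED]","evidence_hash":"sha256:0000"}',
    '{"event_type":"scanner_health","ts":"2024-01-01T00:00:01Z","status":"ok"}',
    '{"event_type":"detection","ts":"2024-01-01T00:00:02Z","session_id":"s1","rule_id":"R-EXAMPLE","risk_score":90,"excerpt":"-----BEGIN RSA PRIVATE KEY-----\\nMIIE...","evidence_hash":"sha256:1111"}',
    '{"event_type":"chat_transcript","ts":"2024-01-01T00:00:03Z","body":"..."}',
    '{"event_type":"activity","ts":"2024-01-01T00:00:04Z"}',
    'not json at all',
]

if __name__ == "__main__":
    ok, bad = filter_events(SAMPLE_JSONL)
    print(f"forwarding {len(ok)} events, rejected {len(bad)}")
    for n, reason in bad:
        print(f"  line {n}: {reason}")
```

Run against the constructed sample, two events pass and four are rejected: the unredacted private key, the undocumented event family, the activity row with no session id, and the unparseable line. Rejections are reported with a line number and reason so the operator can fix the scanner configuration rather than silently losing telemetry; the rejected line content itself is deliberately not echoed, since it may be exactly the material that should not leave the host.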

Optional export and sink paths

The canonical event payload remains the same across delivery paths:

Export existing JSONL

```sh
adr export --format jsonl
```

Reads existing JSONL telemetry.

Export for Elasticsearch

```sh
adr export --format elastic-bulk
```

Writes Elasticsearch Bulk API pairs.

Splunk HEC

```sh
adr scan --splunk-hec-endpoint ... --splunk-hec-token ...
```

Posts events through a Splunk HEC envelope when a deployment explicitly opts in.
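The claim that the canonical event body stays the same across delivery paths, shown as an added example rather than Telltale's own export code. One constructed detection event is rendered three ways: as a canonical JSONL line, as an Elasticsearch Bulk API action/document pair, and inside a Splunk HEC envelope, and each payload is unwrapped again to confirm the body is byte-for-byte the same object. The index name `telltale-events`, the sourcetype `telltale:event`, and the event fields are assumptions for illustration.

```python
"""Wrap one canonical event for different sinks without altering the event body.

Added example, not Telltale's own export code. Index name, sourcetype and the
event fields are assumptions for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed canonical event (fields assumed, not the project's real schema).
CANONICAL_EVENT = {
    "event_type": "detection",
    "ts": "2024-01-01T00:00:00Z",
    "session_id": "s1",
    "rule_id": "R-EXAMPLE",
    "risk_score": 72,
    "excerpt": "cat ~/.aws/cred[REDACTED]",
    "evidence_hash": "sha256:0000",
}


def to_jsonl(event: dict) -> str:
    """Canonical form: one compact JSON object per line, keys sorted for stable diffs."""
    return json.dumps(event, separators=(",", ":"), sort_keys=True)


def to_elastic_bulk(event: dict, index: str = "telltale-events") -> str:
    """Elasticsearch Bulk API pair: an action line, then the unchanged document line."""
    action = {"index": {"_index": index}}
    return to_jsonl(action) + "\n" + to_jsonl(event) + "\n"


def event_epoch(event: dict) -> float:
    """Unix time for the HEC `time` field, derived from the event's UTC timestamp."""
    ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp()


def to_splunk_hec(event: dict, sourcetype: str = "telltale:event") -> str:
    """Splunk HEC envelope: routing metadata around an unchanged `event` body."""
    envelope = {
        "time": event_epoch(event),
        "sourcetype": sourcetype,
        "event": event,
    }
    return to_jsonl(envelope)


def unwrap(sink: str, payload: str) -> dict:
    """Recover the event body from each sink format to show the schema is unchanged."""
    if sink == "jsonl":
        return json.loads(payload)
    if sink == "elastic-bulk":
        action_line, doc_line = payload.rstrip("\n").split("\n")
        if "index" not in json.loads(action_line):
            raise ValueError("bulk pair must start with an index action")
        return json.loads(doc_line)
    if sink == "splunk-hec":
        return json.loads(payload)["event"]
    raise ValueError(f"unknown sink {sink!r}")


RENDERERS = {
    "jsonl": to_jsonl,
    "elastic-bulk": to_elastic_bulk,
    "splunk-hec": to_splunk_hec,
}


def round_trips(event: dict) -> bool:
    """True when every sink's payload unwraps back to the identical event body."""
    return all(unwrap(sink, render(event)) == event for sink, render in RENDERERS.items())


if __name__ == "__main__":
    for sink, render in RENDERERS.items():
        print(f"--- {sink} ---\n{render(CANONICAL_EVENT)}")
    print("body unchanged across sinks:", round_trips(CANONICAL_EVENT))
```

Keeping the sink-specific wrapping in a separate layer is what lets the forwarding rules stay simple: the shipper only ever needs to read the canonical JSONL path, and any validation or redaction check written against the canonical schema applies unchanged to every delivery path.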