Kolide Side Dishes

At Kolide, we typically ship changes and improvements to the product multiple times a day. The vast majority of these changes are modest improvements not worthy of their own change-log post, but together, they can make a big difference.

While we are working on some 25-pound-turkey-sized features we plan on announcing soon, we thought we'd let you dig into some of these side dishes first! Enjoy.

UX Improvements

Tools Menu

Depending on your level of access to Kolide, you may notice a new item in the main navigation called "Tools". This menu now houses all of the useful features of the product that don't quite need top-billing, but also do not belong in the "settings" section of the website.

Speaking of tools, the "Reporting DB" feature listed here is a feature we are currently beta testing with a few customers. If you are interested in being able to programmatically access all of the data we collect about a device in inventory, and eventually build your own reports on that data with SQL, please reach out to us via Intercom or support@kolide.co and we'd be happy to include you in our next round of testers!

Log Pipeline

The biggest change here is Log Pipeline, a feature that allows you to unlock the full power of the osquery daemon we deploy in the Kolide agent. This feature is now easier to find, and users with access to it can also reach related features like creating FIM categories, configuring osquery options, and setting up your own custom decorators!

As users of the Log Pipeline ourselves, we think all these items living together is a much more intuitive experience. Let us know what you think!

Improved Context For Slack Notifications

When an end-user successfully fixes a failing check, Kolide shows them a congratulatory message. Sometimes though, depending on the timing of the message, or where the message appeared, there might be some confusion about what device this message is referencing.

After a customer pointed this out, we decided to add some additional context to these messages so it's always clear which device Kolide is congratulating you about!

Search By Device and Person ID

If you are a regular user of our API (or are just really good at remembering numbers you see in your browser's location bar), you may have tried to look up a device or person by their Kolide-generated ID in our global search bar. Starting today, searching for either devices or people by their ID works as you would expect!

Performance Improvements

Live Query

If you are a regular user of Live Query, you may have noticed that devices now return up to 10x faster after querying them, and present any informational warnings or errors without requiring a page reload! Kolide now better leverages websockets to deliver this information at a much faster pace.

Device CSV Exports

We had reports from several customers that exporting the list of devices via CSV could take a long time. After investigating the issue we were able to improve the speed of this export by over 100x!

Improved User To Device Association

We've made some changes to how we build custom packages and optimized our initial device data population routines to improve both the accuracy and the speed with which we are able to assign users to a device. Additionally, the file names we generate for the custom packages are now much shorter!

API Changes

Based on a customer request, we've now added a product_image_url field to the device API endpoint. In many cases (and in all cases on Apple products), this new field features the visage of the exact hardware model enrolled in Kolide. For those of you creating your own internal experiences, these device images can help give you and your end-users the confidence that they are viewing the right device.

Speaking of product images, we've also added updated product images for all of the new M1 Macs released by Apple earlier this month, and we've changed many of the icons on the widgets featured in the device detail pages to match the changes in macOS Big Sur!

On the log pipeline side, we've also added remote_ip, device_owner_email, and device_owner_type to the kolide_decorations object in the logs emitted by the log pipeline. This will allow you to easily correlate device activity with specific individuals, for example in integrations with IdP and authentication services.
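As an added illustration (not Kolide's code), here is how a consumer of the pipeline might use those three decoration fields to group activity by person and to notice when a device's remote_ip changes between records, which is the kind of cue you would compare against the IdP's sign-in records for the same person. The sample lines are constructed; the envelope keys (name, hostIdentifier, unixTime, columns) follow osquery's standard result-log format, and the assumption that the decorations sit under a top-level kolide_decorations key with a device_id field is just that, an assumption.

```python
import json
from collections import defaultdict

# Constructed sample lines in osquery's JSON result-log shape, carrying the
# kolide_decorations object described above. The exact envelope Kolide emits,
# and the presence of a device_id decoration, are assumptions for this example.
SAMPLE_LOG = """\
{"name":"processes","hostIdentifier":"lap-01","unixTime":1607000000,"columns":{"name":"sshd","pid":"412"},"kolide_decorations":{"device_id":"101","remote_ip":"203.0.113.10","device_owner_email":"alice@example.com","device_owner_type":"Person"}}
{"name":"processes","hostIdentifier":"lap-02","unixTime":1607000060,"columns":{"name":"bash","pid":"77"},"kolide_decorations":{"device_id":"102","remote_ip":"198.51.100.7","device_owner_email":"bob@example.com","device_owner_type":"Person"}}
{"name":"processes","hostIdentifier":"lap-01","unixTime":1607000120,"columns":{"name":"curl","pid":"913"},"kolide_decorations":{"device_id":"101","remote_ip":"192.0.2.44","device_owner_email":"alice@example.com","device_owner_type":"Person"}}
not json at all
{"name":"processes","hostIdentifier":"srv-01","unixTime":1607000180,"columns":{"name":"nginx","pid":"5"},"kolide_decorations":{"device_id":"103","remote_ip":"198.51.100.7","device_owner_email":"","device_owner_type":"Unassigned"}}
"""


def parse_log_lines(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines and any
    record that lacks the kolide_decorations object."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "kolide_decorations" in rec:
            records.append(rec)
    return records


def activity_by_owner(records):
    """Group (unixTime, host, query name) tuples by device_owner_email.
    Devices with no owner e-mail are collected under 'unassigned'."""
    by_owner = defaultdict(list)
    for rec in records:
        deco = rec["kolide_decorations"]
        owner = deco.get("device_owner_email") or "unassigned"
        by_owner[owner].append((rec["unixTime"], rec["hostIdentifier"], rec["name"]))
    return dict(by_owner)


def remote_ip_changes(records):
    """Return (device_id, owner_email, old_ip, new_ip) whenever a device's
    remote_ip differs from its previous record, in unixTime order.
    A change is a cue to check the person's IdP sign-in location, not a finding."""
    last_ip = {}
    changes = []
    for rec in sorted(records, key=lambda r: r["unixTime"]):
        deco = rec["kolide_decorations"]
        dev, ip = deco.get("device_id"), deco.get("remote_ip")
        prev = last_ip.get(dev)
        if prev is not None and prev != ip:
            changes.append((dev, deco.get("device_owner_email"), prev, ip))
        last_ip[dev] = ip
    return changes


def unassigned_devices(records):
    """Device IDs whose device_owner_type is not 'Person': activity from these
    cannot be tied to an individual and needs a different owner lookup."""
    return sorted({r["kolide_decorations"]["device_id"] for r in records
                   if r["kolide_decorations"].get("device_owner_type") != "Person"})


if __name__ == "__main__":
    recs = parse_log_lines(SAMPLE_LOG)
    for owner, events in activity_by_owner(recs).items():
        print(owner, len(events), "record(s)")
    for change in remote_ip_changes(recs):
        print("remote_ip changed:", change)
    print("devices without a person owner:", unassigned_devices(recs))
```

The malformed fourth line is skipped rather than aborting the whole batch, which is what you want from anything that sits in front of a SIEM ingest path.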

We at Kolide hope you are all having a safe, healthy, and joyful holiday season. As always, please reach out with suggestions and feedback. Many of the improvements here were generated from customers just like you!

Log Pipeline - Splunk HEC Support Now Available

Earlier this year, we launched our Log Pipeline, a feature that allows you to tap into the full benefit of osquery, the core component of Kolide's open-source agent.

The Log Pipeline allows your Kolide team members to create a custom osquery schedule (or use the great queries we already run today to populate Inventory) and send the resulting logs to one or many supported Log Destinations.

Customers are already using the Log Pipeline to:

  • Perform File Integrity Monitoring on Windows, Linux, and Macs
  • Collect timestamped data from any of osquery's many event-style tables (ex: process_events, process_file_events, hardware_events, syslog_events, etc.)
  • Collect a rich history of device state that can be imported and searched in a SIEM or Log aggregation tool.

Due to popular demand, we are excited to announce the availability of a new Log Destination: the Splunk HTTP Event Collector (HEC).

To learn more about the Splunk HTTP Event Collector (HEC) and how you can add it as a new destination to your existing Log Pipeline, please visit our help article.
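For readers who want to see what the destination receives, here is an added example (not Kolide's code, and not how the pipeline itself is implemented) that wraps an osquery result record in the HEC event envelope and builds the POST to Splunk's collector endpoint. The endpoint path /services/collector/event, the "Authorization: Splunk <token>" header, and the time/host/source/sourcetype/index/event envelope are Splunk's documented HEC interface; the sample record, the HEC URL, the token value and the source label are constructed placeholders.

```python
import json
import urllib.request

# Constructed sample: one osquery result record as the pipeline might emit it,
# including the kolide_decorations object. The exact field shape is an assumption.
SAMPLE_RECORD = {
    "name": "processes",
    "hostIdentifier": "lap-01",
    "unixTime": 1607000000,
    "columns": {"name": "sshd", "pid": "412"},
    "kolide_decorations": {
        "device_id": "101",
        "remote_ip": "203.0.113.10",
        "device_owner_email": "alice@example.com",
        "device_owner_type": "Person",
    },
}


def to_hec_event(record, index=None, sourcetype="osquery:result"):
    """Wrap one osquery record in Splunk's HEC event envelope.
    time/host/source/sourcetype/index are HEC metadata; the record is the event."""
    event = {
        "time": record["unixTime"],            # epoch seconds, so Splunk keeps the agent's timestamp
        "host": record["hostIdentifier"],
        "source": "kolide:log_pipeline",       # assumed label; pick one that fits your naming
        "sourcetype": sourcetype,
        "event": record,
    }
    if index:
        event["index"] = index
    return event


def batch_hec_payload(records, **kw):
    """HEC accepts many events in one POST body as concatenated JSON objects."""
    return "\n".join(json.dumps(to_hec_event(r, **kw), separators=(",", ":"))
                     for r in records)


def build_request(hec_url, token, payload):
    """Build the POST to <hec_url>/services/collector/event with the token header."""
    url = hec_url.rstrip("/") + "/services/collector/event"
    return urllib.request.Request(
        url,
        data=payload.encode("utf-8"),
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
        method="POST",
    )


def send_batch(hec_url, token, records, opener=urllib.request.urlopen):
    """Send a batch and return Splunk's JSON acknowledgement.
    'opener' is injectable so the function can be exercised without a network."""
    req = build_request(hec_url, token, batch_hec_payload(records))
    with opener(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Placeholder URL and token; HEC listens on 8088 by default.
    req = build_request("https://splunk.example:8088", "HEC-TOKEN-PLACEHOLDER",
                        batch_hec_payload([SAMPLE_RECORD], index="osquery"))
    print(req.full_url)
    print(req.data.decode("utf-8"))
```

Keeping the HEC token out of source and only ever sending over HTTPS are the two things to get right when wiring a destination like this by hand; the pipeline's UI configuration handles that for you.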

As always, please let us know if you have feedback or questions about this new destination or other improvements you'd like to see in the Log Pipeline feature.

Live Log Viewer Now Supports Device Filtering

If you use Kolide's Log Pipeline Feature, you may be familiar with the Live Log Viewer, which enables you to preview logs that are streaming from the agent into the pipeline in real-time.

This viewer is useful for testing log output when you have a handful of devices enrolled, but becomes unwieldy quickly when you have many devices reporting logs at once.

To improve the feature for our customers who have many devices, the Live Log Viewer now supports filtering by Device. Simply click the Devices dropdown, and choose individual devices or device platforms you want to stream into the viewer.

We hope this change makes the Live Log Viewer much more useful for many of our customers!

Inventory and Live Query Performance Improvements

If you have thousands of devices enrolled in Kolide, you may have noticed some modest speed improvements when browsing Inventory and using Live Query last week.

These speed boosts are part of a major initiative we rolled out last week to speed up the application. These improvements include:

  • JS, CSS, and other assets are now served via a CDN
  • Live Query is much smoother when querying thousands of devices at the same time
  • The global search bar now renders results much faster
  • Sorting and Filtering on the Devices table based on owner name and primary username is faster

There are still many areas to improve, but the performance improvements we have implemented should make browsing Inventory a more pleasant experience for organizations with many thousands of devices.

New: Run Live Queries Continuously

Ever write a useful Live Query and wish you could run it continuously to keep the results up-to-date? With the newly released Continuous Live Query option, you can now run those queries on a scheduled interval so you can always have the latest data.

About Live Query

When we launched Live Query last November, it introduced a way for you and your team to quickly run osquery SQL on all the devices in your fleet, and receive an instantaneous response from online devices.

When we launched the feature though, it contained two major limitations:

  1. You could only target specific devices in your fleet
  2. The query would only run once on the devices you targeted

With this update, both of these limitations are eliminated, and Live Query is now a much more powerful tool for regularly collecting device data your organization cares about.

New Target Selector

When you run queries continuously, it is very important to be able to select devices by their platform so that newly enrolled devices will be targeted by the query in future runs.

In anticipation of Continuous Live Query, we have rebuilt the target selector to now make this group selection possible.

Running Queries Continuously

To write a query that will run continuously, simply write a new query and press Save/Run. Once you are happy that the query returns the data you are looking for, click the "Draft" button and, in the modal that appears, select Published under visibility options. This reveals an option where you can choose the continuous interval at which you would like the query to run.

Additional Published Query Protection

When you publish a Live Query, you allow others on your team to see it. Unfortunately, even well-meaning team members may not realize that when they modify that query, they may be erasing/modifying important information that others rely on.

To help mitigate this, users will now notice the Save & Run button turns orange when either the SQL or targets are modified.

If they click the orange Save & Run button, they will now be presented with a helpful dialog that gives them a number of options to clarify their intent.

These changes represent just a small portion of the plans we have for improving Live Query this year.

We hope you find these improvements useful, and we welcome any feedback or suggestions on how we can make them even better.