For advanced use cases, this article will show you how to use the underlying features of the agent locally, such as osquery.

Launcher Interactive

Kolide’s agent ships with both a fully functional osquery agent and an extension that extends osquery’s querying capabilities.

When developing queries, you may find it easier and faster to iterate by querying the agent locally than via the Kolide service. To enable this, Kolide’s agent provides an interactive osquery shell that will also load Kolide’s virtual tables.

To use this feature, follow these instructions:

macOS / Linux

1. Open the Terminal application (macOS Instructions).

2. Type or copy & paste the following command:

   sudo /usr/local/kolide-k2/bin/launcher interactive
   

3. You will be prompted for your computer password. Type it in when prompted and press enter. As a security precaution, your password will not be displayed as you type it into the terminal.

Windows

1. Access the Power User Menu by right-clicking the Start Menu (The Windows Icon).

2. When the menu appears, select Windows Powershell (Admin)

3. When the PowerShell terminal appears, type or copy and paste the following commands:

   cd $HOME
   & "C:\Program Files\Kolide\Launcher-kolide-k2\bin\launcher.exe" interactive
   

Using the Interactive Shell

Once you have an interactive shell open, you will see the following prompt.

Using a virtual database. Need help, type '.help'
osquery>

From here, you can do things like directly query osquery’s tables, including the ones Kolide registers via its extension.

osquery> SELECT * FROM kolide_filevault;
+------------------+
| status           |
+------------------+
| FileVault is On. |
+------------------+