Kolide offers an audit log that records when certain changes have been made by administrators in the app. Only administrators with full access can view the audit log; limited users, such as Billing-Only or Restricted Access users, cannot.
To view the audit log, go to Settings and select Audit Log in the left-hand menu of the Settings page.
What actions are logged?
The audit log captures when:
A device display name is changed manually by an administrator
A device is manually assigned, manually reassigned, or manually unassigned
A device is removed from Kolide
A device is marked private
A Kolide admin creates/cancels an online notification for an offline device
The default privacy setting is changed for new devices
Global feature restrictions are changed (e.g. Location Data Access)
Per-User feature restrictions are changed (e.g. whether an individual restricted-access user is allowed to access location data)
An API token is created or rotated
External integrations are added, removed or updated
A webhook endpoint is created, deleted, or updated to point to a new URL
A webhook endpoint's secret is rolled
A webhook endpoint is enabled or disabled
A Check is enabled or disabled
A Check's notification settings are changed
What data is collected?
When an event is logged, Kolide will collect the following information:
The user ID of the user that performed the action
The full name of the user at the time the event was recorded (in case the user was archived or deleted)
A descriptive action that includes what happened and the previous value of any changed data
The date and time the action was recorded
The user agent and IP address of the web browser that performed the action, and the geolocation data associated with that IP address
The SHA-1 hash of the code running on our web servers