Are there any current efforts to add "plug-and-play" log aggregation/shipping from the Kolide UI? One can always configure a third-party forwarder from the host running Kolide; however, it would be pretty handy from the UI. It would be convenient for Fleet deployments on Kubernetes.
06/26/2019, 3:38 PM
Fleet can log directly to AWS Firehose and soon to GCP Pubsub. You can't configure through the UI but it's pretty easy to configure through CLI/config file.
06/26/2019, 4:23 PM
Splunk and the ELK stack were the two I had in mind. Also, I mentioned Kubernetes because I'd like to keep the Fleet Docker images as simple as possible. I know I can configure them with a Splunk forwarder, but it would make Kubernetes deployments so much easier to integrate log shipping in Fleet itself, as you mention with Firehose. AWS and GCP are nice, but they only cover a segment of the market. It would be ideal to have more choices, such as on-premise log aggregators.
06/26/2019, 4:24 PM
I'm happy to review PRs implementing other log aggregation systems, and I am also available for hire to build implementations.