Atlantic.Net Blog

How to Install and Configure Velociraptor on Oracle Linux 8

Hitesh Jethva
by Atlantic.Net (447 posts) under Dedicated Server Hosting, Tutorials

Velociraptor is a free and open-source digital forensics and incident response (DFIR) tool that gives you visibility into your endpoints. It draws on ideas from GRR, OSQuery, and Google's Rekall, and uses the Velociraptor Query Language (VQL) to collect host-based state. It can collect artifacts from thousands of endpoints in a matter of seconds. A deployment consists of six components: the GUI, the Frontend, the Client, the VQL engine, the Datastore, and the File store.

In this post, we will explain how to install Velociraptor on Oracle Linux 8.

Prerequisites

  • A fresh Oracle Linux 8 server on the Atlantic.Net Cloud Platform
  • A root password configured on your server

Step 1 – Create Atlantic.Net Cloud Server

First, log in to your Atlantic.Net Cloud Server. Create a new server, choosing Oracle Linux 8 as the operating system with at least 2GB RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.

Once you are logged in to your Oracle Linux 8 server, run the following command to update your base system with the latest available packages.

dnf update -y

Step 2 – Install Velociraptor on Oracle Linux 8

First, download the Velociraptor server binary from the project's GitHub releases. The command below pins release 0.6.5-2 rather than "latest"; before you trust the file, compare it with the SHA256 digest published for that asset, because this binary will run on the server that every endpoint reports to:

wget https://github.com/Velocidex/velociraptor/releases/download/v0.6.5-0/velociraptor-v0.6.5-2-linux-amd64 -O /usr/local/bin/velociraptor

Once the download is completed, set execution permissions to the downloaded binary:

chmod +x /usr/local/bin/velociraptor

You can now verify the Velociraptor version with the following command:

velociraptor version
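The download and version check above, written as an added example rather than the post's or the Velociraptor project's own code: it fetches the pinned asset over HTTPS only, refuses to install unless the SHA256 matches a digest you supply, and installs the file root-owned. EXPECTED_SHA256 is a placeholder (all zeros) that you replace with the digest published for the asset, or with one computed on a machine you trust; DEST is the path the post uses; curl replaces the post's wget so the `--proto` restriction is available.

```shell
#!/usr/bin/env bash
# Added example, not from the Atlantic.Net post or the Velociraptor project:
# download the pinned release binary, refuse to install it unless its SHA256
# matches a value you copied from the release page, and install it root-owned.
# EXPECTED_SHA256 below is a placeholder, not the real digest.
set -eu

RELEASE_TAG="v0.6.5-0"
ASSET="velociraptor-v0.6.5-2-linux-amd64"
URL="https://github.com/Velocidex/velociraptor/releases/download/${RELEASE_TAG}/${ASSET}"
EXPECTED_SHA256="${EXPECTED_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"
DEST=/usr/local/bin/velociraptor

# verify_sha256 FILE EXPECTED -> 0 if FILE hashes to EXPECTED, 1 otherwise.
verify_sha256() {
  local actual
  actual="$(sha256sum "$1" | awk '{ print $1 }')"
  [ "$actual" = "$2" ]
}

# fetch_and_install -> download over HTTPS only, verify, then install 0755 root:root.
fetch_and_install() {
  local tmp
  tmp="$(mktemp)"
  if ! curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
            --output "$tmp" "$URL"; then
    rm -f "$tmp"
    echo "download of $ASSET failed" >&2
    return 1
  fi
  if ! verify_sha256 "$tmp" "$EXPECTED_SHA256"; then
    rm -f "$tmp"
    echo "SHA256 mismatch for $ASSET: refusing to install" >&2
    return 1
  fi
  install -o root -g root -m 0755 "$tmp" "$DEST"
  rm -f "$tmp"
  "$DEST" version
}

if [ "${1:-}" = "install" ]; then
  fetch_and_install
else
  # Self-check on a constructed file, so the script is safe to run anywhere.
  demo="$(mktemp)"
  printf 'not the real binary\n' > "$demo"
  verify_sha256 "$demo" "$(sha256sum "$demo" | awk '{ print $1 }')" \
    && echo "hash comparison works; run with 'install' on the server"
  rm -f "$demo"
fi
```

Run it as root with the argument `install` after exporting EXPECTED_SHA256; without the argument it only exercises the hash comparison on a throwaway file. A mismatch leaves nothing in /usr/local/bin, which is the point: the post's `wget -O /usr/local/bin/velociraptor` puts an unverified file on the PATH before anything has been checked.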

Step 3 – Configure Velociraptor

First, create a configuration directory for Velociraptor with the following command:

mkdir /etc/velociraptor

Next, generate the Velociraptor configuration file with the following command:

velociraptor config generate -i

Answer the prompts as shown below. The values are placeholders: use your own public DNS name for the frontend (clients connect to it, so it must resolve to this server) and your own GUI user and password. Self-signed SSL is fine for a lab deployment; the Let's Encrypt option needs a public DNS name that already resolves to this server.

Welcome to the Velociraptor configuration generator
---------------------------------------------------

I will be creating a new deployment configuration for you. I will
begin by identifying what type of deployment you need.


What OS will the server be deployed on?
  [Use arrows to move, type to filter]
> linux
  windows
  darwin
? Path to the datastore directory. (/opt/velociraptor) 
> Self Signed SSL
  Automatically provision certificates with Lets Encrypt
  Authenticate users with SSO

? What is the public DNS name of the Master Frontend (e.g. www.example.com): vraptor.example.com
? Enter the frontend port to listen on. 8000
? Enter the port for the GUI to listen on. 8889
? Are you using Google Domains DynDNS? (y/N) N

? GUI Username or email address to authorize (empty to end): [email protected]
? Password **********
? GUI Username or email address to authorize (empty to end): 
[INFO] 2022-09-01T08:16:10-04:00  _    __     __           _                  __ 
[INFO] 2022-09-01T08:16:10-04:00 | |  / /__  / /___  _____(_)________ _____  / /_____  _____ 
[INFO] 2022-09-01T08:16:10-04:00 | | / / _ \/ / __ \/ ___/ / ___/ __ `/ __ \/ __/ __ \/ ___/ 
[INFO] 2022-09-01T08:16:10-04:00 | |/ /  __/ / /_/ / /__/ / /  / /_/ / /_/ / /_/ /_/ / / 
[INFO] 2022-09-01T08:16:10-04:00 |___/\___/_/\____/\___/_/_/   \__,_/ .___/\__/\____/_/ 
[INFO] 2022-09-01T08:16:10-04:00                                   /_/ 
[INFO] 2022-09-01T08:16:10-04:00 Digging deeper!                  https://www.velocidex.com 
[INFO] 2022-09-01T08:16:10-04:00 This is Velociraptor 0.6.5-2 built on 2022-07-27T02:36:42+10:00 (795f9339) 
[INFO] 2022-09-01T08:16:10-04:00 Generating keys please wait.... 
? Path to the logs directory. /opt/velociraptor/logs
? Where should i write the server config file? /etc/velociraptor/server.config.yaml
? Where should i write the client config file? /etc/velociraptor/client.config.yaml

Next, edit the server configuration file. The generator binds the GUI and the Monitoring (Prometheus metrics) listeners to 127.0.0.1; the post changes both to the server's address so they are reachable remotely:

nano /etc/velociraptor/server.config.yaml

Change the following lines:

GUI:
  bind_address: your-server-ip

Monitoring:
  bind_address: your-server-ip
  bind_port: 8003

Two cautions before you save. The address must be one that is actually assigned to an interface on the server (or 0.0.0.0 for all interfaces); binding a listener to any other address makes it fail at startup. And both listeners deserve care if you expose them: the GUI is the administrative console, protected only by the password you set behind a self-signed certificate, and the monitoring endpoint serves metrics over plain HTTP without authentication. Leaving both on 127.0.0.1 and reaching the GUI over an SSH port forward is the safer default. Keep the generated server config readable only by root (or the account that runs the server), since it contains the deployment's CA and the frontend's private keys. Save and close the file, then create an administrative user (in addition to the GUI user authorized by the generator) with the following command:

velociraptor --config  /etc/velociraptor/server.config.yaml user add admin --role administrator

Enter a password for the new user when prompted:

Enter user's password: 

Step 4 – Start Velociraptor Frontend

You can now start the Velociraptor Frontend with the following command:

velociraptor -c  /etc/velociraptor/server.config.yaml frontend -v

The frontend prints startup messages like the ones below. Read them rather than assuming success: an [ERROR] line means one of the listeners failed to start.

[INFO] 2022-09-01T08:20:36-04:00 Compiled all artifacts. 
[INFO] 2022-09-01T08:20:36-04:00 CryptoServerManager: Watching for events from Server.Internal.ClientDelete 
[INFO] 2022-09-01T08:20:36-04:00 Throttling connections to 100 QPS 
[INFO] 2022-09-01T08:20:36-04:00 Starting gRPC API server on 208.117.83.189:8001  
[INFO] 2022-09-01T08:20:36-04:00 Launched Prometheus monitoring server on 192.168.60.19:8003  
[ERROR] 2022-09-01T08:20:36-04:00 Prometheus monitoring server: listen tcp 192.168.60.19:8003: bind: cannot assign requested address 
[INFO] 2022-09-01T08:20:36-04:00 GUI is ready to handle TLS requests on https://208.117.83.189:8889/ 
[INFO] 2022-09-01T08:20:36-04:00 Frontend is ready to handle client TLS requests at https://vraptor.example.com:8000/ 

The [ERROR] line above shows the Prometheus monitoring listener failing because 192.168.60.19 is not an address assigned to this host; set Monitoring.bind_address to an address the server actually owns (or back to 127.0.0.1) and start the frontend again until it comes up clean. Press Ctrl+C to stop Velociraptor. We will configure the systemd service for Velociraptor in the next step.
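A pre-flight check for the failure shown in the output above, added here as an example and not taken from the post or the Velociraptor project: it lists every bind_address in server.config.yaml and reports any that is neither 0.0.0.0 nor an address the host owns, so the problem is caught before the frontend is started. It assumes the two-level layout the generator writes (section names such as Frontend, GUI and Monitoring at column 0, keys indented beneath them) and that iproute2 is installed; the sample config embedded below is constructed from the addresses in the post's output.

```shell
#!/usr/bin/env bash
# Added example, not from the Atlantic.Net post or the Velociraptor project:
# a pre-flight check that every bind_address in server.config.yaml is either
# 0.0.0.0 or an address this host really owns, to catch the
# "bind: cannot assign requested address" failure before the frontend starts.
set -eu

# bind_addresses CONFIG -> prints "<section> <address>" for each bind_address.
# Relies on the layout the generator writes: section names at column 0
# (Frontend, GUI, Monitoring, API, ...) and keys indented beneath them.
bind_addresses() {
  awk '
    /^[A-Za-z_]+:/          { section = $1; sub(/:$/, "", section) }
    /^[ \t]+bind_address:/  { addr = $2; gsub(/"/, "", addr); print section, addr }
  ' "$1"
}

# check_bind_addresses CONFIG "ADDR ADDR ..." -> exit 0 when every
# bind_address is 0.0.0.0 or in the space-separated local list; otherwise
# report each offender on stderr and exit 1.
check_bind_addresses() {
  bind_addresses "$1" | awk -v local_addrs=" $2 " '
    $2 == "0.0.0.0" { next }
    index(local_addrs, " " $2 " ") == 0 {
      printf "%s.bind_address=%s is not assigned to this host\n", $1, $2 > "/dev/stderr"
      bad = 1
    }
    END { exit bad }
  '
}

# local_ipv4_addresses -> space-separated IPv4 addresses on this host
# (uses iproute2, present on Oracle Linux 8).
local_ipv4_addresses() {
  ip -4 -o addr show | awk '{ split($4, a, "/"); printf "%s ", a[1] }'
}

# Constructed sample mirroring the post's failing run: Monitoring is bound to
# 192.168.60.19, which a host owning only 127.0.0.1 and 208.117.83.189 cannot bind.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
Frontend:
  bind_address: 0.0.0.0
  bind_port: 8000
GUI:
  bind_address: 208.117.83.189
  bind_port: 8889
Monitoring:
  bind_address: 192.168.60.19
  bind_port: 8003
EOF
if check_bind_addresses "$sample" "127.0.0.1 208.117.83.189"; then
  echo "config OK"
else
  echo "fix server.config.yaml before starting the frontend"
fi
rm -f "$sample"

# On the server:
#   check_bind_addresses /etc/velociraptor/server.config.yaml "$(local_ipv4_addresses)"
```

Running the script as-is prints the Monitoring offender from the constructed sample; on the server, source the file and call check_bind_addresses against the real config with the output of local_ipv4_addresses, as the trailing comment shows. A public IP that is NATed to the instance rather than configured on an interface will also be reported, which is exactly the case where the frontend would fail to bind.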

Step 5 – Create a Systemd Unit File for Velociraptor

It is a good idea to manage Velociraptor with a systemd unit so that it starts at boot and is restarted if it crashes. The unit below runs the frontend as root, which is what the rest of this post assumes; in production, prefer a dedicated service account that owns /opt/velociraptor. Create the unit file with the following command:

nano /etc/systemd/system/velociraptor.service

Add the following lines:

[Unit]
Description=Velociraptor linux amd64
After=syslog.target network.target

[Service]
Type=simple
Restart=always
RestartSec=120
LimitNOFILE=20000
Environment=LANG=en_US.UTF-8
ExecStart=/usr/local/bin/velociraptor -c /etc/velociraptor/server.config.yaml frontend -v

[Install]
WantedBy=multi-user.target

Save and close the file, then reload the systemd daemon to apply the changes:

systemctl daemon-reload

Next, start and enable the Velociraptor service with the following command:

systemctl enable --now velociraptor

You can check the status of Velociraptor with the following command:

systemctl status velociraptor

You will get the following output:

● velociraptor.service - Velociraptor linux amd64
   Loaded: loaded (/etc/systemd/system/velociraptor.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2022-09-01 08:34:56 EDT; 9s ago
 Main PID: 14679 (velociraptor)
    Tasks: 19 (limit: 49496)
   Memory: 65.7M
   CGroup: /system.slice/velociraptor.service
           ├─14679 /usr/local/bin/velociraptor -c /etc/velociraptor/server.config.yaml frontend -v
           └─14687 /usr/local/bin/velociraptor -c /etc/velociraptor/server.config.yaml frontend -v

Sep 01 08:34:57 oraclelinux8 velociraptor[14679]: [INFO] 2022-09-01T08:34:57-04:00 VFSService: Watching for events from System.Flow.Completion
Sep 01 08:34:57 oraclelinux8 velociraptor[14679]: [INFO] 2022-09-01T08:34:57-04:00 Starting Server Artifact Runner Service
Sep 01 08:34:57 oraclelinux8 velociraptor[14679]: [INFO] 2022-09-01T08:34:57-04:00 Converting legacy client index to new format
Sep 01 08:34:57 oraclelinux8 velociraptor[14679]: [INFO] 2022-09-01T08:34:57-04:00 CryptoServerManager: Watching for events from Server.Inter>
Sep 01 08:34:57 oraclelinux8 velociraptor[14679]: [INFO] 2022-09-01T08:34:57-04:00 Throttling connections to 100 QPS
Sep 01 08:34:57 oraclelinux8 velociraptor[14679]: [INFO] 2022-09-01T08:34:57-04:00 Starting gRPC API server on 127.0.0.1:8001
Sep 01 08:34:57 oraclelinux8 velociraptor[14679]: [INFO] 2022-09-01T08:34:57-04:00 Launched Prometheus monitoring server on 208.117.83.189:80>
Sep 01 08:34:57 oraclelinux8 velociraptor[14679]: [INFO] 2022-09-01T08:34:57-04:00 GUI is ready to handle TLS requests on https://208.117.83.>
Sep 01 08:34:57 oraclelinux8 velociraptor[14679]: [INFO] 2022-09-01T08:34:57-04:00 Frontend is ready to handle client TLS requests at https:/>
Sep 01 08:34:57 oraclelinux8 velociraptor[14679]: [INFO] 2022-09-01T08:34:57-04:00 Compiled all artifacts.
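A hardened variant of the unit from this step, added as an example and not taken from the post or the Velociraptor project: it runs the frontend as a dedicated unprivileged account, restricts the config directory (which holds the deployment's CA and private keys), sandboxes the service with systemd directives, and opens only the client port in firewalld. The account name `velociraptor`, the paths, and the port follow the post's layout; the sandboxing directives are an assumption to validate with `journalctl -u velociraptor` after the first start, and the firewall rule is applied only if firewalld is active.

```shell
#!/usr/bin/env bash
# Added example, not from the Atlantic.Net post or the Velociraptor project:
# run the frontend as a dedicated unprivileged user under a sandboxed systemd
# unit, lock down the config (it holds the CA and private keys), and open only
# the client port in firewalld. Paths and the account name are assumptions that
# match the post's layout; validate the hardening directives against
# "journalctl -u velociraptor" after the first start.
set -eu

VR_BIN=/usr/local/bin/velociraptor
VR_CONF_DIR=/etc/velociraptor
VR_CONF="$VR_CONF_DIR/server.config.yaml"
VR_DATA=/opt/velociraptor          # datastore and logs chosen in the generator
VR_USER=velociraptor               # assumed service account name
FRONTEND_PORT=8000                 # client port chosen in the generator

# render_unit -> prints the unit file to stdout (pure; no side effects).
render_unit() {
  cat <<EOF
[Unit]
Description=Velociraptor linux amd64
After=network.target

[Service]
Type=simple
Restart=always
RestartSec=120
LimitNOFILE=20000
Environment=LANG=en_US.UTF-8
User=$VR_USER
Group=$VR_USER
ExecStart=$VR_BIN -c $VR_CONF frontend -v
# Sandboxing: read-only filesystem except the datastore, no privilege gain,
# private /tmp, no access to home directories or kernel tunables.
NoNewPrivileges=yes
ProtectSystem=strict
ReadWritePaths=$VR_DATA
ProtectHome=yes
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes

[Install]
WantedBy=multi-user.target
EOF
}

# apply -> creates the account, fixes ownership and permissions, installs the
# unit, opens the frontend port, and (re)starts the service. Root only.
apply() {
  id "$VR_USER" >/dev/null 2>&1 \
    || useradd --system --home-dir "$VR_DATA" --shell /sbin/nologin "$VR_USER"
  mkdir -p "$VR_DATA"
  chown -R "$VR_USER:$VR_USER" "$VR_DATA"
  # The config holds private keys: readable by root and the service account only.
  chown -R root:"$VR_USER" "$VR_CONF_DIR"
  chmod 750 "$VR_CONF_DIR"
  chmod 640 "$VR_CONF_DIR"/*.yaml
  render_unit > /etc/systemd/system/velociraptor.service
  systemctl daemon-reload
  # Clients only need the frontend port; keep the GUI (8889) for the SSH tunnel.
  if systemctl is-active --quiet firewalld; then
    firewall-cmd --permanent --add-port="${FRONTEND_PORT}/tcp"
    firewall-cmd --reload
  fi
  systemctl enable velociraptor
  systemctl restart velociraptor
  systemctl --no-pager status velociraptor
}

if [ "${1:-}" = "apply" ]; then
  apply
else
  render_unit        # dry run: show the unit that "apply" would install
fi
```

Without arguments the script only prints the unit; `apply` as root performs the changes and restarts the service, replacing the root-run unit from this step. If you left GUI.bind_address at 127.0.0.1 as suggested in Step 3, reach the console with an SSH port forward (`ssh -L 8889:127.0.0.1:8889 root@your-server-ip`) and browse to https://127.0.0.1:8889; if you bound it to the public address instead, add 8889/tcp to the firewall rule and restrict the source addresses that may reach it.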

Step 6 – Access Velociraptor Web Interface

At this point, Velociraptor is installed and running, and the GUI is listening on port 8889 over TLS. Open https://your-server-ip:8889 (https, not http: the startup log above shows the GUI handling TLS requests) and log in with the GUI user you created. Because the certificate is self-signed, your browser will warn about it; accept the warning for this lab deployment or place a reverse proxy with a trusted certificate in front. If the page does not load, check that the server's firewall allows the port. You should see the Velociraptor dashboard page:
(Screenshot: Velociraptor dashboard page)

Conclusion

Congratulations! You have installed Velociraptor on Oracle Linux 8. The client.config.yaml written in Step 3 is the file you deploy to endpoints so that they enroll with this frontend on port 8000; once clients report in, you can use Velociraptor for endpoint monitoring, digital forensic investigations, and threat hunting. For more information, visit the Velociraptor documentation page. Try it on dedicated hosting from Atlantic.Net!
