Velociraptor is an open-source tool that can be used for collecting host-based state information using Velocidex Query Language. It is based on GRR, OSQuery, and Google’s Rekall tool. It can scale thousands of hosts using the Velociraptor Query Language. VQL is an expressive query language that allows you to gather information without deploying any software.
Velociraptor is made from six components including Frontend, Gui, Client, VQL Engine, Data Store, and File Store.
In this guide, we will explain how to install Velociraptor on an Ubuntu server. This procedure is compatible with Ubuntu 20.04 and Ubuntu 22.04.
Step 1 – Install and Configure Velociraptor
By default, Velociraptor is not included in the Ubuntu default repository, so you will need to download it from the Git repository. You can download it with the following command:
wget https://github.com/Velocidex/velociraptor/releases/download/v0.5.9/velociraptor-v0.5.9-linux-amd64
Once the download is completed, copy the downloaded binary to the system location with the following command:
cp velociraptor-v0.5.9-linux-amd64 /usr/local/bin/velociraptor
Next, set proper permission with the following command:
chmod +x /usr/local/bin/velociraptor
Next, run the following command to configure Velociraptor:
velociraptor config generate -i
Answer all questions as shown below:
? Welcome to the Velociraptor configuration generator --------------------------------------------------- I will be creating a new deployment configuration for you. I will begin by identifying what type of deployment you need. What OS will the server be deployed on? linux ? Path to the datastore directory. /opt/velociraptor ? Self Signed SSL ? What is the public DNS name of the Master Frontend (e.g. www.example.com): 45.58.43.227 ? Enter the frontend port to listen on. 8000 ? Enter the port for the GUI to listen on. 8889 ? Are you using Google Domains DynDNS? No ? GUI Username or email address to authorize (empty to end): admin ? GUI Username or email address to authorize (empty to end): [INFO] 2021-06-20T07:09:48Z _ __ __ _ __ [INFO] 2021-06-20T07:09:48Z | | / /__ / /___ _____(_)________ _____ / /_____ _____ [INFO] 2021-06-20T07:09:48Z | | / / _ \/ / __ \/ ___/ / ___/ __ `/ __ \/ __/ __ \/ ___/ [INFO] 2021-06-20T07:09:48Z | |/ / __/ / /_/ / /__/ / / / /_/ / /_/ / /_/ /_/ / / [INFO] 2021-06-20T07:09:48Z |___/\___/_/\____/\___/_/_/ \__,_/ .___/\__/\____/_/ [INFO] 2021-06-20T07:09:48Z /_/ [INFO] 2021-06-20T07:09:48Z Digging deeper! https://www.velocidex.com [INFO] 2021-06-20T07:09:48Z This is Velociraptor 0.5.9 built on 2021-05-10T19:48:17+10:00 (fbe594c5) [INFO] 2021-06-20T07:09:48Z Generating keys please wait.... ? Path to the logs directory. /opt/velociraptor/logs ? Where should i write the server config file? /etc/velociraptor.config.yaml ? Where should i write the client config file? /etc/client.config.yaml
Next, edit the Velociraptor configuration file with the following command:
nano /etc/velociraptor.config.yaml
Find all instances of the following line:
bind_address: 127.0.0.1
Replace them with the following line:
bind_address: your-server-ip
Save and close the file when you are finished.
Step 2 – Create a Systemd Service File for Velociraptor
Next, you will need to create a systemd service file for Velociraptor. You can create it with the following command:
nano /lib/systemd/system/velociraptor.service
Add the following lines:
[Unit] Description=Velociraptor linux amd64 After=syslog.target network.target [Service] Type=simple Restart=always RestartSec=120 LimitNOFILE=20000 Environment=LANG=en_US.UTF-8 ExecStart=/usr/local/bin/velociraptor --config /etc/velociraptor.config.yaml frontend -v [Install] WantedBy=multi-user.target
Save and close the file, then reload the systemd daemon:
systemctl daemon-reload
Next, start the Velociraptor service and enable it to start at system reboot:
systemctl enable --now velociraptor
You can now check the status of Velociraptor with the following command:
systemctl status velociraptor
Output:
● velociraptor.service - Velociraptor linux amd64
Loaded: loaded (/lib/systemd/system/velociraptor.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-06-20 07:15:36 UTC; 5s ago
Main PID: 1074 (velociraptor)
Tasks: 6 (limit: 2353)
Memory: 32.5M
CGroup: /system.slice/velociraptor.service
└─1074 /usr/local/bin/velociraptor --config /etc/velociraptor.config.yaml frontend -v
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Starting VFS writing service.
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Watching for events from System.Flow.Completion
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Watching for events from System.Flow.Completion
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Starting Server Artifact Runner Service
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Watching for events from Server.Internal.ClientDelete
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Throttling connections to 100 QPS
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Starting gRPC API server on 45.58.43.227:8001
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Launched Prometheus monitoring server on 45.58.43.227:8003
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z GUI is ready to handle TLS requests on https://45.58.43.227:8889/
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Frontend is ready to handle client TLS requests at https://45.58.43>
lines 1-19/19 (END)
Step 3 – Access Velociraptor Web UI
At this point, Velociraptor is installed and listen on port 8889. You can check the listening port with the following command:
ss -antpl | grep 8889
Output:
LISTEN 0 4096 45.58.43.227:8889 0.0.0.0:* users:(("velociraptor",pid=1074,fd=27))
You can now access it using the URL https://your-server-ip:8889. You should see the Velociraptor dashboard on the following screen:
Provide your admin username, password and click on the Sign in. You should see the Velociraptor dashboard on the following page:
Conclusion
Congratulations! You have successfully installed and configured Velociraptor on Ubuntu. You can now configure Velociraptor clients and monitor them from the Velociraptor dashboard. Get started on dedicated hosting from Atlantic.Net.