How to Install and Configure Velociraptor on Ubuntu

Velociraptor is an open-source tool that can be used for collecting host-based state information using Velocidex Query Language. It is based on GRR, OSQuery, and Google’s Rekall tool. It can scale thousands of hosts using the Velociraptor Query Language. VQL is an expressive query language that allows you to gather information without deploying any software.

Velociraptor is made from six components including Frontend, Gui, Client, VQL Engine, Data Store, and File Store.

In this guide, we will explain how to install Velociraptor on an Ubuntu server. This procedure is compatible with Ubuntu 20.04 and Ubuntu 22.04.

Step 1 – Install and Configure Velociraptor

By default, Velociraptor is not included in the Ubuntu default repository, so you will need to download it from the Git repository. You can download it with the following command:

wget https://github.com/Velocidex/velociraptor/releases/download/v0.5.9/velociraptor-v0.5.9-linux-amd64

Once the download is completed, copy the downloaded binary to the system location with the following command:

cp velociraptor-v0.5.9-linux-amd64 /usr/local/bin/velociraptor

Next, set proper permission with the following command:

chmod +x /usr/local/bin/velociraptor

Next, run the following command to configure Velociraptor:

velociraptor config generate -i

Answer all questions as shown below:

? 
Welcome to the Velociraptor configuration generator
---------------------------------------------------

I will be creating a new deployment configuration for you. I will
begin by identifying what type of deployment you need.


What OS will the server be deployed on?
 linux
? Path to the datastore directory. /opt/velociraptor
?  Self Signed SSL
? What is the public DNS name of the Master Frontend (e.g. www.example.com): 45.58.43.227
? Enter the frontend port to listen on. 8000
? Enter the port for the GUI to listen on. 8889
? Are you using Google Domains DynDNS? No
? GUI Username or email address to authorize (empty to end): admin
? GUI Username or email address to authorize (empty to end): 
[INFO] 2021-06-20T07:09:48Z  _    __     __           _                  __ 
[INFO] 2021-06-20T07:09:48Z | |  / /__  / /___  _____(_)________ _____  / /_____  _____ 
[INFO] 2021-06-20T07:09:48Z | | / / _ \/ / __ \/ ___/ / ___/ __ `/ __ \/ __/ __ \/ ___/ 
[INFO] 2021-06-20T07:09:48Z | |/ /  __/ / /_/ / /__/ / /  / /_/ / /_/ / /_/ /_/ / / 
[INFO] 2021-06-20T07:09:48Z |___/\___/_/\____/\___/_/_/   \__,_/ .___/\__/\____/_/ 
[INFO] 2021-06-20T07:09:48Z                                   /_/ 
[INFO] 2021-06-20T07:09:48Z Digging deeper!                  https://www.velocidex.com 
[INFO] 2021-06-20T07:09:48Z This is Velociraptor 0.5.9 built on 2021-05-10T19:48:17+10:00 (fbe594c5) 
[INFO] 2021-06-20T07:09:48Z Generating keys please wait.... 
? Path to the logs directory. /opt/velociraptor/logs
? Where should i write the server config file? /etc/velociraptor.config.yaml
? Where should i write the client config file? /etc/client.config.yaml

Next, edit the Velociraptor configuration file with the following command:

nano /etc/velociraptor.config.yaml

Find all instances of the following line:

bind_address: 127.0.0.1

Replace them with the following line:

bind_address: your-server-ip

Save and close the file when you are finished.

Step 2 – Create a Systemd Service File for Velociraptor

Next, you will need to create a systemd service file for Velociraptor. You can create it with the following command:

nano /lib/systemd/system/velociraptor.service

Add the following lines:

[Unit]
Description=Velociraptor linux amd64
After=syslog.target network.target

[Service]
Type=simple
Restart=always
RestartSec=120
LimitNOFILE=20000
Environment=LANG=en_US.UTF-8
ExecStart=/usr/local/bin/velociraptor --config /etc/velociraptor.config.yaml frontend -v

[Install]
WantedBy=multi-user.target

Save and close the file, then reload the systemd daemon:

systemctl daemon-reload

Next, start the Velociraptor service and enable it to start at system reboot:

systemctl enable --now velociraptor

You can now check the status of Velociraptor with the following command:

systemctl status velociraptor

Output:

● velociraptor.service - Velociraptor linux amd64
     Loaded: loaded (/lib/systemd/system/velociraptor.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-06-20 07:15:36 UTC; 5s ago
   Main PID: 1074 (velociraptor)
      Tasks: 6 (limit: 2353)
     Memory: 32.5M
     CGroup: /system.slice/velociraptor.service
             └─1074 /usr/local/bin/velociraptor --config /etc/velociraptor.config.yaml frontend -v

Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Starting VFS writing service.
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Watching for events from System.Flow.Completion
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Watching for events from System.Flow.Completion
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Starting Server Artifact Runner Service
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Watching for events from Server.Internal.ClientDelete
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Throttling connections to 100 QPS
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Starting gRPC API server on 45.58.43.227:8001
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Launched Prometheus monitoring server on 45.58.43.227:8003
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z GUI is ready to handle TLS requests on https://45.58.43.227:8889/
Jun 20 07:15:37 ubuntu2004 velociraptor[1074]: [INFO] 2021-06-20T07:15:37Z Frontend is ready to handle client TLS requests at https://45.58.43>
lines 1-19/19 (END)

Step 3 – Access Velociraptor Web UI

At this point, Velociraptor is installed and listen on port 8889. You can check the listening port with the following command:

ss -antpl | grep 8889

Output:

LISTEN 0 4096 45.58.43.227:8889 0.0.0.0:* users:(("velociraptor",pid=1074,fd=27))

You can now access it using the URL https://your-server-ip:8889. You should see the Velociraptor dashboard on the following screen:

Provide your admin username, password and click on the Sign in. You should see the Velociraptor dashboard on the following page:

Conclusion

Congratulations! You have successfully installed and configured Velociraptor on Ubuntu. You can now configure Velociraptor clients and monitor them from the Velociraptor dashboard. Get started on dedicated hosting from Atlantic.Net.