Velociraptor is an open-source tool that can be used for collecting host-based state information using Velocidex Query Language. It is based on GRR, OSQuery, and Google’s Rekall tool. It can scale thousands of hosts using the Velociraptor Query Language. VQL is an expressive query language that allows you to do anything without deploying any software.
Velociraptor is made from six components including, Frontend, Gui, Client, VQL Engine, Data Store, and File Store.
In this guide, we will explain how to install Velociraptor on Ubuntu 20.04 server.
- A fresh Ubuntu 20.04 server on the Atlantic.Net Cloud Platform
- A root password configured on your server
Step 1 – Create Atlantic.Net Cloud Server
First, log in to your Atlantic.Net Cloud Server. Create a new server, choosing Ubuntu 20.04 as the operating system with at least 2GB RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.
Once you are logged in to your Ubuntu 20.04 server, run the following command to update your base system with the latest available packages.
apt-get update -y
Step 2 – Install and Configure Velociraptor
By default, Velociraptor is not included in the Ubuntu default repository, so you will need to download it from the Git repository. You can download it with the following command:
Once the download is completed, copy the downloaded binary to the system location with the following command:
cp velociraptor-v0.5.9-linux-amd64 /usr/local/bin/velociraptor
Next, set proper permission with the following command:
chmod +x /usr/local/bin/velociraptor
Next, run the following command to configure Velociraptor:
velociraptor config generate -i
Answer all questions as shown below:
? Welcome to the Velociraptor configuration generator --------------------------------------------------- I will be creating a new deployment configuration for you. I will begin by identifying what type of deployment you need. What OS will the server be deployed on? linux ? Path to the datastore directory. /opt/velociraptor ? Self Signed SSL ? What is the public DNS name of the Master Frontend (e.g. www.example.com): 126.96.36.199 ? Enter the frontend port to listen on. 8000 ? Enter the port for the GUI to listen on. 8889 ? Are you using Google Domains DynDNS? No ? GUI Username or email address to authorize (empty to end): admin ? GUI Username or email address to authorize (empty to end): [INFO] 2021-06-20T07:09:48Z _ __ __ _ __ [INFO] 2021-06-20T07:09:48Z | | / /__ / /___ _____(_)________ _____ / /_____ _____ [INFO] 2021-06-20T07:09:48Z | | / / _ \/ / __ \/ ___/ / ___/ __ `/ __ \/ __/ __ \/ ___/ [INFO] 2021-06-20T07:09:48Z | |/ / __/ / /_/ / /__/ / / / /_/ / /_/ / /_/ /_/ / / [INFO] 2021-06-20T07:09:48Z |___/\___/_/\____/\___/_/_/ \__,_/ .___/\__/\____/_/ [INFO] 2021-06-20T07:09:48Z /_/ [INFO] 2021-06-20T07:09:48Z Digging deeper! https://www.velocidex.com [INFO] 2021-06-20T07:09:48Z This is Velociraptor 0.5.9 built on 2021-05-10T19:48:17+10:00 (fbe594c5) [INFO] 2021-06-20T07:09:48Z Generating keys please wait.... ? Path to the logs directory. /opt/velociraptor/logs ? Where should i write the server config file? /etc/velociraptor.config.yaml ? Where should i write the client config file? /etc/client.config.yaml
Next, edit the Velociraptor configuration file with the following command:
Find all instances of the following line:
Replace them with the following line:
Save and close the file when you are finished.
Step 3 – Create a Systemd Service File for Velociraptor
Next, you will need to create a systemd service file for Velociraptor. You can create it with the following command:
Add the following lines:
[Unit] Description=Velociraptor linux amd64 After=syslog.target network.target [Service] Type=simple Restart=always RestartSec=120 LimitNOFILE=20000 Environment=LANG=en_US.UTF-8 ExecStart=/usr/local/bin/velociraptor --config /etc/velociraptor.config.yaml frontend -v [Install] WantedBy=multi-user.target
Save and close the file, then reload the systemd daemon:
Next, start the Velociraptor service and enable it to start at system reboot:
systemctl enable --now velociraptor
You can now check the status of Velociraptor with the following command:
systemctl status velociraptor
● velociraptor.service - Velociraptor linux amd64 Loaded: loaded (/lib/systemd/system/velociraptor.service; enabled; vendor preset: enabled) Active: active (running) since Sun 2021-06-20 07:15:36 UTC; 5s ago Main PID: 1074 (velociraptor) Tasks: 6 (limit: 2353) Memory: 32.5M CGroup: /system.slice/velociraptor.service └─1074 /usr/local/bin/velociraptor --config /etc/velociraptor.config.yaml frontend -v Jun 20 07:15:37 ubuntu2004 velociraptor: [INFO] 2021-06-20T07:15:37Z Starting VFS writing service. Jun 20 07:15:37 ubuntu2004 velociraptor: [INFO] 2021-06-20T07:15:37Z Watching for events from System.Flow.Completion Jun 20 07:15:37 ubuntu2004 velociraptor: [INFO] 2021-06-20T07:15:37Z Watching for events from System.Flow.Completion Jun 20 07:15:37 ubuntu2004 velociraptor: [INFO] 2021-06-20T07:15:37Z Starting Server Artifact Runner Service Jun 20 07:15:37 ubuntu2004 velociraptor: [INFO] 2021-06-20T07:15:37Z Watching for events from Server.Internal.ClientDelete Jun 20 07:15:37 ubuntu2004 velociraptor: [INFO] 2021-06-20T07:15:37Z Throttling connections to 100 QPS Jun 20 07:15:37 ubuntu2004 velociraptor: [INFO] 2021-06-20T07:15:37Z Starting gRPC API server on 188.8.131.52:8001 Jun 20 07:15:37 ubuntu2004 velociraptor: [INFO] 2021-06-20T07:15:37Z Launched Prometheus monitoring server on 184.108.40.206:8003 Jun 20 07:15:37 ubuntu2004 velociraptor: [INFO] 2021-06-20T07:15:37Z GUI is ready to handle TLS requests on https://220.127.116.11:8889/ Jun 20 07:15:37 ubuntu2004 velociraptor: [INFO] 2021-06-20T07:15:37Z Frontend is ready to handle client TLS requests at https://45.58.43> lines 1-19/19 (END)
Step 4 – Access Velociraptor Web UI
At this point, Velociraptor is installed and listen on port 8889. You can check the listening port with the following command:
ss -antpl | grep 8889
LISTEN 0 4096 18.104.22.168:8889 0.0.0.0:* users:(("velociraptor",pid=1074,fd=27))
You can now access it using the URL https://your-server-ip:8889. You should see the Velociraptor dashboard on the following screen:
Provide your admin username, password and click on the Sign in. You should see the Velociraptor dashboard on the following page:
Congratulations! You have successfully installed and configured Velociraptor on Ubuntu 20.04. You can now configure Velociraptor clients and monitor them from the Velociraptor dashboard. Get started on dedicated hosting from Atlantic.Net.