Install Velociraptor on Ubuntu 22.04

This article takes you through installing Velociraptor on Ubuntu 22.04. Velociraptor is a digital forensics and incident response (DFIR) tool that improves your endpoint visibility: it performs targeted collection of forensic evidence across your endpoints, quickly and precisely, at the touch of a (few) buttons.

It is a free, open source utility with a robust architecture, a library of customizable forensic artifacts, and its own versatile query language, the Velociraptor Query Language (VQL). VQL is an expressive, SQL-like language that lets you rapidly adapt Velociraptor to the task at hand without modifying the source code or installing extra software.

How to Install Velociraptor on Ubuntu 22.04

  • Start by refreshing the package index.
sudo apt update -y
  • Next, check the latest release number on the Velociraptor GitHub releases page and download the Linux binary with wget, as shown below (this example uses 0.6.3; substitute the current release). Before you run the binary, verify it against any checksum or signature published for that release, or at least record its SHA-256 from a copy you trust, so a tampered download is caught rather than installed.
wget https://github.com/Velocidex/velociraptor/releases/download/v0.6.3/velociraptor-v0.6.3-1-linux-amd64
  • After downloading the binary, copy it into a directory on the system PATH, here /usr/local/bin.
sudo cp velociraptor-v0.6.3-1-linux-amd64 /usr/local/bin/velociraptor
  • Next give the binary file executable permissions using the following command.
sudo chmod +x /usr/local/bin/velociraptor
  • Then generate the server and client configuration interactively. In this walkthrough the files are written under /etc, so run the command with sudo, and answer the prompts to suit your deployment; a sample session follows. Note that the server config contains the deployment's CA and server private keys, so keep it readable by root only (for example, sudo chmod 600 /etc/velociraptor.config.yaml once it has been written).
sudo velociraptor config generate -i

Sample output

Welcome to the Velociraptor configuration generator
---------------------------------------------------

I will be creating a new deployment configuration for you. I will
begin by identifying what type of deployment you need.


What OS will the server be deployed on?
 linux
? Path to the datastore directory. /opt/velociraptor
?  Self Signed SSL
? What is the public DNS name of the Master Frontend (e.g. www.example.com): localhost
? Enter the frontend port to listen on. 8000
? Enter the port for the GUI to listen on. 8889
? Are you using Google Domains DynDNS? No
? GUI Username or email address to authorize (empty to end): itnixpro
? GUI Username or email address to authorize (empty to end): 
[INFO] 2022-03-18T22:57:09+03:00  _    __     __           _                  __ 
[INFO] 2022-03-18T22:57:09+03:00 | |  / /__  / /___  _____(_)________ _____  / /_____  _____ 
[INFO] 2022-03-18T22:57:09+03:00 | | / / _ \/ / __ \/ ___/ / ___/ __ `/ __ \/ __/ __ \/ ___/ 
[INFO] 2022-03-18T22:57:09+03:00 | |/ /  __/ / /_/ / /__/ / /  / /_/ / /_/ / /_/ /_/ / / 
[INFO] 2022-03-18T22:57:09+03:00 |___/\___/_/\____/\___/_/_/   \__,_/ .___/\__/\____/_/ 
[INFO] 2022-03-18T22:57:09+03:00                                   /_/ 
[INFO] 2022-03-18T22:57:09+03:00 Digging deeper!                  https://www.velocidex.com 
[INFO] 2022-03-18T22:57:09+03:00 This is Velociraptor 0.6.3-1 built on 2022-03-02T14:03:42+10:00 (c795a57d) 
[INFO] 2022-03-18T22:57:09+03:00 Generating keys please wait.... 
? Path to the logs directory. /opt/velociraptor/logs
? Where should i write the server config file? (server.config.yaml) /etc/velociraptor.config.yaml
? Where should i write the client config file? (client.config.yaml) /etc/client.config.yaml
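The download, checksum and copy steps above can be scripted so that a binary whose digest does not match the one you expect is never installed. The following is an added example written for this article, not code from the Velociraptor project. It assumes the tag and asset naming used on this page (v0.6.3, velociraptor-v0.6.3-1-linux-amd64) and leaves EXPECTED_SHA256 as a placeholder you fill from a trusted source (the release page if it publishes one, or a copy you have vetted yourself); install(1) replaces the cp and chmod pair so the file is written root-owned and executable in one step.

```shell
#!/bin/sh
# Added example, not from the original article: scripted download, SHA-256
# check and install of a Velociraptor release binary.
# Assumptions: tag/asset naming as used on the page; EXPECTED_SHA256 is a
# placeholder to be filled from a trusted source before use.
set -eu

VELO_VERSION="${VELO_VERSION:-0.6.3}"
VELO_ASSET="velociraptor-v${VELO_VERSION}-1-linux-amd64"
VELO_URL="https://github.com/Velocidex/velociraptor/releases/download/v${VELO_VERSION}/${VELO_ASSET}"
EXPECTED_SHA256="${EXPECTED_SHA256:-}"   # placeholder: 64 hex chars from a trusted source
INSTALL_PATH="${INSTALL_PATH:-/usr/local/bin/velociraptor}"

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# verify_sha256 FILE EXPECTED -> returns 0 when the digests match, 1 otherwise
verify_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  got:      %s\n  expected: %s\n' "$1" "$actual" "$2" >&2
    return 1
}

# install_binary SRC DEST -> root-owned, mode 0755, placed by install(1)
# (replaces the cp + chmod pair on the page; must run as root)
install_binary() {
    install -m 0755 -o root -g root "$1" "$2"
}

# fetch_verify_install -> download to a scratch directory, verify, then
# install. Not run automatically; call it as root after setting EXPECTED_SHA256.
fetch_verify_install() {
    if [ -z "$EXPECTED_SHA256" ]; then
        echo "set EXPECTED_SHA256 before installing" >&2
        return 2
    fi
    workdir=$(mktemp -d)
    wget -q -O "$workdir/$VELO_ASSET" "$VELO_URL"
    if ! verify_sha256 "$workdir/$VELO_ASSET" "$EXPECTED_SHA256"; then
        rm -rf "$workdir"          # never leave an unverified binary lying around
        return 1
    fi
    install_binary "$workdir/$VELO_ASSET" "$INSTALL_PATH"
    rm -rf "$workdir"
    "$INSTALL_PATH" version          # confirm the installed build reports itself
}
```

Source the script and run `EXPECTED_SHA256=<digest> fetch_verify_install` as root; a mismatch prints both digests and installs nothing.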
  • By default the generator binds the web GUI to the loopback address only, so it is reachable solely from the server itself. If you need to reach it from another host, open the server configuration file.
sudo nano /etc/velociraptor.config.yaml
  • Under the GUI: section, change the bind_address from 127.0.0.1 to your server IP. Be clear about what this exposes: the admin UI then sits on the network protected only by a self-signed certificate and the username and password you chose, so keeping 127.0.0.1 and reaching the GUI through an SSH tunnel is the safer choice. Do not confuse it with the Frontend: section's own bind_address (0.0.0.0 by default), which is the port your endpoints connect to and must stay reachable.
bind_address: 127.0.0.1
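Because the Frontend and GUI sections each carry a bind_address, a quick check that reads both and flags a GUI reachable beyond loopback is worth keeping next to the config. This is an added example for this article, not part of Velociraptor; it assumes the two-level layout produced by config generate (unindented Frontend: and GUI: keys with indented bind_address entries) and the loopback-vs-exposed distinction described above.

```shell
#!/bin/sh
# Added example, not from the original article: report the Frontend and GUI
# bind addresses of a Velociraptor server config and warn when the GUI is
# bound to anything other than loopback. Assumes the top-level section /
# indented key layout written by `velociraptor config generate`.
set -eu

# bind_address_of SECTION FILE -> prints the bind_address under SECTION
bind_address_of() {
    awk -v want="$1:" '
        /^[A-Za-z_]+:/ { section = $1 }                  # an unindented key opens a new top-level section
        section == want && $1 == "bind_address:" { print $2; exit }
    ' "$2"
}

# is_loopback ADDR -> 0 for 127.x.x.x, ::1 or localhost, 1 otherwise
is_loopback() {
    case "$1" in
        127.*|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# check_gui_exposure FILE -> 0 when the GUI is loopback-only, 1 when exposed
check_gui_exposure() {
    frontend=$(bind_address_of Frontend "$1")
    gui=$(bind_address_of GUI "$1")
    echo "Frontend (endpoint traffic) bound to: ${frontend:-<unset>}"
    if is_loopback "$gui"; then
        echo "GUI bound to $gui: admin UI reachable only from this host (use an SSH tunnel)"
        return 0
    fi
    echo "WARNING: GUI bound to ${gui:-<unset>}: admin UI is network-reachable behind a self-signed certificate and basic credentials" >&2
    return 1
}
```

Run `check_gui_exposure /etc/velociraptor.config.yaml` after any edit; a non-zero exit means the GUI is exposed, which is the state to think twice about before starting the service.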

Create Systemd Service File for Velociraptor

  • Run the following command to create the unit file. (Locally written units conventionally live in /etc/systemd/system; this walkthrough uses /lib/systemd/system, and the status output later in the article reflects that path.)
sudo nano /lib/systemd/system/velociraptor.service
  • Then paste the following content into the file. Note that the unit sets no User=, so the frontend runs as root; Velociraptor's ports (8000 and 8889) are unprivileged, so a dedicated service account that owns the datastore is an option worth taking on anything but a lab box.
[Unit]
Description=Velociraptor linux amd64
After=syslog.target network.target

[Service]
Type=simple
# Restart on any exit, but wait two minutes so a broken config does not spin the service.
Restart=always
RestartSec=120
# Every connected endpoint holds a socket; raise the file-descriptor limit accordingly.
LimitNOFILE=20000
Environment=LANG=en_US.UTF-8
# Start the server frontend (which also serves the GUI) from the generated config; -v logs verbosely to the journal.
ExecStart=/usr/local/bin/velociraptor --config /etc/velociraptor.config.yaml frontend -v

[Install]
WantedBy=multi-user.target
  • Press ctrl+s to save and ctrl+x to close the file.
  • Reload systemd daemon for changes to take effect.
sudo systemctl daemon-reload
  • Then run the following command to enable Velociraptor to start at boot time.
sudo systemctl enable --now velociraptor
  • Velociraptor should now be running; check its status with the command below.
systemctl status velociraptor

Sample output

● velociraptor.service - Velociraptor linux amd64
     Loaded: loaded (/lib/systemd/system/velocirapt>
     Active: active (running) since Fri 2022-03-18 >
   Main PID: 1070 (velociraptor)
      Tasks: 18 (limit: 4583)
     Memory: 80.0M
     CGroup: /system.slice/velociraptor.service
             ├─1070 /usr/local/bin/velociraptor --c>
             └─1140 /usr/local/bin/velociraptor --c>

Mar 18 23:10:55 chat.itnixpro.com velociraptor[1070>
Mar 18 23:10:55 chat.itnixpro.com velociraptor[1070>
Mar 18 23:10:55 chat.itnixpro.com velociraptor[1070>
Mar 18 23:10:55 chat.itnixpro.com velociraptor[1070>
Mar 18 23:10:55 chat.itnixpro.com velociraptor[1070>
Mar 18 23:10:55 chat.itnixpro.com velociraptor[1070>
Mar 18 23:10:56 chat.itnixpro.com velociraptor[1070>
Mar 18 23:20:55 chat.itnixpro.com velociraptor[1070>
Mar 18 23:30:55 chat.itnixpro.com velociraptor[1070>
Mar 18 23:40:55 chat.itnixpro.com velociraptor[1070>
  • If it is not running, start it, and if it still fails read the journal for the reason before changing anything else.
sudo systemctl start velociraptor
sudo journalctl -u velociraptor -e
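The unit above runs the frontend as root. Since the ports involved are unprivileged, the service can instead run under a dedicated account, and a systemd drop-in lets you add that without editing the unit file itself. This is an added example for this article, not a Velociraptor-supplied script; it assumes the paths used on this page (/opt/velociraptor as datastore, /etc/velociraptor.config.yaml as config, the unit name velociraptor.service) and a service account named velociraptor, which is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the original article: run the Velociraptor frontend
# as an unprivileged service account via a systemd drop-in.
# Assumptions: datastore /opt/velociraptor, config /etc/velociraptor.config.yaml,
# unit velociraptor.service, service account "velociraptor" (all from the page
# or chosen here); ports 8000/8889 are above 1024, so no capabilities needed.
set -eu

SERVICE_USER="${SERVICE_USER:-velociraptor}"
DATASTORE="${DATASTORE:-/opt/velociraptor}"
SERVER_CONFIG="${SERVER_CONFIG:-/etc/velociraptor.config.yaml}"

# write_hardening_dropin DIR -> writes DIR/hardening.conf (the drop-in body)
write_hardening_dropin() {
    mkdir -p "$1"
    cat > "$1/hardening.conf" <<EOF
[Service]
User=${SERVICE_USER}
Group=${SERVICE_USER}
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=${DATASTORE}
EOF
}

# prepare_service_account -> create the account and hand it the datastore;
# the config stays root-owned but group-readable because it holds the
# deployment's private keys (run as root; not executed by default)
prepare_service_account() {
    if ! id "$SERVICE_USER" >/dev/null 2>&1; then
        useradd --system --home-dir "$DATASTORE" --shell /usr/sbin/nologin "$SERVICE_USER"
    fi
    chown -R "$SERVICE_USER:$SERVICE_USER" "$DATASTORE"
    chown root:"$SERVICE_USER" "$SERVER_CONFIG"
    chmod 0640 "$SERVER_CONFIG"
}

# apply_hardening -> account, drop-in under /etc/systemd/system, reload, restart
apply_hardening() {
    prepare_service_account
    write_hardening_dropin /etc/systemd/system/velociraptor.service.d
    systemctl daemon-reload
    systemctl restart velociraptor
}
```

Source the script and run `apply_hardening` as root, then watch `journalctl -u velociraptor -e`: ProtectSystem=strict makes everything outside ReadWritePaths read-only, so if the frontend reports a permission error on some other directory, add that path to ReadWritePaths rather than loosening the rest.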

Access Velociraptor Web UI on Ubuntu 22.04

  • The GUI listens on port 8889 by default. Open https://localhost:8889/ in your browser (or https://<server-ip>:8889/ if you changed the GUI bind address). Your browser will warn about the certificate because the generator created a self-signed one for the GUI, so no public CA vouches for it; click Advanced and accept the risk to continue.
  • A login prompt appears; enter the username and password you set while generating the configuration. To add another administrator later, run sudo velociraptor --config /etc/velociraptor.config.yaml user add <name> --role administrator, which prompts for the new user's password.
  • When you click sign in you will be taken to the dashboard as shown below.
  • That concludes the article: you have installed Velociraptor on Ubuntu 22.04 and signed in to its GUI.
    Read more on Velociraptor Documentation
