{"id":8751,"date":"2021-04-26T10:32:24","date_gmt":"2021-04-26T07:32:24","guid":{"rendered":"https:\/\/kifarunix.com\/?p=8751"},"modified":"2024-03-18T22:51:13","modified_gmt":"2024-03-18T19:51:13","slug":"install-and-setup-velociraptor-on-ubuntu-20-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-velociraptor-on-ubuntu-20-04\/","title":{"rendered":"Install and Setup Velociraptor on Ubuntu 20.04"},"content":{"rendered":"\n<p>Welcome to our tutorial on how to install and set up Velociraptor on Ubuntu 20.04. <a aria-label=\" (opens in a new tab)\" href=\"https:\/\/github.com\/Velocidex\/velociraptor\" target=\"_blank\" rel=\"noreferrer noopener nofollow\" class=\"rank-math-link\">Velociraptor<\/a> is an open source endpoint monitoring tool that collects host-based state information from endpoints using Velociraptor Query Language (VQL) queries. It is based on GRR, OSQuery and Google&#8217;s Rekall tool.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installing Velociraptor on Ubuntu 20.04<\/h2>\n\n\n\n<p>There are different methods of deploying Velociraptor, as outlined on the <a aria-label=\"getting started page (opens in a new tab)\" href=\"https:\/\/www.velocidex.com\/docs\/getting-started\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\" class=\"rank-math-link\">getting started page<\/a>.<\/p>\n\n\n\n<p>In this tutorial, we will deploy Velociraptor using the standalone deployment method. This method employs a server-client deployment model. 
Agents are installed on the client systems to be monitored.<\/p>\n\n\n\n<p>Velociraptor has six main components:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Frontend<\/strong> &#8211; receives connections from clients.<\/li>\n\n\n\n<li><strong>GUI<\/strong> &#8211; Web UI for accessing Velociraptor.<\/li>\n\n\n\n<li><strong>Client<\/strong> &#8211; Velociraptor endpoint agents.<\/li>\n\n\n\n<li><strong>VQL Engine (VFilter)<\/strong> &#8211; Velociraptor Query Language engine used to run queries.<\/li>\n\n\n\n<li><strong>Data store<\/strong> &#8211; location where Velociraptor saves its files.<\/li>\n\n\n\n<li><strong>File store<\/strong> &#8211; used by Velociraptor for long term storage.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Download Linux binary Installer<\/strong><\/h3>\n\n\n\n<p>Get the latest Velociraptor Linux binary from the official <a aria-label=\" (opens in a new tab)\" href=\"https:\/\/github.com\/Velocidex\/velociraptor\/releases\" target=\"_blank\" rel=\"noreferrer noopener nofollow\" class=\"rank-math-link\">Velociraptor GitHub releases<\/a> page and save it to a system binary directory.<\/p>\n\n\n\n<p>Set the current release version of Velociraptor, as listed on the GitHub releases page above, in a variable.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>VER=0.5.8<\/code><\/pre>\n\n\n\n<p>Replace the value of the VER variable above with the current release version number.<\/p>\n\n\n\n<p>Then run the command below to download the Velociraptor installer;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>wget https:\/\/github.com\/Velocidex\/velociraptor\/releases\/download\/v$VER\/velociraptor-v$VER-linux-amd64 -O \/usr\/local\/bin\/velociraptor<\/code><\/pre>\n\n\n\n<p>This downloads the binary and saves it as <code><strong>\/usr\/local\/bin\/velociraptor<\/strong><\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Make the Velociraptor Binary executable<\/strong><\/h3>\n\n\n\n<p>Once the download of the binary 
installer is complete, make it executable by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>chmod +x \/usr\/local\/bin\/velociraptor<\/code><\/pre>\n\n\n\n<p>The binary should now be available on the current PATH.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>which velociraptor<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/local\/bin\/velociraptor<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Generate Velociraptor Server Config File<\/strong><\/h3>\n\n\n\n<p><em>Velociraptor uses a pair of configuration files to control the server and endpoints<\/em>.&nbsp;To generate the server configuration file, you can use the command <code><strong>velociraptor config generate<\/strong><\/code>.<\/p>\n\n\n\n<p>To obtain help about this command, run;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>velociraptor config generate --help<\/code><\/pre>\n\n\n\n<p>You can run the command interactively, or you can run it non-interactively and later customize the auto-generated configuration file.<\/p>\n\n\n\n<p>Before we proceed, create a configuration directory for Velociraptor;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>mkdir \/etc\/velociraptor<\/code><\/pre>\n\n\n\n<p>To run the Velociraptor configuration generation command interactively;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code> velociraptor config generate -i<\/code><\/pre>\n\n\n\n<p>When run, you will be prompted to provide some required details.<\/p>\n\n\n\n<p>Choose the operating system, which in this setup is Linux, and press ENTER to proceed.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>? \nWelcome to the Velociraptor configuration generator\n---------------------------------------------------\n\nI will be creating a new deployment configuration for you. 
I will\nbegin by identifying what type of deployment you need.\n\n\nWhat OS will the server be deployed on?\n  &#91;Use arrows to move, type to filter]\n<strong>&gt; linux\n<\/strong>  windows\n  darwin<\/code><\/pre>\n\n\n\n<p>Choose data store directory;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>? Path to the datastore directory. (\/opt\/velociraptor) <strong>\/var\/tmp\/velociraptor<\/strong><\/code><\/pre>\n\n\n\n<p>Choose the kind of SSL\/TLS certs to use, we use self signed in this setup.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><strong>&gt; Self Signed SSL\n<\/strong>  Automatically provision certificates with Lets Encrypt\n  Authenticate users with SSO<\/code><\/pre>\n\n\n\n<p>Set the frontend domain name that you can use to access Velociraptor;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>? What is the public DNS name of the Frontend (e.g. www.example.com): &#91;? for help] (localhost) <strong>vraptor.kifarunix-demo.com<\/strong><\/code><\/pre>\n\n\n\n<p>Set the Frontend and GUI ports;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>? Enter the frontend port to listen on. 8000\n? Enter the port for the GUI to listen on. 8889\n? Are you using Google Domains DynDNS? No<\/code><\/pre>\n\n\n\n<p>Set the frontend login credentials. Press enter once you have set the users to end the user creation prompt;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>? GUI Username or email address to authorize (empty to end): <strong>kifarunix-demo-admin<\/strong>\n? 
Password <strong>******<\/strong><\/code><\/pre>\n\n\n\n<p>Sample output after user creation;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;INFO] 2021-04-26T18:16:59Z  _    __     __           _                  __ \n&#91;INFO] 2021-04-26T18:16:59Z | |  \/ \/__  \/ \/___  _____(_)________ _____  \/ \/_____  _____ \n&#91;INFO] 2021-04-26T18:16:59Z | | \/ \/ _ \\\/ \/ __ \\\/ ___\/ \/ ___\/ __ `\/ __ \\\/ __\/ __ \\\/ ___\/ \n&#91;INFO] 2021-04-26T18:16:59Z | |\/ \/  __\/ \/ \/_\/ \/ \/__\/ \/ \/  \/ \/_\/ \/ \/_\/ \/ \/_\/ \/_\/ \/ \/ \n&#91;INFO] 2021-04-26T18:16:59Z |___\/\\___\/_\/\\____\/\\___\/_\/_\/   \\__,_\/ .___\/\\__\/\\____\/_\/ \n&#91;INFO] 2021-04-26T18:16:59Z                                   \/_\/ \n&#91;INFO] 2021-04-26T18:16:59Z Digging deeper!                  https:\/\/www.velocidex.com \n&#91;INFO] 2021-04-26T18:16:59Z This is Velociraptor 0.5.8 built on 2021-04-11T22:09:54Z (e468f54c) \n&#91;INFO] 2021-04-26T18:16:59Z Generating keys please wait.... <\/code><\/pre>\n\n\n\n<p>Set the logging directory;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>? Path to the logs directory. (\/var\/tmp\/velociraptor\/logs) <strong>\/var\/log\/velociraptor<\/strong><\/code><\/pre>\n\n\n\n<p>Set the path to write the configuration files to;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>? Where should i write the server config file? (server.config.yaml) <strong>\/etc\/velociraptor\/server.config.yaml<\/strong><\/code><\/pre>\n\n\n\n<p>Client configuration file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>? Where should i write the client config file? (client.config.yaml) <strong>\/etc\/velociraptor\/client.config.yaml<\/strong><\/code><\/pre>\n\n\n\n<p>And that is it. 
If you want to manually generate the configuration file for later customization, simply run<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>velociraptor config generate<\/code><\/pre>\n\n\n\n<p>This writes the config to the standard output.<\/p>\n\n\n\n<p>To save to a file;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code> velociraptor config generate &gt; \/etc\/velociraptor\/server.config.yaml<\/code><\/pre>\n\n\n\n<p>Update the Velociraptor API, GUI and Monitoring bind addresses, which are set to the loopback address by default;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sed -e '\/bind_address:\/{s\/127.0.0.1\/192.168.59.14\/}' -i \/etc\/velociraptor\/server.config.yaml<\/code><\/pre>\n\n\n\n<p>Optionally you can change the <em>server url<\/em>, the Frontend bind address etc.<\/p>\n\n\n\n<p>Additionally, the Datastore location can be edited to change where Velociraptor is going to save its files.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Datastore:\n  implementation: FileBaseDataStore\n  location: \/var\/tmp\/velociraptor\n  filestore_directory: \/var\/tmp\/velociraptor<\/code><\/pre>\n\n\n\n<p>It is important to note that client-server communications are encrypted over HTTPS. The keys are embedded in the configuration file, so restrict read access to the server configuration file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Create Additional GUI Users<\/strong><\/h3>\n\n\n\n<p>You can create an additional user to access the GUI by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>velociraptor --config  \/etc\/velociraptor\/server.config.yaml user add admin --role administrator<\/code><\/pre>\n\n\n\n<p>Enter a password for the user when prompted.<\/p>\n\n\n\n<p>The above command adds the user <strong><em><code>admin<\/code><\/em><\/strong> with the <em><code>administrator<\/code><\/em> role. 
Other available roles are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>reader<\/li>\n\n\n\n<li>analyst<\/li>\n\n\n\n<li>investigator<\/li>\n\n\n\n<li>artifact_writer<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Start Velociraptor Frontend<\/strong><\/h3>\n\n\n\n<p>You can run Velociraptor in standalone mode or as a service.<\/p>\n\n\n\n<p>To run in standalone mode, use the <code><strong>frontend<\/strong><\/code> command as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>velociraptor -c  \/etc\/velociraptor\/server.config.yaml frontend -v<\/code><\/pre>\n\n\n\n<p><code>-v<\/code> flag is used to show verbose output on the terminal.<\/p>\n\n\n\n<p>Sample output:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;INFO] 2021-04-26T18:49:30Z  _    __     __           _                  __ \n&#91;INFO] 2021-04-26T18:49:30Z | |  \/ \/__  \/ \/___  _____(_)________ _____  \/ \/_____  _____ \n&#91;INFO] 2021-04-26T18:49:30Z | | \/ \/ _ \\\/ \/ __ \\\/ ___\/ \/ ___\/ __ `\/ __ \\\/ __\/ __ \\\/ ___\/ \n&#91;INFO] 2021-04-26T18:49:30Z | |\/ \/  __\/ \/ \/_\/ \/ \/__\/ \/ \/  \/ \/_\/ \/ \/_\/ \/ \/_\/ \/_\/ \/ \/ \n&#91;INFO] 2021-04-26T18:49:30Z |___\/\\___\/_\/\\____\/\\___\/_\/_\/   \\__,_\/ .___\/\\__\/\\____\/_\/ \n&#91;INFO] 2021-04-26T18:49:30Z                                   \/_\/ \n&#91;INFO] 2021-04-26T18:49:30Z Digging deeper!                  https:\/\/www.velocidex.com \n&#91;INFO] 2021-04-26T18:49:30Z This is Velociraptor 0.5.8 built on 2021-04-11T22:09:54Z (e468f54c) \n&#91;INFO] 2021-04-26T18:49:30Z Loading config from file \/etc\/velociraptor\/server.config.yaml \n&#91;INFO] 2021-04-26T18:49:30Z Starting Frontend. {\"build_time\":\"2021-04-11T22:09:54Z\",\"commit\":\"e468f54c\",\"version\":\"0.5.8\"}\n&#91;INFO] 2021-04-26T18:49:31Z Increased open file limit to 999999 \n&#91;INFO] 2021-04-26T18:49:31Z Starting Journal service. \n&#91;INFO] 2021-04-26T18:49:31Z Starting the notification service. 
\n&#91;INFO] 2021-04-26T18:49:31Z Starting Inventory Service \n&#91;INFO] 2021-04-26T18:49:31Z Loaded 250 built in artifacts in 64.41334ms \n&#91;INFO] 2021-04-26T18:49:31Z Selected frontend configuration vraptor.kifarunix-demo.com:8000 \n&#91;INFO] 2021-04-26T18:49:31Z Starting Label service. \n&#91;INFO] 2021-04-26T18:49:31Z Starting Client Monitoring Service \n&#91;INFO] 2021-04-26T18:49:31Z Reloading client monitoring tables from datastore \n&#91;INFO] 2021-04-26T18:49:31Z Creating default Client Monitoring Service \n&#91;INFO] 2021-04-26T18:49:31Z Initial user kifarunix-demo-admin not present, creating ...\n...\n&#91;INFO] 2021-04-26T18:49:31Z Compiled all artifacts. \n&#91;INFO] 2021-04-26T18:49:31Z Starting the hunt manager service. \n&#91;INFO] 2021-04-26T18:49:31Z server_monitoring: Starting Server Monitoring Service \n&#91;INFO] 2021-04-26T18:49:31Z Closing Server Monitoring Event table \n&#91;INFO] 2021-04-26T18:49:31Z server_monitoring: Updating monitoring table \n&#91;INFO] 2021-04-26T18:49:31Z server_monitoring: Collecting Server.Monitor.Health\/Prometheus \n&#91;INFO] 2021-04-26T18:49:31Z Starting VFS writing service. \n&#91;INFO] 2021-04-26T18:49:31Z Starting Server Artifact Runner Service \n&#91;INFO] 2021-04-26T18:49:31Z Starting Hunt Dispatcher Service. \n&#91;INFO] 2021-04-26T18:49:31Z Starting Enrollment service. 
\n&#91;INFO] 2021-04-26T18:49:31Z server_monitoring: Finished collecting Server.Monitor.Health\/Prometheus \n&#91;INFO] 2021-04-26T18:49:31Z Query Stats: {\"RowsScanned\":1,\"PluginsCalled\":1,\"FunctionsCalled\":0,\"ProtocolSearch\":0,\"ScopeCopy\":5} \n&#91;INFO] 2021-04-26T18:49:32Z Starting gRPC API server on 192.168.59.14:8001  \n&#91;INFO] 2021-04-26T18:49:32Z Launched Prometheus monitoring server on 192.168.59.14:8003  \n&#91;INFO] 2021-04-26T18:49:32Z GUI is ready to handle TLS requests on https:\/\/192.168.59.14:8889\/ \n&#91;INFO] 2021-04-26T18:49:32Z Frontend is ready to handle client TLS requests at https:\/\/vraptor.kifarunix-demo.com:8000\/<\/code><\/pre>\n\n\n\n<p>The output indicates which port the GUI and Front-end are listening on.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Accessing Velociraptor Web Interface<\/h3>\n\n\n\n<p>Access the server on <strong>https:\/\/SERVER-IP:8889<\/strong>. Use the user and password created earlier. GUI communications are authenticated with basic Auth.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Running Velociraptor as a service<\/strong><\/h3>\n\n\n\n<p>You can create systemd service to run Velociraptor as a service.<\/p>\n\n\n\n<p>Create the systemd service file:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat &gt; \/etc\/systemd\/system\/velociraptor.service &lt;&lt; EOL\n&#91;Unit]\nDescription=Velociraptor linux amd64\nAfter=syslog.target network.target\n\n&#91;Service]\nType=simple\nRestart=always\nRestartSec=120\nLimitNOFILE=20000\nEnvironment=LANG=en_US.UTF-8\nExecStart=\/usr\/local\/bin\/velociraptor -c \/etc\/velociraptor\/server.config.yaml frontend -v\n\n&#91;Install]\nWantedBy=multi-user.target\nEOL<\/code><\/pre>\n\n\n\n<p>Reload systemd daemon:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl daemon-reload<\/code><\/pre>\n\n\n\n<p>Start and enable velociraptor to start at boot time:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now velociraptor 
<\/code><\/pre>\n\n\n\n<p>Check the status of velociraptor.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status velociraptor<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\u25cf velociraptor.service - Velociraptor linux amd64\n     Loaded: loaded (\/etc\/systemd\/system\/velociraptor.service; enabled; vendor preset: enabled)\n     Active: active (running) since Mon 2021-04-26 19:00:49 UTC; 8s ago\n   Main PID: 1277 (velociraptor)\n      Tasks: 8 (limit: 2281)\n     Memory: 42.3M\n     CGroup: \/system.slice\/velociraptor.service\n             \u2514\u25001277 \/usr\/local\/bin\/velociraptor -c \/etc\/velociraptor\/server.config.yaml frontend -v\n\nApr 26 19:00:49 vraptor.kifarunix-demo.com velociraptor&#91;1277]: &#91;INFO] 2021-04-26T19:00:49Z Starting Server Artifact Runner Service\nApr 26 19:00:49 vraptor.kifarunix-demo.com velociraptor&#91;1277]: &#91;INFO] 2021-04-26T19:00:49Z Starting gRPC API server on 192.168.59.14:8001\nApr 26 19:00:49 vraptor.kifarunix-demo.com velociraptor&#91;1277]: &#91;INFO] 2021-04-26T19:00:49Z Launched Prometheus monitoring server on 192.168.59.14:8003\nApr 26 19:00:49 vraptor.kifarunix-demo.com velociraptor&#91;1277]: &#91;INFO] 2021-04-26T19:00:49Z GUI is ready to handle TLS requests on https:\/\/192.168.59.14:8889\/\nApr 26 19:00:49 vraptor.kifarunix-demo.com velociraptor&#91;1277]: &#91;INFO] 2021-04-26T19:00:49Z Starting Hunt Dispatcher Service.\nApr 26 19:00:49 vraptor.kifarunix-demo.com velociraptor&#91;1277]: &#91;INFO] 2021-04-26T19:00:49Z Starting Enrollment service.\nApr 26 19:00:49 vraptor.kifarunix-demo.com velociraptor&#91;1277]: &#91;INFO] 2021-04-26T19:00:49Z Frontend is ready to handle client TLS requests at https:\/\/vraptor.kifarunix-dem&gt;\nApr 26 19:00:49 vraptor.kifarunix-demo.com velociraptor&#91;1277]: &#91;INFO] 2021-04-26T19:00:49Z server_monitoring: Finished collecting Server.Monitor.Health\/Prometheus\nApr 26 19:00:49 vraptor.kifarunix-demo.com velociraptor&#91;1277]: &#91;INFO] 
2021-04-26T19:00:49Z Query Stats: {\"RowsScanned\":1,\"PluginsCalled\":1,\"FunctionsCalled\":0,\"ProtocolSea&gt;\nApr 26 19:00:49 vraptor.kifarunix-demo.com velociraptor&#91;1277]: &#91;INFO] 2021-04-26T19:00:49Z Compiled all artifacts.<\/code><\/pre>\n\n\n\n<p>Access the GUI and login into the interface, you\u2019ll see Velociraptor GUI dashboard.<\/p>\n\n\n\n<p>If UFW is running, open the port in firewall;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw allow 8889\/tcp<\/code><\/pre>\n\n\n\n<p>Accept the self signed SSL warning and proceed to login to Velociraptor GUI.<\/p>\n\n\n\n<p>Login with the user credentials created before.<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/05\/velociraptor-welcome-dashboard.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1912\" height=\"794\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/05\/velociraptor-welcome-dashboard.png\" alt=\"Install and setup Velociraptor on Ubuntu 20.04\" class=\"wp-image-8754\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/05\/velociraptor-welcome-dashboard.png?v=1620161651 1912w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/05\/velociraptor-welcome-dashboard-768x319.png?v=1620161651 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/05\/velociraptor-welcome-dashboard-1536x638.png?v=1620161651 1536w\" sizes=\"(max-width: 1912px) 100vw, 1912px\" \/><\/figure><\/a><\/div>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/05\/velociraptor-dashboard.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1909\" height=\"936\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/05\/velociraptor-dashboard.png\" alt=\"Install and setup Velociraptor on Ubuntu 20.04\" class=\"wp-image-8755\" title=\"\" 
srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/05\/velociraptor-dashboard.png?v=1620161662 1909w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/05\/velociraptor-dashboard-768x377.png?v=1620161662 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/05\/velociraptor-dashboard-1536x753.png?v=1620161662 1536w\" sizes=\"(max-width: 1909px) 100vw, 1909px\" \/><\/figure><\/a><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"#configure-velociraptor-client\" class=\"rank-math-link\">Install and Configure Velociraptor Client<\/a><\/h3>\n\n\n\n<p>As stated before, Velociraptor server-client communication happens over an encrypted HTTPS channel. You can use self signed SSL or commercially trusted SSL certs.<\/p>\n\n\n\n<p><strong>If you generated the Velociraptor config file manually <\/strong>and you are using the signed SSL certs, then edit the <strong><em>\/etc\/velociraptor\/server.config.yaml<\/em><\/strong> configuration file and append the directive <code><strong>use_self_signed_ssl: true<\/strong><\/code> in the block below the <em><strong>Frontend<\/strong> <strong>URL CA certificate<\/strong><\/em> so as to use the self signed certificate.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/velociraptor\/server.config.yaml<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>...\n  nonce: ERlmU1Ivj5w=\n<strong>  use_self_signed_ssl: true\n<\/strong>  writeback_darwin: \/etc\/velociraptor.writeback.yaml\n  writeback_linux: \/etc\/velociraptor.writeback.yaml\n...<\/code><\/pre>\n\n\n\n<p>Save and exit the file.<\/p>\n\n\n\n<p>If you generated the configuration file manually, then generate the client configuration file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code> velociraptor -c \/etc\/velociraptor\/server.config.yaml config client &gt; \/etc\/velociraptor\/client.config.yaml<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote td_quote_box td_box_center is-layout-flow 
wp-block-quote-is-layout-flow\">\n<p><strong><em>NOTE:<\/em><\/strong><br><em>The client configuration file contains the CA certificate that is used for authentication between the client\u2019s machine and the Velociraptor Server.<\/em><\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\">Install Velociraptor Clients on Linux and Windows Machines<\/h4>\n\n\n\n<p>Velociraptor clients can be configured in two ways;<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><strong>Using Velociraptor Binary<\/strong><\/h5>\n\n\n\n<p>This method involves using the Velociraptor binary and the client configuration file generated from the server. The client configuration file has to be copied to the client machine. This method is ideal for testing purposes; for large deployments, the second method, below, is preferred.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><strong>Using Velociraptor client packages<\/strong><\/h5>\n\n\n\n<p>This method packages the client configuration file in a Linux package or Windows installer, which is then distributed to the target client machines.<\/p>\n\n\n\n<p>Follow the link below to learn how to install and configure Velociraptor clients on Linux and Windows machines.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-velociraptor-client-on-linux-and-windows-systems\/\" target=\"_blank\" aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Install Velociraptor Client on Linux and Windows Systems<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Conclusion<\/h3>\n\n\n\n<p>That brings us to the end of our guide on how to install and configure Velociraptor on Ubuntu 20.04. 
Velociraptor is a powerful open source tool that can be used to query hosts, thus providing endpoint monitoring, digital forensic investigations and threat hunting.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Further Reading<\/h3>\n\n\n\n<p><a href=\"https:\/\/www.velocidex.com\/docs\/\" target=\"_blank\" aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener nofollow\" class=\"rank-math-link\">Velociraptor Documentation<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-kolide-fleet-osquery-fleet-manager-on-debian-10\/\" class=\"rank-math-link\">Install Kolide Fleet Osquery Fleet Manager on Debian 10<\/a><\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-osquery-on-debian-10-buster\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Install Osquery on Debian 10 Buster<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-configure-snort-3-nids-on-ubuntu-20-04\/\" target=\"_blank\" aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Install and Configure Snort 3 NIDS on Ubuntu 20.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to our tutorial on how to install and set up Velociraptor on Ubuntu 20.04. 
Velociraptor is an endpoint monitoring open source tool that allows collection<\/p>\n","protected":false},"author":3,"featured_media":9914,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,72],"tags":[2978,2975,3483,3482,2979,3484],"class_list":["post-8751","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-monitoring","tag-install-velociraptor","tag-install-velociraptor-ubuntu-linux","tag-setup-velociraptor-ubuntu","tag-ubuntu-20-04-velociraptor","tag-velociraptor","tag-velociraptor-install-ubuntu","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8751"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=8751"}],"version-history":[{"count":5,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8751\/revisions"}],"predecessor-version":[{"id":21832,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8751\/revisions\/21832"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/9914"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=8751"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=8751"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=8751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}