[EN] Velociraptor Installation

Velociraptor is a powerful digital forensics and incident response (DFIR) platform that allows security teams to collect, monitor, and hunt across endpoints. This guide will walk you through installing both the Velociraptor server and client components.

Part 1: Server Installation

Step 1: Download Velociraptor

Create a setup directory and download the latest Velociraptor binary:

mkdir ~/velociraptor_setup && cd ~/velociraptor_setup

# Download the latest version (check GitHub for the latest release)
wget -O velociraptor https://github.com/Velocidex/velociraptor/releases/download/v0.74/velociraptor-v0.74.1-linux-amd64

# Make it executable
chmod +x velociraptor

Step 2: Create the Server Configuration File

Generate the server configuration interactively:

./velociraptor config generate -i

This interactive wizard will prompt you for:

  • Server name
  • Organization name
  • Data store location
  • Frontend bind address and port
  • GUI bind address and port
  • Certificate configuration
  • Authentication method

Follow the prompts and provide the required information. The configuration file server.config.yaml will be created in the current directory.

Step 3: Configure Network Bindings

Edit the generated server.config.yaml file to allow remote access:

nano server.config.yaml

Change GUI bind address:

Find and modify:

GUI:
  bind_address: 127.0.0.1

To:

GUI:
  bind_address: 0.0.0.0

Change Frontend bind address:

Find and modify:

Frontend:
  bind_address: 127.0.0.1

To:

Frontend:
  bind_address: 0.0.0.0

Note: Binding to 0.0.0.0 allows access from any network interface. For production environments, consider binding to a specific IP address or using a reverse proxy.

Save and close the file.
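
An added example (not from the original guide or the Velociraptor project) for the Note above: a shell check that reads the bind_address of the GUI and Frontend sections and flags an administrative GUI listening on every interface. The function names and the sample file are constructed for illustration, and the parser assumes the top-level GUI:/Frontend: layout shown in this step.

```shell
#!/usr/bin/env bash
# Added example: flag Velociraptor listeners bound to every interface.
# Assumes top-level "GUI:" / "Frontend:" keys with an indented bind_address,
# as in the snippets of Step 3. Function names are illustrative.

# bind_of SECTION FILE: print the bind_address found under a top-level section.
bind_of() {
  awk -v sec="$1:" '
    /^[^ \t#]/ { in_sec = ($1 == sec) }   # a top-level key opens a new section
    in_sec && $1 == "bind_address:" {
      gsub(/"/, "", $2)                   # drop optional YAML double quotes
      print $2; exit
    }' "$2"
}

# audit_binds FILE: one finding per section. Returns non-zero when the GUI
# listens on all interfaces or a bind_address cannot be found.
audit_binds() {
  local file="$1" rc=0 sec addr
  for sec in GUI Frontend; do
    addr="$(bind_of "$sec" "$file")"
    if [ -z "$addr" ]; then
      echo "WARN $sec: no bind_address found"; rc=1; continue
    fi
    case "$addr" in
      0.0.0.0|::)
        if [ "$sec" = GUI ]; then
          echo "WARN GUI: admin interface listens on all interfaces ($addr)"; rc=1
        else
          echo "INFO $sec: client-facing listener on all interfaces ($addr)"
        fi ;;
      *) echo "OK   $sec: bound to $addr" ;;
    esac
  done
  return "$rc"
}

# Constructed sample: the two sections as they look after the edits in Step 3.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
GUI:
  bind_address: 0.0.0.0
  bind_port: 8889
Frontend:
  bind_address: 0.0.0.0
  bind_port: 8000
EOF
audit_binds "$sample" || echo "GUI exposure needs review before production use"
rm -f "$sample"
```

Once the server package is installed, the same check can be pointed at /etc/velociraptor/server.config.yaml.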

Step 4: Create the Server Installation Package

For Debian/Ubuntu-based systems:

./velociraptor debian server --config ./server.config.yaml

For RHEL/CentOS/RPM-based systems:

./velociraptor rpm server --config ./server.config.yaml

This will create a .deb or .rpm package file in the current directory. Example output:

Creating amd64 server package at velociraptor_server_0.74.1_amd64.deb

Step 5: Install the Server Component

For Debian/Ubuntu:

sudo dpkg -i velociraptor_server_0.74.1_amd64.deb

For RHEL/CentOS:

sudo rpm -Uvh velociraptor_server_0.74.1_amd64.rpm

The installation will:

  • Copy the Velociraptor binary to /usr/local/bin/velociraptor.bin
  • Copy the configuration to /etc/velociraptor/server.config.yaml
  • Create and enable a systemd service

Step 6: Verify Server Installation

Check the service status:

sudo systemctl status velociraptor_server.service

The service should show as “active (running)”. If it’s not running, check the logs:

sudo journalctl -u velociraptor_server.service -n 50

Step 7: Verify Network Ports

Verify that the GUI and Frontend ports are listening:

# Check GUI port (default: 8889)
nc -vz localhost 8889

# Check Frontend port (default: 8000)
nc -vz localhost 8000

Both commands should show successful connections.

Step 8: Access the Velociraptor Web Interface

The Velociraptor server is now available at:

https://<server-ip>:8889

Note: Replace <server-ip> with your server’s IP address or hostname.

Default credentials:

  • Username: admin
  • Password: The password you set during the interactive configuration

If you need to reset the admin password, you can use:

sudo velociraptor --config /etc/velociraptor/server.config.yaml user reset --user admin

Part 2: Client Installation

Windows Client Installation

Method 1: Using the Web Interface

  1. Log in to the Velociraptor web interface
  2. Navigate to Server Artifacts > New Collection
  3. Select Windows.Client.Installer artifact
  4. Configure the collection parameters
  5. Click Launch to start the collection
  6. Download the generated installer file
  7. Distribute and run the installer on Windows endpoints

Method 2: Using Command Line

You can also generate Windows installers from the command line:

./velociraptor config client --config server.config.yaml > client.config.yaml
./velociraptor --config server.config.yaml msiexec --config client.config.yaml

Linux Client Installation

For Debian/Ubuntu Systems

Step 1: Create Client Configuration

Generate a client configuration file from the server configuration:

./velociraptor config client --org "root" --config server.config.yaml > client.root.config.yaml

Note: Replace "root" with your organization name if different.

Step 2: Create Client Installation Package

Generate the Debian package:

./velociraptor debian client --config client.root.config.yaml

This will create a file like velociraptor_client_0.74.1_amd64.deb.

Step 3: Install on Client Machines

Transfer the .deb package to your Linux clients and install:

sudo dpkg -i velociraptor_client_0.74.1_amd64.deb

Step 4: Verify Client Service

Check that the client service is running:

sudo systemctl status velociraptor_client

The service should be active and connected to the server.

For RHEL/CentOS/RPM Systems

Step 1: Create Client Configuration

./velociraptor config client --org "root" --config server.config.yaml > client.root.config.yaml

Step 2: Create Client Installation Package

./velociraptor rpm client --config client.root.config.yaml

This will create a file like velociraptor_client_0.74.1_amd64.rpm.

Step 3: Install on Client Machines

Transfer the .rpm package to your Linux clients and install:

sudo rpm -Uvh velociraptor_client_0.74.1_amd64.rpm

Step 4: Verify Client Service

sudo systemctl status velociraptor_client

Verify Client Connection

After installing the client packages on your endpoints, they should appear in the Velociraptor dashboard under Hosts. You can verify the connection by:

  1. Logging into the web interface
  2. Navigating to Hosts
  3. Confirming your endpoints are listed and showing as “Online”

Thank you for taking the time to read this article. I hope you find it useful.

Keep up the great work!