Install Velociraptor on Linux – A Straight‑Ahead Guide for Forensics Buffs
If you’re hunting for a lightweight, open‑source endpoint visibility and DFIR tool that can collect forensic artifacts and run the same query across every host in your network, Velociraptor is worth the time. This post shows how to get the server up and running on a fresh Debian‑based box (Ubuntu, Mint, or even a Raspberry Pi). I’ll point out where you can run into snags and why each step matters.
1. Get the Latest Release
Velociraptor ships as a single binary per platform, named after the release tag and architecture (for example velociraptor-vX.Y.Z-linux-amd64, with arm64 and -musl variants alongside it). There is no generic “latest” asset name, so pick the current tag on the releases page and pull the binary with curl rather than waiting on a distro package that lags behind:
VERSION=vX.Y.Z   # substitute the current release tag from the releases page
curl -fL -o velociraptor https://github.com/Velocidex/velociraptor/releases/download/$VERSION/velociraptor-$VERSION-linux-amd64
The GitHub releases page always has the newest stable build. Downloading straight from it, rather than from a mirror, keeps you from pulling in an outdated, potentially vulnerable (or tampered) version.
2. Verify the Checksum
I once installed Velociraptor on a production server without checking its hash and later discovered a man‑in‑the‑middle had swapped out the binary for one that dropped a backdoor. Never repeat that mistake.
GitHub displays the SHA‑256 digest of each release asset next to it on the release page. Copy that digest and compare it with what actually landed on disk:
# paste the digest from the release page in place of <sha256>
echo "<sha256>  velociraptor" | sha256sum -c -
If the output says “velociraptor: OK”, you’re good. If not, stop and fetch again; never run a binary whose digest does not match.
3. Install & Set Permissions
The asset is the bare binary, so there is nothing to unpack; move it into a dedicated directory and mark it executable in one step:
mkdir -p ~/velociraptor && install -m 0755 velociraptor ~/velociraptor/velociraptor
Keeping the binary in its own directory keeps it isolated from other system tools (the config and datastore will live there too). Making it executable is trivial but sometimes overlooked; without it, you’ll see “Permission denied” when trying to start the server.
4. Configure the Server
Velociraptor uses a YAML config file for all its settings, and the binary generates one for you (there is no init subcommand). Write it next to the binary; the generated file already contains a self‑signed CA plus server certificates, so the GUI speaks HTTPS from the start:
~/velociraptor/velociraptor config generate > ~/velociraptor/server.config.yaml
For anything beyond a local test, run the interactive generator instead (config generate -i), which asks for the public hostname, ports and certificate options. Open the file and check two sections: Frontend, where clients connect (port 8000 by default), and GUI, the web console (bound to 127.0.0.1:8889 by default, so it is reachable only from the box itself; keep it behind a VPN or reverse proxy before you widen bind_address). I usually leave it on the default 8000 for local testing, because setting up certificates is a whole other adventure.
You also need a first GUI account before you can log in; the command prompts for a password:
~/velociraptor/velociraptor --config ~/velociraptor/server.config.yaml user add admin --role administrator
5. Run as a Service (Optional but Recommended)
If you want Velociraptor to survive reboots, create a systemd unit. The server subcommand is frontend, which runs both the client‑facing frontend and the GUI from one process:
sudo tee /etc/systemd/system/velociraptor.service > /dev/null <<EOF
[Unit]
Description=Velociraptor Endpoint Forensics Server
After=network.target

[Service]
ExecStart=/home/$USER/velociraptor/velociraptor --config /home/$USER/velociraptor/server.config.yaml frontend
Restart=on-failure
User=$USER
WorkingDirectory=/home/$USER/velociraptor

[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now velociraptor
The heredoc delimiter is unquoted on purpose so $USER expands in your shell, not under sudo. Running the server as an unprivileged user rather than root means a bug or compromise in the process yields only that account’s privileges; both listeners use unprivileged ports (8000 and 8889), so root is never needed. A dedicated service account is better still than your own login: the binary can build a .deb for exactly that (velociraptor --config server.config.yaml debian server), which installs its own unit under a dedicated service user. Systemd keeps an eye on the process and restarts it if something crashes.
6. Test the Server
The GUI is HTTPS with a self‑signed certificate on 127.0.0.1:8889, so a plain http://localhost:8000 request hits the client‑facing frontend with the wrong protocol and tells you nothing. Probe the console port instead, skipping certificate validation for the self‑signed cert:
curl -sk -o /dev/null -w '%{http_code}\n' https://127.0.0.1:8889/
Any HTTP status code back means the server is listening; only “connection refused” means it is not. Then open https://127.0.0.1:8889/ in a browser, accept the self‑signed certificate, and log in with the user you created. If nothing answers, read journalctl -u velociraptor and confirm the port in the GUI section of the config.
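Steps 1 through 6 as one script, added here as an example; it is not the post’s own commands and not code from the Velociraptor project. It assumes the caller supplies the release tag (vX.Y.Z below is a placeholder) and the SHA‑256 digest copied from that release’s GitHub page; VELO_HOME, VELO_USER, verify_digest, write_unit and gui_listening are names chosen for this example, not Velociraptor CLI options.

```shell
#!/bin/sh
# Added example (not from the original post or the Velociraptor project).
# Fetch a pinned release, refuse to install on a digest mismatch, generate the
# YAML config, create the first GUI user, install a systemd unit that runs as
# an unprivileged user, and probe the GUI port.
set -eu

# Assumptions supplied by the caller. "vX.Y.Z" is a placeholder, not a real tag;
# the asset name follows the project's velociraptor-<tag>-linux-amd64 convention.
VELO_VERSION="${VELO_VERSION:-vX.Y.Z}"
VELO_ASSET="velociraptor-${VELO_VERSION}-linux-amd64"
VELO_URL="https://github.com/Velocidex/velociraptor/releases/download/${VELO_VERSION}/${VELO_ASSET}"
VELO_HOME="${VELO_HOME:-${HOME:-/tmp}/velociraptor}"
VELO_USER="${VELO_USER:-${USER:-$(id -un)}}"

# verify_digest FILE EXPECTED: succeed only if sha256(FILE) equals EXPECTED.
# EXPECTED is lower-cased first so a digest pasted in upper case still matches;
# an empty EXPECTED never matches, so a forgotten argument cannot pass.
verify_digest() {
  local file="$1" expected actual
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  actual="$(sha256sum "$file" | awk '{print $1}')"
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# write_unit OUT USER DIR: render a systemd unit to OUT that runs the frontend
# (which also serves the GUI) from DIR as USER.
write_unit() {
  local out="$1" user="$2" dir="$3"
  cat > "$out" <<EOF
[Unit]
Description=Velociraptor Endpoint Forensics Server
After=network.target

[Service]
ExecStart=${dir}/velociraptor --config ${dir}/server.config.yaml frontend
Restart=on-failure
User=${user}
WorkingDirectory=${dir}
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
EOF
}

# gui_listening HOST PORT: succeed if anything answers HTTPS there. Any status
# code counts (200, 302, 401 ...); only a refused or timed-out connection fails.
gui_listening() {
  curl -sk --max-time 5 -o /dev/null "https://$1:$2/"
}

# install_velociraptor DIGEST: the full procedure. The binary is downloaded
# under a temporary name and only renamed into place after the digest matches,
# so a tampered file never sits at the path the unit executes.
install_velociraptor() {
  local expected="$1" tmp
  mkdir -p "$VELO_HOME"
  tmp="$VELO_HOME/velociraptor.download"
  curl -fL -o "$tmp" "$VELO_URL"
  if ! verify_digest "$tmp" "$expected"; then
    echo "digest mismatch for $VELO_ASSET: refusing to install" >&2
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$VELO_HOME/velociraptor"
  chmod 0755 "$VELO_HOME/velociraptor"
  # Generate the YAML server config (self-signed certs included), then the first GUI user.
  "$VELO_HOME/velociraptor" config generate > "$VELO_HOME/server.config.yaml"
  "$VELO_HOME/velociraptor" --config "$VELO_HOME/server.config.yaml" user add admin --role administrator
  write_unit /tmp/velociraptor.service "$VELO_USER" "$VELO_HOME"
  sudo install -m 0644 /tmp/velociraptor.service /etc/systemd/system/velociraptor.service
  sudo systemctl daemon-reload
  sudo systemctl enable --now velociraptor
  sleep 2
  gui_listening 127.0.0.1 8889
}

# Only run the install when asked explicitly; sourcing the file just defines the functions.
case "${1:-}" in
  install) install_velociraptor "${2:?SHA-256 digest from the release page required}" ;;
esac
```

Run it as sh install-velociraptor.sh install <sha256> with VELO_VERSION exported to the tag you chose. The digest check is the only step that cannot be retried blindly: on a mismatch the script deletes the download and exits non‑zero, which is the behaviour you want from anything that later gets wired into an automated build.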
7. Common Pitfalls
| Symptom | Likely Cause | Fix |
|---|---|---|
| Binary refuses to start on an old or minimal distro with a glibc version error | The regular build expects a newer glibc than the system ships; Velociraptor is a Go binary with its own TLS stack, so installing libssl changes nothing | Download the -musl variant of the same release, which is built statically |
| SELinux (or a noexec mount) blocks the binary in /home | Policy or mount options deny execution from home directories | Move binary to /usr/local/bin or adjust the SELinux context |
| Service won’t start after reboot | Unit file points to wrong user | Ensure $USER variable matches the account that owns the files |
8. When Velociraptor is Overkill
If all you need is a quick log grab from a single machine, ssh and cat /var/log/syslog might do the trick. Velociraptor shines when you want to run the same VQL query across hundreds of endpoints, hunt for an indicator fleet‑wide, or keep the collected artifacts searchable on the server.
That’s it—Velociraptor up and running on Linux, ready for your first forensic query. If you hit a snag, drop a comment or check the GitHub issues; the community is surprisingly helpful.