Endpoint Status Button & Syslog Configuration issues.


Abed Sidani

Mar 23, 2025, 8:07:22 AM
to velociraptor-discuss
Hello Velociraptor Team, 

Hope this message finds you well.

During the pilot deployment of Velociraptor across a large network, I have realised that the endpoint status for all endpoints is shown as inactive, while they are actually up and running:
[attachment: image.png]

If I press the "status" button to filter for the active endpoints, I get the same view, since they are actually all active. What could be the cause of that?

Additionally, a "server" endpoint has suddenly appeared; upon shell interaction with this endpoint, it turns out to be the Velociraptor server. Is this supposed to be shown in the endpoint view?

On another note, I have added the necessary configuration to the server.config.yaml file in order to configure the remote syslog functionality as mentioned at https://github.com/Velocidex/velociraptor/blob/master/docs/references/server.config.yaml#L934, and nothing works. Is there a new format to be added to server.config.yaml, or is that related to another issue?


My environment: a user with root org privileges, using the Linux Velociraptor binary version 0.73.4, deployed on Ubuntu Server; the client agents are the Windows executable version of Velociraptor (0.73.4).

Any assistance would be greatly appreciated; hopefully I was clear with everything that must be provided.

Mike Cohen

Mar 23, 2025, 8:15:30 AM
to Abed Sidani, velociraptor-discuss
It's not possible to view the screenshot for some reason, but if your endpoints are not connecting properly you should go through the troubleshooting steps.


The server is also a client and sometimes appears in the search index, but this is now suppressed as it is a bit confusing.

It is not a problem though - clicking on it just takes you to the server artifact metadata page as normal (that link is already in the welcome page).

To forward the audit logs to syslog you need something like this: 

```yaml
Logging:
  # ... other Logging settings unchanged ...
  remote_syslog_server: 192.168.1.5      # IP or hostname of the syslog collector
  remote_syslog_protocol: "udp"
  remote_syslog_components:
    - VelociraptorAudit                  # forward only the audit log component
```

You should configure your remote syslog server to accept messages over the network. You can search for how to do that, for example https://www.debuntu.org/how-to-remote-syslog-logging-on-debian-and-ubuntu/

Thanks
Mike





Mike Cohen 
Digital Paleontologist, 
Velocidex Enterprises
mi...@velocidex.com 


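Once the Logging block above is in place, the quickest way to confirm that audit events are actually leaving the server is to stand up a throwaway UDP listener on the collector and look at what arrives. The following is an added example written for this thread, not Velociraptor's own code or the Velocidex documentation. It assumes the datagrams carry an RFC 3164-style `<PRI>` prefix (what Go's standard syslog writer emits) and that the audit payload is a JSON object in the message body; the field names (`operation`, `principal`, `details`) and the two sample datagrams are constructed for illustration.

```python
"""Minimal UDP syslog receiver for checking that Velociraptor audit forwarding works.

Added example; not part of Velociraptor or this thread. Assumes messages arrive
with an RFC 3164-style "<PRI>" prefix and that the audit payload is a JSON
object somewhere in the body. Field names in the sample datagrams are assumed.
"""
import json
import re
import socket
from dataclasses import dataclass
from typing import Optional

# <PRI> is 0..191: facility * 8 + severity.
_PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    body: str
    event: Optional[dict] = None  # decoded JSON audit event, if the body carried one


def parse_syslog(datagram: bytes) -> SyslogMessage:
    """Split a raw datagram into PRI, text body and (optionally) a JSON event."""
    text = datagram.decode("utf-8", errors="replace")
    m = _PRI_RE.match(text)
    if m is None:
        raise ValueError("datagram lacks a <PRI> header")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"invalid PRI value {pri}")
    facility, severity = divmod(pri, 8)
    body = m.group("rest").strip()

    # The header (timestamp, host, tag) precedes the payload; take the first '{' onwards.
    event = None
    start = body.find("{")
    if start != -1:
        try:
            decoded = json.loads(body[start:])
            if isinstance(decoded, dict):
                event = decoded
        except json.JSONDecodeError:
            event = None  # plain-text line, e.g. from a non-audit component
    return SyslogMessage(facility, severity, body, event)


def is_audit_event(msg: SyslogMessage) -> bool:
    """Treat a message as an audit event when its JSON names both operation and principal (assumed keys)."""
    return msg.event is not None and {"operation", "principal"} <= msg.event.keys()


def receive(bind_host: str, port: int, count: int) -> list:
    """Bind a UDP socket and return the first `count` parsable messages."""
    out = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_host, port))
        while len(out) < count:
            data, _ = sock.recvfrom(65535)
            try:
                out.append(parse_syslog(data))
            except ValueError:
                continue  # skip anything that is not syslog
    return out


# Constructed samples: facility 16 (local0), severity 6 (info) => PRI 134.
SAMPLE_AUDIT = (
    b"<134>Mar 23 08:10:00 velociraptor-server velociraptor[1234]: "
    b'{"operation":"CollectHunt","principal":"admin","details":{"hunt_id":"hunt-1"}}'
)
SAMPLE_PLAIN = b"<134>Mar 23 08:10:01 velociraptor-server velociraptor[1234]: client connected"


if __name__ == "__main__":
    for raw in (SAMPLE_AUDIT, SAMPLE_PLAIN):
        msg = parse_syslog(raw)
        print(msg.facility, msg.severity, is_audit_event(msg), msg.event)
    # To test live, point remote_syslog_server at this host and run (port 514 needs root):
    # for msg in receive("0.0.0.0", 514, 10): print(msg.body)
```

If nothing arrives, check the collector's firewall and that the daemon there (rsyslog, syslog-ng) is listening on UDP at all before suspecting the Velociraptor side; if datagrams arrive but `event` is `None` for every message, the component list is probably forwarding something other than the audit log.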

Abed Sidani

Mar 23, 2025, 8:40:00 AM
to velociraptor-discuss
Thanks for your reply, I will look into the example provided concerning the syslog config.

Concerning the image, hopefully it's visible now; kindly find it attached.

For additional context, 5 of the endpoints are actually active, and one is inactive, so it should only flash the warning for one, instead its doing that for all.

Is this a common issue, or does it have a quick fix?

[attachment: EndpointStatusIssue.png]

Abed Sidani

Mar 23, 2025, 8:45:59 AM
to velociraptor-discuss
Sorry for the bad quality, kindly find attached a better picture...
[attachment: EndpointStatusIssueImage.png]

Mike Cohen

Mar 23, 2025, 11:08:12 AM
to Abed Sidani, velociraptor-discuss
Are you saying the endpoints are actually online but the GUI is showing them as offline?

This is likely because your browser's time is incorrect - the GUI indication relies on the current time (according to the browser) less the last seen time as reported by the server - if it is more than 10 min it will show the offline icon. I would check that both the server time and the browser time are correct.

Thanks
Mike




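The rule Mike describes is easy to misread when every endpoint flips at once, so here it is written out as an added example (not Velociraptor's GUI code): the indicator subtracts the server-reported last-seen time from the browser's clock and goes red past 10 minutes, which means a browser running ahead of the server marks a healthy fleet offline, while a browser running behind does the more dangerous thing and keeps a long-dead endpoint looking green. It assumes `last_seen_at` is in microseconds since the epoch (as the `clients()` VQL plugin reports it; treat that unit as an assumption) and the client list is constructed.

```python
"""Model of the Velociraptor GUI online/offline indicator plus a clock-skew check.

Added example; not Velociraptor's own code. Reproduces the rule from the thread:
offline when (browser now - server-reported last_seen) exceeds 10 minutes.
last_seen_at is assumed to be microseconds since the epoch. Clients are constructed.
"""
from dataclasses import dataclass

OFFLINE_AFTER_S = 10 * 60  # threshold quoted in the thread


@dataclass
class Client:
    client_id: str
    last_seen_at: int  # microseconds since epoch (assumed unit)


def gui_shows_online(last_seen_at_us: int, now_s: float, threshold_s: int = OFFLINE_AFTER_S) -> bool:
    """The GUI rule, evaluated against whatever clock produced `now_s`."""
    return (now_s - last_seen_at_us / 1_000_000) <= threshold_s


def diagnose(clients, browser_now_s: float, server_now_s: float, max_skew_s: float = 60) -> dict:
    """Compare what the GUI renders (browser clock) with the server's own view (server clock)."""
    skew_s = browser_now_s - server_now_s
    rows = []
    for c in clients:
        rows.append({
            "client_id": c.client_id,
            "gui_online": gui_shows_online(c.last_seen_at, browser_now_s),
            "server_online": gui_shows_online(c.last_seen_at, server_now_s),
        })
    mismatched = [r["client_id"] for r in rows if r["gui_online"] != r["server_online"]]
    return {
        "skew_s": skew_s,
        "rows": rows,
        "mismatched": mismatched,
        # Blame the clock only if it is off by more than the tolerance AND that changed a verdict.
        "clock_skew_suspected": abs(skew_s) > max_skew_s and bool(mismatched),
    }


def build_sample(server_now_s: float) -> list:
    """Constructed fleet: five clients seen within the last 2.5 minutes, one silent for three hours."""
    def seen(seconds_ago: float) -> int:
        return int((server_now_s - seconds_ago) * 1_000_000)
    fresh = [Client(f"C.{i}", seen(30 * i)) for i in range(1, 6)]
    return fresh + [Client("C.stale", seen(3 * 3600))]


if __name__ == "__main__":
    server_now = 1_742_717_000.0  # constructed epoch, roughly 23 Mar 2025
    fleet = build_sample(server_now)
    # Browser 20 minutes ahead: everything shows offline, as in the reported symptom.
    print(diagnose(fleet, server_now + 20 * 60, server_now))
    # Browser 4 hours behind: the dead endpoint shows online.
    print(diagnose(fleet, server_now - 4 * 3600, server_now))
```

The practical check is the one Mike gives: compare the server's clock and the workstation's clock (and their time sources) before touching the deployment. The `diagnose` helper shows why the symptom is all-or-nothing: skew shifts every endpoint's computed age by the same amount, so it cannot single out one stale host.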

Abed Sidani

Apr 12, 2025, 10:00:17 AM
to velociraptor-discuss

Apologies for the delayed response.

You were absolutely right—that was exactly the issue. I'm not sure how it slipped my mind to check the system time!

As mentioned earlier, I'm deploying Velociraptor in a critical network environment. As part of this pilot deployment, I’ve created a few custom artifacts aimed at securing the Velociraptor process and associated files. You can find them here:

I hope these prove helpful and provide some value to the community.

Thanks again for your support!
