Error when using collect_client

17 views
Skip to first unread message

martinl...@gmail.com

unread,
Nov 10, 2021, 6:37:41 PM11/10/21
to velociraptor-discuss
Hi,

I'm trying to run a custom artifact against a client (Velo version 0.6.0) and I'm getting an "Command can only run on the server" error. I'm connecting using the API both using the client program and pyvelociraptor. The query is based on that in the doco for collect_client and is :

"SELECT collect_client(client_id='C.blahblahblah', artifacts=['OurCustomArtifact'], env=dict(command='command!/arg1!/arg2!arg2value')) FROM scope()"

I'm pretty sure that this used to work for us previously. Do you have any idea on what we can do to resolve this?

Thanks,
Martin.

Michael Cohen

unread,
Nov 10, 2021, 7:00:20 PM11/10/21
to martinl...@gmail.com, velociraptor-discuss
You can't run this plugin on a client because it is trying to schedule a
Collection on another client. So it can only really run on the server.

Or are you saying that you are connecting to the server using the API and sending the below vql?

--
You received this message because you are subscribed to the Google Groups "velociraptor-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to velociraptor-dis...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/b0b830a4-1621-4ce9-8d13-46896cbeb787n%40googlegroups.com.

martinl...@gmail.com

unread,
Nov 10, 2021, 7:15:20 PM11/10/21
to mi...@velocidex.com, velociraptor-discuss

Hi Mike,

 

Yes, I am connecting to the server using the API and sending the VQL shown.

Message has been deleted

Michael Cohen

unread,
Nov 10, 2021, 10:45:39 PM11/10/21
to martinl...@gmail.com, velociraptor-discuss
Thanks Martin - great to hear!

On Thu, 11 Nov 2021 at 13:34, martinl...@gmail.com
<martinl...@gmail.com> wrote:
>
> I upgraded to 0.6.2 and I didn't get the error, so it's not an issue for me anymore :-)
> To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/2887ed96-3fff-4db1-9c6d-c00525cc3939n%40googlegroups.com.

martinl...@gmail.com

unread,
Nov 11, 2021, 6:22:31 PM11/11/21
to velociraptor-discuss
It seems I jumped the gun, I run it up again and noticed that the error was present again. The previous time the error definitely wasn't there as it created a flow as expected, which doesn't happen when the error is present.

On another topic, when I went into the server and client to check to make sure I was running the version that I thought I was, when I run  "velociraptor version" on the client I get:

velociraptor@Gateway:~$  velociraptor version
'/etc/velociraptor/server.config.yaml' is not readable, you will need to run this as the velociraptor user ('sudo -u velociraptor bash').

But since it is on the client I presume it doesn't have the server.config.yaml file:

velociraptor@Gateway:~$ ls /etc/velociraptor/
client.config.yaml

Thanks,
Martin.

Michael Cohen

unread,
Nov 11, 2021, 8:31:59 PM11/11/21
to martinl...@gmail.com, velociraptor-discuss
When you install the server from a deb it adds a launcher bash script
that makes sure the config file is readable

https://github.com/Velocidex/velociraptor/blob/8784f3ef477f56b9032a13ede25d75473dafe8a2/bin/debian.go#L106


This should not normally be present in the client deb - possibly you
installed the server deb instead?

Thanks
Mike
> To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/6dfa8914-6b14-46e5-b473-3f01c3bd0dedn%40googlegroups.com.

martinl...@gmail.com

unread,
Nov 11, 2021, 10:18:07 PM11/11/21
to velociraptor-discuss
I discovered that the VM had originally been used as a Velo server and is used as a client. So I uninstalled the server and the client works as expected.

Thanks,
Martin.

Reply all
Reply to author
Forward
0 new messages