Velociraptor Versions


Shlomi Musseri

Dec 12, 2022, 4:52:30 AM12/12/22
to velocirapt...@googlegroups.com
Hi everyone,

I recently upgraded Velociraptor to release 0.6.7 from 0.6.5.2.
After the upgrade, when I create an offline collector package for Linux and run it, I get an error about the glibc version: “/lib64/libc.so.6 version GLIBC_2.28 not found”.
The package from the old version works well.

How can I get it to work properly without upgrading glibc on each server?

Another question I have is whether, by any chance, someone has written a plug-in that changes the auditd configuration to a more aggressive one for a few minutes and collects the data.

Thanks.

Mike Cohen

Dec 12, 2022, 5:44:40 AM12/12/22
to Shlomi Musseri, velociraptor-discuss
You need to use the musl build for older Linux systems. For the offline collector you can manually override the binary it uses by clicking on the tool setup dialog during the offline collector setup and uploading the musl binary.

Thanks
Mike


Shlomi Musseri

Dec 12, 2022, 11:57:47 PM12/12/22
to Mike Cohen, velociraptor-discuss
Hi Mike,

Thanks a lot for the answer! It works great.
What about the auditd plug-in?

Thanks.



Mike Cohen

Dec 13, 2022, 2:11:49 AM12/13/22
to Shlomi Musseri, velociraptor-discuss
I'm not aware of any specific auditd artifact, but this artifact, for example,


Configures auditd to record process execution.

There is also this project,

which has some curated rules, which are nice.

Velociraptor also has the auditd() plugin which makes it act as basically an audit daemon (it connects directly to the kernel to read the messages) so it doesn't need any syslog configuration or auditd actually installed or configured.


One of the challenges with using audit logs on Linux is that the same information is normally spread across multiple log lines, so it's not so easy to tie them together (there is an audit id that ties related lines, but you have to keep state). We have the parse_auditd() plugin to help with reassembly of audit logs into something reasonable.

So it's recommended to use that rather than just the syslog parser.

To summarize, there is no complete solution right now, but all the pieces are there for writing an artifact that does what you need.

Thanks
Mike 
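The multi-line reassembly Mike describes above, as an added example that is not Velociraptor's own code (its parse_auditd() plugin does this in VQL): a small Python parser over constructed audit.log lines that groups records by the audit serial id, keeps state for interleaved events, and emits one merged event when the EOE record arrives. The field names follow the standard auditd SYSCALL/EXECVE/CWD record format; the log lines themselves are constructed samples.

```python
import re

# Constructed sample audit.log excerpt: two execve events (serials 4567 and 4568)
# whose records are interleaved, the way auditd really emits them.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1670848000.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1234 auid=1000 uid=0 comm="ls" exe="/usr/bin/ls" key="procexec"
type=EXECVE msg=audit(1670848000.123:4567): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1670848000.456:4568): arch=c000003e syscall=59 success=no exit=-2 ppid=1 pid=1235 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="procexec"
type=CWD msg=audit(1670848000.123:4567): cwd="/root"
type=EOE msg=audit(1670848000.123:4567):
type=EOE msg=audit(1670848000.456:4568):
"""

HEADER = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(rest):
    """Turn 'k=v k2="quoted v"' into a dict, stripping the quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(rest)}

def reassemble(log_text):
    """Yield one merged event per serial id; EOE closes an event, `pending` holds the state."""
    pending = {}                          # serial -> partially assembled event
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue                      # not an audit record
        serial, rtype = m.group('serial'), m.group('type')
        ev = pending.setdefault(serial, {'serial': serial,
                                         'timestamp': float(m.group('ts')),
                                         'records': []})
        ev['records'].append(rtype)
        fields = parse_fields(m.group('rest'))
        if rtype == 'EXECVE':             # argv is a0..aN, count given by argc
            ev['argv'] = [fields[f'a{i}'] for i in range(int(fields['argc']))]
        elif rtype == 'EOE':
            yield pending.pop(serial)
        else:
            ev.update(fields)
    yield from pending.values()           # events cut off before their EOE

if __name__ == '__main__':
    for ev in reassemble(SAMPLE_LOG):
        print(ev['serial'], ev.get('exe'), ev.get('argv'), ev.get('cwd'), ev['success'])
```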