Velociraptor Syslog Monitor Tool

Abed Sidani

Apr 25, 2025, 10:30:57 PM
to velociraptor-discuss
Hello Everyone,

Basically, I had a hard time creating Wazuh decoders for Velociraptor Syslog messages, and I somehow found it easier to make a Velociraptor syslog program from scratch.


In Short, this program monitors Velociraptor's syslog messages for specific actions performed by users within the Velociraptor DFIR platform. When certain patterns are detected, it sends detailed email notifications to designated recipients, providing enhanced visibility into user activities and potential security events.

Abed Sidani

Apr 25, 2025, 10:33:38 PM
to velociraptor-discuss
The program understands, parses, and notifies about the following Operations:
- CMD Shell Commands
- PowerShell Commands
- Endpoint Isolation
- Endpoint Isolation Removal
- Label Added to Host
- Label Removed from Host
- Directory Traversal across VFS
- Recursive Directory Traversal across VFS
- Recursive Download across VFS
- User Creating Hunt
- User Running Hunt
- User Canceling Hunt
- User Deleting Hunt
- User Creating New Artifact
- User Deleting Artifact
- User Creating New Org
- User Creating a User
- User Resetting Own Password
- User Resetting Another User's Password

All of these Syslog events are sent via Email to the desired recipient.

The Email notification of any event/operation always contains the following key information:
- The Username of the user performing any Operation
- The Operation Performed
- The endpoint on which the Operation is being applied.
- The Hunt ID (depending on the Operation Performed)
- The timestamp of the Operation.


NOTE: Velociraptor Audit Events do not send syslog messages regarding User Logons, nor does any other Velociraptor Syslog Source (VelociraptorGUI, VelociraptorError, VelociraptorFrontend, etc.).

Mike Cohen

Apr 26, 2025, 12:18:07 AM
to Abed Sidani, velociraptor-discuss
Thanks for this.

Velociraptor audit events can be forwarded in a structured manner which probably makes this project not really necessary. For example running this event artifact https://docs.velociraptor.app/artifact_references/pages/elastic.events.upload/ will upload audit events to elastic automatically. 

In a similar way you can watch any audit events using watch_monitoring() and forward to anywhere (e.g. slack, discord, etc).


This is probably simpler than parsing syslog messages.

Thanks
Mike



Mike Cohen 
Digital Paleontologist, 
Velocidex Enterprises
mi...@velocidex.com 
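As an added illustration of the watch_monitoring() approach Mike describes (this is example code written for this page, not an artifact shipped with Velociraptor or posted by either participant), the server event artifact below subscribes to the server's audit event stream and POSTs matching events to a webhook. It assumes the built-in Server.Audit.Logs monitoring artifact exposes the audit fields as the columns principal, operation and details; the artifact name Custom.Server.Monitor.AuditWebhook, the WebhookURL parameter and the default OperationRegex are assumptions for the example, and the regex in particular must be tuned against the operation names you actually observe in Server.Audit.Logs on your server.

```yaml
# Example server event artifact (added for this page; not part of Velociraptor).
# Assumptions: Server.Audit.Logs rows carry principal, operation and details;
# the webhook accepts a JSON body with a "text" field (Slack-style).
name: Custom.Server.Monitor.AuditWebhook
description: |
  Forward selected Velociraptor audit events to an HTTP webhook instead of
  parsing forwarded syslog text. Add this artifact to the server monitoring
  table (Server Events > Update server monitoring table) to start it.
type: SERVER_EVENT

parameters:
  - name: WebhookURL
    description: Incoming webhook URL to POST events to (assumed; set per deployment).
    default: "https://hooks.example.invalid/services/REPLACE_ME"
  - name: OperationRegex
    description: Only forward audit operations matching this regex (assumed default; tune to observed operation names).
    default: "(?i)hunt|label|quarantine|user|password|artifact|org"

sources:
  - query: |
      -- Outer query: every audit event as it is written, filtered by operation.
      -- Inner query: one HTTP POST per matching event.
      SELECT * FROM foreach(
        row={
          SELECT timestamp(epoch=now()) AS Time, principal, operation, details
          FROM watch_monitoring(artifact="Server.Audit.Logs")
          WHERE operation =~ OperationRegex
        },
        query={
          SELECT Time, principal, operation, details,
                 Response
          FROM http_client(
            url=WebhookURL,
            method="POST",
            headers=dict(`Content-Type`="application/json"),
            data=serialize(item=dict(
              text=format(
                format="Velociraptor audit: user %v performed %v: %v",
                args=[principal, operation, details])))
          )
        })
```

Because the events arrive already structured, there is no pattern matching on free text: the username, operation and details are separate columns, and the same query can be pointed at Slack, Discord, a SIEM HTTP collector or an email relay by changing only the http_client() call. Hunt IDs, client IDs and labels, where the operation involves them, sit inside the details column rather than needing to be extracted from a message string.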
