Dear community,
Is there a way to suppress printed traces during the execution of Velociraptor and obtain exclusively the JSON output generated by the tool?
I’m developing an automated infrastructure that dynamically generates offline collectors, and I need to deserialize the output JSON produced during the collector creation phase.
For example, the expected result is as follows:
E.g.:
[
{
"Repacked": {
"Path": "/tmp/gui_datastore/Collector_velociraptor-v0.75.1-linux-amd64-musl",
"Size": 72406232,
"sha256": "71a4628b6eca4e1438531e4810689e8b9f7597b7b0f637b6c0120dca33b007b5",
"md5": "4c511498321dd1bcd0e8effcf0ec80c5",
"Components": [
"Collector_velociraptor-v0.75.1-linux-amd64-musl"
],
"UploadId": 0
},
"_Source": "Server.Utils.CreateCollector"
}
]
However, when I run the command:
./velociraptor-v0.75.1-linux-amd64 collector ~/GitHub/CyberSleuth/collector-profiles/linux.spec.yaml --no-debug --nobanner --no-trace_vql
I still receive numerous traces that are not relevant to me, such as:
.....
Running query LET _ <= SELECT name FROM artifact_definitions()
[INFO] 2025-11-06T09:08:27Z Compiled all artifacts.
[]Running query LET Spec <= parse_yaml(filename=SPECFILE)
[]Running query LET _K = SELECT _key FROM items(item=Spec.Artifacts)
[]Running query SELECT * FROM Artifact.Server.Utils.CreateCollector(OS=Spec.OS, artifacts=serialize(item=_K._key), parameters=serialize(item=Spec.Artifacts), target=Spec.Target, target_args=Spec.TargetArgs, encryption_scheme=Spec.EncryptionScheme, encryption_args=Spec.EncryptionArgs, opt_verbose=Spec.OptVerbose, opt_banner=Spec.OptBanner, opt_prompt=Spec.OptPrompt, opt_admin=Spec.OptAdmin, opt_tempdir=Spec.OptTempdir, opt_level=Spec.OptLevel, opt_concurrency=Spec.OptConcurrency, opt_filename_template=Spec.OptFilenameTemplate, opt_collector_filename=Spec.OptCollectorTemplate, opt_format=Spec.OptFormat, opt_output_directory=Spec.OptOutputDirectory, opt_cpu_limit=Spec.OptCpuLimit, opt_progress_timeout=Spec.OptProgressTimeout, opt_timeout=Spec.OptTimeout, opt_version=Spec.OptVersion, opt_delete_at_exit=Spec.OptDeleteAtExit)
artifact_definitions: artifact Linux.DeadDisk.Forensic.Timeline not known
artifact_definitions: artifact Linux.Sys.ZshHistory not known
artifact_definitions: artifact Linux.Detection.SSHKeyFileCmd not known
artifact_definitions: artifact Linux.Collection.Autoruns not known
artifact_definitions: artifact Linux.System.PAM not known
artifact_definitions: GetDependentArtifacts: Artifact Linux.DeadDisk.Forensic.Timeline not found
artifact_definitions: artifact Linux.DeadDisk.Forensic.Timeline not known
artifact_definitions: artifact Linux.Sys.ZshHistory not known
artifact_definitions: artifact Linux.Detection.SSHKeyFileCmd not known
artifact_definitions: artifact Linux.Collection.Autoruns not known
artifact_definitions: artifact Linux.System.PAM not known
artifact_definitions: GetDependentArtifacts: Artifact Linux.DeadDisk.Forensic.Timeline not found
client_repack: Will Repack the Velociraptor binary with 7302 bytes of config
Uploaded /tmp/gui_datastore/Collector_velociraptor-v0.75.1-linux-amd64-musl (72406232 bytes)
[
{
"Repacked": {
"Path": "/tmp/gui_datastore/Collector_velociraptor-v0.75.1-linux-amd64-musl",
"Size": 72406232,
"sha256": "71a4628b6eca4e1438531e4810689e8b9f7597b7b0f637b6c0120dca33b007b5",
"md5": "4c511498321dd1bcd0e8effcf0ec80c5",
"Components": [
"Collector_velociraptor-v0.75.1-linux-amd64-musl"
],
"UploadId": 0
},
"_Source": "Server.Utils.CreateCollector"
}
]DEBUG:Query Stats: {"RowsScanned":440,"PluginsCalled":3,"FunctionsCalled":3,"ProtocolSearch":0,"ScopeCopy":883}
[INFO] 2025-11-06T09:08:27Z Exiting notification service for Org <root> (root)!
[INFO] 2025-11-06T09:08:27Z Exiting notification service for Org ACME Inc (O123)!
I also tried to redirect the stdout and the stderr but I can't resolve the problem.
My ultimate goal is to be able to process the JSON output directly using the jq tool.
Thanks in advance.
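
A consumer-side way to recover the JSON from the mixed output shown in the post, as an added example (not from the original poster or the Velociraptor project): it scans captured text for JSON arrays, skipping log prefixes such as `[INFO]` and the empty `[]` results, and keeps rows by `_Source`. The function name `extract_rows` and the abbreviated sample are constructed for illustration.

```python
import json

# Constructed sample: an abbreviated copy of the mixed output shown in the post.
SAMPLE = """Running query LET _ <= SELECT name FROM artifact_definitions()
[INFO] 2025-11-06T09:08:27Z Compiled all artifacts.
[]Running query LET Spec <= parse_yaml(filename=SPECFILE)
artifact_definitions: artifact Linux.System.PAM not known
Uploaded /tmp/gui_datastore/Collector_velociraptor-v0.75.1-linux-amd64-musl (72406232 bytes)
[
 {
  "Repacked": {
   "Path": "/tmp/gui_datastore/Collector_velociraptor-v0.75.1-linux-amd64-musl",
   "Size": 72406232,
   "sha256": "71a4628b6eca4e1438531e4810689e8b9f7597b7b0f637b6c0120dca33b007b5",
   "UploadId": 0
  },
  "_Source": "Server.Utils.CreateCollector"
 }
]DEBUG:Query Stats: {"RowsScanned":440,"PluginsCalled":3}
[INFO] 2025-11-06T09:08:27Z Exiting notification service for Org <root> (root)!
"""


def extract_rows(text, source=None):
    """Return result rows (dicts) from every JSON array embedded in text."""
    decoder = json.JSONDecoder()
    rows, pos = [], 0
    while (pos := text.find("[", pos)) != -1:
        try:
            value, end = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            pos += 1  # "[INFO]" and similar are log prefixes, not JSON
            continue
        if isinstance(value, list):
            # "[]" printed before "Running query" decodes to an empty list: no rows
            rows += [r for r in value if isinstance(r, dict)]
        pos = end  # resume after the decoded array, nested brackets included
    if source is not None:
        rows = [r for r in rows if r.get("_Source") == source]
    return rows


if __name__ == "__main__":
    import sys
    # Reads captured tool output from a pipe; falls back to the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    json.dump(extract_rows(text, "Server.Utils.CreateCollector"), sys.stdout, indent=1)
```

Run with the collector's combined output piped in, the script prints only the matching rows as one JSON array, which can then be passed to jq.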