Install Zeek step by step

In the lab we will deploy Zeek as a cluster with two agents, the agents get data by duplicating traffic by setting up a port span for servers switch and Users stations switch, all network traffic that passes through the span ports is analyzed by Zeek agents, after analyzing the traffics, each agent Transferring the logs to the zeek management server and then the logs are sent by Filebeat to the elasticsearch SIEM we deployed in the previous steps of the Elasticsearch lap phases, all network traffic logs will analyzed by Kibana.

Zeek Cluster Architecture

Zeek Cluster Architecture with elasticsearch SIEM
Zeek Cluster Architecture with Elasticsearch

Zeek System Requirements

Zeek IDS supported by Linux platforms like Red Hat, Debian, FreeBSD in our lab, all Zeek servers are installed on the Ubuntu 20.04 server.

Server Name System RequirementsPort/Service server role
Zeek Control8GB memory + 4 cores + 100GB disk size
Zeek cluster management server, receiving logs from the agents (sensors) and transferring them to SIEM
Sensor_users8GB memory + 4 cores + 100GB disk size9200 -Request
9300 -Cluster
SSH – Management
User station switch monitoring, cluster member, managed by zeek control
Sensor_Servers8GB memory + 4 cores + 100GB disk size9200 -Request
9300 -Cluster
SSH – Management
Monitoring a server switch, the server is a member of a cluster managed by Zeek control
Zeek System Requirements and server role

Installing Ubuntu server for Zeek

  • Setting a static IP address
  • static DNS address
  • server name
  • user information
zeek IDS install on ubuntu server

Installing SSH Server

zeek ssh requirement for all servers

Firewall requirements

enable firewall

sudo ufw enable

Opening a management port for Zeek

sudo ufw allow ssh comment “Management port”

* SSH enabling is required to manage agents from a manager server.

it also required to open the following ports for management server only.

sudo ufw allow 47761 comment “Zeek sensors”

sudo ufw allow 47762 comment “zeek Sensors”

Software requirements

net tools is require for each server

apt install net-tools

* After installing net-tools, you can connect remotely to all servers by putty

installing Prerequisites for Zeek for all servers

sudo apt-get install cmake make gcc g ++ flex bison libpcap-dev libssl-dev python3 python3-dev swig zlib1g-dev

Download and install Zeek

Download latest version from github

git clone –recursive

cd zeek /

Installing a Zeek can take quite a while, so it’s a good time to grab a cup of coffee 🙂

make install

zeek installing process
Zeek installed with default settings

Create a Zeek user

to manage all agents from a manager server, it is required to set up a user with the same password on all servers (Manager + sensors)

best security practices is to create a user with specific permissions, these permissions allow Zeek server manager to manage all zeek agents remotely.

Create a user named Zeek and grant permissions to the user, by the following commands:

Create a group called Infosec

groupadd ‘Infosec’

Create a user named zeek

sudo adduser zeek

Add a zeek user to an infosec group

usermod -a -G Infosec search

Add permissions to the zeek user

chown -R zeek / usr / local / zeek /

setting up the agents (sensors_users, sensors_servers)

The first step for each agent, is to make sure that each server have two network interface connected, one network interface used to access and manage the server from eek manager server and the second required for monitor traffic from switch span port.

it is necessary to set the network interface in promiscuous mode.

promiscuous mode

For each agent, we will create a new service that will load automatically when the server start, thus ensuring that the promiscuous mode setting is met after restart as well.

Checking network interface status

ip link show

ip link show

As you can see in the image below, there are two network cards, one up called enp0s3 and the other down called enp0s8

check for promiscuous mode

If necessary, set up the interface

ip link set enp0s8 up

We will set the enp0s3 interface in promiscuous mode automatically when the system is up, by creating a new service

nano /etc/systemd/system/promisc.service

Description = Control promiscuous mode for sensors interface enp0s8 # change it for your interface name
After =

Type = oneshot
ExecStart = / sbin / ip link set promisc on dev enp0s8
TimeoutStartSec = 0
RemainAfterExit = yes

WantedBy =

Add running permissions of the new service

chmod u + x /etc/systemd/system/promisc.service

systemctl daemon reload

Start promisc.service with server upgrade

systemctl enable promisc.service

Starting promisc.service

systemctl start promisc.service

As you can see in the image below, promiscuous mode has been successfully set up for the enp0s8 interface

Setting up Raw packet capture

For each agent we will enable the following permissions, the permissions allow the logs to be sent to a management server.

setcap cap_net_raw, cap_net_admin = eip / usr / local / zeek / bin / zeek

setcap cap_net_raw, cap_net_admin = eip / usr / local / zeek / bin / zeekctl

Create SSH keys

In order to allow a management server to manage the agents, it is necessary to generate a private key without a password that will be stored on the management server.

Creating keys on a management server, we will agree to the default and keep the key without a password!

su zeek


Copy a public key to the two servers (sensor_users, sensor_servers)

ssh-copy-id zeek@

copy ssh public key

Checking an SSH connection without a password from Zeek management server

ssh zeek@

*Repeat and test the ssh connection without any password for each agent deployed

Zeek Mangement server

Zeek default mode is set as a standalone server, to set Zeek as a cluster it is necessary to edit the node.cfg file on a management server

nano /usr/local/zeek/etc/node.cfg

pay attention! The network interface defined for each agent is the network interface we set up with promiscuous mode.

Cluster test

It’s time to check if all the settings in place and our Zeek cluster work as expected,

from zeek manager run the below commands

zeekctl deploy

*you can use “deploy” command to update agents with any policies or cluster changes

test if all servers are running by run command:

zeekctl status

As you can see in the picture below, the cluster is working properly! If you get an error, you need to go back to the previous steps and make sure everything is set up for each server in the cluster.

Zeek logs files

Each agent analyzes the traffic that arrives from span switch and passes the logs to a management server as files with different names.

if no log files are created under logs folder, it is required to make sure ports 47762 and 47761 are open on a management server.

Zeek Logs location
Zeek Logs location

Network Analysis by Zeek

Each log file contains information for a network packet analyzed and reviewed by Zeek, we will discuss in detail what the log files contain and how risks such as malware on the network can be identified through them.


installing a beat called Filebeat on a management server to collect all eek logs to elasticseach siem, Filebeat allows logging to be sent directly to Elasticsearch servers without using Logstash servers.

Filebeat software requirements

Import PGP keys

wget -qO – | sudo apt-key add –

Installing Transport-https

sudo apt-get install apt-transport-https

Add a new source for downloads

echo “deb stable main” | sudo tee /etc/apt/sources.list.d/elastic-7.x.list

Installing filebeat version 7.14.2 by apt

sudo apt-get update && sudo apt-get install filebeat = 7.14.2

Save elastic user password in keystore

To keep your passwords secure, create a Keystore if it does not exist by following command:

filebeat keystore create

We keep the elastic user password we received when we enabled minimum security for Elasticsearch in keystore

filebeat keystore add ES_PWD

Change Filebeat settings

To send data to elasticsearch it is necessary to edit the filebeat default settings file

nano /etc/filebeat/filebeat.yml

Modify the following values ​​in the filebeat.yml file

output.elasticsearch.password: “$ {ES_PWD}” setup.kibana:
host: “”

# Authentication credentials – either API key or username / password.
#api_key: “id: api_key”
username: “elastic”
password: “$ {ES_PWD}”

# Array of hosts to connect to.
hosts: [“192.168.0,180: 9200”] #cluster host / ip

Run the Filebeat Zeek module

Running a Zeek module in Filebeat is simple, by following command:

sudo filebeat modules enable zeek

Add Zeek path to zeek.yml

Editing a model file, selecting the log paths we want to transfer to elasticsearch

nano /etc/filebeat/modules.d/zeek.yml

You can add paths as needed, for example, collecting a dns.log file by


enabled: true

var.paths: [“/usr/local/zeek/logs/current/dns.log”]

Zeek logs for JSON output

change Zeek logs format to JSON, from Zeek management server

Edit a local.zeek file


Adding JSON Policies

@load policy / tuning / json-logs.zeek

After modifying the local.zeek file update the changes for the cluster by running

sudo zeekctl deploy

Set up filebeat as a system service

Check if the system uses systemd or sysvinit

ps –no-headers -o comm 1

Start filebeat with server boot

sudo / bin / systemctl daemon-reload
sudo / bin / systemctl enable filebeat

Enabling filebeat

service filebeat start

service filebeat info

If everything works fine, we will get “INFO” status

Build Kibana dashboard for Zeek IDS

Once we have successfully set up Zeek’s log collection by filebeat, it’s time to use kibana

from zeek managemet server run the flowing command:

filebeat setup -e

If everything went smoothly, you can access Kibana and view the data coming from the Zeek management server

Zeek Rules


Choosing Zeek as a free open source IDS solution for network traffic analysis is a winning security solution for many reasons, multiple protocol analysis options, integration options with other systems such as Intel, sandbox making the system Invincible.

we recommended you continue reading about Zeek in the article C2 Malware Detection and Network Anomaly by Elasticsearch

Like this article?

You may also enjoy these articles

SearchSploit: Guide to Exploit Database Search

Searchsploit is a command-line tool that allows users to search the Exploit Database, which is a repository of publicly disclosed vulnerabilities and exploitation techniques. It

fuzzing with ffuf tool

Guide to FFUF tool – Web Application Fuzzing

FFUF is a powerful and flexible open-source tool for performing web application fuzzing. Whether you’re a security professional looking to identify vulnerabilities or a developer

Guide to sqlmap tool – sql injection

SQLmap is an powerful open source tool used by hackers to detect and exploit SQL
injection flaws. SQLmap automates the process of detecting and


Hydra tool make password cracking to easy task, hydra can brute Force multiple protocols and services like ftp irc ldap2[s] ldap3 mongodb mssql mysql

Scroll to Top