Linux Security Guide

Comprehensive Guide to Installing and Configuring Zeek Network Security Monitoring on Ubuntu 24.04

Deploying an effective network security monitoring solution is essential for any modern infrastructure, and Zeek stands out as a powerful tool in this space. Formerly known as Bro, Zeek is an open-source network analysis framework designed to capture network traffic, detect anomalies, and provide extensive logs for security investigations. In this tutorial, we focus on installing and configuring Zeek on an Ubuntu 24.04 server, covering everything from adding required repositories to parsing output logs efficiently. Whether you’re managing a small network or preparing for large-scale deployments, understanding Zeek on Ubuntu 24.04 is vital for proactive network monitoring and incident response.

Adding the Official Zeek Repository and Installing the Software

Ubuntu 24.04 is the current LTS release, and Zeek is not packaged in Ubuntu's own repositories. The Zeek project publishes binary packages for Ubuntu 24.04 through the openSUSE Build Service (OBS), so adding that repository gets you a current Zeek release without compiling from source.

echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_24.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list

deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_24.04/ /

This command writes the Zeek repository URL into a new APT sources list file so your system knows where to retrieve Zeek packages.

curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_24.04/Release.key | \
gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null

No output indicates the key was added successfully

Downloading and adding the repository's signing key lets APT verify the packages and metadata it fetches from this repository; without it, apt rejects the repository as unsigned. Note that a key placed in /etc/apt/trusted.gpg.d is trusted for every configured repository, not just this one. The tighter option is to store the key elsewhere (for example under /etc/apt/keyrings/) and bind it to this repository alone with a [signed-by=...] option in the deb line.

sudo apt update

Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
Get:2 http://download.opensuse.org/repositories/security:/zeek/xUbuntu_24.04/ InRelease
Fetched 10.5 kB in 1s (8,500 B/s)
Reading package lists... Done

Updating APT refreshes your package cache to include new repository metadata, which is critical before installing new packages.

sudo apt search zeek

Sorting... Done
Full Text Search... Done
zeek/unknown 5.2.0-lts amd64
  Powerful network analysis framework

Searching for ‘zeek’ confirms that the package now resolves from the new repository and shows which version you will get. The same repository also provides zeek-lts (the current long-term-support series) and zeek-nightly (development builds), so choose the track deliberately rather than installing whichever sorts first.

sudo apt install zeek

Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed:
  zeek
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 25.4 MB of archives.
After this operation, 120 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y

This standard APT installation command installs Zeek and its dependencies under /opt/zeek. Note that /opt/zeek/bin is not on PATH by default, so either add it to PATH or call /opt/zeek/bin/zeekctl by its full path. A mistake I often see is skipping the previous step of confirming the package source and version, which can leave you with an unexpected or outdated release.

Configuring Zeek for Cluster Mode on a Single Ubuntu 24.04 Server

Real-world Zeek deployments often run in cluster mode, distributing workload across nodes. However, for testing or smaller environments, a single server cluster setup provides an ideal balance of functionality and simplicity. It involves segregating Zeek components such as the logger, manager, proxy, and worker on the same machine.

First, identify your active network interface and IP, because proper binding ensures Zeek monitors the correct network traffic.

ip a

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.10.60/24 brd 192.168.10.255 scope global dynamic eth0

This command lists network interfaces and shows current IP addresses. Replace ‘eth0’ and IP with your actual interface and IP. In complex networks, failure to assign the right interface can cause Zeek to monitor no or irrelevant traffic.

Next, declare your monitored network in the networks configuration file, which Zeek references for scope and context in traffic analysis.

sudo nano /opt/zeek/etc/networks.cfg

192.168.10.0/24 Local Network

The subnets listed here become Site::local_nets, which is what Zeek uses to decide whether an address is local. That drives the local_orig and local_resp columns in conn.log and the local/remote distinction several detection scripts rely on, so list every internal range, not just the one the sensor sits in.

Turn off the default standalone mode in the node configuration to allow the cluster mode components to operate correctly.

sudo nano /opt/zeek/etc/node.cfg

# Comment existing standalone config by prefixing each line with '#'
#[zeek]
#type=standalone
#host=localhost
#interface=eth0

# Add cluster component definitions as:
[zeek-logger]
type=logger
host=192.168.10.60

[zeek-manager]
type=manager
host=192.168.10.60

[zeek-proxy]
type=proxy
host=192.168.10.60

[zeek-worker]
type=worker
host=192.168.10.60
interface=eth0

[zeek-worker-lo]
type=worker
host=localhost
interface=lo

This runs every cluster role on one machine. Cluster mode keeps the logger, manager, proxy and worker as separate processes, so the layout stays the same when you later move roles onto other hosts. Keep the host value consistent across sections; on a single box, localhost everywhere is the simplest choice. One useful trick many administrators overlook is adding a second worker on the loopback interface for monitoring internal traffic or for testing with locally generated packets.

Validate the configuration before deploying. zeekctl needs root to manage the cluster and lives in /opt/zeek/bin:

sudo /opt/zeek/bin/zeekctl check

checking config files...
scripts are ok

Running zeekctl check ensures no mistakes in syntax or configuration logic which can cause runtime errors later.

Finally, deploy and start the Zeek nodes with:

sudo /opt/zeek/bin/zeekctl deploy

Initial Zeek deployment starting...
starting zeek-manager (pid 1598)...
starting zeek-logger (pid 1601)...
starting zeek-proxy (pid 1604)...
starting zeek-worker (pid 1607)...
Zeek deployment successfully completed.

This command re-runs the checks, installs the configuration and starts every node defined in node.cfg. zeekctl does not supervise the processes itself: add /opt/zeek/bin/zeekctl cron to root's crontab (every five minutes is the usual interval) so that crashed nodes are restarted and housekeeping such as log expiry runs on schedule. In production this step typically also ties into monitoring and orchestration tooling.

Leveraging zeek-cut for Efficient Log Parsing

Zeek generates detailed logs which can quickly become massive. Understanding how to efficiently parse and analyze these logs is fundamental for timely threat detection and incident response. The zeek-cut utility excels at extracting specific fields from tab-separated logs.

First, check available Zeek logs in the current logging directory.

ls -lh /opt/zeek/logs/current/

-rw-r--r-- 1 zeek zeek 204800 Dec 15 11:00 conn.log
-rw-r--r-- 1 zeek zeek 102400 Dec 15 11:00 dns.log
-rw-r--r-- 1 zeek zeek 51200  Dec 15 11:00 http.log
-rw-r--r-- 1 zeek zeek 25600  Dec 15 11:00 ssh.log
-rw-r--r-- 1 zeek zeek 12800  Dec 15 11:00 ssl.log

Each log covers one protocol analyzer or subsystem (conn.log records every connection; dns.log, http.log, ssh.log and ssl.log hold the protocol-specific detail). current/ contains the logs being written now; at each rotation interval (hourly by default) they are moved into a dated directory under /opt/zeek/logs/ and compressed.

To extract useful fields such as source IP, DNS query, and answers from dns.log:

cat /opt/zeek/logs/current/dns.log | zeek-cut id.orig_h query answers

192.168.10.25   www.example.com www.example.com. 93.184.216.34
192.168.10.26   mail.google.com mail.google.com. 172.217.5.78

Alternatively, you can use input redirection:

zeek-cut id.orig_h query answers < /opt/zeek/logs/current/dns.log

192.168.10.25   www.example.com www.example.com. 93.184.216.34
192.168.10.26   mail.google.com mail.google.com. 172.217.5.78

zeek-cut reads the #fields header at the top of each TSV log, so you name columns rather than count them, and the same command keeps working across log types and across Zeek versions that add or reorder columns. Add -d to render the ts column as a human-readable time instead of epoch seconds (-u does the same in UTC). It does not apply to JSON logs; once you switch to JSON, use jq instead. A mistake I often see is administrators parsing raw log files without understanding the fields, which leads to noisy or irrelevant alerting.
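To make explicit what zeek-cut is doing with the header, here is an added example (not code from the Zeek project or from this page) that parses a Zeek TSV log using its own #separator, #set_separator, #empty_field, #unset_field, #fields and #types lines, converts values by declared type (unset "-" becomes None, vectors and sets are split on the set separator) and then selects columns by name the way zeek-cut does, including the -d/-u style time rendering. The dns.log embedded in it is constructed: the header lines follow the ASCII writer's format, and the three data rows use made-up hosts and uids.

```python
"""Parse a Zeek ASCII (TSV) log using its own header, the way zeek-cut does.

Added example, not code from the Zeek project or the original page.
The sample dns.log below is constructed; the addresses and uids are made up.
"""
from datetime import datetime, timezone

# Constructed sample: header lines as Zeek's ASCII writer emits them, three
# invented data rows. Tabs separate the fields.
SAMPLE_DNS_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tdns\n"
    "#open\t2025-01-02-10-15-30\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\trcode_name\tanswers\tTTLs\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tvector[string]\tvector[interval]\n"
    "1735812930.123456\tC1fS05LqmGxy6zFzG\t192.168.10.25\t51234\t192.168.10.1\t53\tudp\twww.example.com\tNOERROR\t93.184.216.34\t300.000000\n"
    "1735812931.500000\tCAbc123\t192.168.10.26\t51235\t192.168.10.1\t53\tudp\tmail.google.com\tNOERROR\t172.217.5.78,172.217.5.79\t300.000000,300.000000\n"
    "1735812932.000000\tCDef456\t192.168.10.27\t51236\t192.168.10.1\t53\tudp\t-\t-\t-\t-\n"
    "#close\t2025-01-02-11-00-00\n"
)


def _scalar(value, ztype):
    """Convert one non-container value according to its Zeek type name."""
    if ztype in ("time", "double", "interval"):
        return float(value)
    if ztype in ("count", "int", "port"):
        return int(value)
    return value  # addr, string, enum, bool, ... kept as text


def _convert(value, ztype, set_sep, empty, unset):
    """Apply the unset/empty conventions, then split containers on set_sep."""
    if value == unset:
        return None
    if ztype.startswith(("vector[", "set[")):
        inner = ztype[ztype.index("[") + 1:-1]
        if value == empty:
            return []
        return [_scalar(v, inner) for v in value.split(set_sep)]
    if value == empty:
        return ""
    return _scalar(value, ztype)


def parse_zeek_tsv(text):
    """Return {"path", "fields", "types", "records"} for one Zeek TSV log."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields, types, records, path = [], [], [], None
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            if raw.startswith("#separator "):
                # First header line; the separator is written as an escape like \x09.
                sep = raw.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
                continue
            key, _, value = raw[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "path":
                path = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            # #open / #close carry rotation timestamps; nothing to convert.
            continue
        values = raw.split(sep)
        if len(values) != len(fields) or len(fields) != len(types):
            raise ValueError(f"column count mismatch in {path!r}: {raw!r}")
        records.append({f: _convert(v, t, set_sep, empty, unset)
                        for f, t, v in zip(fields, types, values)})
    return {"path": path, "fields": fields, "types": types, "records": records}


def zeek_cut(log, *names, human_time=False):
    """Select columns by name; human_time renders time fields like zeek-cut -u."""
    types = dict(zip(log["fields"], log["types"]))
    rows = []
    for rec in log["records"]:
        row = []
        for name in names:
            value = rec.get(name)
            if value is None:
                row.append("-")
            elif isinstance(value, list):
                row.append(",".join(str(x) for x in value) if value else "(empty)")
            elif human_time and types.get(name) == "time":
                row.append(datetime.fromtimestamp(value, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
            else:
                row.append(str(value))
        rows.append(row)
    return rows


if __name__ == "__main__":
    log = parse_zeek_tsv(SAMPLE_DNS_LOG)
    for row in zeek_cut(log, "ts", "id.orig_h", "query", "answers", human_time=True):
        print("\t".join(row))
```

Because the parser is driven entirely by the header, the same code reads conn.log or http.log unchanged; the column check raises rather than silently misaligning fields when a log is truncated mid-line, which is the usual failure when reading current/ while Zeek is still writing to it.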

Enabling JSON Log Outputs and Parsing Them with jq

While TSV is compact and efficient, JSON logs provide greater flexibility for integration with modern logging and SIEM systems like ELK or Graylog, where structured data is easier to query and visualize.

To enable JSON logging, modify Zeek’s policy configuration as follows:

sudo nano /opt/zeek/share/zeek/site/local.zeek

# Uncomment the following line:
@load policy/tuning/json-logs

Loading this policy switches the ASCII writer to JSON, so every log in current/ is written as one JSON object per line instead of TSV (the TSV headers disappear and zeek-cut no longer applies). By default the ts field is still epoch seconds as a float; to get ISO 8601 timestamps as shown below, also add redef LogAscii::json_timestamps = JSON::TS_ISO8601; to local.zeek. After saving, redeploy Zeek to apply the change:

sudo /opt/zeek/bin/zeekctl deploy

Restarting Zeek cluster components...
Deployment complete.

Inspect the dns.log file to confirm JSON formatting:

head -n 1 /opt/zeek/logs/current/dns.log

{"ts":"2025-01-02T10:15:30Z","uid":"C1fS05LqmGxy6zFzG","id.orig_h":"192.168.10.25","query":"www.example.com","answers":["93.184.216.34"]}

Using the lightweight JSON processor jq, extract and format fields with ease:

sudo apt install jq -y

Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed:
  jq
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.

Parse logs with:

jq . /opt/zeek/logs/current/dns.log

{
  "ts": "2025-01-02T10:15:30Z",
  "uid": "C1fS05LqmGxy6zFzG",
  "id.orig_h": "192.168.10.25",
  "query": "www.example.com",
  "answers": [
    "93.184.216.34"
  ]
}

For concise, line-delimited JSON output ideal for piping:

jq -c . /opt/zeek/logs/current/dns.log

{"ts":"2025-01-02T10:15:30Z","uid":"C1fS05LqmGxy6zFzG","id.orig_h":"192.168.10.25","query":"www.example.com","answers":["93.184.216.34"]}

Or extract specific keys in arrays to streamline data consumption:

jq -c '[."id.orig_h", ."query", ."answers"]' /opt/zeek/logs/current/dns.log

["192.168.10.25","www.example.com",["93.184.216.34"]]

In production, this capability enables automated scripts or security dashboards to consume precise parts of network events, improving visibility and response times.
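As an added example of that consumption step (not code from the Zeek project or from this page), the following reads line-delimited JSON as Zeek writes it, tolerates a half-written last line, accepts both timestamp styles (epoch float by default, ISO 8601 if json_timestamps is redefined), reproduces the jq projection above in Python, and aggregates dns.log per client, counting NXDOMAIN answers, which is the kind of summary a dashboard or a script would build on. The log lines are constructed (made-up hosts, uids and domains) and deliberately mix the two timestamp styles so the normalizer is exercised; the NXDOMAIN threshold is illustrative, not a recommended tuning value.

```python
"""Consume Zeek's line-delimited JSON logs and summarize DNS activity per client.

Added example, not code from the Zeek project or the original page. The log
lines below are constructed and deliberately mix both timestamp styles Zeek
can emit (epoch float, or ISO 8601 when LogAscii::json_timestamps is redefined).
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: four dns.log records plus one unparsable line, as you
# would see when reading current/ while Zeek is mid-write.
SAMPLE_JSON_LOG = """\
{"ts":"2025-01-02T10:15:30Z","uid":"C1fS05LqmGxy6zFzG","id.orig_h":"192.168.10.25","id.resp_h":"192.168.10.1","query":"www.example.com","rcode_name":"NOERROR","answers":["93.184.216.34"]}
{"ts":1735812931.5,"uid":"CAbc123","id.orig_h":"192.168.10.26","id.resp_h":"192.168.10.1","query":"mail.google.com","rcode_name":"NOERROR","answers":["172.217.5.78"]}
{"ts":1735812932.0,"uid":"CDef456","id.orig_h":"192.168.10.26","id.resp_h":"192.168.10.1","query":"kq3z9x.example.net","rcode_name":"NXDOMAIN"}
{"ts":1735812933.0,"uid":"CGhi789","id.orig_h":"192.168.10.26","id.resp_h":"192.168.10.1","query":"p0q1r2.example.net","rcode_name":"NXDOMAIN"}
this line is truncated garbage from a half-written log
"""


def normalize_ts(ts):
    """Return epoch seconds (float) from either Zeek JSON timestamp style."""
    if isinstance(ts, (int, float)):
        return float(ts)
    # ISO 8601 with a trailing 'Z'; older fromisoformat() only accepts +00:00.
    return datetime.fromisoformat(str(ts).replace("Z", "+00:00")).timestamp()


def iter_json_log(text):
    """Yield (record, None) for each good line and (None, line) for a bad one."""
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            yield json.loads(line), None
        except json.JSONDecodeError:
            yield None, line


def project(records, keys):
    """Python equivalent of jq -c '[."a", ."b"]'; missing keys become None (jq null)."""
    return [[rec.get(k) for k in keys] for rec in records]


def summarize_dns(text, nxdomain_threshold=2):
    """Per-client DNS summary plus clients whose NXDOMAIN count reaches the threshold."""
    per_client = defaultdict(lambda: {"queries": 0, "distinct": set(), "nxdomain": 0,
                                      "first_ts": None, "last_ts": None})
    malformed = 0
    for rec, _bad_line in iter_json_log(text):
        if rec is None:
            malformed += 1
            continue
        client = rec.get("id.orig_h")
        if client is None:
            continue
        ts = normalize_ts(rec["ts"])
        entry = per_client[client]
        entry["queries"] += 1
        if rec.get("query"):
            entry["distinct"].add(rec["query"])
        if rec.get("rcode_name") == "NXDOMAIN":
            entry["nxdomain"] += 1
        entry["first_ts"] = ts if entry["first_ts"] is None else min(entry["first_ts"], ts)
        entry["last_ts"] = ts if entry["last_ts"] is None else max(entry["last_ts"], ts)
    # Replace the working set with its size so the result is plain JSON-able data.
    clients = {c: dict(e, distinct=len(e["distinct"])) for c, e in per_client.items()}
    flagged = sorted(c for c, e in clients.items() if e["nxdomain"] >= nxdomain_threshold)
    return {"clients": clients, "flagged": flagged, "malformed_lines": malformed}


if __name__ == "__main__":
    records = [r for r, _ in iter_json_log(SAMPLE_JSON_LOG) if r is not None]
    for row in project(records, ["id.orig_h", "query", "answers"]):
        print(json.dumps(row, separators=(",", ":")))
    print(json.dumps(summarize_dns(SAMPLE_JSON_LOG), indent=2))
```

Counting malformed lines separately instead of aborting matters when the script runs against current/ on a live sensor: the last line is frequently incomplete, and a consumer that crashes on it will keep missing the same window.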

Best Practices for Running Zeek in Ubuntu Server Environments

When running Zeek in production, especially on Ubuntu 24.04 or newer, consider these tips:

  • Resource Allocation: Zeek is CPU and memory intensive under heavy network traffic. Assign sufficient resources and monitor system usage regularly.
  • Interface Selection: Monitor only necessary interfaces to reduce noise and resource consumption. Use ‘ip a’ and ‘tcpdump’ to verify interface activity.
  • Log Rotation: Zeek rotates its own logs (LogRotationInterval in zeekctl.cfg, 3600 seconds by default) into dated directories and compresses them, and zeekctl cron expires them after LogExpireInterval. Set that expiry instead of pointing logrotate at current/, which would fight Zeek's own writer.
  • Use Cluster Mode: Even on single nodes, cluster mode helps modularize debugging and improves maintainability when scaling out later.
  • Network Time Synchronization: Ensure host time is synchronized via NTP or Chrony because accurate timestamps are critical for correlating events.
  • Security Defaults: Packet capture needs root or CAP_NET_RAW. To run the cluster as a dedicated unprivileged user, grant the capability once with setcap cap_net_raw,cap_net_admin=eip /opt/zeek/bin/zeek and make /opt/zeek/logs and /opt/zeek/spool writable by that user. Harden the host OS by disabling unnecessary services.

One useful trick many administrators overlook is automating Zeek deployments with configuration management tools like Ansible or Puppet to maintain consistency across environments.

Troubleshooting Scenario: Zeek Not Capturing Traffic on the Expected Interface

In one case, a colleague’s Zeek deployment on Ubuntu 24.04 was not reporting any DNS traffic despite DNS queries confirmed on the network. After checking configuration files and deployment status, the problem boiled down to incorrect network interface designation in node.cfg. The interface was set to ‘eth0’, while the active interface was ‘ens3’.

Running ip a helped identify the correct interface quickly.

ip a

2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.10.60/24 brd 192.168.10.255 scope global dynamic ens3

Switching the configuration resolved the issue.

This highlights the importance of interface verification prior to deployment. Additionally, zeekctl status shows whether each node is running, zeekctl netstats reports packets received and dropped per worker (a worker that is up but sees zero packets points at the same interface problem), and zeekctl diag collects crash reports when a node has stopped unexpectedly.
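The interface mistake above, and the cluster layout from the node.cfg section, are both checkable before zeekctl deploy. The following added example (not part of zeekctl or of this page) parses a node.cfg with Python's configparser, confirms every worker's interface exists on the host (read from /sys/class/net in real use), and flags structural errors zeekctl would reject: a standalone node left uncommented next to cluster roles, a missing host=, or a cluster without exactly one manager, at least one proxy and at least one worker. The node.cfg embedded in it is constructed: the page's single-host cluster with the worker still bound to eth0 while the host has only lo and ens3.

```python
"""Sanity-check a zeekctl node.cfg before 'zeekctl deploy'.

Added example, not part of zeekctl or the original page. The sample
node.cfg below is constructed; 'ens3' stands in for whatever 'ip a' shows.
"""
import configparser
import os

VALID_TYPES = {"standalone", "manager", "logger", "proxy", "worker"}

# Constructed: the page's single-host cluster, but the worker still says eth0
# while the host's interfaces are lo and ens3.
BROKEN_NODE_CFG = """\
#[zeek]
#type=standalone
#host=localhost
#interface=eth0

[zeek-logger]
type=logger
host=192.168.10.60

[zeek-manager]
type=manager
host=192.168.10.60

[zeek-proxy]
type=proxy
host=192.168.10.60

[zeek-worker]
type=worker
host=192.168.10.60
interface=eth0

[zeek-worker-lo]
type=worker
host=localhost
interface=lo
"""


def list_interfaces(sysfs="/sys/class/net"):
    """Interfaces present on this Linux host; empty set if sysfs is unavailable."""
    try:
        return set(os.listdir(sysfs))
    except OSError:
        return set()


def validate_node_cfg(text, interfaces):
    """Return a list of problems; an empty list means the config looks deployable."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    if not cfg.sections():
        return ["no node sections defined (everything commented out?)"]
    problems, roles = [], {}
    for name in cfg.sections():
        sec = cfg[name]
        ntype = sec.get("type")
        if ntype not in VALID_TYPES:
            problems.append(f"[{name}]: unknown or missing type {ntype!r}")
            continue
        roles.setdefault(ntype, []).append(name)
        if not sec.get("host"):
            problems.append(f"[{name}]: host= is required")
        if ntype in ("worker", "standalone"):
            iface = sec.get("interface")
            if not iface:
                problems.append(f"[{name}]: {ntype} node needs interface=")
            elif iface not in interfaces:
                have = ", ".join(sorted(interfaces)) or "none"
                problems.append(f"[{name}]: interface {iface!r} not present on host (have: {have})")
    if "standalone" in roles:
        if len(roles) > 1:
            problems.append("standalone node mixed with cluster roles; comment one side out")
        return problems
    if len(roles.get("manager", [])) != 1:
        problems.append("cluster needs exactly one manager")
    for role in ("proxy", "worker"):
        if not roles.get(role):
            problems.append(f"cluster needs at least one {role}")
    return problems


if __name__ == "__main__":
    for p in validate_node_cfg(BROKEN_NODE_CFG, {"lo", "ens3"}):
        print("PROBLEM:", p)
    # On a real sensor:
    #   with open("/opt/zeek/etc/node.cfg") as fh:
    #       problems = validate_node_cfg(fh.read(), list_interfaces())
```

Run it from the same cron or configuration-management step that pushes node.cfg, and refuse to call zeekctl deploy while it returns anything; that turns the scenario above from an after-the-fact investigation into a failed pre-flight check.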

Conclusion

Installing and configuring Zeek on Ubuntu 24.04 offers an efficient and robust way to monitor network security with granular visibility. From repository setup to cluster mode configuration, and efficient log parsing using zeek-cut and jq, this tutorial has covered practical, real-world steps for administrators. Remember to verify network interfaces and maintain proper resource allocation to optimize Zeek’s performance. With these techniques, system administrators can implement scalable network monitoring solutions that integrate seamlessly with existing logging ecosystems for enhanced security insights.
