Docker deployment and management tool for Zeek
The Docker image comes with:
- Zeekctl cluster with AF_Packet
- Automatic process recovery if a worker crashes
- ja3 and ja4+ TLS fingerprinting
- zeek-open-connections for logging long-lived connections
Requires Docker to be installed.
Download the CLI for your architecture from the latest release, then:

```
tar xzf zeek-linux-amd64.tar.gz
sudo mv zeek /usr/local/bin/zeek
sudo zeek start
```

On first run, the CLI will prompt you to pick a network interface and the number of worker processes. Zeek logs are written to /opt/zeek/logs/.
- zeek start: Start the Zeek container
- zeek stop: Stop the Zeek container
- zeek restart: Restart the Zeek container
- zeek status: Show container and process status
- zeek update: Pull the latest image and restart
- zeek readpcap: Process a pcap file offline
```
zeek readpcap /path/to/capture.pcap [output-dir]
```

Logs default to /opt/zeek/manual-logs/.
To re-run the interface selection:

```
sudo rm /opt/zeek/etc/node.cfg
zeek start
```

To install a Zeek package with zkg inside the running container (hassh as the example), then restart:

```
docker exec -it zeek zkg install hassh
zeek restart
```
Drop .zeek files into the autoload directory. They are included alphabetically to build local.zeek on container start. local.zeek is regenerated every time the container starts, so don't edit it directly.

```
sudo cp custom.zeek /opt/zeek/share/zeek/site/autoload/210-custom.zeek
zeek restart
```

Zeek logs are written to /opt/zeek/logs/ (or $ZEEK_TOP_DIR/logs/ if customized). Logs are rotated hourly and organized into date-stamped directories.
Zeek files live in /opt/zeek/ by default. Change it with:

```
export ZEEK_TOP_DIR=/your/path
```

The CLI pulls the Docker image version it was built for. To use a different published version:

```
export ZEEK_RELEASE=8.0.6
```

To build and test the CLI from source, use the make targets:

```
make build # build the CLI
make test # run unit tests
make test-integration # run integration tests
make lint # run linter
make docker-build # build the Docker image
make release # build release artifacts
```