How to Install and Configure Zeek Network Security Monitor on Ubuntu
Zeek is a powerful, open-source network security monitoring tool that provides deep insight into your network traffic. Unlike traditional intrusion detection systems that focus solely on pattern matching, Zeek analyzes network traffic at a semantic level, making it an invaluable tool for security professionals, system administrators, and network analysts.
In this guide, we'll walk through installing Zeek on Ubuntu, configuring it for optimal performance, and setting up basic monitoring capabilities. You'll learn not just the installation steps, but also best practices for deployment and essential configuration options.
Prerequisites
Before we begin, ensure your system meets the following requirements:
- Ubuntu (20.04 or newer) with root or sudo privileges
- At least 4GB of RAM
- 20GB of free disk space
- A network interface card in promiscuous mode
- Basic familiarity with command-line operations
Installation Steps
1. Update System Packages
First, ensure your system is up to date:
sudo apt update
sudo apt upgrade -y
2. Install Required Dependencies
sudo apt install -y cmake make gcc g++ flex bison libpcap-dev libssl-dev python3 python3-dev swig zlib1g-dev
3. Install Zeek
sudo apt install -y zeek
4. Configure Environment Variables
echo 'export PATH="/opt/zeek/bin:$PATH"' >> ~/.bashrc
source ~/.bashrc
Basic Configuration
1. Configure Network Interface
Edit the Zeek network configuration file:
sudo vim /opt/zeek/etc/node.cfg
Modify the interface line to match your network interface:
[zeek]
type=standalone
host=localhost
# Replace eth0 with your interface name (zeekctl does not strip inline comments, so keep this on its own line)
interface=eth0
2. Configure Log Rotation
Create a log rotation configuration to manage Zeek's logs:
sudo vim /opt/zeek/etc/zeekctl.cfg
Add the following settings (the rotation interval is in seconds, the expiry interval in days):
LogRotationInterval = 3600
LogExpireInterval = 30
Starting and Managing Zeek
1. Initialize and Start Zeek
sudo zeekctl deploy
2. Verify Installation
sudo zeekctl status
Log Analysis and Monitoring
Zeek generates various log files in /opt/zeek/logs/current/. Here are some important ones:
- conn.log: Connection tracking information
- http.log: HTTP traffic details
- dns.log: DNS query and response information
- files.log: File transfer tracking
- weird.log: Unusual or suspicious activity
To view logs in real-time:
tail -f /opt/zeek/logs/current/conn.log
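Zeek writes these logs as tab-separated text with a #fields header naming the columns and "-" marking unset values. As an added example (not part of the original guide or the Zeek project), the following Python reads that format from a constructed conn.log excerpt and summarises bytes per source host and long-lived connections, the kind of check you would run against /opt/zeek/logs/current/conn.log; the sample records and the 600-second threshold are assumptions.

```python
"""Parse Zeek's TSV conn.log and summarise it. Added example, not Zeek's own code."""
from collections import defaultdict

# Constructed sample in Zeek's log format. Real files carry the same header
# lines; the separator line literally reads "#separator \x09" (tab).
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1700000000.1\tCabc1\t10.0.0.5\t51000\t93.184.216.34\t443\ttcp\tssl\t12.5\t1200\t54000\tSF
1700000010.2\tCabc2\t10.0.0.5\t51001\t10.0.0.53\t53\tudp\tdns\t0.01\t60\t120\tSF
1700000020.3\tCabc3\t10.0.0.7\t51002\t198.51.100.9\t4444\ttcp\t-\t3600.0\t-\t-\tS0
#close\t2023-11-14-22-00-00
"""


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names from the #fields line.
    Values equal to the #unset_field marker become None. Assumes tab separation."""
    fields, unset = None, "-"
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#unset_field"):
            unset = line.split("\t")[1]
        elif line.startswith("#") or not line:
            continue  # other header lines, the #close trailer, blank lines
        else:
            values = line.split("\t")
            yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def bytes_by_source(text):
    """Total orig_bytes + resp_bytes per originating host (unset counts as 0)."""
    totals = defaultdict(int)
    for r in parse_zeek_log(text):
        totals[r["id.orig_h"]] += int(r["orig_bytes"] or 0) + int(r["resp_bytes"] or 0)
    return dict(totals)


def long_connections(text, min_seconds=600.0):
    """Return (uid, orig_h, resp_h, resp_p) for connections lasting at least min_seconds."""
    return [(r["uid"], r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])
            for r in parse_zeek_log(text)
            if r["duration"] is not None and float(r["duration"]) >= min_seconds]


if __name__ == "__main__":
    print(bytes_by_source(SAMPLE_CONN_LOG))
    print(long_connections(SAMPLE_CONN_LOG))
```

To run it on a live log, pass the contents of /opt/zeek/logs/current/conn.log to the same functions.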
Troubleshooting Section
Common Issues and Solutions
1. Zeek Won't Start
Check system resources:
free -h
df -h
Verify interface configuration:
sudo zeekctl interfaces
2. Missing Logs
Check permissions:
sudo chown -R zeek:zeek /opt/zeek/logs/
Verify log path exists:
sudo mkdir -p /opt/zeek/logs/current/
3. High CPU Usage
Adjust the packet capture buffer:
sudo sysctl -w net.core.rmem_max=104857600
sudo sysctl -w net.core.rmem_default=104857600
Best Practices & Optimization Tips
Performance Optimization
- Configure packet filtering to focus on relevant traffic
- Implement log rotation to manage disk space
- Use separate disk partitions for logs
Security Considerations
- Run Zeek as a non-root user
- Restrict access to log directories
- Regularly update Zeek and its dependencies
Automation & Monitoring
Create a basic monitoring script:
#!/bin/bash
# Check Zeek status and restart it if needed.
# cron runs with a minimal PATH, so call zeekctl by its full path.
ZEEKCTL=/opt/zeek/bin/zeekctl
if ! "$ZEEKCTL" status | grep -q "running"; then
    "$ZEEKCTL" deploy
    echo "Zeek restarted at $(date)" >> /var/log/zeek_monitor.log
fi
Add to the root crontab (the script needs the same privileges as sudo zeekctl):
*/5 * * * * /path/to/monitor_zeek.sh
Conclusion
You've now successfully installed and configured Zeek on your Ubuntu system. This setup provides a solid foundation for network security monitoring. Remember to regularly check logs, update configurations based on your network's needs, and keep the system updated.
For more advanced configurations and custom scripts, refer to the official Zeek documentation. Consider integrating Zeek with other security tools like ELK Stack or Splunk for enhanced monitoring capabilities.
Regular maintenance and log analysis will help ensure your network remains secure and well-monitored. As your network grows, consider scaling your Zeek deployment using clustering and custom scripts to match your security requirements.