Zeek Documentation
Important
Make sure to read the appropriate documentation version.
The purpose of this document is to assist the Zeek community with implementing Zeek in their environments. The document includes material on Zeek’s unique capabilities, how to install it, how to interpret the default logs that Zeek generates, and how to modify Zeek to fit your needs. The document is the result of a volunteer community effort. If you would like to contribute, or want more information, please visit the Zeek web page for details on how to connect with the community.
- About Zeek
- Monitoring With Zeek
- Get Started
- Zeek Log Formats and Inspection
- Zeek Logs
- conn.log
- dns.log
- http.log
- files.log
- ftp.log
- ssl.log
- x509.log
- smtp.log
- ssh.log
- pe.log
- dhcp.log
- ntp.log
- SMB Logs (plus DCE-RPC, Kerberos, NTLM)
- irc.log
- rdp.log
- ldap.log and ldap_search.log
- quic.log
- traceroute.log
- tunnel.log
- dpd.log
- known_*.log and software.log
- weird.log and notice.log
- capture_loss.log and reporter.log
- Introduction to Scripting
- Frameworks
- Broker Communication Framework
- Cluster Framework
- Configuration Framework
- File Analysis Framework
- Input Framework
- Intelligence Framework
- Logging Framework
- Management Framework
- NetControl Framework
- Notice Framework
- Packet Analysis
- Signature Framework
- Summary Statistics
- Supervisor Framework
- Telemetry Framework
- TLS Decryption
- Popular Customizations
- Troubleshooting
- Script Reference
- Developer Guides
- Subcomponents
- Acknowledgements
Documentation Versioning
Attention
The Zeek codebase has three primary branches of interest to users, so this document is also maintained in three versions, one for each branch. The default version of docs.zeek.org tracks Zeek’s latest Git development:
Git master branch: https://docs.zeek.org/en/master
If you instead use a Zeek Long-Term Support (LTS) or Feature release, these are the appropriate starting points:
Long-Term Support Release: https://docs.zeek.org/en/lts
Current Feature Release: https://docs.zeek.org/en/current
The version numbering scheme for the two release branches, which tells you which release you are running, is described in the Release Cadence policy.
Documentation for older Zeek releases remains available for approximately one full major-version release cycle, i.e., about a year. You can browse recent versions via the fly-out menu in the bottom left, and find all available versions on the Read the Docs (RTD) website.