Installing Zeek

To run Zeek, grab our official Docker images, download our Linux binary packages, install via Homebrew on your Mac, or use the ports collections on FreeBSD and OpenBSD. See the Building from Source section to build Zeek yourself. For details about our release cadence and the significance of Zeek’s version numbers, please refer to our Release Cadence wiki page.

Docker Images

We provide official Docker images on Docker Hub at https://hub.docker.com/u/zeek

  • For the latest feature release: docker pull zeek/zeek:latest

  • For the latest LTS release: docker pull zeek/zeek:lts

  • For the latest release in a given series: docker pull zeek/zeek:7.2

  • For a specific release: docker pull zeek/zeek:7.0.8

  • For the nightly build: docker pull zeek/zeek-dev:latest

Additionally, we push these images to Amazon’s Public Elastic Container Registry (ECR) in the Zeek Project public gallery. To use Amazon’s container registry instead of Docker Hub, prefix images with public.ecr.aws/zeek instead of zeek.

  • For instance, to pull the latest feature release: docker pull public.ecr.aws/zeek/zeek:latest

The images are Debian-based and feature a complete Zeek installation with zeek, zkg, and the Spicy toolchain, but are otherwise minimal to avoid bloat in derived images. For example, if you’d like to install Zeek plugins in those images, you’ll need to install the toolchain they require: typically at least g++ for compilation, cmake and make as build tools, and libpcap-dev to build against Zeek headers. Similarly, you’ll need g++ for Spicy’s JIT compilation, as well as cmake and make to build Spicy analyzer packages.

apt-get update
apt-get install -y --no-install-recommends g++ cmake make libpcap-dev

The source files used to create the container images are on GitHub.

Binary Packages

Linux

We provide binary packages for a wide range of Linux distributions via the openSUSE Build Service. To install, first add the relevant OBS package repository to your system, then use your system’s package manager as usual.

We provide the following groups of packages:

For example, for the latest Zeek 7.0 LTS release on Ubuntu 22.04 the steps look as follows:

echo 'deb https://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
sudo apt update
sudo apt install zeek-7.0
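
The commands above place the key in /etc/apt/trusted.gpg.d, where APT accepts it for every configured repository. As an added example (not from the Zeek documentation), the following script scopes the key to the Zeek repository with signed-by instead; the function names, the /etc/apt/keyrings/zeek.gpg path and the zeek.list file name are assumptions.

```shell
#!/bin/sh
# Added example: trust the Zeek OBS key for the Zeek repository only.
# Function names, keyring path and list file name are assumptions.

ZEEK_REPO_BASE='https://download.opensuse.org/repositories/security:/zeek'
ZEEK_KEYRING='/etc/apt/keyrings/zeek.gpg'

# Print the APT source line for an OBS distro directory (e.g. xUbuntu_22.04),
# restricted to one keyring via signed-by.
zeek_source_line() {
    distro=$1
    keyring=$2
    case $distro in
        ''|*[!A-Za-z0-9_.]*)
            echo "invalid distro: $distro" >&2
            return 1 ;;
    esac
    printf 'deb [signed-by=%s] %s/%s/ /\n' "$keyring" "$ZEEK_REPO_BASE" "$distro"
}

# Install keyring and source list under ROOT ("/" on a real system, as root).
# KEYFILE is an already downloaded and dearmored key, for example:
#   curl -fsSL "$ZEEK_REPO_BASE/xUbuntu_22.04/Release.key" | gpg --dearmor > zeek.gpg
#   gpg --show-keys zeek.gpg    # inspect the fingerprint before trusting it
install_zeek_source() {
    root=$1
    distro=$2
    keyfile=$3
    line=$(zeek_source_line "$distro" "$ZEEK_KEYRING") || return 1
    if [ ! -s "$keyfile" ]; then
        echo "missing or empty key file: $keyfile" >&2
        return 1
    fi
    mkdir -p "$root/etc/apt/keyrings" "$root/etc/apt/sources.list.d" || return 1
    install -m 0644 "$keyfile" "$root$ZEEK_KEYRING" || return 1
    printf '%s\n' "$line" > "$root/etc/apt/sources.list.d/zeek.list"
}
```

After running install_zeek_source / xUbuntu_22.04 zeek.gpg as root, continue with sudo apt update and sudo apt install zeek-7.0 as above.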

Note

Our motivation for this approach is twofold. First, it guarantees LTS users that they won’t unexpectedly end up on a newer LTS line when it comes out. For example, when you install the zeek-6.0 packages, you will not end up on Zeek 7.0 until you decide to switch. Second, it reflects the fact that we consider our x.1 and x.2 feature release lines transient, because they go out of support immediately once we move to the next line of feature releases. Therefore, users of the zeek packages automatically obtain the latest releases as we publish them.

In the past our binary packages also automatically transitioned our LTS users to newer versions, via the older zeek-lts packages. These remain visible on OBS but are no longer supported.

The primary install prefix for binary packages is /opt/zeek (depending on which version you’re using), and includes a complete Zeek environment with zeek itself, the zkg package manager, the Spicy toolchain, etc.

See our Binary Packages wiki page for the latest updates on binary releases.

macOS

The Zeek Homebrew formula provides binary packages (“bottles”). To install:

brew install zeek

These packages are not maintained by the Zeek project.

FreeBSD

Zeek is available from the FreeBSD ports collection. To install:

sudo pkg install -y zeek

These packages are not maintained by the Zeek project.

OpenBSD

Zeek is available from the OpenBSD ports collection. To install:

sudo pkg_add zeek

These packages are not maintained by the Zeek project.