Installing Zeek

To run Zeek, grab our official Docker images, download our Linux binary packages, install via Homebrew on your Mac, use the ports collection on FreeBSD, or build Zeek yourself.

Docker Images

We provide official Docker images on Docker Hub at https://hub.docker.com/u/zeekurity.

  • For the latest feature release: docker pull zeekurity/zeek:latest

  • For the latest LTS release: docker pull zeekurity/zeek:lts

  • For a specific release: docker pull zeekurity/zeek:5.0.0-rc1

  • For the nightly build: docker pull zeekurity/zeek-dev:latest

The images run Debian and feature a complete Zeek installation with zeek, zkg, and the Spicy toolchain, but are otherwise minimal to avoid bloat in derived images. For example, if you’d like to install Zeek plugins in those images, you’ll need to install their needed toolchain, typically at least g++ for compilation, cmake and make as build tools, and libpcap-dev to build against Zeek headers. Similarly, you’ll need g++ for Spicy’s JIT compilation, as well as cmake and make to build Spicy analyzer packages.

apt-get update
apt-get install -y --no-install-recommends g++ cmake make libpcap-dev

The Dockerfile lives here.

Binary Packages

Linux

We provide binary packages for a wide range of Linux distributions via the openSUSE Build Service. To install, first add the relevant OBS package repository to your system, then use your system’s package manager as usual.

We provide packages for:

For example, for the latest feature release on CentOS Stream 8 you’d run the following as root:

cd /etc/yum.repos.d/
wget https://download.opensuse.org/repositories/security:/zeek/CentOS_8_Stream/security:zeek.repo
dnf install zeek

For the LTS release on Ubuntu 22.04 the steps look as follows:

echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
sudo apt update
sudo apt install zeek-lts

The primary install prefix for binary packages is /opt/zeek (depending on which version you’re using), and includes a complete Zeek environment with zeek itself, the zkg package manager, the Spicy toolchain, etc.

See our Binary Packages wiki page for the latest updates on binary releases.

macOS

The Zeek Homebrew formula provides binary packages (“bottles”). To install:

brew install zeek

These packages are not maintained by the Zeek project.

FreeBSD

Zeek is available from the ports collection. To install:

sudo pkg install -y zeek

These packages are not maintained by the Zeek project.

Building from Source

Building Zeek from source provides the most control over your build and is the preferred approach for advanced users. We support a wide range of operating systems and distributions. Our support policy is informed by what we can run in our CI pipelines with reasonable effort, with the current status captured in our support matrix.

Required Dependencies

Building Zeek from source requires the following dependencies, including development headers for libraries:

To install these, you can use:

  • RPM/RedHat-based Linux:

    sudo dnf install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python3 python3-devel swig zlib-devel
    

    On pre-dnf systems, use yum instead. Additionally, on RHEL/CentOS 7, you can install and activate a devtoolset to get access to recent GCC versions. You will also have to install and activate CMake 3. For example:

    sudo yum install cmake3 devtoolset-7
    scl enable devtoolset-7 bash
    
  • DEB/Debian-based Linux:

    sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python3 python3-dev swig zlib1g-dev
    
  • FreeBSD:

    Most required dependencies should come with a minimal FreeBSD install except for the following.

    sudo pkg install -y bash git cmake swig bison python3 base64
    pyver=`python3 -c 'import sys; print(f"py{sys.version_info[0]}{sys.version_info[1]}")'`
    sudo pkg install -y $pyver-sqlite3
    
  • macOS:

    Compiling source code on Macs requires first installing either Xcode or the “Command Line Tools” (which is a much smaller download). To check if either is installed, run the xcode-select -p command. If you see an error message, then neither is installed and you can then run xcode-select --install which will prompt you to either get Xcode (by clicking “Get Xcode”) or to install the command line tools (by clicking “Install”).

    macOS comes with all required dependencies except for CMake, SWIG, Bison, and OpenSSL (OpenSSL headers were removed in macOS 10.11, therefore OpenSSL must be installed manually for macOS versions 10.11 or newer).

    Distributions of these dependencies can likely be obtained from your preferred macOS package management system (e.g. Homebrew, MacPorts, or Fink). Specifically for Homebrew, the cmake, swig, openssl, and bison packages provide the required dependencies. For MacPorts, the cmake, swig, swig-python, openssl, and bison packages provide the required dependencies.

Optional Dependencies

Zeek can make use of some optional libraries and tools if they are found at build time:

Geolocation is probably the most interesting and can be installed on most platforms by following the instructions for installing the GeoIP library and database.

The zkg package manager, included in the Zeek installation, requires two external Python modules:

These install easily via pip (pip3 install GitPython semantic-version) and also ship with some distributions:

  • RPM/RedHat-based Linux:

    sudo yum install python3-GitPython python3-semantic_version
    
  • DEB/Debian-based Linux:

    sudo apt-get install python3-git python3-semantic-version
    

zkg also requires a git installation, which the above system packages pull in as a dependency. If you install via pip, remember that you also need git itself.

Retrieving the Sources

Zeek releases are bundled into source packages for convenience and are available on the downloads page. The source code can be manually downloaded from the link in the .tar.gz format to the target system for installation.

If you plan to contribute to Zeek or just want to try out the latest features under development, you should obtain Zeek’s source code through its Git repositories hosted at https://github.com/zeek:

git clone --recurse-submodules https://github.com/zeek/zeek

Note

If you choose to clone the zeek repository non-recursively for a “minimal Zeek experience”, be aware that compiling it depends on several of the other submodules as well, so you’ll likely have to build/install those independently first.

Configuring and Building

The typical way to build and install from source is as follows:

./configure
make
make install

If the configure script fails, then it is most likely because it either couldn’t find a required dependency or it couldn’t find a sufficiently new version of a dependency. Assuming that you already installed all required dependencies, then you may need to use one of the --with-* options that can be given to the configure script to help it locate a dependency. To find out what all different options ./configure supports, run ./configure --help.

The default installation path is /usr/local/zeek, which would typically require root privileges when doing the make install. A different installation path can be chosen by specifying the configure script --prefix option. Note that /usr, /opt/bro/, and /opt/zeek are the standard prefixes for binary Zeek packages to be installed, so those are typically not good choices unless you are creating such a package.

OpenBSD users, please see our FAQ if you are having problems installing Zeek.

Depending on the Zeek package you downloaded, there may be auxiliary tools and libraries available in the auxil/ directory. Some of them will be automatically built and installed along with Zeek. There are --disable-* options that can be given to the configure script to turn off unwanted auxiliary projects that would otherwise be installed automatically. Finally, use make install-aux to install some of the other programs that are in the auxil/zeek-aux directory.

Finally, if you want to build the Zeek documentation (not required, because all of the documentation for the latest Zeek release is available at https://docs.zeek.org), there are instructions in doc/README in the source distribution.

Cross Compiling

Prerequisites

You need three things on the host system:

  1. The Zeek source tree.

  2. A cross-compilation toolchain, such as one built via crosstool-NG.

  3. Pre-built Zeek dependencies from the target system. This usually includes libpcap, zlib, OpenSSL, and Python development headers and libraries.

Configuration and Compiling

You first need to compile a few build tools native to the host system for use during the later cross-compile build. In the root of your Zeek source tree:

./configure --builddir=../zeek-buildtools
( cd ../zeek-buildtools && make binpac bifcl )

Next configure Zeek to use your cross-compilation toolchain (this example uses a Raspberry Pi as the target system):

./configure --toolchain=/home/jon/x-tools/RaspberryPi-toolchain.cmake --with-binpac=$(pwd)/../zeek-buildtools/auxil/binpac/src/binpac --with-bifcl=$(pwd)/../zeek-buildtools/src/bifcl

Here, the RaspberryPi-toolchain.cmake file specifies a CMake toolchain. In the toolchain file, you need to point the toolchain and compiler at the cross-compilation toolchain. It might look something the following:

# Operating System on which CMake is targeting.
set(CMAKE_SYSTEM_NAME Linux)

# The CMAKE_STAGING_PREFIX option may not work.
# Given that Zeek is configured:
#
#   `./configure --prefix=<dir>`
#
# The options are:
#
#   (1) `make install` and then copy over the --prefix dir from host to
#       target system.
#
#   (2) `DESTDIR=<staging_dir> make install` and then copy over the
#       contents of that staging directory.

set(toolchain /home/jon/x-tools/arm-rpi-linux-gnueabihf)
set(CMAKE_C_COMPILER   ${toolchain}/bin/arm-rpi-linux-gnueabihf-gcc)
set(CMAKE_CXX_COMPILER ${toolchain}/bin/arm-rpi-linux-gnueabihf-g++)

# The cross-compiler/linker will use these paths to locate dependencies.
set(CMAKE_FIND_ROOT_PATH
    /home/jon/x-tools/zeek-rpi-deps
    ${toolchain}/arm-rpi-linux-gnueabihf/sysroot
)

set(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
set(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
set(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)

If that configuration succeeds you are ready to build:

make

And if that works, install on your host system:

make install

Once installed, you can copy/move the files from the installation prefix on the host system to the target system and start running Zeek as usual.

Configuring the Run-Time Environment

You may want to adjust your PATH environment variable according to the platform/shell/package you’re using since neither /usr/local/zeek/bin/ nor /opt/zeek/bin/ will reside in the default PATH. For example:

Bourne-Shell Syntax:

export PATH=/usr/local/zeek/bin:$PATH

C-Shell Syntax:

setenv PATH /usr/local/zeek/bin:$PATH

Or substitute /opt/zeek/bin instead if you installed from a binary package.

Zeek supports several environment variables to adjust its behavior. Take a look at the zeek --help output for details.