Version 8.1.1

Zeek Documentation

Important

Make sure to read the appropriate documentation version.

The purpose of this manual is to assist the Zeek community with implementing Zeek in their environments. It includes material on Zeek’s unique capabilities, how to install it, how to interpret the default logs that Zeek generates, and how to modify Zeek to fit your needs. This documentation is the result of a volunteer community effort. If you would like to contribute, or want more information, please visit the Zeek web page for details on how to connect with the community.

Table of Contents

• Get Started
  • Installing Zeek
  • Quick Start Guide
  • Zeek Cluster Setup
  • Building from Source
• About Zeek
  • What Is Zeek?
  • Why Zeek?
  • History
  • Architecture
• Monitoring With Zeek
  • Detection and Response Workflow
  • Instrumentation and Collection
  • Storage and Review
• Zeek Log Formats and Inspection
  • Working with a Sample Trace
  • Zeek TSV Format Logs
  • Zeek TSV Format and awk
  • Zeek TSV Format and zeek-cut
  • Zeek JSON Format Logs
  • Zeek JSON Format and jq
  • Log Schemas
• Zeek Logs
  • analyzer.log
  • conn.log
  • dns.log
  • http.log
  • files.log
  • ftp.log
  • ssl.log
  • x509.log
  • smtp.log
  • ssh.log
  • pe.log
  • dhcp.log
  • ntp.log
  • SMB Logs (plus DCE-RPC, Kerberos, NTLM)
  • irc.log
  • ldap.log and ldap_search.log
  • postgresql.log
  • quic.log
  • rdp.log
  • traceroute.log
  • tunnel.log
  • known_*.log and software.log
  • weird.log and notice.log
  • capture_loss.log and reporter.log
• Introduction to Scripting
  • The Basics
  • Finding Potential Usage Errors
  • Event Groups
  • Use of conn_id_ctx
  • Tracing Events
  • Script Optimization
  • JavaScript
• Frameworks
  • Broker Communication Framework
  • Cluster Framework
  • Configuration Framework
  • File Analysis Framework
  • Input Framework
  • Intelligence Framework
  • Logging Framework
  • Management Framework
  • NetControl Framework
  • Notice Framework
  • Packet Analysis
  • Signature Framework
  • Storage Framework
  • Summary Statistics
  • Supervisor Framework
  • Telemetry Framework
  • TLS Decryption
• Popular Customizations
  • Log Enrichment
  • Log Writers
  • Logging
  • Profiling and Debugging
• Troubleshooting
  • Memory Leaks and State Growth
  • CPU Profiling
  • Metrics and Stats
• Script Reference
  • Operators
  • Types
  • Attributes
  • Declarations and Statements
  • Directives
  • Log Files
  • Notices
  • Packet Analyzers
  • Protocol Analyzers
  • File Analyzers
  • Zeek Package Index
  • Zeek Script Index
  • Zeekygen Example Script
• Developer Guides
  • Writing Plugins
  • Writing Analyzers with Spicy
  • Interacting with Zeek using WebSockets
  • Contributor’s Guide
  • Maintainer’s Guide
  • ZeroMQ Cluster Backend
  • Connection Handling
• Subcomponents
• Acknowledgements

• Index

Documentation Versioning

Attention

Zeek publishes both feature and long-term support releases. By default, the Zeek documentation at docs.zeek.org points to whichever release is the most recent (or current). In the current documentation, you may also find a dropdown menu in the banner, which lets you select the documentation version. For your convenience, the most used versions are:

• Current release: docs.zeek.org/en/current

• Long-term support release: docs.zeek.org/en/lts

• Git master branch: docs.zeek.org/en/master

We typically keep the last version from each release cycle available. The current release cycle(s) (LTS and/or feature) will have all versions available, but some may be hidden in the UI dropdown menu.

Zeek’s version numbering scheme is described in the Release Cadence policy.