Zeek (formerly known as Bro) is a powerful open-source network analysis framework ideal for network security monitoring. This guide provides a step-by-step approach to installing and configuring Zeek on a Debian 12 server.

📋 Prerequisites
Before proceeding, ensure you have:
- A Debian 12 server.
- A non-root user with sudo privileges.
🔧 Step 1: Add Zeek Repository
Zeek isn’t available in the default Debian repositories, so you’ll need to add the official Zeek repository:
curl -fsSL https://download.opensuse.org/repositories/security:zeek/Debian_12/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
echo 'deb http://download.opensuse.org/repositories/security:/zeek/Debian_12/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
sudo apt update
📥 Step 2: Install Zeek
Install the Long-Term Support (LTS) version of Zeek:
sudo apt install zeek-lts
After installation, Zeek will be located in /opt/zeek. Add Zeek to your system’s PATH (use single quotes so that $PATH is expanded each time a shell starts rather than being written into ~/.bashrc as a fixed value):
echo 'export PATH=$PATH:/opt/zeek/bin' >> ~/.bashrc
source ~/.bashrc
Verify the installation:
which zeek
zeek --version
zeek --help
⚙️ Step 3: Configure Zeek
3.1 Define Network Interfaces
Identify your network interfaces:
ip a
Edit the networks configuration file:
sudo nano /opt/zeek/etc/networks.cfg
Add your internal network subnets, one per line, with the CIDR prefix and a description separated by a tab:
10.0.0.0/8 Private IP space
172.16.0.0/12 Private IP space
192.168.0.0/16 Private IP space
3.2 Configure Zeek in Cluster Mode
Edit the node configuration:
sudo nano /opt/zeek/etc/node.cfg
Comment out the standalone configuration:
#[zeek]
#type=standalone
#host=localhost
#interface=eth0
Add the following cluster configuration (replace 192.168.10.15 with your server’s IP address and eth0 with the capture interface you identified with ip a):
# logger
[zeek-logger]
type=logger
host=192.168.10.15
# manager
[zeek-manager]
type=manager
host=192.168.10.15
# proxy
[zeek-proxy]
type=proxy
host=192.168.10.15
# worker
[zeek-worker]
type=worker
host=192.168.10.15
interface=eth0
# worker localhost
[zeek-worker-lo]
type=worker
host=localhost
interface=lo
Start the zeekctl shell and check the configuration (the commands that follow are entered at the zeekctl prompt):
zeekctl
check
Deploy the configuration:
deploy
Check the status of the cluster nodes:
status
📄 Step 4: Analyze Zeek Logs
Zeek stores logs in /opt/zeek/logs/current. Navigate to this directory:
cd /opt/zeek/logs/current
Use zeek-cut to parse logs. For example, to extract specific fields from dns.log:
zeek-cut id.orig_h query answers < dns.log
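As an added example that is not part of the original guide, this shell script shows what zeek-cut relies on in a TSV log: the #fields header line maps column names to positions, metadata lines start with #, and an unset value is written as "-". It builds a constructed dns.log sample (uids and answer addresses are made up; function names are assumptions), selects columns by name the way zeek-cut does, and counts unresolved queries per client host.

```shell
# Constructed sample of a Zeek TSV dns.log, trimmed to the header lines and columns
# that matter here; the uids and answer IPs are made up (RFC 5737 documentation ranges).
make_sample_dns_log() {
  printf '#separator \\x09\n'
  printf '#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tdns\n'
  printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tquery\tanswers\n'
  printf '#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tvector[string]\n'
  printf '1700000000.100000\tCsample01\t192.168.10.20\t53244\t192.168.10.1\t53\texample.com\t192.0.2.10\n'
  printf '1700000000.200000\tCsample02\t192.168.10.21\t40111\t192.168.10.1\t53\twww.debian.org\t198.51.100.7,198.51.100.8\n'
  printf '1700000000.300000\tCsample03\t192.168.10.20\t53245\t192.168.10.1\t53\tdoesnotexist.invalid\t-\n'
  printf '#close\t2023-11-14-22-13-20\n'
}

# zeek_cut FIELD...: emulate `zeek-cut FIELD...` on a Zeek TSV log read from stdin.
# The #fields header maps names to columns, which is why zeek-cut selects by name
# rather than by position; #-prefixed lines are metadata and are skipped.
zeek_cut() {
  awk -F '\t' -v want="$*" '
    BEGIN { n = split(want, names, " ") }
    /^#fields/ {                       # $1 is "#fields", so data column = i - 1
      for (i = 2; i <= NF; i++) col[$i] = i - 1
      for (i = 1; i <= n; i++) if (!(names[i] in col)) {
        print "zeek_cut: unknown field " names[i] > "/dev/stderr"; exit 2
      }
      next
    }
    /^#/ { next }
    {
      out = ""
      for (i = 1; i <= n; i++) out = out (i > 1 ? "\t" : "") $(col[names[i]])
      print out
    }'
}

# unanswered_by_host: count queries whose answers field is unset ("-") per origin host.
# A run of unresolvable names from a single host is worth a closer look when monitoring DNS.
unanswered_by_host() {
  zeek_cut id.orig_h answers |
    awk -F '\t' '$2 == "-" { c[$1]++ } END { for (h in c) print h "\t" c[h] }' |
    sort
}

# Stand-alone demo: the equivalent of `zeek-cut id.orig_h query answers < dns.log`.
make_sample_dns_log | zeek_cut id.orig_h query answers
make_sample_dns_log | unanswered_by_host
```

On a real system, replace make_sample_dns_log with `cat /opt/zeek/logs/current/dns.log`; the real file has more columns, but selection by name still works.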
🛠️ Step 5: Configure Zeek to Output JSON Logs
Edit the local Zeek script:
sudo nano /opt/zeek/share/zeek/site/local.zeek
Add the following line to enable JSON logging:
@load tuning/json-logs
Redeploy Zeek:
zeekctl deploy
📊 Step 6: Analyze JSON Logs with jq
Install jq:
sudo apt install jq -y
Navigate to the logs directory:
cd /opt/zeek/logs/current
Use jq to parse JSON logs. For example, to view dns.log:
jq . dns.log
For a compact view:
jq -c . dns.log
To extract specific fields:
jq -c '[."id.orig_h", ."query", ."answers"]' dns.log
✅ Conclusion
You’ve successfully installed and configured Zeek on Debian 12, enabling powerful network security monitoring capabilities. By analyzing logs in both TSV and JSON formats, you can gain deep insights into your network’s activities.