docker-zeek

command module
v0.0.0-...-c112d92 Latest
Published: Mar 27, 2026 License: GPL-3.0 Imports: 9 Imported by: 0

README

docker-zeek

Docker deployment and management tool for Zeek

What's Included

The Docker image comes with:

  • Zeekctl cluster with AF_Packet
  • Automatic process recovery if a worker crashes
  • ja3 and ja4+ TLS fingerprinting
  • zeek-open-connections for logging long-lived connections

Quick Start

Requires Docker to be installed.

Download the CLI for your architecture from the latest release, then:

tar xzf zeek-linux-amd64.tar.gz
sudo mv zeek /usr/local/bin/zeek
sudo zeek start

On first run, the CLI will prompt you to pick a network interface and number of worker processes. Zeek logs are written to /opt/zeek/logs/.

Usage

Commands
zeek start       Start the Zeek container
zeek stop        Stop the Zeek container
zeek restart     Restart the Zeek container
zeek status      Show container and process status
zeek update      Pull the latest image and restart
zeek readpcap    Process a pcap file offline

Processing a Pcap

zeek readpcap /path/to/capture.pcap [output-dir]

Logs default to /opt/zeek/manual-logs/.

Sensor Setup

To re-run the interface selection:

sudo rm /opt/zeek/etc/node.cfg
zeek start

Installing Zeek Packages

docker exec -it zeek zkg install hassh
zeek restart

Custom Zeek Scripts

Drop .zeek files into the autoload directory (/opt/zeek/share/zeek/site/autoload/ on the host). When the container starts they are included in alphabetical order to build local.zeek, so a numeric prefix such as 210- controls where a script lands in the load order. Because local.zeek is regenerated on every container start, do not edit it directly; changes go in the autoload files.

sudo cp custom.zeek /opt/zeek/share/zeek/site/autoload/210-custom.zeek
zeek restart
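The alphabetical inclusion above has one pitfall worth seeing before a restart: the ordering is byte-wise, so a prefix like 9- sorts after 210-. The following is an added example, not docker-zeek's own code: it previews the load order for an autoload directory and builds a local.zeek from it. It assumes the image emits one @load line per file; the README only says the files are included alphabetically, so that directive is an assumption about the implementation.

```shell
#!/bin/sh
# Added example, not the docker-zeek project's code. Previews the order in
# which autoload/*.zeek files are picked up and builds a local.zeek from
# them. ASSUMPTION: the image emits one "@load" line per file; the README
# only states that the files are included alphabetically.

# Print the .zeek files in an autoload directory in the order they will be
# loaded. LC_ALL=C forces a byte-wise sort, so 100-a.zeek < 210-b.zeek < 9-c.zeek:
# keep numeric prefixes the same width (009-, not 9-) to get the order you expect.
autoload_order() {
    ls "$1" | grep '\.zeek$' | LC_ALL=C sort
}

# Write a generated local.zeek with one @load per autoload file.
# Usage: build_local_zeek /opt/zeek/share/zeek/site/autoload /tmp/local.zeek
build_local_zeek() {
    autoload_dir=$1
    out=$2
    {
        printf '# Generated from %s; edit the autoload files, not this file.\n' "$autoload_dir"
        autoload_order "$autoload_dir" | while IFS= read -r name; do
            printf '@load ./autoload/%s\n' "$name"
        done
    } > "$out"
}

# Preview the order before running "zeek restart" (path from the README):
# autoload_order /opt/zeek/share/zeek/site/autoload
```

Run autoload_order against the host directory before restarting; if a file you expect to load last appears early, widen its numeric prefix.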

Logs

Zeek logs are written to /opt/zeek/logs/ (or $ZEEK_TOP_DIR/logs/ if customized). Logs are rotated hourly and organized into date-stamped directories.
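To make the rotated logs useful from the host, here is an added example (not part of docker-zeek) that reads one day's conn logs and reports connections that ran longer than a threshold, the same class of long-lived flow that zeek-open-connections exists to surface. It locates columns by name from the #fields header rather than by position, and handles both plain and gzip-rotated files. The rotated file name pattern (conn.*.log.gz inside a YYYY-MM-DD directory) is an assumption based on the default Zeek ASCII writer layout, and the sample log is constructed, not captured traffic.

```shell
#!/bin/sh
# Added example, not the docker-zeek project's code. Pulls long-lived
# connections out of a Zeek conn.log by reading the column names from the
# #fields header, so it keeps working when a site adds or reorders fields.
# Usage: long_connections <conn.log|conn.log.gz> <min-seconds>
long_connections() {
    reader=cat
    case "$1" in *.gz) reader="gzip -dc" ;; esac
    $reader "$1" | awk -F '\t' -v min="$2" '
        # The #fields line names the columns; data rows start one field earlier
        # because "#fields" itself occupies $1 on the header line.
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }
        # "-" is the Zeek unset marker (e.g. a single-packet UDP flow with no duration).
        $col["duration"] != "-" && $col["duration"] + 0 >= min {
            print $col["uid"] "\t" $col["id.orig_h"] "\t" $col["id.resp_h"] "\t" $col["duration"]
        }'
}

# Scan every conn log for one day under the date-stamped layout the README
# describes. ASSUMPTION: rotated files are named conn.*.log.gz inside a
# YYYY-MM-DD directory, which is the Zeek ASCII writer default.
# Usage: scan_day /opt/zeek/logs 2026-03-27 3600
scan_day() {
    for f in "$1/$2"/conn.*.log "$1/$2"/conn.*.log.gz; do
        [ -e "$f" ] || continue
        long_connections "$f" "$3"
    done
}

# Constructed sample in the Zeek ASCII layout (not real traffic), used to
# exercise the functions above offline. Usage: write_sample_conn_log <path>
write_sample_conn_log() {
    {
        printf '#separator \\x09\n'
        printf '#set_separator\t,\n'
        printf '#empty_field\t(empty)\n'
        printf '#unset_field\t-\n'
        printf '#path\tconn\n'
        printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\n'
        printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tinterval\n'
        printf '1711526400.000000\tCabc1\t10.0.0.5\t51234\t203.0.113.7\t443\ttcp\t12.5\n'
        printf '1711526401.000000\tCdef2\t10.0.0.9\t40000\t198.51.100.3\t22\ttcp\t7300.25\n'
        printf '1711526402.000000\tCghi3\t10.0.0.9\t40001\t198.51.100.3\t53\tudp\t-\n'
        printf '1711526403.000000\tCjkl4\t10.0.0.12\t55555\t192.0.2.44\t8443\ttcp\t4000.0\n'
        printf '#close\t2026-03-27-10-00-00\n'
    } > "$1"
}
```

With the README's default paths, `scan_day /opt/zeek/logs "$(date +%Y-%m-%d)" 3600` lists every connection archived today that lasted an hour or more; the live, not-yet-rotated conn.log lives in the current directory and can be passed to long_connections directly.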

Configuration

Host Directory

Zeek files live in /opt/zeek/ by default. Change it with:

export ZEEK_TOP_DIR=/your/path

Image Version

The CLI pulls the Docker image version it was built for. To use a different published version:

export ZEEK_RELEASE=8.0.6

Development

make build              # build the CLI
make test               # run unit tests
make test-integration   # run integration tests
make lint               # run linter
make docker-build       # build the Docker image
make release            # build release artifacts
