
How To Install Zeek Network Security on AlmaLinux 10


Network security monitoring has become an essential component of modern infrastructure defense strategies. Organizations need powerful tools to analyze network traffic patterns, detect anomalies, and respond to potential threats in real-time. Zeek, formerly known as Bro, stands as one of the most powerful open-source network security monitoring solutions available today. This comprehensive guide will walk through the complete installation and configuration of Zeek Network Security Monitor on AlmaLinux 10, providing detailed step-by-step instructions that enable system administrators to deploy this robust security tool successfully.

AlmaLinux 10 offers a stable, enterprise-grade platform that provides binary compatibility with Red Hat Enterprise Linux, making it an excellent choice for production environments. The combination of Zeek’s advanced traffic analysis capabilities with AlmaLinux’s reliability creates a formidable network security monitoring solution. Whether managing a small business network or enterprise infrastructure, this tutorial provides everything needed to get Zeek operational.

What is Zeek Network Security Monitor?

Understanding Zeek’s Core Functionality

Zeek operates as a passive network traffic analyzer that interprets what it sees on network interfaces and creates comprehensive logs describing the traffic. Unlike traditional intrusion detection systems that rely primarily on signature matching, Zeek takes a fundamentally different approach by focusing on network traffic analysis and behavioral anomaly detection. The tool monitors network activity in real-time, converting observed traffic into high-level events that can trigger custom scripts and generate detailed logs for forensic analysis.

The evolution from Bro to Zeek marked a significant milestone in the project’s history, but the core functionality remained focused on providing deep visibility into network communications. Zeek excels at protocol analysis, supporting dozens of network protocols out of the box, including HTTP, DNS, SSL/TLS, SSH, SMTP, and many others. This comprehensive protocol support enables security teams to gain unprecedented insight into network behavior patterns and potential security incidents.

Key Features and Capabilities

Zeek generates extensive logs that capture detailed information about network connections, HTTP sessions, DNS queries, SSL certificate data, file transfers, and countless other network activities. The conn.log file alone provides valuable connection metadata including timestamps, source and destination addresses, ports, protocols, and data volumes. HTTP logs capture complete details of web traffic, enabling reconstruction of browsing sessions and identification of potentially malicious web-based attacks.

The event-driven architecture distinguishes Zeek from many competitors by allowing administrators to write custom detection logic using Zeek’s powerful scripting language. This flexibility enables organizations to develop detection rules tailored to specific environments and threat models. File extraction capabilities allow Zeek to extract files from HTTP sessions for malware analysis, providing another layer of security monitoring. Integration with SIEM platforms and threat intelligence feeds extends Zeek’s value by enabling correlation with other security data sources.

Why Use Zeek on AlmaLinux 10?

Benefits of Zeek for Network Security

Deep traffic analysis capabilities make Zeek invaluable for detecting sophisticated threats that signature-based systems might miss. The tool excels at identifying behavioral anomalies, unusual protocol usage, and suspicious patterns that indicate compromise or reconnaissance activity. Rich forensic capabilities enable security teams to investigate incidents thoroughly, with detailed logs providing the evidence needed to understand attack timelines and impact.

Customizable detection rules allow organizations to implement security policies specific to their environment and risk profile. The active community surrounding Zeek provides extensive documentation, plugins, and shared detection scripts that enhance the tool’s capabilities. Organizations benefit from community-contributed packages that extend Zeek’s functionality without requiring extensive custom development.

AlmaLinux 10 as the Ideal Platform

AlmaLinux 10 delivers enterprise-grade stability and reliability essential for production security monitoring systems. The distribution maintains binary compatibility with Red Hat Enterprise Linux, ensuring compatibility with enterprise tools and workflows. Long-term support commitments from the AlmaLinux community provide confidence that the platform will receive security updates and bug fixes for years to come.

Performance optimizations built into AlmaLinux make it well-suited for demanding server workloads like network traffic analysis. The community-driven development model ensures responsiveness to user needs while maintaining the stability required for critical infrastructure. System administrators familiar with RHEL-based distributions will find AlmaLinux intuitive and straightforward to manage.

Prerequisites and System Requirements

Hardware Requirements for AlmaLinux 10

Zeek on AlmaLinux 10 requires a 64-bit processor architecture (x86_64) with a minimum clock speed of 1.1 GHz, though faster processors significantly improve traffic analysis performance. RAM requirements start at a minimum of 2 GB, but production deployments should provision at least 4 GB or more depending on network traffic volume. High-traffic environments benefit from 8 GB or more of RAM to handle intensive packet processing.

Disk space requirements include at least 20 GB for the operating system and Zeek installation, with additional storage allocated for log retention based on traffic volume and retention policies. A dedicated network interface card for monitoring traffic is essential, with consideration given to whether monitoring will occur on a mirrored/SPAN port or inline.

Software Prerequisites

A fresh installation of the AlmaLinux 10 stable release provides the cleanest foundation for Zeek deployment. Root or sudo user privileges are necessary to install packages, modify system configurations, and manage network interfaces. An active internet connection enables downloading packages from repositories and resolving dependencies.

Basic command-line familiarity helps administrators navigate the installation process, though this guide provides explicit commands for each step. Understanding of network fundamentals, including IP addressing and subnetting, aids in proper configuration of Zeek’s network definitions.

Network Configuration Requirements

Identifying the correct network interface for monitoring is crucial before beginning installation. Use commands like ip addr or ifconfig to list available network interfaces. Knowing the network subnet information for local networks enables proper configuration of Zeek’s networks.cfg file. Firewall considerations must account for Zeek’s operation, though Zeek itself operates as a passive monitoring tool that doesn’t require inbound connections.

Step 1: Update AlmaLinux 10 System

System updates ensure the latest security patches and bug fixes are installed before adding new software. Open a terminal with root or sudo access and execute the update command:

sudo dnf update -y

This command refreshes the package repository metadata and applies every available update. On dnf, update is an alias for upgrade, so the following command is equivalent and serves to confirm that nothing remains pending:

sudo dnf upgrade -y

Verify the system update completed successfully by checking for errors in the output. If kernel updates were applied, reboot the system to ensure the new kernel loads:

sudo reboot

After reboot, confirm the AlmaLinux version with:

cat /etc/almalinux-release

This verification step ensures the system is running AlmaLinux 10 and ready for Zeek installation.

Step 2: Install Required Dependencies

Zeek requires various development tools and libraries for compilation and operation. Install the Development Tools group package:

sudo dnf groupinstall "Development Tools" -y

This group package includes essential build utilities like gcc, g++, and make. Install additional required packages:

sudo dnf install curl wget gnupg2 cmake libpcap libpcap-devel openssl openssl-devel python3 python3-devel -y

Each package serves specific purposes – curl and wget download files from repositories, gnupg2 verifies package signatures, cmake manages the build process, libpcap provides packet capture capabilities, and openssl libraries enable SSL/TLS analysis. Verify successful installation by checking package installation status:

rpm -qa | grep -E "cmake|libpcap|openssl"

This command lists installed packages matching the search criteria, confirming dependencies are present.

Step 3: Add Zeek Repository to AlmaLinux 10

Official Zeek repositories provide the most reliable and up-to-date packages for installation. The OpenSUSE Build Service hosts Zeek packages for various Linux distributions. Import the Zeek GPG key for package verification:

curl -fsSL https://download.opensuse.org/repositories/security:zeek/AlmaLinux_10/Release.key | gpg --dearmor | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-zeek > /dev/null

This command downloads the GPG key and stores it in the system’s trusted keyring. Create a repository configuration file:

sudo tee /etc/yum.repos.d/zeek.repo <<EOF
[zeek]
name=Zeek Network Security Monitor
baseurl=https://download.opensuse.org/repositories/security:/zeek/AlmaLinux_10/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zeek
EOF

Refresh the package metadata so that the new Zeek repository is picked up (note that this command also applies any pending package updates, which is harmless on a system updated in Step 1):

sudo dnf update -y

Verify repository addition by listing available repositories:

dnf repolist | grep zeek

The output should show the Zeek repository as active and enabled.

Step 4: Install Zeek Network Security Monitor

With repositories configured, install Zeek using the DNF package manager. For long-term support releases, execute:

sudo dnf install zeek-lts -y

Alternatively, install the latest feature release with:

sudo dnf install zeek -y

The LTS version provides stability for production environments, while the feature release includes the newest capabilities. The installation process downloads Zeek and any remaining dependencies, then installs everything to /opt/zeek/.

The default installation directory structure includes:

  • /opt/zeek/bin/ – Zeek binaries and executables
  • /opt/zeek/etc/ – Configuration files
  • /opt/zeek/logs/ – Log file directory
  • /opt/zeek/share/zeek/ – Zeek scripts and policies

Verify installation completion by checking the Zeek directory:

ls -la /opt/zeek/

Step 5: Configure System PATH for Zeek

Adding Zeek to the system PATH allows executing Zeek commands from any directory without specifying the full path. Export the PATH variable for the current session:

export PATH=$PATH:/opt/zeek/bin

Make this change permanent by adding it to the bash configuration file:

echo 'export PATH=$PATH:/opt/zeek/bin' >> ~/.bashrc

This appends the PATH export command to the .bashrc file, which loads every time a new terminal session starts. Reload the bash configuration to apply changes immediately:

source ~/.bashrc

Verify PATH configuration by displaying the PATH variable:

echo $PATH

The output should include /opt/zeek/bin. Test Zeek accessibility by checking the version:

zeek --version

This command should display Zeek version information, confirming successful installation and PATH configuration.

Step 6: Configure Network Interface in node.cfg

The node.cfg file defines Zeek’s deployment topology and which network interfaces to monitor. Identify the active network interface using:

ip addr show

Or alternatively:

ifconfig

Note the interface name (e.g., eth0, enp0s3, ens33). Edit the node.cfg file:

sudo nano /opt/zeek/etc/node.cfg

For standalone deployments on a single server, configure the file as follows:

[zeek]
type=standalone
host=localhost
interface=eth0

Replace eth0 with your actual network interface name. The standalone type indicates Zeek runs as a single process rather than a distributed cluster. For cluster deployments across multiple interfaces or hosts, use worker, manager, logger, and proxy node types.

Save the file and exit the editor. Validate the configuration with ZeekControl's check command, which parses node.cfg and the other configuration files and reports syntax errors before anything is deployed:

sudo zeekctl check

Step 7: Define Local Networks in networks.cfg

The networks.cfg file tells Zeek which IP address ranges constitute local networks versus external networks. This distinction enables Zeek to properly classify traffic direction and apply appropriate analysis policies. Edit the networks.cfg file:

sudo nano /opt/zeek/etc/networks.cfg

Define local network subnets using CIDR notation:

192.168.1.0/24      Private networks
10.0.0.0/8          Private networks
172.16.0.0/12       Private networks

Customize these entries to match your actual network topology. Comment out any default networks that don’t apply to your environment by adding a # symbol at the beginning of the line. Multiple subnet definitions enable Zeek to properly handle complex network environments with multiple segments. Save and close the file after completing network definitions.
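The two files edited in Steps 6 and 7 are behind most "interface not found" and "invalid syntax" deploy failures. The following pre-deploy check is an added example, not part of this tutorial or of Zeek itself; it assumes the tutorial's file locations, handles IPv4 entries only (Zeek also accepts IPv6 prefixes in networks.cfg), and lists host interfaces from /sys/class/net.

```shell
# Added example (not from the tutorial): sanity-check node.cfg and networks.cfg
# before running "zeekctl deploy".
# Usage: check_node_cfg /opt/zeek/etc/node.cfg "$(list_interfaces)"
#        check_networks_cfg /opt/zeek/etc/networks.cfg

# Space-separated interface names of this host, read from sysfs.
list_interfaces() {
    ls /sys/class/net 2>/dev/null | tr '\n' ' '
}

# True when $1 is a.b.c.d/n with octets 0-255 and n 0-32 (IPv4 only).
is_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; mask=${1#*/}
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Exit 0 when every "interface=" value in node.cfg ($1) appears in the
# space-separated interface list $2; otherwise report the missing ones.
# A packet-source prefix such as "af_packet::" is stripped before comparing.
check_node_cfg() {
    sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/=/' "$1" |
        awk -F= '$1 == "interface" { sub(/.*::/, "", $2); print $2 }' |
        (
            present=" $2 "; rc=0
            while read -r iface; do
                case "$present" in
                    *" $iface "*) echo "ok: interface $iface exists" ;;
                    *) echo "error: interface $iface not found" >&2; rc=1 ;;
                esac
            done
            exit "$rc"
        )
}

# Exit 0 when every non-comment line of networks.cfg ($1) starts with a
# valid IPv4 CIDR; the description text after the prefix is ignored.
check_networks_cfg() {
    sed -e 's/#.*//' "$1" |
        (
            rc=0
            while read -r cidr rest; do
                if [ -z "$cidr" ]; then continue; fi
                if is_ipv4_cidr "$cidr"; then
                    echo "ok: $cidr"
                else
                    echo "error: invalid network '$cidr'" >&2; rc=1
                fi
            done
            exit "$rc"
        )
}
```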

Step 8: Configure ZeekControl Settings

ZeekControl provides a management interface for deploying, starting, stopping, and monitoring Zeek instances. The zeekctl.cfg file contains optional configuration settings that enhance operational capabilities. Edit the configuration file:

sudo nano /opt/zeek/etc/zeekctl.cfg

Key configuration options include the MailTo parameter for email notifications when Zeek crashes or encounters errors:

MailTo = admin@example.com

The LogRotationInterval setting controls how frequently logs rotate:

LogRotationInterval = 3600

This value represents seconds, so 3600 equals one hour. Additional performance tuning options include CPU affinity settings for binding Zeek processes to specific processor cores and memory allocation parameters for high-traffic environments. Save configuration changes and exit the editor.

Step 9: Deploy Zeek Configuration

ZeekControl’s deploy command validates configuration files and initializes the Zeek deployment. Launch the ZeekControl interactive shell:

sudo zeekctl

The ZeekControl prompt appears. For first-time installation, run the install command:

[ZeekControl] > install

This command validates configuration syntax, generates necessary policy files, and prepares Zeek for operation. The installation process displays progress messages indicating successful completion of each step. Configuration validation checks for errors in node.cfg, networks.cfg, and other configuration files. Common installation errors include invalid interface names, syntax errors in configuration files, or permission issues.

Review the installation output for any warning or error messages. Exit the ZeekControl shell:

[ZeekControl] > exit

Step 10: Start and Verify Zeek Service

Starting Zeek activates network traffic monitoring and log generation. Launch ZeekControl again:

sudo zeekctl

Start Zeek with the deploy command:

[ZeekControl] > deploy

The deploy command combines installation and startup, making it suitable for initial deployment and subsequent configuration updates. Alternatively, use the start command:

[ZeekControl] > start

Check Zeek’s operational status:

[ZeekControl] > status

The output displays running Zeek instances with process IDs, startup times, and status information. Verify processes are running with:

ps aux | grep zeek

This command shows active Zeek processes with their PIDs and resource usage. Exit ZeekControl:

[ZeekControl] > exit

Step 11: Verify Zeek Installation and Logging

Log generation confirms Zeek is successfully capturing and analyzing network traffic. Navigate to the current logs directory:

cd /opt/zeek/logs/current/

List available log files:

ls -la

Zeek generates various log file types:

  • conn.log – Connection summaries showing source/destination addresses, ports, protocols, and data volumes
  • http.log – HTTP request and response details including URLs, methods, user agents, and status codes
  • dns.log – DNS query and response information
  • ssl.log – SSL/TLS certificate details and encryption parameters
  • weird.log – Unusual network behavior and protocol violations

View live connection logs with:

tail -f conn.log

Generate test traffic to verify Zeek is monitoring correctly. Open another terminal and execute network commands like ping, curl, or web browsing. Examine log entries for proper timestamp formats and data capture. Each log entry should contain current timestamps indicating active monitoring. Check file permissions to ensure logs are readable:

ls -l conn.log
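Once conn.log is being written, the useful habit is to query it by field name rather than by column position, because Zeek emits a #fields header and the column order changes with the scripts loaded. The functions below are an added example, not part of this tutorial or of Zeek; the sample log they write is constructed here with an abbreviated set of the real conn.log field names.

```shell
# Added example (not from the tutorial): summarise conn.log using the
# #fields header to locate columns, so the awk code survives column reordering.

# Write a constructed conn.log with a subset of the real field names to $1.
write_sample_conn_log() {
    printf '#path\tconn\n' > "$1"
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes\tlocal_orig\n' >> "$1"
    printf '1700000000.1\tCa1\t10.0.0.5\t51000\t93.184.216.34\t443\ttcp\tssl\t1500\t20000\tT\n' >> "$1"
    printf '1700000001.2\tCb2\t10.0.0.5\t51001\t203.0.113.7\t22\ttcp\tssh\t5000000\t3000\tT\n' >> "$1"
    printf '1700000002.3\tCc3\t10.0.0.9\t40000\t10.0.0.53\t53\tudp\tdns\t60\t120\tT\n' >> "$1"
    printf '1700000003.4\tCd4\t198.51.100.20\t33000\t10.0.0.80\t80\ttcp\thttp\t300\t4000\tF\n' >> "$1"
    printf '1700000004.5\tCe5\t10.0.0.5\t51002\t203.0.113.7\t22\ttcp\tssh\t-\t-\tT\n' >> "$1"
}

# Sum the bytes sent by each local originator (local_orig == T, as set from
# networks.cfg); prints "<host> <bytes>" lines, largest first. An unset
# orig_bytes ("-") counts as zero.
outbound_bytes_by_host() {
    awk -F '\t' '
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/       { next }
        $(col["local_orig"]) == "T" {
            b = $(col["orig_bytes"]); if (b == "-") b = 0
            sent[$(col["id.orig_h"])] += b
        }
        END { for (h in sent) print h, sent[h] }
    ' "$1" | sort -k2,2nr
}

# Print local hosts whose summed outbound bytes exceed the threshold in $2,
# a simple starting point for spotting unusually large uploads.
hosts_over_threshold() {
    outbound_bytes_by_host "$1" | awk -v t="$2" '$2 > t { print $1 }'
}

# Count connections per detected service ("-" when none was identified).
connections_by_service() {
    awk -F '\t' '
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/       { next }
        { n[$(col["service"])]++ }
        END { for (s in n) print s, n[s] }
    ' "$1" | sort
}
```

Run the same functions against /opt/zeek/logs/current/conn.log to see live results; rotated logs are gzip-compressed, so pipe them through zcat first.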

Basic Zeek Management Commands

Understanding essential ZeekControl commands enables effective Zeek management. Launch the ZeekControl shell and use these commands:

Start Zeek:

[ZeekControl] > start

This command initiates all configured Zeek nodes.

Stop Zeek:

[ZeekControl] > stop

Gracefully shuts down running Zeek instances.

Restart Zeek:

[ZeekControl] > restart

Stops and restarts Zeek, useful for applying configuration changes.

Check Status:

[ZeekControl] > status

Displays operational status of all Zeek nodes.

Deploy Configuration:

[ZeekControl] > deploy

Updates configuration and restarts nodes with changes.

Check for Crashes:

[ZeekControl] > diag

Generates diagnostic information useful for troubleshooting.

Post-Installation Configuration Tips

Log Rotation and Management

Zeek generates substantial log volumes in busy networks, making log management critical. ZeekControl automatically rotates logs based on the LogRotationInterval setting. Rotated logs move to dated directories under /opt/zeek/logs/. Archived logs compress as .gz files to conserve disk space.

Integration with system log rotation tools provides additional control. Monitor disk space usage regularly:

du -sh /opt/zeek/logs/

Implement log forwarding to centralized logging systems for long-term retention and analysis.

Performance Tuning

CPU affinity binds Zeek processes to specific processor cores, improving performance in multi-core systems. Memory allocation optimization helps Zeek handle high traffic volumes without exhausting system resources. Network buffer size adjustments prevent packet drops during traffic spikes. Load balancing distributes traffic analysis across multiple worker processes in high-traffic environments.

Security Hardening

Proper file permissions protect Zeek directories and configuration files from unauthorized access. Create dedicated user accounts for running Zeek rather than using root. Configure firewall rules to restrict access to Zeek management interfaces. Consider SELinux policies specific to AlmaLinux 10 that may affect Zeek operation.

Common Troubleshooting Issues

Installation Problems

Repository access errors typically stem from network connectivity issues or incorrect repository URLs. Verify internet connectivity and DNS resolution. Dependency conflicts may arise from incompatible package versions – review error messages carefully and resolve conflicts by updating or removing conflicting packages.

GPG key verification failures indicate problems importing the repository key. Re-import the key using the commands provided in Step 3. Insufficient disk space prevents package installation – ensure adequate free space before installing.

Configuration Issues

Network interface not found errors occur when node.cfg specifies an interface that doesn’t exist. Verify interface names with ip addr and update node.cfg accordingly. Invalid node.cfg syntax prevents deployment – carefully check brackets, equals signs, and parameter names.

Permission denied errors indicate insufficient privileges – ensure commands run with sudo or as root. PATH configuration problems prevent accessing Zeek commands – verify PATH includes /opt/zeek/bin.

Runtime Problems

Zeek failure to start often relates to configuration errors or missing dependencies. Check log files in /opt/zeek/logs/ for error messages. High CPU or memory usage suggests insufficient resources for traffic volume – consider upgrading hardware or implementing load balancing.

Missing log files indicate Zeek isn’t monitoring traffic properly. Verify the correct interface is specified and the interface is receiving traffic. Network traffic not being captured may result from promiscuous mode issues or incorrect interface configuration.

Congratulations! You have successfully installed Zeek. Thanks for using this tutorial to install the latest version of the Zeek network traffic analyzer on the AlmaLinux OS 10 system. For additional help or useful information, we recommend you check the official Zeek website.


r00t
