
How To Install Zeek Network Security Monitor on Debian 12

Install Zeek Network Security Monitor on Debian 12

In this tutorial, we will show you how to install Zeek Network Security Monitor on Debian 12. Zeek, formerly known as Bro, is a powerful open-source network security monitor. It’s not just a typical intrusion detection system (IDS) but a robust network analysis framework that goes beyond traditional IDS functions. Zeek provides real-time insights into your network’s operations, helping you detect and prevent security incidents. The benefits of using Zeek for network security monitoring are numerous. It offers detailed logging of network traffic, scriptable event-driven analysis, and the ability to detect a wide range of network anomalies and security incidents.

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and, most importantly, host your site on your own VPS. The installation is quite simple and assumes you are running as the root account; if not, you may need to prefix the commands with 'sudo' to get root privileges. I will show you the step-by-step installation of the Zeek open-source network traffic analyzer on Debian 12 (Bookworm).

Prerequisites

  • A server running Debian 12 (Bookworm).
  • It’s recommended that you use a fresh OS install to prevent any potential issues.
  • SSH access to the server (or just open Terminal if you’re on a desktop).
  • You will need an active internet connection to download the Zeek Network Security Monitor package.
  • A user account with sudo privileges: sudo, or “superuser do,” is a powerful command that allows users to execute commands with the security privileges of another user (by default, the superuser).

Install Zeek Network Security Monitor on Debian 12 Bookworm

Step 1. Before installing Zeek, you need to update and refresh your Debian repository by executing the following command:

sudo apt update
sudo apt upgrade

These commands update the package lists (for upgrades and new package installations) and then upgrade the installed packages.

Step 2. Installing Zeek Network Security Monitor on Debian 12.

After updating the repository, you can start the Zeek installation. First, add the GPG key and repository for the Zeek package using the following commands:

curl -fsSL https://download.opensuse.org/repositories/security:zeek/Debian_12/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
echo 'deb http://download.opensuse.org/repositories/security:/zeek/Debian_12/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list

Next, update your Debian repository by executing the following command:

sudo apt update

Now, you can install Zeek by executing the following command:

sudo apt install zeek-lts

After the installation, you can check the location of the Zeek binary file, check the Zeek version, and print the Zeek help message using the following commands:

which zeek
zeek --version
zeek --help

Step 3. Configuring Zeek.

The first step in configuring Zeek in standalone mode is to set the network interface that Zeek will monitor. Open the node.cfg file in the $PREFIX/etc/ directory, where $PREFIX is the Zeek installation root directory: by default this is /usr/local/zeek if you built Zeek from source, or /opt/zeek if you installed a binary package (as in Step 2). For example, if the interface to monitor is 'eth0', the configuration would look like this:

[zeek]
type=standalone
host=localhost
interface=eth0

If you plan to run Zeek in a cluster configuration, you need to define where the logger, manager, proxies, and workers will run. For a cluster configuration, comment out (or remove) the standalone node in the node.cfg file, and either uncomment or add one node entry for each node in your cluster (logger, manager, proxy, and workers).

For example, to run five Zeek nodes (two workers, one proxy, a logger, and a manager) on a cluster consisting of three machines, the cluster configuration would look like this:

[logger]
type=logger
host=192.168.1.1

[manager]
type=manager
host=192.168.1.2

[proxy-1]
type=proxy
host=192.168.1.2

[worker-1]
type=worker
host=192.168.1.3
interface=eth0

[worker-2]
type=worker
host=192.168.1.3
interface=eth1

After configuring Zeek, you can start it using the zeekctl command:

zeekctl deploy

This command is equivalent to running zeekctl install followed by zeekctl start. You can check the status of each component of your Zeek cluster with the status command:

zeekctl status

Congratulations! You have successfully installed Zeek. Thanks for using this tutorial to install the latest version of Zeek open-source network traffic analyzer on Debian 12 Bookworm. For additional help or useful information, we recommend you check the official Zeek website.

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!

r00t

r00t is a seasoned Linux system administrator with a wealth of experience in the field. Known for his contributions to idroot.us, r00t has authored numerous tutorials and guides, helping users navigate the complexities of Linux systems. His expertise spans across various Linux distributions, including Ubuntu, CentOS, and Debian. r00t's work is characterized by his ability to simplify complex concepts, making Linux more accessible to users of all skill levels. His dedication to the Linux community and his commitment to sharing knowledge makes him a respected figure in the field.