
How To Install Zeek Network Security Monitor on Debian 13

Network threats do not announce themselves. They hide inside legitimate traffic, move laterally across subnets, and leave traces that only deep protocol analysis can catch. If you want real visibility into what is crossing your network, Zeek Network Security Monitor is one of the most powerful open-source tools available for the job. This guide walks you through exactly how to install Zeek Network Security Monitor on Debian 13, configure it for standalone monitoring, and verify it is capturing live traffic on your Linux server.

Zeek, formerly known as Bro, is a passive network analysis framework that records structured logs for every protocol it observes: DNS queries, HTTP requests, SSL handshakes, file transfers, and more. Unlike signature-based intrusion detection systems, Zeek does not just alert on known bad patterns. It records everything, giving you the raw material for threat hunting, forensic investigation, and compliance reporting. Security teams at national research labs, universities, and enterprise environments rely on it daily.

This tutorial targets Debian 13 (Trixie) specifically, using the official Zeek binary packages served through the openSUSE Build Service (OBS). You will not need to compile anything from source. By the end, you will have a running Zeek instance logging traffic from your network interface with ZeekControl managing the process.

Prerequisites

Before you start, confirm the following are in place on your system:

  • Operating System: Debian 13 (Trixie), fresh install preferred
  • User Privileges: A non-root user with sudo access, or direct root access
  • Minimum Hardware: 2 CPU cores, 2 GB RAM, 20 GB free disk space (scale up for busy networks)
  • Network Interface: At least one interface that supports promiscuous mode (check with ip link show)
  • Internet Access: Required to reach the OBS repository during installation
  • Basic Familiarity: Comfortable running commands in a Linux terminal

Step 1: Update Your Debian 13 System

The first thing to do before installing any new package is bring your system up to date. Outdated package indexes can cause dependency resolution failures, and pending kernel updates can interfere with network interface behavior after Zeek starts.

Run the following two commands:

sudo apt update
sudo apt upgrade -y

apt update refreshes the local package index against all configured repositories. apt upgrade -y applies every available update without asking for confirmation at each step. If the upgrade includes a kernel update, reboot before continuing:

sudo reboot

After reboot, log back in and confirm the system is running the expected kernel:

uname -r

You should see a 6.x kernel version reflecting the Debian 13 base. This matters because Zeek reads from network interfaces at the kernel level, and running on a fresh, updated kernel avoids known driver conflicts.

Step 2: Install Required Dependencies

Zeek’s OBS repository setup requires a small set of tools that may not be present on a minimal Debian 13 installation. These utilities handle downloading and verifying the signing key, and enable APT to use HTTPS-based sources.

Install them all in one command:

sudo apt install curl gnupg2 wget apt-transport-https -y

Here is what each package does:

  • curl: Fetches the Zeek GPG signing key from the OBS server
  • gnupg2: Processes and stores the key in APT’s trusted keyring
  • wget: Useful for manual package downloads if needed
  • apt-transport-https: Allows APT to communicate with HTTPS-based sources securely

Confirm curl and gpg are available after installation:

curl --version
gpg --version

Both commands should return version information without errors. If either fails, re-run the apt install command above before proceeding.

Step 3: Add the Official Zeek Repository for Debian 13

This step is where most tutorials for other distributions break down when applied to Debian 13. The repository path is specific to Debian 13 (Trixie), and using a Debian 12 or Ubuntu path will result in dependency errors or a failed installation.

Add the GPG Signing Key

APT verifies every package it downloads against a cryptographic signing key. You need to add Zeek’s key to the trusted keyring before APT will accept packages from the OBS repository.

Run this exact command:

curl -fsSL https://download.opensuse.org/repositories/security:zeek/Debian_13/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null

Breaking down what this does:

  • curl -fsSL fetches the key silently and follows redirects; -f makes curl fail on HTTP errors rather than saving an error page as the key
  • gpg --dearmor converts the ASCII-armored PGP key to a binary format that APT expects
  • sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg writes the result to the correct location with root privileges
  • > /dev/null suppresses the duplicate terminal output from tee

Add the APT Repository Source

Now add the Zeek Debian 13 repository to your APT sources:

echo 'deb http://download.opensuse.org/repositories/security:/zeek/Debian_13/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list

This writes a new .list file under /etc/apt/sources.list.d/. APT automatically picks up any .list file in that directory the next time you run apt update.

Update the package index to pull in the Zeek repository metadata:

sudo apt update

If you see the Zeek repository listed in the output without errors, the repository is correctly configured and ready to use.

Step 4: Install Zeek on Debian 13

With the repository in place, you now have several Zeek package options available. Understanding the difference between them saves you from an unplanned upgrade down the line.

Choose Your Package Version

Package Name    Description                              Recommended Use
zeek-8.0        Pinned to the 8.0.x stable line          Production environments
zeek-7.0        Previous stable release line             Legacy compatibility
zeek            Latest feature release (auto-updates)    Dev/test environments
zeek-nightly    Nightly development builds               Developers only

Important: The older zeek-lts meta-package is deprecated and no longer supported. Do not use it on new installations.

For most production and learning deployments, zeek-8.0 is the right choice. It gives you a stable, well-tested build without automatically jumping to a future major version.

Run the Installation

sudo apt install zeek-8.0 -y

APT will resolve all dependencies and install Zeek to /opt/zeek. Expect to download approximately 50-100 MB depending on the package version and your existing installed libraries.

Add Zeek to Your PATH

Zeek installs to /opt/zeek/bin, which is not in the default $PATH. Without adding it, every Zeek command requires typing the full path. Fix this permanently:

echo 'export PATH=$PATH:/opt/zeek/bin' >> ~/.bashrc
source ~/.bashrc

Verify the installation and PATH update worked:

which zeek
zeek --version

Expected output:

/opt/zeek/bin/zeek
zeek version 8.0.x

If which zeek returns a path and zeek --version shows a version number, installation is complete.

Step 5: Configure Zeek Network Security Monitor on Debian 13

Zeek does not work out of the box without pointing it at your network interface and defining your local address space. There are three configuration files to edit, all located under /opt/zeek/etc/.

Configure the Monitored Network Interface

First, identify your active network interface:

ip link show

Look for an interface in the UP state. On Debian 13, predictable interface names are standard. You will typically see names like ens3, enp1s0, or eth0 depending on your hardware and hypervisor.

Open the Zeek node configuration file:

sudo nano /opt/zeek/etc/node.cfg

For a standalone deployment (single machine, single interface), the configuration should look like this:

[zeek]
type=standalone
host=localhost
interface=ens3

Replace ens3 with your actual interface name. Save and exit the file (Ctrl+O, Enter, Ctrl+X in nano).

Define Your Local Networks

Open the networks configuration file:

sudo nano /opt/zeek/etc/networks.cfg

Add your internal subnet CIDR ranges at the bottom of the file. The standard RFC1918 private ranges cover most internal deployments:

10.0.0.0/8          Private RFC1918 range
172.16.0.0/12       Private RFC1918 range
192.168.0.0/16      Private RFC1918 range

Zeek uses these entries to classify traffic as internal or external inside its log files. Without accurate network definitions, Zeek cannot correctly distinguish between inbound threats and internal host communication.

Review ZeekControl Settings

Open the main ZeekControl configuration:

sudo nano /opt/zeek/etc/zeekctl.cfg

Key settings to review and adjust:

  • LogRotationInterval: How often logs rotate, in seconds (default: 3600 for hourly rotation)
  • LogExpireInterval: How many days to keep archived logs (default: 0, which means logs never expire and can fill your disk)
  • MailTo: Email address for ZeekControl alert notifications

Set LogExpireInterval to a reasonable value based on available disk space. For a server with 20 GB allocated to Zeek logs, setting this to 30 (days) is a solid starting point.

Step 6: Deploy and Start Zeek with ZeekControl

ZeekControl (zeekctl) is the command-line management interface for Zeek. It handles starting, stopping, restarting, and checking the status of Zeek processes. You run it either interactively as a shell or by passing commands directly.

Launch the interactive ZeekControl shell:

sudo /opt/zeek/bin/zeekctl

You will see the ZeekControl prompt:

Welcome to ZeekControl 2.x
[ZeekControl] >

Run the deploy Command

The deploy command is the standard way to start Zeek for the first time. It runs install (which applies your configuration) followed by start (which launches the Zeek processes):

[ZeekControl] > deploy

You will see output similar to:

installing nodes ...
starting nodes ...
zeek    standalone  localhost  running  12345

Verify Running Status

[ZeekControl] > status

Each configured node should show a running status. Exit the shell when done:

[ZeekControl] > exit

You can also check status directly from your regular shell without entering the interactive prompt:

sudo /opt/zeek/bin/zeekctl status

Step 7: Verify Zeek Is Capturing Network Traffic

Once Zeek is running, it immediately starts writing log files. The active logs go to /opt/zeek/logs/current/.

List the directory to confirm logs are being generated:

ls /opt/zeek/logs/current/

You should see files including:

  • conn.log — All TCP, UDP, and ICMP connections
  • dns.log — DNS queries and responses
  • notice.log — Internal Zeek policy alerts
  • weird.log — Protocol anomalies and unexpected behaviors

Watch conn.log update in real time to confirm Zeek is actively capturing traffic:

tail -f /opt/zeek/logs/current/conn.log

Each line in the output is a tab-separated record with fields like ts (timestamp), uid (unique connection ID), id.orig_h (source IP), id.resp_h (destination IP), proto (protocol), and duration. If lines are appearing and the timestamp matches the current time, Zeek is working correctly.
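Putting the networks.cfg ranges and the conn.log fields above together, here is an added example (not part of the tutorial) that reads a conn.log, picks columns by name from the #fields header instead of by position, and lists connections that an internal host opened to an external address. The log content is constructed sample data, and the local ranges default to the three RFC1918 networks from networks.cfg.

```shell
#!/bin/sh
# Added example, not from the tutorial: pick conn.log columns by name from the
# "#fields" header (never by position, since columns vary between Zeek versions
# and scripts) and list internal -> external connections, using the RFC1918
# ranges from networks.cfg to decide what counts as internal.

# Constructed sample conn.log with Zeek's header lines; not a real capture.
sample_conn_log() {
    printf '%s\n' '#separator \x09'
    tr ' ' '\t' <<'EOF'
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration
#types time string addr port addr port enum string interval
1700000000.100000 CAbc1 192.168.1.10 51234 93.184.216.34 443 tcp ssl 12.5
1700000001.200000 CAbc2 192.168.1.10 51235 192.168.1.20 22 tcp ssh 300.0
1700000002.300000 CAbc3 10.0.0.5 40000 8.8.8.8 53 udp dns 0.02
1700000003.400000 CAbc4 203.0.113.7 44444 192.168.1.30 80 tcp http 1.0
EOF
}

# Usage: outbound_connections MIN_SECONDS [LOCAL_CIDRS] < conn.log
# Prints ts, source, destination, proto and duration for every connection that
# an internal host opened to an external one and that lasted >= MIN_SECONDS.
outbound_connections() {
    min="${1:-0}"
    nets="${2:-10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}"
    awk -v min="$min" -v nets="$nets" '
    function ip2n(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function in_cidr(ip, cidr,  p, s) {       # compare the /prefix part of both addresses
        split(cidr, p, "/"); s = 2 ^ (32 - p[2])
        return int(ip2n(ip) / s) == int(ip2n(p[1]) / s)
    }
    function is_local(ip,  i) { for (i = 1; i <= n; i++) if (in_cidr(ip, local[i])) return 1; return 0 }
    BEGIN { FS = "\t"; n = split(nets, local, ",") }
    $1 == "#fields" { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }   # field name -> column
    /^#/ { next }                                                          # other header/footer lines
    {
        orig = $(col["id.orig_h"]); resp = $(col["id.resp_h"]); dur = $(col["duration"])
        # an unset duration is logged as "-", which compares as 0 here
        if (is_local(orig) && !is_local(resp) && dur + 0 >= min)
            print $(col["ts"]), orig, resp, $(col["proto"]), dur
    }'
}

# Stand-alone demo: connections that an internal host held open for 10 s or more.
sample_conn_log | outbound_connections 10
```

On a live system, replace the sample with `outbound_connections 10 < /opt/zeek/logs/current/conn.log`; because the script reads the header, it keeps working when local.zeek adds or reorders conn.log columns.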

Understanding Zeek Log Files

Log File      What It Records
conn.log      All network connections with duration, bytes transferred, and TCP state
dns.log       DNS request and response pairs, query types, and answer records
http.log      HTTP method, URI, status code, user agent, and response body size
ssl.log       TLS handshake metadata, certificate subject, and cipher suite
files.log     Every file transferred over the network with MD5 and SHA1 hashes
notice.log    Alerts generated by Zeek’s built-in and custom detection scripts
weird.log     Unexpected protocol behavior that may indicate scanning or evasion

Zeek rotates these logs hourly (based on your LogRotationInterval setting) into timestamped subdirectories under /opt/zeek/logs/. These structured logs feed directly into SIEM tools like the Elastic Stack, Splunk, and Graylog for centralized analysis and alerting.

Configure Zeek as a systemd Service (Recommended)

By default, Zeek does not start automatically after a server reboot. You manage it manually via zeekctl. For any production or long-term monitoring setup, creating a systemd service is the right move.

Create the service unit file:

sudo nano /etc/systemd/system/zeek.service

Paste the following content:

[Unit]
Description=Zeek Network Security Monitor
After=network.target

[Service]
Type=forking
ExecStart=/opt/zeek/bin/zeekctl start
ExecStop=/opt/zeek/bin/zeekctl stop
Restart=on-failure

[Install]
WantedBy=multi-user.target

Save the file, then enable and start the service:

sudo systemctl daemon-reload
sudo systemctl enable zeek
sudo systemctl start zeek
sudo systemctl status zeek

The status output should show active (running). From this point forward, Zeek will restart automatically after any reboot or unexpected crash without manual intervention.

Troubleshooting Common Issues

Even a straightforward installation can run into a few snags. Here are the five most common problems and how to fix them.

1. zeek: command not found after installation

This means /opt/zeek/bin is not in your current PATH. Run:

source ~/.bashrc

If that does not work, verify the export line was written correctly:

grep zeek ~/.bashrc

You should see export PATH=$PATH:/opt/zeek/bin. If it is missing, add it manually and source the file again.

2. Zeek fails to start with an interface error

The interface name in node.cfg does not match any active interface on your system. Confirm the real name with:

ip link show

Update /opt/zeek/etc/node.cfg to match the exact interface name shown. Debian 13 uses predictable naming (enp1s0, ens3), not always eth0.

3. GPG key error during apt update

OBS signing keys occasionally expire or change. Re-fetch the key with the same curl command from Step 3:

curl -fsSL https://download.opensuse.org/repositories/security:zeek/Debian_13/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null

Then run sudo apt update again.

4. No log files appearing in /opt/zeek/logs/current/

Zeek may not have permission to read the network interface in promiscuous mode, so make sure you run zeekctl with sudo. Before starting again, validate the configuration (use the full path, because sudo does not inherit the PATH change made in Step 4):

sudo /opt/zeek/bin/zeekctl check

This checks node.cfg, networks.cfg, and your Zeek scripts and reports any errors without starting a Zeek process.

5. deploy returns a crash or “failed” status

Run the built-in diagnostic command immediately after a failed deploy:

sudo /opt/zeek/bin/zeekctl diag

This outputs the Zeek crash log and the last few lines of stderr from the failed run. Common causes include a missing or misnamed interface, a syntax error in local.zeek, or insufficient memory for the configured packet buffer size.

Congratulations! You have successfully installed Zeek. Thanks for using this tutorial to install the latest version of the Zeek open-source network traffic analyzer on a Debian 13 “Trixie” system. For additional help or useful information, we recommend you check the official Zeek website.


r00t

r00t is a dedicated and highly skilled Linux Systems Administrator with over a decade of progressive experience in designing, deploying, and maintaining enterprise-grade Linux infrastructure. His professional journey began in the telecommunications industry, where early exposure to Unix-based operating systems ignited a deep and enduring passion for open-source technologies and server administration. Throughout his career, r00t has demonstrated exceptional proficiency in managing large-scale Linux environments, overseeing more than 300 servers across development, staging, and production platforms while consistently achieving 99.9% system uptime. He holds advanced competencies in Red Hat Enterprise Linux (RHEL), Debian, and Ubuntu distributions, complemented by hands-on expertise in automation tools such as Ansible, Terraform, Bash scripting, and Python.