Installing Zeek
Prerequisites
Before installing Zeek, you’ll need to ensure that some dependencies are in place.
Required Dependencies
Zeek requires the following libraries and tools to be installed before you begin:
Libpcap (http://www.tcpdump.org)
OpenSSL libraries (https://www.openssl.org)
BIND8 library
Libz
Bash (for ZeekControl)
Python 3.5 or greater (https://www.python.org/)
To build Zeek from source, the following additional dependencies are required:
CMake 3.5 or greater (https://www.cmake.org)
Make
C/C++ compiler with C++17 support (GCC 7+ or Clang 4+)
SWIG (http://www.swig.org)
Bison 2.5 or greater (https://www.gnu.org/software/bison/)
Flex (lexical analyzer generator) (https://github.com/westes/flex)
Libpcap headers (http://www.tcpdump.org)
OpenSSL headers (http://www.openssl.org)
zlib headers (https://zlib.net/)
Python 3.5 or greater (https://www.python.org/)
To install the required dependencies, you can use:
RPM/RedHat-based Linux:
sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python3 python3-devel swig zlib-devel
Additionally, on RHEL/CentOS 7, you can install and activate a devtoolset to get access to recent GCC versions. You will also have to install and activate CMake 3. For example:
sudo yum install cmake3 devtoolset-7
scl enable devtoolset-7 bash
DEB/Debian-based Linux:
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python3 python3-dev swig zlib1g-dev
FreeBSD:
Most required dependencies should come with a minimal FreeBSD install except for the following.
sudo pkg install -y bash git cmake swig bison python3 base64
pyver=`python3 -c 'import sys; print(f"py{sys.version_info[0]}{sys.version_info[1]}")'`
sudo pkg install -y $pyver-sqlite3
macOS:
Compiling source code on Macs requires first installing either Xcode or the “Command Line Tools” (which is a much smaller download). To check if either is installed, run the command:
xcode-select -p
If you see an error message, then neither is installed and you can then run:
xcode-select --install
which will prompt you to either get Xcode (by clicking “Get Xcode”) or to install the command line tools (by clicking “Install”).
macOS comes with all required dependencies except for CMake, SWIG, Bison, and OpenSSL (OpenSSL headers were removed in macOS 10.11, therefore OpenSSL must be installed manually for macOS versions 10.11 or newer).
Distributions of these dependencies can likely be obtained from your preferred macOS package management system (e.g. Homebrew, MacPorts, or Fink). Specifically for Homebrew, the cmake, swig, openssl, and bison packages provide the required dependencies. For MacPorts, the cmake, swig, swig-python, openssl, and bison packages provide the required dependencies.
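The minimum versions listed above are easy to overlook until ./configure fails partway through. The following script is an added example, not part of the Zeek distribution or its documentation: it checks every prerequisite this page names (CMake 3.5, Python 3.5, Bison 2.5, make, flex, swig, a C++17-capable compiler, and the libpcap, OpenSSL, zlib and Python development headers) and prints one line per item. The script name zeek-prereqs.sh and its --check flag are assumptions made for this example; it honours CC, CXX and CPPFLAGS so that a non-default compiler or a Homebrew OpenSSL (via CPPFLAGS=-I...) can be tested as well.

```shell
#!/bin/sh
# Added example, not from the Zeek project: check the build prerequisites
# listed on this page before running ./configure. Minimum versions are the
# ones the page states (CMake 3.5, Python 3.5, Bison 2.5, C++17 compiler).
# Honours CC/CXX/CPPFLAGS so a non-default compiler or OpenSSL location can
# be tested. Invocation (assumed name): sh zeek-prereqs.sh --check

# version_ge A B: succeed if dotted version A is >= B, comparing numeric
# components left to right ("11.4.0-1ubuntu1" >= "7", "3.4" < "3.5").
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        # leading numeric component of each string (empty counts as 0)
        ai=$(printf '%s' "$a" | sed 's/^\([0-9]*\).*/\1/')
        bi=$(printf '%s' "$b" | sed 's/^\([0-9]*\).*/\1/')
        # drop that component and its trailing dot
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# tool_version CMD: print the first dotted version number CMD --version emits.
tool_version() {
    "$1" --version 2>&1 |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' |
        head -n1
}

# cxx17_ok CXX: succeed if CXX accepts -std=c++17 and a C++17 library type.
cxx17_ok() {
    printf '#include <optional>\nint main() { std::optional<int> o{1}; return *o - 1; }\n' |
        "$1" -std=c++17 -x c++ -fsyntax-only - >/dev/null 2>&1
}

# header_ok HEADER: succeed if the C preprocessor can locate HEADER.
# CPPFLAGS is deliberately unquoted so multiple -I flags split into words.
header_ok() {
    printf '#include <%s>\n' "$1" |
        ${CC:-cc} ${CPPFLAGS:-} -E -x c - >/dev/null 2>&1
}

# python_dev_ok: succeed if Python.h exists for the python3 found in PATH.
python_dev_ok() {
    inc=$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["include"])' 2>/dev/null) || return 1
    [ -f "$inc/Python.h" ]
}

# check_prereqs: run every check, print one line per item, fail if any failed.
check_prereqs() {
    rc=0
    for spec in cmake:3.5 python3:3.5 bison:2.5; do
        tool=${spec%%:*}
        need=${spec#*:}
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "MISSING  $tool (need >= $need)"; rc=1
            continue
        fi
        have=$(tool_version "$tool")
        if version_ge "$have" "$need"; then
            echo "ok       $tool $have"
        else
            echo "TOO OLD  $tool $have (need >= $need)"; rc=1
        fi
    done
    for tool in make flex swig; do
        if command -v "$tool" >/dev/null 2>&1; then echo "ok       $tool"
        else echo "MISSING  $tool"; rc=1; fi
    done
    cxx=${CXX:-c++}
    if cxx17_ok "$cxx"; then echo "ok       $cxx accepts -std=c++17"
    else echo "BAD      $cxx cannot compile C++17 (need GCC 7+ or Clang 4+)"; rc=1; fi
    for hdr in pcap.h openssl/ssl.h zlib.h; do
        if header_ok "$hdr"; then echo "ok       header $hdr"
        else echo "MISSING  header $hdr (install the -dev/-devel package, or set CPPFLAGS)"; rc=1; fi
    done
    if python_dev_ok; then echo "ok       Python.h"
    else echo "MISSING  Python.h (python3-dev / python3-devel)"; rc=1; fi
    return $rc
}

# Run the checks only when asked; sourcing the file just defines the functions.
case ${1:-} in --check) check_prereqs ;; esac
```

The exit status of `--check` is non-zero if anything is missing or too old, so the script can gate a build in CI. On macOS with Homebrew, run it as `CPPFLAGS="-I$(brew --prefix openssl)/include" sh zeek-prereqs.sh --check` to confirm the OpenSSL headers are reachable; the same flags then have to reach ./configure.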
Optional Dependencies
Zeek can make use of some optional libraries and tools if they are found at build time:
libmaxminddb (for geolocating IP addresses)
sendmail (enables Zeek and ZeekControl to send mail)
curl (used by a Zeek script that implements active HTTP)
gperftools (tcmalloc is used to improve memory and CPU usage)
jemalloc (https://github.com/jemalloc/jemalloc)
PF_RING (Linux only, see PF_RING Cluster Configuration)
krb5 libraries and headers
ipsumdump (for trace-summary; https://github.com/kohler/ipsumdump)
Geolocation is probably the most interesting and can be installed on most platforms by following the instructions for installing the GeoIP library and database.
The zkg package manager, included in the Zeek installation, requires two external Python modules:
GitPython: https://pypi.org/project/GitPython/
semantic-version: https://pypi.org/project/semantic-version/
These install easily via pip (pip3 install GitPython semantic-version) and ship with some distributions:
RPM/RedHat-based Linux:
sudo yum install python3-GitPython python3-semantic_version
DEB/Debian-based Linux:
sudo apt-get install python3-git python3-semantic-version
Installing Zeek
Zeek can be downloaded as either pre-built binary packages for Linux, or in source code form. On many platforms, Zeek also comes already integrated into package management systems (e.g., Homebrew on macOS). Note, however, that such external packages may not always be fully up to date.
Using Pre-Built Binary Release Packages for Linux
We are providing prebuilt binary packages for a variety of Linux distributions. See the Binary-Packages wiki for the latest updates on binary releases and for more information.
You can download the packages for the latest feature release build here for all the supported distributions. Please follow the instructions on that link to add rpm/deb repositories for the corresponding OS; grabbing the binary files directly does not give you all dependencies. The package source files are available here.
As an example, for CentOS:
For CentOS 8 run the following as root:
cd /etc/yum.repos.d/
wget https://download.opensuse.org/repositories/security:zeek/CentOS_8/security:zeek.repo
yum install zeek
For CentOS 7 run the following as root:
cd /etc/yum.repos.d/
wget https://download.opensuse.org/repositories/security:zeek/CentOS_7/security:zeek.repo
yum install zeek
Furthermore, you can download the packages for the latest LTS release build here and nightly builds are also available here for all the supported operating systems. Please follow the instructions on the links to add rpm/deb repositories for the corresponding OS; grabbing the binary files directly does not give you all dependencies. The source files for LTS builds are available here and for nightly builds source files are here.
For example, if you prefer to use the most recent LTS release, use yum install zeek-lts, and for the nightly builds use yum install zeek-nightly instead.
The primary install prefix for binary packages is /opt/zeek (depending on which version you’re using).
Installing from Source
Zeek releases are bundled into source packages for convenience and are available on the downloads page. The source code can be manually downloaded from the link in the .tar.gz format to the target system for installation.
If you plan to contribute to Zeek or just want to try out the latest features under development, you should obtain Zeek’s source code through its Git repositories hosted at https://github.com/zeek:
git clone --recursive https://github.com/zeek/zeek
Note
If you choose to clone the zeek repository non-recursively for a “minimal Zeek experience”, be aware that compiling it depends on several of the other submodules as well, so you’ll likely have to build/install those independently first.
The typical way to build and install from source is (for more options, run ./configure --help):
./configure
make
make install
If the configure script fails, then it is most likely because it either couldn’t find a required dependency or it couldn’t find a sufficiently new version of a dependency. Assuming that you already installed all required dependencies, then you may need to use one of the --with-* options that can be given to the configure script to help it locate a dependency. To find out all the different options ./configure supports, run ./configure --help.
The default installation path is /usr/local/zeek, which would typically require root privileges when doing the make install. A different installation path can be chosen by specifying the configure script --prefix option. Note that /usr, /opt/bro/, and /opt/zeek are the standard prefixes for binary Zeek packages to be installed, so those are typically not good choices unless you are creating such a package.
OpenBSD users, please see our FAQ if you are having problems installing Zeek.
Depending on the Zeek package you downloaded, there may be auxiliary tools and libraries available in the auxil/ directory. Some of them will be automatically built and installed along with Zeek. There are --disable-* options that can be given to the configure script to turn off unwanted auxiliary projects that would otherwise be installed automatically. Finally, use make install-aux to install some of the other programs that are in the auxil/zeek-aux directory.
Finally, if you want to build the Zeek documentation (not required, because all of the documentation for the latest Zeek release is available at https://docs.zeek.org), there are instructions in doc/README in the source distribution.
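The configure/make/make install sequence, the choice of a non-package prefix, and the note about non-recursive clones above are the three things that most often go wrong in a source build. The following script is an added example, not one of Zeek's own build scripts: it refuses the prefixes this page reserves for binary packages, detects a clone whose submodules were never checked out by reading .gitmodules (the paths listed there must be non-empty directories), then runs the standard build and verifies that the installed zeek binary runs from the prefix. The script name build-zeek.sh, the --build flag, and the default prefix $HOME/zeek are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of Zeek's own build scripts: build and install
# Zeek from a source tree into a non-package prefix, refusing the prefixes
# this page reserves for binary packages and catching a non-recursive clone
# before ./configure does. PREFIX defaults to $HOME/zeek (an assumption).
set -e

# prefix_ok DIR: fail for the prefixes binary Zeek packages install into.
prefix_ok() {
    case ${1%/} in
        /usr|/opt/bro|/opt/zeek) return 1 ;;
    esac
    return 0
}

# unpopulated_submodules DIR: print each submodule path from DIR/.gitmodules
# whose directory is missing or empty, the symptom of cloning without
# --recursive. Prints nothing when there is no .gitmodules (release tarball).
unpopulated_submodules() {
    [ -f "$1/.gitmodules" ] || return 0
    sed -n 's/^[[:space:]]*path[[:space:]]*=[[:space:]]*//p' "$1/.gitmodules" |
    while IFS= read -r sub; do
        if [ -z "$(ls -A "$1/$sub" 2>/dev/null)" ]; then
            printf '%s\n' "$sub"
        fi
    done
}

# ncpus: number of parallel make jobs (GNU nproc, else BSD/macOS sysctl).
ncpus() {
    nproc 2>/dev/null || sysctl -n hw.ncpu 2>/dev/null || echo 1
}

# build_zeek SRC PREFIX: configure, build, install, then verify the result.
build_zeek() {
    src=$1
    prefix=$2
    if ! prefix_ok "$prefix"; then
        echo "refusing to install into package prefix $prefix; pick another --prefix" >&2
        return 1
    fi
    missing=$(unpopulated_submodules "$src")
    if [ -n "$missing" ]; then
        echo "submodules not checked out; run: git submodule update --init --recursive" >&2
        printf '  %s\n' $missing >&2   # unquoted on purpose: one path per line
        return 1
    fi
    ( cd "$src" && ./configure --prefix="$prefix" && make -j"$(ncpus)" && make install )
    # The installed binary must run from the prefix that PATH will later point at.
    "$prefix/bin/zeek" --version
    echo "add to your shell profile:  export PATH=$prefix/bin:\$PATH"
}

# Invoke as: sh build-zeek.sh --build [SRC]  (sourcing only defines the functions)
case ${1:-} in
    --build) build_zeek "${2:-.}" "${PREFIX:-$HOME/zeek}" ;;
esac
```

Because the prefix is under your home directory, `make install` needs no root privileges, and removing the installation is a single `rm -r`. If you do need one of the reserved prefixes (for instance to produce your own package), call ./configure directly rather than weakening prefix_ok.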
Cross Compiling
Prerequisites
You need three things on the host system:
The Zeek source tree.
A cross-compilation toolchain, such as one built via crosstool-NG.
Pre-built Zeek dependencies from the target system. This usually includes libpcap, zlib, OpenSSL, and Python development headers and libraries.
Configuration and Compiling
You first need to compile a few build tools native to the host system for use during the later cross-compile build. In the root of your Zeek source tree:
./configure --builddir=../zeek-buildtools
( cd ../zeek-buildtools && make binpac bifcl )
Next configure Zeek to use your cross-compilation toolchain (this example uses a Raspberry Pi as the target system):
./configure --toolchain=/home/jon/x-tools/RaspberryPi-toolchain.cmake \
    --with-binpac=$(pwd)/../zeek-buildtools/auxil/binpac/src/binpac \
    --with-bifcl=$(pwd)/../zeek-buildtools/src/bifcl
Here, the RaspberryPi-toolchain.cmake file specifies a CMake toolchain. In the toolchain file, you need to point the toolchain and compiler at the cross-compilation toolchain. It might look something like the following:
# Operating System on which CMake is targeting.
set(CMAKE_SYSTEM_NAME Linux)
# The CMAKE_STAGING_PREFIX option may not work.
# Given that Zeek is configured:
#
# `./configure --prefix=<dir>`
#
# The options are:
#
# (1) `make install` and then copy over the --prefix dir from host to
# target system.
#
# (2) `DESTDIR=<staging_dir> make install` and then copy over the
# contents of that staging directory.
set(toolchain /home/jon/x-tools/arm-rpi-linux-gnueabihf)
set(CMAKE_C_COMPILER ${toolchain}/bin/arm-rpi-linux-gnueabihf-gcc)
set(CMAKE_CXX_COMPILER ${toolchain}/bin/arm-rpi-linux-gnueabihf-g++)
# The cross-compiler/linker will use these paths to locate dependencies.
set(CMAKE_FIND_ROOT_PATH
/home/jon/x-tools/zeek-rpi-deps
${toolchain}/arm-rpi-linux-gnueabihf/sysroot
)
set(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
set(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
set(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
If that configuration succeeds you are ready to build:
make
And if that works, install on your host system:
make install
Once installed, you can copy/move the files from the installation prefix on the host system to the target system and start running Zeek as usual.
Configure the Run-Time Environment
You may want to adjust your PATH environment variable according to the platform/shell/package you’re using, since neither /usr/local/zeek/bin/ nor /opt/zeek/bin/ is in the default PATH. For example:
Bourne-Shell Syntax:
export PATH=/usr/local/zeek/bin:$PATH
C-Shell Syntax:
setenv PATH /usr/local/zeek/bin:$PATH
Or substitute /opt/zeek/bin instead if you installed from a binary package.