Photo by Susann Schuster on Unsplash

Network monitoring with Zeek

Light into Darkness

Article from ADMIN 72/2022
Zeek offers an arsenal of scripts for monitoring popular network protocols and comes with its own policy scripting language for customization.

If you want to know what is happening on your network, the only way is to look at the connections between devices and to endpoints on the Internet. Popular tools such as tcpdump and Wireshark are useful for occasional analysis, but for permanent network monitoring and as an alternative to intrusion detection systems, Zeek is a very interesting tool.

Network Monitoring

Keeping track of device activity on the network is a routine task for IT administrators. Network monitoring is a large market comprising various tools, and vendors outdo each other with feature set claims, especially in the area of event processing and manual analysis.

Zeek, the first version of which was released back in 1999 (known as Bro at that time) [1], is a kind of hidden champion. The declared objective was to develop a tool for monitoring large volumes of data with a simple option for analyzing network traffic with self-programmed scripts, known as policy scripts. The name change to Zeek (think "seek") didn't happen for another 20 years or so.

Zeek offers an extensive arsenal of scripts for monitoring the popular network protocols and writing the monitoring results to various logfiles on your hard drive. From there, you can integrate the files into your existing log management or your installed security information and event management (SIEM) solution. The log data is compressed and archived at regular intervals, which is an effective way to save disk space, especially on busy networks.
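The logfiles Zeek writes by default use a self-describing tab-separated layout: each file opens with `#`-prefixed header lines that declare the separator, the placeholders for unset and empty fields, and the column names and types, which is what makes them easy to feed into log management. The following Python is an added example, not code from the article or from the Zeek project, that reads that header, converts the columns according to their declared types and then summarises a conn.log for a quick defender's view (connections per service, bytes per responder, and connection attempts that received no reply, which Zeek records with conn_state S0). The sample log embedded below is constructed for illustration and uses only a subset of the real conn.log columns.

```python
"""Parse Zeek's default tab-separated log format and summarise a conn.log.

Zeek writes one TSV file per log stream (conn.log, dns.log, http.log, ...).
Each file starts with '#'-prefixed header lines that declare the separator,
the placeholders for unset/empty fields, and the column names and types, so
a consumer can parse the file without hard-coding a schema.
"""
from collections import Counter, defaultdict

# Constructed sample in Zeek's TSV layout. The column subset and all values
# are made up for illustration and are not taken from a real capture.
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\thistory
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tstring
1650000000.123456\tCabc1\t192.0.2.10\t52344\t198.51.100.7\t443\ttcp\tssl\t1.2\t1024\t8192\tSF\tShADadFf
1650000001.000000\tCabc2\t192.0.2.10\t52345\t198.51.100.7\t443\ttcp\tssl\t0.5\t512\t2048\tSF\tShADadFf
1650000002.000000\tCabc3\t192.0.2.11\t40000\t198.51.100.9\t22\ttcp\tssh\t-\t-\t-\tS0\tS
1650000003.500000\tCabc4\t192.0.2.12\t5353\t224.0.0.251\t5353\tudp\tdns\t0.0\t60\t0\tS0\tD
#close\t2022-04-15-00-00-10
"""


def _decode_separator(raw):
    # Zeek writes the separator escaped, e.g. "\x09" for a tab.
    return raw.encode("ascii").decode("unicode_escape")


def _convert(value, ztype, meta):
    """Turn one raw column into a Python value based on the #types header."""
    if value == meta["unset_field"]:
        return None
    if ztype.startswith(("set[", "vector[")):
        if value == meta["empty_field"]:
            return []
        return value.split(meta["set_separator"])
    if ztype in ("count", "port", "int"):
        return int(value)
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype == "bool":
        return value == "T"
    return value  # string, addr, enum and anything else stay as text


def parse_zeek_tsv(text):
    """Return (metadata, records) for one Zeek TSV log; records are dicts."""
    meta = {"separator": "\t", "set_separator": ",",
            "empty_field": "(empty)", "unset_field": "-"}
    fields = types = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # The separator line itself is space-delimited; everything after
            # it uses the separator it declares.
            if line.startswith("#separator "):
                meta["separator"] = _decode_separator(line[len("#separator "):])
                continue
            key, _, rest = line[1:].partition(meta["separator"])
            if key == "fields":
                fields = rest.split(meta["separator"])
            elif key == "types":
                types = rest.split(meta["separator"])
            elif key in ("set_separator", "empty_field", "unset_field", "path"):
                meta[key] = rest
            continue  # #open / #close and unknown headers are ignored
        if fields is None or types is None:
            raise ValueError("data row before #fields/#types header")
        cols = line.split(meta["separator"])
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}")
        records.append({f: _convert(v, t, meta)
                        for f, v, t in zip(fields, cols, types)})
    return meta, records


def summarise_conn(records):
    """Aggregate a conn.log: per-service counts, bytes per responder, and
    connection attempts that never got a reply (Zeek conn_state S0)."""
    by_service = Counter(r["service"] or "unknown" for r in records)
    bytes_by_responder = defaultdict(int)
    for r in records:
        bytes_by_responder[r["id.resp_h"]] += (r["orig_bytes"] or 0) + (r["resp_bytes"] or 0)
    unanswered = [r["uid"] for r in records if r["conn_state"] == "S0"]
    return {"by_service": dict(by_service),
            "bytes_by_responder": dict(bytes_by_responder),
            "unanswered": unanswered}


if __name__ == "__main__":
    meta, recs = parse_zeek_tsv(SAMPLE_CONN_LOG)
    print(meta["path"], len(recs), "records")
    print(summarise_conn(recs))
```

Because the column names and types come from the file header rather than from the parser, the same function handles any of Zeek's TSV streams; only `summarise_conn` is specific to conn.log. On a real deployment you would point `parse_zeek_tsv` at the rotated files Zeek archives, or at the current conn.log, before shipping the result to your SIEM.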

Installation

Normally I use Docker when I try out software. Unfortunately, the Zeek developers do not provide their own Docker images, so my options were to find an alternative provider or create an image myself from the Dockerfiles they provided. You will need to allow some time

...