zeek - mirpag/SEC-350-Final-Project GitHub Wiki
Zeek
NTP
Install the NTP package
sudo apt install ntp
Check to see if ntp is enabled on boot with this command:
If it is not enabled, use the following command (on Ubuntu the unit provided by the ntp package is named ntp, not ntpd):
sudo systemctl enable ntp
Verify that ntp is working correctly using the command:
ntpq -p
Installing Zeek
Use the following commands:
echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_20.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_20.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
sudo apt update
sudo apt install zeek
When installing, select the defaults if you are presented with any package configuration screens for Postfix. DO NOT CHOOSE ANY OTHER OPTION.
Zeek is located in /opt/zeek
Node.cfg
Edit /opt/zeek/etc/node.cfg so that it looks like this. Make sure you are using the correct network interfaces!
networks.cfg
Edit /opt/zeek/etc/networks.cfg so it looks like this:
json logging and log rotation
Append the following to the end of the /opt/zeek/share/zeek/site/local.zeek file:
Adjust the log rotation value in /opt/zeek/etc so that it rotates every 86400 seconds (once a day).
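As an added example (not part of this wiki), the shell functions below apply the two settings from this step idempotently: they load Zeek's stock policy/tuning/json-logs.zeek script from local.zeek and set LogRotationInterval in zeekctl.cfg to 86400. The file paths and the json-logs script are Zeek's real defaults; that these are the exact lines shown in the wiki's screenshot is an assumption, and ZEEK_PREFIX is a variable introduced here so the functions can be tried against a scratch copy of the tree.

```shell
#!/bin/sh
# Added example, not from the wiki. Applies the "json logging and log rotation"
# step to a Zeek install rooted at ZEEK_PREFIX (/opt/zeek by default, as on the
# wiki). Point ZEEK_PREFIX at a scratch copy of the tree to try it offline.
ZEEK_PREFIX="${ZEEK_PREFIX:-/opt/zeek}"
JSON_LINE='@load policy/tuning/json-logs.zeek'

# Turn on JSON output by loading Zeek's stock json-logs tuning script from
# local.zeek (assumed to match the wiki's screenshot). Safe to re-run: the
# line is only appended when it is not already present.
enable_json_logging() {
    local_zeek="$ZEEK_PREFIX/share/zeek/site/local.zeek"
    [ -f "$local_zeek" ] || { echo "missing $local_zeek" >&2; return 1; }
    if ! grep -qxF "$JSON_LINE" "$local_zeek"; then
        printf '\n# Write every log as JSON, one object per line\n%s\n' "$JSON_LINE" >> "$local_zeek"
    fi
}

# Set zeekctl's LogRotationInterval (seconds); zeekctl.cfg ships with 3600.
# An existing line is rewritten in place so other settings are left untouched.
set_log_rotation() {
    interval="${1:-86400}"
    cfg="$ZEEK_PREFIX/etc/zeekctl.cfg"
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    if grep -qE '^[[:space:]]*LogRotationInterval[[:space:]]*=' "$cfg"; then
        sed -i -E "s/^([[:space:]]*LogRotationInterval[[:space:]]*=[[:space:]]*)[0-9]+/\1${interval}/" "$cfg"
    else
        printf 'LogRotationInterval = %s\n' "$interval" >> "$cfg"
    fi
}

# Print the effective rotation interval so the edit can be checked before
# "zeekctl deploy" (the wiki's "Starting zeek" step) installs the new config.
current_rotation_interval() {
    sed -nE 's/^[[:space:]]*LogRotationInterval[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' \
        "$ZEEK_PREFIX/etc/zeekctl.cfg"
}

# Usage (as root, per the wiki): . ./zeek-json-rotation.sh; enable_json_logging; set_log_rotation
```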
Adjusting root's PATH
The following screenshot shows how to add /opt/zeek/bin to root's PATH. The last line shown in the example .profile should be added to yours. All Zeek work needs to happen as the root user, since nearly all actions are highly privileged.
Starting zeek
Use the following commands to start zeek:
zeekctl
deploy
status
Disable ufw; it caused us like thiiiiiiiis much pain.