The Zeek Project is thrilled to announce the release of new and substantially improved Zeek documentation, which we refer to as “The Book of Zeek.” This version includes content for Zeek 4.0, and numerous additional updates. 

Zeek is the world’s leading open source network security monitoring tool, and we hope the new docs make it easier than ever to deploy and run. The new documentation includes over 60,000 words, or 300 printed pages, of new content. One of the goals for this iteration was to make Zeek more accessible to new users, and to cater to the needs of analysts. For example, the documentation includes discussions of approximately 30 of the most popular Zeek logs. These sections offer explanations of Zeek’s interpretation of traffic, sometimes in conjunction with other tools like Tcpdump, Tshark, or Tcpflow. By having a better understanding of the protocols involved, analysts will make better use of the data Zeek generates.

This is a community project and also a work in progress. As we continue to improve the documentation, we are moving in two directions. The first direction is to look backward, adding covering for material not discussed in previous editions of the documentation. The second direction is to look forward, addressing new features as they appear in Zeek releases. Our goal is to eventually fully cover both directions, and then have documentation match new features as part of the Zeek release process.

If you would like to help with either direction, please let us know. Sign up for the documentation mailing list and send an email to, or if you are familiar with GitHub, send us a PR in the zeek-docs repository. You can also ask questions and give feedback in the Zeek #documentation channel on Slack

Many thanks and huge shout out to Richard Bejtlich and all the volunteers who worked tirelessly to write, edit and review this new documentation.

So, what’s in this documentation?

  • Getting Started
  • Beginning Zeek
  • What Is Zeek?
  • Why Zeek?
  • Zeek’s History
  • Architecture
  • Zeek Detection and Response Workflow
  • Instrumentation and Collection Workflow
  • Running Zeek
  • Installation 
  • Installing Zeek Using Packages
  • Installing Zeek From Source Code
  • Cross-compiling Zeek
  • Quick Start Guide
  • Examples and Use Cases
  • Introduction to Zeek Log Formats and Inspection
  • Zeek Logs
  • Introduction to Zeek Frameworks
  • Input Framework
  • Configuration Framework
  • Intelligence Framework (intel.log)
  • Logging Framework
  • Notice & Weird Frameworks
  • Signature Framework
  • Broker-Enabled Communication/Cluster Framework
  • Supervisor Framework
  • Script References
  • Developers Guides 
  • And more…

Getting Involved

Are you a Zeek user?  Are you passionate about documentation?  Do you have ideas and suggestions for future updates?  We’re forming a documentation team.  If you’d like to be part of that team please contact us via email or Slack

%d bloggers like this: