---
title: Zeek
description: Gain insights into Zeek logs. Connect to Cloud SIEM
breadcrumbs: Docs > Integrations > Zeek
---

# Zeek
Integration version: 1.2.0

Out-of-the-box dashboards: Zeek - Connections, Zeek - DHCP, Zeek - DNS, Zeek - Network Protocols, Zeek - Detection, Zeek - Diagnostics, Zeek - Files, Zeek - Network Observations
## Overview{% #overview %}

[Zeek](https://zeek.org/) is a platform for network security monitoring. It interprets the traffic it sees and creates compact, high-fidelity transaction logs and extracted file content. Its output is fully customizable and is suitable for manual review on disk or for analysis in a more analyst-friendly tool such as a security information and event management (SIEM) system.

This integration ingests the following logs:

- Connection logs
- DNS and DHCP logs
- Network Protocols
- Files
- Detections
- Miscellaneous event types

Use the out-of-the-box dashboards to visualize network connections, DNS and DHCP activity, detailed network protocol analysis, file analysis and certificates, security detections and observations, and compliance monitoring.

**Minimum Agent version:** 7.52.0

## Setup{% #setup %}

### Installation{% #installation %}

To install the Zeek integration, run the following Agent installation command and the steps below. For more information, see the [Integration Management](https://docs.datadoghq.com/agent/guide/integration-management/?tab=linux#install) documentation.

**Note**: This step is not necessary for Agent version >= 7.52.0.

Linux command

```shell
sudo -u dd-agent -- datadog-agent integration install datadog-zeek==1.0.0
```

#### Opensource Zeek{% #opensource-zeek %}

1. [Install the Agent](https://docs.datadoghq.com/agent/) on your Zeek machine.
1. Install the [Corelight Zeek plugin](https://github.com/corelight/json-streaming-logs) for JSON logging.
   ```shell
   /opt/zeek/bin/zkg install corelight/json-streaming-logs
   ```
1. Load ZKG packages.
   ```shell
   echo -e "\n# Load ZKG packages\n@load packages" >> /opt/zeek/share/zeek/site/local.zeek
   ```
1. Restart Zeek.
   ```shell
   /opt/zeek/bin/zeekctl install
   ```

   ```shell
   /opt/zeek/bin/zeekctl restart
   ```

#### Corelight Zeek{% #corelight-zeek %}

- Have the [Datadog Agent](https://docs.datadoghq.com/agent/) installed and running.

### Configuration{% #configuration %}

#### Opensource Zeek{% #opensource-zeek-1 %}

1. Collecting logs is disabled by default in the Datadog Agent. Enable it in `datadog.yaml`:

   ```yaml
   logs_enabled: true
   ```

1. Add this configuration block to your `zeek.d/conf.yaml` file to start collecting your Zeek logs.

   See the [sample zeek.d/conf.yaml](https://github.com/DataDog/integrations-core/blob/master/cisco_secure_firewall/datadog_checks/cisco_secure_firewall/data/conf.yaml.example) for available configuration options.

   ```yaml
   logs:
   - type: file
     path: /opt/zeek/logs/current/*.log
     exclude_paths:
       - /opt/zeek/logs/current/*.*.log
     service: zeek
     source: zeek
   ```

   **Note**: Add the paths of any log files you do not want ingested to the `exclude_paths` parameter, so that unsupported or undesired log files are skipped during monitoring.

   ```yaml
   # Example of excluded paths
   exclude_paths:
     - /opt/zeek/logs/current/ntlm.log
     - /opt/zeek/logs/current/radius.log
     - /opt/zeek/logs/current/rfb.log
   ```

1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent).
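To see which files the `path` and `exclude_paths` globs above actually select, here is an added example (not part of the integration or the Agent) that applies them to a constructed directory listing; it assumes the Agent matches these settings with ordinary glob semantics, and that the json-streaming-logs package names its files `json_streaming_<path>.log` and rotates them to `json_streaming_<path>.N.log`.

```python
import fnmatch

ZEEK_CURRENT = "/opt/zeek/logs/current"

# Constructed listing of the current/ directory, not taken from a real host.
# The json_streaming_*.N.log names stand for rotated files that the
# "*.*.log" exclusion in the integration's default config is meant to skip.
CONSTRUCTED_LISTING = [
    f"{ZEEK_CURRENT}/json_streaming_conn.log",
    f"{ZEEK_CURRENT}/json_streaming_conn.1.log",
    f"{ZEEK_CURRENT}/json_streaming_dns.log",
    f"{ZEEK_CURRENT}/json_streaming_dns.2.log",
    f"{ZEEK_CURRENT}/json_streaming_ntlm.log",
    f"{ZEEK_CURRENT}/stderr.log",
    f"{ZEEK_CURRENT}/stdout.log",
]


def select_tailed_files(listing, path_glob, exclude_globs):
    """Return the files a `path` / `exclude_paths` pair would tail.

    Glob semantics are assumed to be the plain fnmatch kind: '*' matches any
    run of characters, so '*.*.log' needs two dots and skips rotated files
    while still matching 'json_streaming_conn.log'... no: that name has one
    dot, so it is kept. This is an assumption about the Agent, not its code.
    """
    selected = []
    for path in listing:
        if not fnmatch.fnmatch(path, path_glob):
            continue
        if any(fnmatch.fnmatch(path, pattern) for pattern in exclude_globs):
            continue
        selected.append(path)
    return selected


def integration_default(listing):
    """The default block from the docs: tail *.log, skip rotated *.*.log."""
    return select_tailed_files(listing, f"{ZEEK_CURRENT}/*.log",
                               [f"{ZEEK_CURRENT}/*.*.log"])


def with_extra_excludes(listing, names):
    """Same, plus explicit file names added to exclude_paths (e.g. unsupported logs)."""
    excludes = [f"{ZEEK_CURRENT}/*.*.log"] + [f"{ZEEK_CURRENT}/{n}" for n in names]
    return select_tailed_files(listing, f"{ZEEK_CURRENT}/*.log", excludes)


if __name__ == "__main__":
    for path in integration_default(CONSTRUCTED_LISTING):
        print("tailed:", path)
```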

#### Corelight Zeek{% #corelight-zeek-1 %}

1. Collecting logs is disabled by default in the Datadog Agent. Enable it in `datadog.yaml`:

   ```yaml
   logs_enabled: true
   ```

1. Add this configuration block to your `zeek.d/conf.yaml` file to start collecting your logs.

   ```yaml
   logs:
   - type: tcp
     port: <PORT>
     service: corelight
     source: zeek
   ```

1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent).

1. Configure syslog message forwarding from Corelight:

   1. Open a web browser and navigate to the IP address or hostname of your Corelight sensor.
   1. Log in with your administrative credentials.
   1. Navigate to the Zeek configuration page. The exact path may vary depending on your sensor's firmware version.
   1. Look for options related to "Zeek" or "Logging". Common paths include:
      - Settings > Logging
      - Configuration > Zeek > Logging
   1. Locate the option to enable syslog output for Zeek logs and select the checkbox or toggle to activate it.
   1. Specify the syslog server details. Provide the following information:
      - **Syslog server IP address**: The destination where you want to send the Zeek logs.
      - **Syslog port**: The port on which the syslog server is listening (typically 514).
      - **Facility**: The syslog facility to use.
      - **Severity level**: The minimum severity of events to send.
   1. Click the **Save** or **Apply** button to commit the configuration changes.
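To check what arrives on the Agent's TCP port after the forwarding steps above, here is an added example (not code from the integration, Datadog or Corelight) that parses one RFC 3164 line whose body is a JSON Zeek record and decodes the PRI into the facility and severity configured on the sensor. The sample line is constructed; the `corelight` tag, the exact header layout and the `_path` field naming the Zeek log are assumptions.

```python
import json
import re

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG, where PRI = facility * 8 + severity.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s\[]+)(?:\[\d+\])?: (?P<msg>.*)$",
    re.S,
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample, not captured from a real sensor. PRI 134 = local0 (16) * 8 + info (6).
SAMPLE_LINE = (
    "<134>Mar  5 14:02:11 corelight-sensor corelight: "
    '{"_path":"conn","ts":1709647331.12,"uid":"CxyzAb1","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51234,"id.resp_h":"10.0.0.1","id.resp_p":53,"proto":"udp","conn_state":"SF"}'
)


def parse_syslog_line(line):
    """Split an RFC 3164 line into header fields and its (JSON) Zeek record."""
    m = RFC3164.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an RFC 3164 line: %r" % line[:40])
    pri = int(m["pri"])
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    try:
        body = json.loads(m["msg"])
    except json.JSONDecodeError:
        body = None  # non-JSON body: the sensor is not emitting JSON, keep raw text
    return {
        "facility": facility,
        "severity": SEVERITIES[severity],
        "host": m["host"],
        "tag": m["tag"],
        # "_path" (assumed field) tells which Zeek log the record belongs to.
        "zeek_path": body.get("_path") if isinstance(body, dict) else None,
        "record": body if body is not None else m["msg"],
    }


if __name__ == "__main__":
    parsed = parse_syslog_line(SAMPLE_LINE)
    print(parsed["zeek_path"], parsed["severity"], parsed["record"]["id.resp_h"])
```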

### Validation{% #validation %}

[Run the Agent's status subcommand](https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information) and look for `zeek` under the Checks section.

## Data Collected{% #data-collected %}

### Logs{% #logs %}

The Zeek integration collects the following log types.

| Format                                           | Event Types                                                                                                                                                                                                                                                                                                                                                                         |
| ------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Opensource Zeek - JSON Format                    | conn, dhcp, dns, ftp, http, ntp, rdp, smtp, snmp, socks, ssh, ssl, syslog, tunnel, files, pe, intel, notice, signatures, traceroute, known-certs, known-modbus, known-services, known-hosts, software, x509, dpd, weird, captureloss, reporter, ldap, ldap-search, smb-files, smb-mappings                                                                                          |
| Corelight Zeek - Syslog RFC 3164 (Legacy) Format | conn, dhcp, dns, ftp, http, ntp, rdp, smtp, snmp, socks, ssh, ssl, syslog, tunnel, files, pe, intel, notice, signatures, traceroute, known-certs, known-modbus, known-services, known-hosts, software, x509, dpd, weird, captureloss, reporter, ldap, ldap-search, smb-files, smb-mappings, conn-long, conn-red, encrypted-dns, generic-dns-tunnels, smtp-links, suricata-corelight |

### Metrics{% #metrics %}

The Zeek integration does not include any metrics.

### Events{% #events %}

The Zeek integration does not include any events.

### Service Checks{% #service-checks %}

The Zeek integration does not include any service checks.

## Troubleshooting{% #troubleshooting %}

### Opensource Zeek{% #opensource-zeek-2 %}

If you see a **Permission denied** error while monitoring the log files, give the `dd-agent` user read permission on them.

```shell
sudo chown -R dd-agent:dd-agent /opt/zeek/current/
```

### Corelight Zeek{% #corelight-zeek-2 %}

**Permission denied while port binding:**

If you see a **Permission denied** error while port binding in the Agent logs, see the following instructions:

1. Binding to a port number under 1024 requires elevated permissions. Grant access to the port using the `setcap` command:

   ```shell
   sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent
   ```

1. Verify the setup is correct by running the `getcap` command:

   ```shell
   sudo getcap /opt/datadog-agent/bin/agent/agent
   ```

   With the expected output:

   ```shell
   /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep
   ```

   **Note**: Re-run this `setcap` command every time you upgrade the Agent.

1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent).

**Data is not being collected:**

Make sure that traffic is bypassed from the configured port if the firewall is enabled.

**Port already in use:**

If you see the **Port <PORT-NO> Already in Use** error, see the following instructions. The example below is for PORT-NO = 514:

On systems using Syslog, if the Agent listens for Zeek logs on port 514, the following error can appear in the Agent logs: `Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use`.

This error occurs because by default, Syslog listens on port 514. To resolve this error, take **one** of the following steps:

- Disable Syslog
- Configure the Agent to listen on a different, available port

For any further assistance, contact [Datadog support](https://docs.datadoghq.com/help/).
