From 8e8f2d0b12afea9a8421647369990c7c28279190 Mon Sep 17 00:00:00 2001 From: Henrik Kramselund Jereminsen Date: Wed, 12 May 2021 10:37:35 +0200 Subject: [PATCH 1/4] Just a few ideas for improving the manual page --- man/zeek.8 | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/man/zeek.8 b/man/zeek.8 index b59b054328..bf47dee136 100644 --- a/man/zeek.8 +++ b/man/zeek.8 @@ -16,6 +16,8 @@ tasks, including detecting malware by interfacing to external registries, reporting vulnerable versions of software seen on the network, identifying popular web applications, detecting SSH brute-forcing, validating SSL certificate chains, among others. + +You must have read access to the files or interfaces specified. .SH OPTIONS .TP .B @@ -148,6 +150,28 @@ Output file for script execution statistics .TP .B ZEEK_DISABLE_ZEEKYGEN Disable Zeekygen (Broxygen) documentation support +.SH OUTPUT FORMAT +Output is written in multiple files depending on configuration. Default +location is the current directory. Packets can be written to a tcpdump file. + +The output written by Zeek can be formatted in multiple ways using the +logging framework. +.PP +The default are files in human-readable (ASCII) format and data is organized +into columns (tab-delimited), They can be processed by the \fBzeek-cut\fR tool. + + +.SH EXAMPLES +Read a capture file: +.br + # zeek -r test-capture.pcap +.PP +Usually Zeek is started by running \fBzeekctl\fR. To configure Zeek with an initial +configuration, install, and restart: +.br + # zeekctl deploy +.SH SEE ALSO +zeekctl(8) zeek-cut(1) .SH AUTHOR .B zeek was written by The Zeek Project . From a999d34f7b285c6de11f8f1e121714b0b76a36c4 Mon Sep 17 00:00:00 2001 From: Henrik Kramselund Jereminsen Date: Fri, 14 May 2021 16:36:30 +0200 Subject: [PATCH 2/4] Removed tcpdump file, as it may not even work. --- man/zeek.8 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/man/zeek.8 b/man/zeek.8 index bf47dee136..6b31e2a0e2 100644 
--- a/man/zeek.8 +++ b/man/zeek.8 @@ -152,7 +152,7 @@ Output file for script execution statistics Disable Zeekygen (Broxygen) documentation support .SH OUTPUT FORMAT Output is written in multiple files depending on configuration. Default -location is the current directory. Packets can be written to a tcpdump file. +location is the current directory. The output written by Zeek can be formatted in multiple ways using the logging framework. From 60eb12f575db74003527a5be4cc2036242914238 Mon Sep 17 00:00:00 2001 From: Henrik Kramselund Jereminsen Date: Fri, 14 May 2021 16:37:40 +0200 Subject: [PATCH 3/4] More precise description of the example --- man/zeek.8 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/man/zeek.8 b/man/zeek.8 index 6b31e2a0e2..4650469b03 100644 --- a/man/zeek.8 +++ b/man/zeek.8 @@ -152,7 +152,7 @@ Output file for script execution statistics Disable Zeekygen (Broxygen) documentation support .SH OUTPUT FORMAT Output is written in multiple files depending on configuration. Default -location is the current directory. +location is the current directory. The output written by Zeek can be formatted in multiple ways using the logging framework. @@ -162,7 +162,7 @@ into columns (tab-delimited), They can be processed by the \fBzeek-cut\fR tool. .SH EXAMPLES -Read a capture file: +Read a capture file and generate the default logs: .br # zeek -r test-capture.pcap .PP From 49d99f6a03b26e41cfefa2344d685198ea54844b Mon Sep 17 00:00:00 2001 From: Henrik Kramselund Jereminsen Date: Fri, 14 May 2021 16:40:27 +0200 Subject: [PATCH 4/4] Added note about default configuration --- man/zeek.8 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/man/zeek.8 b/man/zeek.8 index 4650469b03..6b870990ed 100644 --- a/man/zeek.8 +++ b/man/zeek.8 
@@ -170,6 +170,9 @@ Usually Zeek is started by running \fBzeekctl\fR. To configure Zeek with an init configuration, install, and restart: .br # zeekctl deploy + +Note: the default configuration may need to be updated before use. Especially the +network interface used should be the correct one. .SH SEE ALSO zeekctl(8) zeek-cut(1) .SH AUTHOR
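Review bot: In PATCH 1/4, first hunk of man/zeek.8 (the DESCRIPTION addition), "read access to the files or interfaces specified" is imprecise for interfaces: a capture interface is not opened for reading like a file, it needs packet-capture privilege, which on most systems means root or an equivalent capability. Suggest splitting the sentence: "Reading a capture file requires read access to that file; capturing from an interface requires packet-capture privileges (typically root)." Also use `.PP` for the paragraph break instead of a bare blank line, as the rest of the page does.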
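Review bot: In PATCH 1/4, second hunk (OUTPUT FORMAT and EXAMPLES), the `#` prompt on `# zeek -r test-capture.pcap` suggests running as root, which reading a capture file does not need; use `$` there and keep `#` only for `zeekctl deploy`, so the examples do not teach running Zeek with more privilege than required. The OUTPUT FORMAT paragraph also needs a grammar pass: "The default are files in human-readable (ASCII) format and data is organized into columns (tab-delimited), They can be processed by the \fBzeek-cut\fR tool." should read "The default is human-readable (ASCII) files with tab-delimited columns, which can be processed by the \fBzeek-cut\fR tool." Replace the bare blank lines (including the double blank line before `.SH EXAMPLES`) with `.PP`.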
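Review bot: In PATCH 2/4, the replacement line `+location is the current directory. ` appears to keep the trailing space left behind when the tcpdump sentence was deleted, since PATCH 3/4 re-edits the same line with otherwise identical text; strip the trailing whitespace here so the later whitespace-only change is not needed.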
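Review bot: In PATCH 3/4, the first hunk (`-location is the current directory. ` / `+location is the current directory.`) is a whitespace-only fix to a line PATCH 2/4 introduced and has nothing to do with the subject "More precise description of the example"; squash it into PATCH 2/4 so each commit matches its message.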
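Review bot: In PATCH 3/4, second hunk, "Read a capture file and generate the default logs:" is clearer, but since OUTPUT FORMAT above says the default location is the current directory, it would help the reader of the EXAMPLES section to say so here too: "Read a capture file and write the default logs to the current directory:".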
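Review bot: In PATCH 4/4, the note is placed after the `zeekctl deploy` command but describes something the user must do before running it; move it to the sentence introducing that example ("To configure Zeek with an initial configuration, ...") or state the ordering explicitly. The wording "Especially the network interface used should be the correct one." is awkward; suggest "In particular, make sure Zeek is configured to capture on the intended network interface." Replace the bare blank line before "Note:" with `.PP`, consistent with the rest of the page.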