Zeek has a quickstart (and it was rewritten in zeek/zeek-docs#312) and a pretty comprehensive amount of "reference." But it lacks that tier 2 level where people just want to learn how to do the normal Zeek things in a streamlined tutorial-like way.

We should make a tutorial and put it soon after "Get Started" in the docs. This should recycle old content where necessary.

Current idea for the outline is roughly:

• Invoking Zeek on the command line
• zkg, Zeek's package manager and the package ecosystem
• Zeek cluster setup
  • Zeekctl
  • How to tap your network
• Working with Zeek logs
  • Log formats
  • Subset of logs explained: conn.log, ssl.log, dns.log, pivoting
  • How to learn about other logs
  • Real-world log ingestion/processing/storage
• Intro to scripting: flavor of the language, basics like pass-by-reference
  • Eventing
  • JavaScript as an alternative
• The role of Zeek's frameworks
• Cluster backends
  • Distributed system: physical vs logical topology, how to place state, etc
  • ZeroMQ
  • Broker