issue 10050 and issue 10062

salt/zeek/config.map.jinja

@@ -1,8 +1,17 @@
 {% from 'vars/sensor.map.jinja' import ROLE_GLOBALS %}
 {% import_yaml 'zeek/defaults.yaml' as zeek_defaults with context %}
-{% set zeek_pillar = salt['pillar.get']('zeek', []) %}
-{% set ZEEKMERGED = salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False) %}
-{% do ZEEKMERGED.zeek.config.node.update({'interface': ROLE_GLOBALS.sensor.interface}) %}
+{% set ZEEKMERGED = salt['pillar.get']('zeek', zeek_defaults.zeek, merge=True) %}
+{% do ZEEKMERGED.config.node.update({'interface': ROLE_GLOBALS.sensor.interface}) %}
+
+{% if ZEEKMERGED.config.local.load is defined %}
+  {% set LOCALLOAD = ZEEKMERGED.config.local.pop('load') %}
+  {% do ZEEKMERGED.config.local.update({'@load': LOCALLOAD}) %}
+{% endif %}
+
+{% if ZEEKMERGED.config.local['load-sigs'] is defined %}
+  {% set LOCALLOADSIGS = ZEEKMERGED.config.local.pop('load-sigs') %}
+  {% do ZEEKMERGED.config.local.update({'@load-sigs': LOCALLOADSIGS}) %}
+{% endif %}
 
 {% set ZEEKOPTIONS = {} %}
 {% set ENABLED = salt['pillar.get']('zeek:enabled', True) %}

salt/zeek/defaults.yaml

@@ -22,7 +22,7 @@ zeek:
       CfgDir: /opt/zeek/etc
       CompressLogs: 1
     local:
-      '@load':
+      load:
         - misc/loaded-scripts
         - tuning/defaults
         - misc/capture-loss
@@ -68,7 +68,7 @@ zeek:
         - zeek-plugin-profinet
         - zeek-spicy-wireguard
         - zeek-spicy-stun
-      '@load-sigs':
+      load-sigs:
         - frameworks/signatures/detect-windows-shells
       redef:
         - LogAscii::use_json = T;

salt/zeek/files/local.zeek.jinja

@@ -8,4 +8,4 @@
 {{ k }} {{ li }}
     {%- endfor %}
   {%- endif %}
-{%- endfor %}
+{%- endfor %}

salt/zeek/files/zeekctl.cfg.jinja

@@ -6,4 +6,4 @@
   {%- if option|lower in ALLOWEDOPTIONS %}
 {{ option }} = {{ ZEEKCTL[option] }}
   {%- endif %}
-{%- endfor %}
+{%- endfor %}

salt/zeek/init.sls

@@ -78,7 +78,7 @@ zeekpolicysync:
     - group: 939
     - template: jinja
     - defaults:
-        FILE_EXTRACTION: {{ ZEEKMERGED.zeek.file_extraction }}
+        FILE_EXTRACTION: {{ ZEEKMERGED.file_extraction }}
 
 # Ensure the zeek spool tree (and state.db) ownership is correct
 zeekspoolownership:
@@ -109,7 +109,7 @@ zeekctlcfg:
     - group: 939
     - template: jinja
     - defaults:
-        ZEEKCTL: {{ ZEEKMERGED.zeek.config.zeekctl | tojson }}
+        ZEEKCTL: {{ ZEEKMERGED.config.zeekctl | tojson }}
 
 # Sync node.cfg
 nodecfg:
@@ -120,7 +120,7 @@ nodecfg:
     - group: 939
     - template: jinja
     - defaults:
-        NODE: {{ ZEEKMERGED.zeek.config.node }}
+        NODE: {{ ZEEKMERGED.config.node }}
 
 networkscfg:
   file.managed:
@@ -130,7 +130,7 @@ networkscfg:
     - group: 939
     - template: jinja
     - defaults:
-        NETWORKS: {{ ZEEKMERGED.zeek.config.networks }}
+        NETWORKS: {{ ZEEKMERGED.config.networks }}
 
 #zeekcleanscript:
 #  file.managed:
@@ -198,7 +198,7 @@ localzeek:
     - group: 939
     - template: jinja
     - defaults:
-        LOCAL: {{ ZEEKMERGED.zeek.config.local | tojson }}
+        LOCAL: {{ ZEEKMERGED.config.local | tojson }}
 
 so-zeek:
   docker_container.{{ ZEEKOPTIONS.status }}:

salt/zeek/soc_zeek.yaml

@@ -5,10 +5,10 @@ zeek:
       helpLink: zeek.html
   config:
     local:
-      '@load':
+      load:
         description: List of Zeek policies to load
         helpLink: zeek.html
-      '@load-sigs':
+      load-sigs:
         description: List of Zeek signatures to load
         helpLink: zeek.html
     node: