diff --git a/salt/filebeat/defaults.yaml b/salt/filebeat/defaults.yaml index b1b830262..2e13032e6 100644 --- a/salt/filebeat/defaults.yaml +++ b/salt/filebeat/defaults.yaml @@ -1,6 +1,5 @@ filebeat: config: - zeek_logs_enabled: - conn - dce_rpc diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index a35ab545f..f38ffd0d7 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -131,7 +131,11 @@ filebeat.inputs: {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %} {%- if ZEEKVER != 'SURICATA' %} - {%- for LOGNAME in salt['pillar.get']('filebeat:zeek_logs_enabled', '') %} + {% import_yaml 'filebeat/defaults.yaml' as FBD with context %} + + {% set FBCONFIG = salt['pillar.get']('filebeat:zeek_logs_enabled', default=FBD.filebeat, merge=True) %} + + {%- for LOGNAME in FBCONFIG.zeek_logs_enabled %} - type: filestream id: zeek-{{ LOGNAME }} paths:
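Review bot: The `{% set FBCONFIG = ... %}` line in filebeat.yml looks up the list-valued key `filebeat:zeek_logs_enabled` but passes the mapping `FBD.filebeat` as its default, and then reads `FBCONFIG.zeek_logs_enabled`, so the two possible return shapes do not match. While the pillar key is unset the default mapping comes back and the loop works. On a node whose pillar does set that key, `pillar.get` would presumably return the bare list (the merge only applies to mappings), the attribute lookup would be undefined, and the `for` loop would render no Zeek inputs with no error, so Zeek logs would silently stop shipping. Looking up the parent key keeps both cases in the same shape: `{% set FBCONFIG = salt['pillar.get']('filebeat', default=FBD.filebeat, merge=True) %}`. The enclosing `{%- if %}` blocks and the body of the `for` loop continue outside the hunk.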