From 525d4325c7530e4e137b956a954c523c868651d9 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 25 May 2021 17:18:58 -0400
Subject: [PATCH] define ZEEKLOGLOOKUP in the yaml
---
 salt/filebeat/map.jinja | 4 ----
 salt/filebeat/securityoniondefaults.yaml | 4 +++-
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/salt/filebeat/map.jinja b/salt/filebeat/map.jinja
index b5df8fea5..6ae6e7cff 100644
--- a/salt/filebeat/map.jinja
+++ b/salt/filebeat/map.jinja
@@ -4,7 +4,3 @@
 {% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}
 {% set SO = SODEFAULTS.securityonion_filebeat %}
 {#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', default=SODEFAULTS.third_party_filebeat, merge=True) %#}
-
-{% set ZEEKLOGLOOKUP = {
- 'conn': 'connection',
-} %}
diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml
index 58eef8361..0a1459d6b 100644
--- a/salt/filebeat/securityoniondefaults.yaml
+++ b/salt/filebeat/securityoniondefaults.yaml
@@ -1,5 +1,7 @@
 {%- set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
-{% from 'filebeat/map.jinja' import ZEEKLOGLOOKUP with context %}
+{% set ZEEKLOGLOOKUP = {
+ 'conn': 'connection',
+} %}
 securityonion_filebeat:
 modules:
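Review bot: The new `{% set ZEEKLOGLOOKUP = {` block in securityoniondefaults.yaml carries no comment saying why a lookup table lives in a defaults file, and the reason is not obvious from this hunk alone. The map.jinja context line shows that map.jinja loads this file with `import_yaml`, so the removed `from 'filebeat/map.jinja' import ZEEKLOGLOOKUP` pulled from the very template that was loading it; a one-line note such as `{# defined here, not in map.jinja: map.jinja import_yaml's this file #}` would stop someone moving it back. Because the first hunk also deletes the definition from map.jinja, any other template that still imports ZEEKLOGLOOKUP from there would fail to render, so it is worth grepping the states for remaining importers; only this one is visible in the patch. The table has a single entry (`conn`), so if the rest of the file looks log names up in it, it should presumably fall back to the raw name rather than index directly; that code is outside the hunk.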