change how we populate local.zeek - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/585

pillar/zeek/init.sls

@@ -16,7 +16,7 @@ zeek:
     CfgDir: /opt/zeek/etc
     CompressLogs: 1
   local:
-    load:
+    '@load':
       - misc/loaded-scripts
       - tuning/defaults
       - misc/capture-loss
@@ -48,7 +48,7 @@ zeek:
       - securityonion/bpfconf
       - securityonion/communityid
       - securityonion/file-extraction
-    load-sigs:
+    '@load-sigs':
       - frameworks/signatures/detect-windows-shells
     redef:
       - LogAscii::use_json = T;

salt/zeek/files/local.zeek.jinja

@@ -1,11 +1,11 @@
 ##! Local site policy.
 
-{%- set ALLOWEDOPTIONS = [ 'load', 'load-sigs', 'redef' ] %}
+{%- set ALLOWEDOPTIONS = [ '@load', '@load-sigs', 'redef' ] %}
 
 {%- for k, v in LOCAL.items() %}
   {%- if k|lower in ALLOWEDOPTIONS %}
     {%- for li in v|sort %}
-@{{ k }} {{ li }}
+{{ k }} {{ li }}
     {%- endfor %}
   {%- endif %}
 {%- endfor %}

salt/zeek/files/zeekctl.cfg.jinja

@@ -6,4 +6,4 @@
   {%- if option|lower in ALLOWEDOPTIONS %}
 {{ option }} = {{ ZEEKCTL[option] }}
   {%- endif %}
-{%- endfor %}
+{%- endfor %}