diff --git a/setup/so-functions b/setup/so-functions
index 761f3875d..f9f1fb873 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2946,41 +2946,6 @@ zeek_logs_enabled() {
 for BLOG in "${BLOGS[@]}"; do
 echo " - $BLOG" | tr -d '"' >> "$zeeklogs_pillar"
 done
- elif [ "$install_type" == "EVAL" ] || [ "$install_type" == "IMPORT" ]; then
- printf '%s\n'\
- " - conn"\
- " - dce_rpc"\
- " - dhcp"\
- " - dnp3"\
- " - dns"\
- " - dpd"\
- " - files"\
- " - ftp"\
- " - http"\
- " - intel"\
- " - irc"\
- " - kerberos"\
- " - modbus"\
- " - notice"\
- " - ntlm"\
- " - pe"\
- " - radius"\
- " - rfb"\
- " - rdp"\
- " - sip"\
- " - smb_files"\
- " - smb_mapping"\
- " - smtp"\
- " - snmp"\
- " - ssh"\
- " - ssl"\
- " - syslog"\
- " - tunnel"\
- " - weird"\
- " - mysql"\
- " - socks"\
- " - x509" >> "$zeeklogs_pillar"
- # Disable syslog log by default
 else
 printf '%s\n'\
 " - conn"\
@@ -3073,4 +3038,11 @@ zeek_logs_enabled() {
 " - stun_nat"\
 " - wireguard" >> "$zeeklogs_pillar"
 fi
+
+ # We don't want Zeek syslog for production deployments as this can create duplicate logs.
+ # So we only enable Zeek syslog if EVAL or IMPORT.
+ if [ "$install_type" == "EVAL" ] || [ "$install_type" == "IMPORT" ]; then
+ echo " - syslog" >> "$zeeklogs_pillar"
+ fi
+
 }
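Review bot: The new `if` at the end of zeek_logs_enabled() appends ` - syslog` to "$zeeklogs_pillar" without checking whether the list written earlier in the function already contains it, so an EVAL or IMPORT install that takes the `for BLOG in "${BLOGS[@]}"` branch with syslog in BLOGS would end up with a duplicate list entry in the pillar (whether that branch is reachable for those install types depends on the `if` condition, which is outside the hunk). A one-line guard keeps the entry unique: `grep -qxF -- ' - syslog' "$zeeklogs_pillar" || echo " - syslog" >> "$zeeklogs_pillar"`. The added comment could also record that the separate EVAL/IMPORT log list removed in the first hunk is now replaced by the default list plus this syslog entry, since that is the only place a future reader will find the reason the two install types no longer have their own list. zeek_logs_enabled() starts outside both hunks.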