diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index b1a91b133..7850f4eb6 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -23,7 +23,6 @@ {% from 'filebeat/map.jinja' import THIRDPARTY with context %} {% from 'filebeat/map.jinja' import SO with context %} - filebeatetcdir: file.directory: - name: /opt/so/conf/filebeat/etc diff --git a/salt/filebeat/map.jinja b/salt/filebeat/map.jinja index 6ae6e7cff..b5df8fea5 100644 --- a/salt/filebeat/map.jinja +++ b/salt/filebeat/map.jinja @@ -4,3 +4,7 @@ {% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %} {% set SO = SODEFAULTS.securityonion_filebeat %} {#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', default=SODEFAULTS.third_party_filebeat, merge=True) %#} + +{% set ZEEKLOGLOOKUP = { + 'conn': 'connection', +} %} diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml index 8bcecd618..300e7f42f 100644 --- a/salt/filebeat/securityoniondefaults.yaml +++ b/salt/filebeat/securityoniondefaults.yaml @@ -1,4 +1,6 @@ {%- set ZEEKVER = salt['pillar.get']('global:mdengine', '') %} +{% from 'filebeat/map.jinja' import ZEEKLOGLOOKUP with context %} + securityonion_filebeat: modules: elasticsearch: @@ -25,9 +27,14 @@ securityonion_filebeat: {%- if ZEEKVER != 'SURICATA' %} zeek: {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %} - {{ LOGNAME }}: + {% if LOGNAME in ZEEKLOGLOOKUP.keys() %} + {% set FILESET = ZEEKLOGLOOKUP.get(LOGNAME) %} + {% else %} + {% set FILESET = LOGNAME %} + {% endif %} + {{ FILESET }}: enabled: false var.paths: ["/nsm/zeek/logs/current/{{ LOGNAME }}.log"] {%- endfor %} {%- endif %} - {%- endif %} \ No newline at end of file + {%- endif %}
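Review bot: ZEEKLOGLOOKUP is added with no comment saying what it maps, so a reader of securityoniondefaults.yaml finds a lone `'conn': 'connection'` entry with nothing explaining why that one log is special. From the yaml hunk the value becomes the key under `modules.zeek` while the original pillar name still builds `var.paths`, so I would put above the set block: `{# Zeek log name (as listed in pillar zeeklogs:enabled) -> name of the filebeat zeek module fileset, for the logs where the two differ. The pillar name is still used for var.paths. #}`. That this is the fileset naming of filebeat's zeek module is my inference from the usage, not visible here; confirm against the module before relying on the comment.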
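Review bot: The new `{% from 'filebeat/map.jinja' import ZEEKLOGLOOKUP with context %}` looks circular: map.jinja, shown in the previous hunk, does `{% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}`, so rendering this file renders map.jinja, which renders this file again. Whether Salt's renderer caches the template and breaks the loop, or recurses until it fails, I cannot tell from the diff, so the filebeat state needs a render check (for example `salt-call state.show_sls filebeat`) before this merges. The safer shape is to move ZEEKLOGLOOKUP into a template of its own that imports nothing (e.g. `filebeat/zeeklogs.jinja`) and import that from both map.jinja and this file.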
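Review bot: The five-line `{% if %}`/`{% set %}`/`{% else %}`/`{% set %}`/`{% endif %}` around FILESET is a dictionary lookup with a default and can be a single line, `{% set FILESET = ZEEKLOGLOOKUP.get(LOGNAME, LOGNAME) %}`, which also drops the redundant `.keys()`. The new tags lack the `-` whitespace control that the surrounding `{%- for %}` and `{%- endif %}` use, so every loop iteration emits indentation-only lines into the rendered YAML; harmless to the parser but inconsistent, and `{%- set FILESET = ZEEKLOGLOOKUP.get(LOGNAME, LOGNAME) %}` keeps the output tidy. As written the lookup is applied only to the module key while `var.paths` keeps LOGNAME, which is what you want for conn.log; the one-liner preserves that.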