add zeekloglookup to translate zeeklogs to filebeat filesets

salt/filebeat/init.sls

@@ -23,7 +23,6 @@
 {% from 'filebeat/map.jinja' import THIRDPARTY with context %}
 {% from 'filebeat/map.jinja' import SO with context %}
 
-
 filebeatetcdir:
   file.directory:
     - name: /opt/so/conf/filebeat/etc

salt/filebeat/map.jinja

@@ -4,3 +4,7 @@
 {% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}
 {% set SO = SODEFAULTS.securityonion_filebeat %}
 {#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', default=SODEFAULTS.third_party_filebeat, merge=True) %#}
+
+{% set ZEEKLOGLOOKUP = {
+    'conn': 'connection',
+} %}

salt/filebeat/securityoniondefaults.yaml

@@ -1,4 +1,6 @@
 {%- set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
+{% from 'filebeat/map.jinja' import ZEEKLOGLOOKUP with context %}
+
 securityonion_filebeat:
   modules:
     elasticsearch:
@@ -25,7 +27,12 @@ securityonion_filebeat:
       {%- if ZEEKVER != 'SURICATA' %}
     zeek:
         {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '')  %}
-      {{ LOGNAME }}:
+          {% if LOGNAME in ZEEKLOGLOOKUP.keys() %}
+            {% set FILESET = ZEEKLOGLOOKUP.get(LOGNAME) %}
+          {% else %}
+            {% set FILESET = LOGNAME %}
+          {% endif %}
+      {{ FILESET }}:
         enabled: false
         var.paths: ["/nsm/zeek/logs/current/{{ LOGNAME }}.log"]
         {%- endfor %}