diff --git a/salt/filebeat/defaults.yaml b/salt/filebeat/defaults.yaml
index b1b830262..2e13032e6 100644
--- a/salt/filebeat/defaults.yaml
+++ b/salt/filebeat/defaults.yaml
@@ -1,6 +1,5 @@
 filebeat: config: - zeek_logs_enabled: - conn - dce_rpc
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index afcfcd27b..f38ffd0d7 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -131,7 +131,11 @@ filebeat.inputs:
 {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
 {%- if ZEEKVER != 'SURICATA' %}
- {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %}
+ {% import_yaml 'filebeat/defaults.yaml' as FBD with context %}
+
+ {% set FBCONFIG = salt['pillar.get']('filebeat:zeek_logs_enabled', default=FBD.filebeat, merge=True) %}
+
+ {%- for LOGNAME in FBCONFIG.zeek_logs_enabled %}
 - type: filestream
 id: zeek-{{ LOGNAME }}
 paths:
diff --git a/salt/idstools/sync_files.sls b/salt/idstools/sync_files.sls
index dee7dd01f..64479e937 100644
--- a/salt/idstools/sync_files.sls
+++ b/salt/idstools/sync_files.sls
@@ -30,7 +30,7 @@ rulesdir:
 synclocalnidsrules:
 file.recurse:
 - name: /opt/so/rules/nids/
- - source: salt://idstools/
+ - source: salt://idstools/rules/
 - user: 939
 - group: 939
 - show_changes: False
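Review bot: The pillar lookup and its default in the new `{% set FBCONFIG = salt['pillar.get']('filebeat:zeek_logs_enabled', default=FBD.filebeat, merge=True) %}` line of salt/filebeat/etc/filebeat.yml return values of different shapes: the key path `filebeat:zeek_logs_enabled` yields the log list itself when the pillar is set, while `default=FBD.filebeat` is the mapping imported from defaults.yaml, yet the following `{%- for LOGNAME in FBCONFIG.zeek_logs_enabled %}` treats the result as a mapping in both cases. Whichever branch is taken, one of them cannot supply `.zeek_logs_enabled`, and as far as I recall `merge=True` only merges when the pillar value and the default are both mappings. Either fetch the parent key, `salt['pillar.get']('filebeat', default=FBD.filebeat, merge=True)`, and keep the attribute access, or fetch the list directly and loop over `FBCONFIG` itself. The defaults.yaml hunk earlier in this diff also appears to drop the `zeek_logs_enabled:` key under `config:` (that hunk's layout is collapsed, so its exact shape is unclear), in which case `FBD.filebeat` would not carry that key on the default path either; confirm the rendered defaults.yaml against what the template expects FBD.filebeat to hold. The enclosing `{%- if ZEEKVER != 'SURICATA' %}` block continues past the end of the hunk.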
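Review bot: Narrowing `source:` to `salt://idstools/rules/` fixes what is copied from now on, but the `file.recurse` on `/opt/so/rules/nids/` has no `clean: True` in the visible lines, so anything an earlier run copied from the broader `salt://idstools/` (the state files themselves, for instance) stays in the rules directory on already-deployed nodes. If those leftovers matter, add `- clean: True` (only if the directory holds nothing but Salt-managed files) or remove them explicitly in a one-off state. Independently, `- show_changes: False` hides rule-file diffs from the highstate output; worth confirming that is intended for a directory whose contents drive detection. The `synclocalnidsrules` state may continue past the end of the hunk, so `clean` could already be set further down.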