From aa7dd47b005a9a959d31bd792818dc56136164d4 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 26 Sep 2022 17:01:44 -0400
Subject: [PATCH 1/3] Fix zeek logs in filebeat

---
 salt/filebeat/etc/filebeat.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index afcfcd27b..a35ab545f 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -131,7 +131,7 @@ filebeat.inputs:
 {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
 {%- if ZEEKVER != 'SURICATA' %}
- {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %}
+ {%- for LOGNAME in salt['pillar.get']('filebeat:zeek_logs_enabled', '') %}
 - type: filestream
 id: zeek-{{ LOGNAME }}
 paths:
From 37c98c14cd6aaae666785c19539d0259613766ec Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 26 Sep 2022 17:11:10 -0400
Subject: [PATCH 2/3] Fix zeek logs in filebeat

---
 salt/filebeat/defaults.yaml | 1 -
 salt/filebeat/etc/filebeat.yml | 6 +++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/salt/filebeat/defaults.yaml b/salt/filebeat/defaults.yaml
index b1b830262..2e13032e6 100644
--- a/salt/filebeat/defaults.yaml
+++ b/salt/filebeat/defaults.yaml
@@ -1,6 +1,5 @@
 filebeat:
 config:
-
 zeek_logs_enabled:
 - conn
 - dce_rpc
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index a35ab545f..f38ffd0d7 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
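Review bot: The `+` line switches the pillar lookup from `zeeklogs:enabled` to `filebeat:zeek_logs_enabled` with no fallback to the old key, so a minion whose pillar still carries `zeeklogs:enabled` gets the `''` default and the loop renders no zeek `filestream` inputs at all — zeek logs stop being shipped silently instead of the state failing. The later hunk for the same file in patch 2/3 replaces this line but keeps only the new key, so the same migration gap remains in the final state. A transitional fallback on this line, `{%- for LOGNAME in salt['pillar.get']('filebeat:zeek_logs_enabled', salt['pillar.get']('zeeklogs:enabled', '')) %}`, or a documented pillar migration step would close it. The enclosing `{%- if %}` blocks and the `filebeat.inputs` list start and end outside the hunk.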
@@ -131,7 +131,11 @@ filebeat.inputs:
 {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
 {%- if ZEEKVER != 'SURICATA' %}
- {%- for LOGNAME in salt['pillar.get']('filebeat:zeek_logs_enabled', '') %}
+ {% import_yaml 'filebeat/defaults.yaml' as FBD with context %}
+
+ {% set FBCONFIG = salt['pillar.get']('filebeat:zeek_logs_enabled', default=FBD.filebeat, merge=True) %}
+
+ {%- for LOGNAME in FBCONFIG.zeek_logs_enabled %}
 - type: filestream
 id: zeek-{{ LOGNAME }}
 paths:
From 2066efcabf04d762f7f109f1ee0034ededc739df Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 26 Sep 2022 17:18:28 -0400
Subject: [PATCH 3/3] Add Rules to sync

---
 salt/idstools/sync_files.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/idstools/sync_files.sls b/salt/idstools/sync_files.sls
index dee7dd01f..64479e937 100644
--- a/salt/idstools/sync_files.sls
+++ b/salt/idstools/sync_files.sls
@@ -30,7 +30,7 @@ rulesdir:
 synclocalnidsrules:
 file.recurse:
 - name: /opt/so/rules/nids/
- - source: salt://idstools/
+ - source: salt://idstools/rules/
 - user: 939
 - group: 939
 - show_changes: False
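Review bot: The key and the default in the added `{% set FBCONFIG = ... %}` line sit at different nesting levels: the key `filebeat:zeek_logs_enabled` names the list itself, while `default=FBD.filebeat` is the parent mapping that contains `zeek_logs_enabled` (as the `defaults.yaml` hunk above shows). When a pillar does define the key, `FBCONFIG` is presumably the list, and `FBCONFIG.zeek_logs_enabled` on the following added line then has nothing to resolve, so the override path this commit introduces looks broken while only the no-pillar default path works. Reading the parent mapping keeps both paths consistent: `{% set FBCONFIG = salt['pillar.get']('filebeat', default=FBD.filebeat, merge=True) %}`. The surrounding `{%- if %}` blocks and the `filebeat.inputs` list continue outside the hunk.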
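Review bot: Narrowing `source` to `salt://idstools/rules/` does not remove whatever the previous `salt://idstools/` source already recursed into `/opt/so/rules/nids/` on deployed minions, because `file.recurse` leaves files absent from the source in place unless `clean` is set, so anything copied there earlier stays alongside the rules the IDS reads from that directory. Since the state is named `synclocalnidsrules` and the directory may hold locally added rules, adding `- clean: True` could also delete those, so a one-off cleanup plus a check that the directory contains only expected rule files seems safer than `clean`. The `show_changes: False` context line also hides which files changed on each run, which makes such leftovers harder to spot in state output.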