diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml
index ca3168b8b..3b9b71647 100644
--- a/salt/zeek/defaults.yaml
+++ b/salt/zeek/defaults.yaml
@@ -104,3 +104,18 @@ zeek:
 - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
 - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
 - application/vnd.openxmlformats-officedocument: doc
+ logging:
+ excluded:
+ - broker
+ - capture_loss
+ - ecat_arp_info
+ - known_hosts
+ - known_services
+ - loaded_scripts
+ - ntp
+ - packet_filter
+ - reporter
+ - stats
+ - stderr
+ - stdout
+
diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml
index 8410d4e75..0385e90a9 100644
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
@@ -3,8 +3,9 @@ zeek:
 description: You can enable or disable ZEEK on all sensors or a single sensor.
 helpLink: zeek.html
 logging:
- enabled:
- description: This is a list of Zeek logs that will be shipped through the pipeline. If you remove a log from this list, it will still persist on the sensor.
+ excluded:
+ description: This is a list of Zeek logs that are excluded from being shipped through the data processing pipeline. If you remove a log from this list, it will be attempt to be ingested. If an ingest node pipeline is not available to process the logs, you may experience errors.
+ forcedType: "[]string"
 helpLink: zeek.html
 config:
 local:
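Review bot: The new `zeek.logging.excluded` list in defaults.yaml carries no comment saying it is a deny-list, so a reader of the defaults alone cannot tell that every Zeek log not named here is shipped through the pipeline — that meaning is only stated in the soc_zeek.yaml description in the second hunk. Add above `logging:` the comment `# Zeek logs NOT shipped through the pipeline; any log not listed here is ingested by default.` so operators adding or removing entries understand the direction of the list, and so it is clear that enabling new Zeek packages will grow pipeline volume without any change to this file. The hunk also appears to append an empty added line after `- stdout`, leaving defaults.yaml ending in a trailing blank line that yamllint flags; drop it. This hunk only appends at the end of the file, so if an older `logging.enabled` allow-list still exists elsewhere in defaults.yaml it is now dead configuration and should be removed so the two lists cannot be confused.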
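Review bot: The replacement text on the added `description:` line in soc_zeek.yaml reads `it will be attempt to be ingested`, which is ungrammatical; write `it will be sent to the pipeline for ingestion`. Since the `enabled` key is removed in this hunk, any pillar override of `zeek.logging.enabled` that operators may have set will silently stop having an effect — consider ending the description with one sentence such as `This replaces the former "enabled" allow-list.` so the migration is visible where operators read it. The `forcedType: "[]string"` addition is fine as quoted.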