Add default description and Zeek log exclusions for Elastic Fleet

2025-12-06 09:12:45 +01:00 · 2023-05-30 03:10:52 +00:00
parent ef5b63337b
commit e910f04beb
2 changed files with 18 additions and 2 deletions
--- a/salt/zeek/defaults.yaml
+++ b/salt/zeek/defaults.yaml
@@ -104,3 +104,18 @@ zeek:
    - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
    - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
    - application/vnd.openxmlformats-officedocument: doc
+  logging:
+    excluded:
+      - broker
+      - capture_loss
+      - ecat_arp_info
+      - known_hosts
+      - known_services
+      - loaded_scripts
+      - ntp
+      - packet_filter
+      - reporter
+      - stats
+      - stderr
+      - stdout
+ 
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
@@ -3,8 +3,9 @@ zeek:
    description: You can enable or disable ZEEK on all sensors or a single sensor.
    helpLink: zeek.html
  logging:
-    enabled:
-      description: This is a list of Zeek logs that will be shipped through the pipeline. If you remove a log from this list, it will still persist on the sensor.
+    excluded:
+      description: This is a list of Zeek logs that are excluded from being shipped through the data processing pipeline. If you remove a log from this list, it will be attempt to be ingested. If an ingest node pipeline is not available to process the logs, you may experience errors.
+      forcedType: "[]string"
      helpLink: zeek.html
  config:
    local: