diff --git a/salt/elasticsearch/files/ingest/zeek.syslog b/salt/elasticsearch/files/ingest/zeek.syslog
index e32b89c7e..5bdbd9736 100644
--- a/salt/elasticsearch/files/ingest/zeek.syslog
+++ b/salt/elasticsearch/files/ingest/zeek.syslog
@@ -4,8 +4,8 @@
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
- { "rename": { "field": "message2.facility", "target_field": "syslog.facility", "ignore_missing": true } },
- { "rename": { "field": "message2.severity", "target_field": "syslog.severity", "ignore_missing": true } },
+ { "rename": { "field": "message2.facility", "target_field": "syslog.facility_label", "ignore_missing": true } },
+ { "rename": { "field": "message2.severity", "target_field": "syslog.severity_label", "ignore_missing": true } },
 { "remove": { "field": "message", "ignore_failure": true } },
 { "rename": { "field": "message2.message", "target_field": "message", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
diff --git a/salt/soc/files/soc/hunt.queries.json b/salt/soc/files/soc/hunt.queries.json
index 2aaef8e59..de4689e79 100644
--- a/salt/soc/files/soc/hunt.queries.json
+++ b/salt/soc/files/soc/hunt.queries.json
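Review bot: Nothing in this hunk keeps existing consumers of the old names working once Zeek's textual facility and severity are moved to `syslog.facility_label` and `syslog.severity_label`: the two changed rename processors have no companion `set`/`copy` for `syslog.facility` and `syslog.severity`, so any dashboard, saved search or detection rule that still filters on those keys will silently return no Zeek hits instead of failing loudly. The hunt query in `hunt.queries.json` is updated in this same commit, but other references are not visible here; a repository-wide search for the old field names, or a field alias in the index template, is worth confirming before this pipeline ships. The rename presumably separates Zeek's string values from numeric syslog code fields populated by other sources; if so, that intent belongs in the pipeline's top-level `description` (outside this hunk), since strict JSON gives no room for an inline comment. Documents already indexed keep the old keys, so the change is not retroactive without a reindex.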
@@ -56,11 +56,11 @@
 { "name": "Software", "description": "List of software seen on the network", "query": "event.dataset:software | groupby software.type software.name"},
 { "name": "SSH", "description": "SSH grouped by version and client", "query": "event.dataset:ssh | groupby ssh.version ssh.client"},
 { "name": "SSL", "description": "SSL grouped by version and server name", "query": "event.dataset:ssl | groupby ssl.version ssl.server_name"},
- { "name": "SYSLOG", "description": "SYSLOG grouped by severity and facility ", "query": "event.dataset:syslog | groupby syslog.severity syslog.facility"},
+ { "name": "SYSLOG", "description": "SYSLOG grouped by severity and facility ", "query": "event.dataset:syslog | groupby syslog.severity_label syslog.facility_label"},
 { "name": "Tunnel", "description": "Tunnels grouped by type and action", "query": "event.dataset:tunnel | groupby tunnel.type event.action"},
 { "name": "Weird", "description": "Zeek weird log grouped by name", "query": "event.dataset:weird | groupby weird.name"},
 { "name": "x509", "description": "x.509 grouped by key length and name", "query": "event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns"},
 { "name": "x509", "description": "x.509 grouped by name and issuer", "query": "event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer"},
 { "name": "x509", "description": "x.509 grouped by name and subject", "query": "event.dataset:x509 | groupby x509.san_dns x509.certificate.subject"},
 { "name": "Firewall", "description": "Firewall events grouped by action", "query": "event.dataset:firewall | groupby rule.action"}
- ]
\ No newline at end of file
+ ]
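Review bot: The rewritten SYSLOG entry still carries a trailing space inside its `description` value (`"SYSLOG grouped by severity and facility "`), which none of the neighbouring entries have and which is likely rendered verbatim wherever the query list is displayed; since the line is being touched anyway, change it to `"description": "SYSLOG grouped by severity and facility"`. Note also that the new `groupby syslog.severity_label syslog.facility_label` only matches documents ingested after the pipeline rename is deployed, so against existing indices this hunt will show no buckets for historical syslog events unless they are reindexed or the old fields are aliased. The removed and re-added `]` only restores the missing newline at end of file and needs no change.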