securityonion/salt/zeek/soc_zeek.yaml

zeek:
  logging:
    enabled:
      description: This is a list of Zeek logs that will be shipped through the pipeline. If you remove a log from this list, it will still persist on the sensor.
      helpLink: zeek.html
  config:
    local:
      '@load':
        description: List of Zeek policies to load
        helpLink: zeek.html
      '@load-sigs':
        description: List of Zeek signatures to load
        helpLink: zeek.html
    node:
      lb_procs:
        description: This is the number of CPUs to use for Zeek. This setting is ignored if you are using pins.
        helpLink: zeek.html
        node: True
      pins_enabled:
        description: Enabling this setting allows you to pin Zeek to specific CPUs.
        helpLink: zeek.html
        node: True
        advanced: True
      pins:
        description: This is a list of CPUs you want to pin Zeek to.
        helpLink: zeek.html
        node: True
        advanced: True
    zeekctl:
      CompressLogs:
        description: This setting enables compression of Zeek logs. If you are seeing packet loss at the top of the hour in Zeek or PCAP you might need to disable this by seting it to 0. This will use more disk space but save IO and CPU.
        helpLink: zeek.html
  policy:
    custom:
      filters: 
        conn:
          description: Conn Filter for Zeek. This is an advanced setting and will take further action to enable.
          helpLink: zeek.html
          file: True
          global: True
          advanced: True
  file_extraction:
    description: This is a list of MIME types that Zeek will extract from the network streams.
    helpLink: zeek.html