diff --git a/logstash/pipelines/zeek/11_zeek_logs.conf b/logstash/pipelines/zeek/11_zeek_logs.conf
index 66eada60d..ada98be8f 100644
--- a/logstash/pipelines/zeek/11_zeek_logs.conf
+++ b/logstash/pipelines/zeek/11_zeek_logs.conf
@@ -4313,9 +4313,10 @@ filter {
 } else {
- if ([log_source] =~ /\.\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}$/) {
- # filebeat caught a file right in the middle of being renamed/moved (ie., renamed from conn.log to
- # conn.2020-01-16-14-00-00.log). this has actually already been processed, so ignore this event.
+ if ([log_source] =~ /\.\d{4}[_:-]?\d{2}[_:-]?\d{2}[_:-]?\d{2}[_:-]?\d{2}[_:-]?\d{2}$/) {
+ # filebeat caught a file right in the middle of being renamed/moved
+ # (ie., renamed from conn.log to conn.2020-01-16-14-00-00.log or conn.2020_01_16_14_00_00.log).
+ # this has actually already been processed, so ignore this event.
 drop { id => "drop_renamed_logfile" }
 } else {